deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

fix merge conflict

Browse Source
This commit is contained in:
Meghan Stewart 2024-03-19 08:41:51 -07:00
commit d90baf532e
454 changed files with 7721 additions and 24243 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.windows-application-management.json
View File

@ -29,6 +29,11 @@
"source_path": "windows/application-management/sideload-apps-in-windows-10.md", "source_path": "windows/application-management/sideload-apps-in-windows-10.md",
"redirect_url": "/windows/application-management/sideload-apps-in-windows", "redirect_url": "/windows/application-management/sideload-apps-in-windows",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/application-management/add-apps-and-features.md",
"redirect_url": "/windows/client-management/client-tools/add-remove-hide-features",
"redirect_document_id": false
} }
] ]
} }

151
.openpublishing.redirection.windows-configuration.json
View File

@ -167,7 +167,7 @@
}, },
{ {
"source_path": "windows/configuration/stop-employees-from-using-the-windows-store.md", "source_path": "windows/configuration/stop-employees-from-using-the-windows-store.md",
"redirect_url": "/windows/configuration/stop-employees-from-using-microsoft-store", "redirect_url": "/windows/configuration/store",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -282,7 +282,7 @@
}, },
{ {
"source_path": "windows/configuration/configure-windows-10-taskbar.md", "source_path": "windows/configuration/configure-windows-10-taskbar.md",
"redirect_url": "/windows/configuration/taskbar/configure-windows-10-taskbar", "redirect_url": "/windows/configuration/taskbar/",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -297,7 +297,7 @@
}, },
{ {
"source_path": "windows/configuration/customize-taskbar-windows-11.md", "source_path": "windows/configuration/customize-taskbar-windows-11.md",
"redirect_url": "/windows/configuration/taskbar/customize-taskbar-windows-11", "redirect_url": "/windows/configuration/taskbar",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -347,7 +347,7 @@
}, },
{ {
"source_path": "windows/configuration/kiosk-prepare.md", "source_path": "windows/configuration/kiosk-prepare.md",
"redirect_url": "/windows/configuration/kiosk/kiosk-prepare", "redirect_url": "/windows/configuration/kiosk/recommendations",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -372,7 +372,7 @@
}, },
{ {
"source_path": "windows/configuration/lockdown-features-windows-10.md", "source_path": "windows/configuration/lockdown-features-windows-10.md",
"redirect_url": "/windows/configuration/kiosk/lockdown-features-windows-10", "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/kiosk/lockdown-features-windows-10",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -392,7 +392,7 @@
}, },
{ {
"source_path": "windows/configuration/manage-tips-and-suggestions.md", "source_path": "windows/configuration/manage-tips-and-suggestions.md",
"redirect_url": "/windows/configuration/tips/manage-tips-and-suggestions", "redirect_url": "/windows/configuration/",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -432,7 +432,12 @@
}, },
{ {
"source_path": "windows/configuration/stop-employees-from-using-microsoft-store.md", "source_path": "windows/configuration/stop-employees-from-using-microsoft-store.md",
"redirect_url": "/windows/configuration/store/stop-employees-from-using-microsoft-store", "redirect_url": "/windows/configuration/store",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/store/stop-employees-from-using-microsoft-store.md",
"redirect_url": "/windows/configuration/store",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -442,7 +447,7 @@
}, },
{ {
"source_path": "windows/configuration/supported-csp-taskbar-windows.md", "source_path": "windows/configuration/supported-csp-taskbar-windows.md",
"redirect_url": "/windows/configuration/taskbar/supported-csp-taskbar-windows", "redirect_url": "/windows/configuration/taskbar/policy-settings",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -729,6 +734,136 @@
"source_path": "windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md", "source_path": "windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org", "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/lockdown-features-windows-10.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/kiosk/lockdown-features-windows-10",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app.md",
"redirect_url": "/windows/configuration/store/find-aumid",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/lock-down-windows-10-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/lock-down-windows-10-to-specific-apps.md",
"redirect_url": "/windows/configuration/assigned-access/configuration-file",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/assigned-access/create-xml.md",
"redirect_url": "/windows/configuration/assigned-access/configuration-file",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md",
"redirect_url": "/windows/configuration/assigned-access/configuration-file",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/kiosk-additional-reference.md",
"redirect_url": "/windows/configuration/assigned-access",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/kiosk-mdm-bridge.md",
"redirect_url": "/windows/configuration/assigned-access/quickstart-kiosk",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/kiosk-policies.md",
"redirect_url": "/windows/configuration/assigned-access/policy-settings",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/kiosk-shelllauncher.md",
"redirect_url": "/windows/configuration/assigned-access/shell-launcher",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/kiosk-validate.md",
"redirect_url": "/windows/configuration/assigned-access/overview",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/kiosk-xml.md",
"redirect_url": "/windows/configuration/assigned-access/configuration-file",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/setup-digital-signage.md",
"redirect_url": "/windows/configuration/assigned-access/overview",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/kiosk-single-app.md",
"redirect_url": "/windows/configuration/assigned-access/overview",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/kiosk-methods.md",
"redirect_url": "/windows/configuration/assigned-access",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/guidelines-for-assigned-access-app.md",
"redirect_url": "/windows/configuration/assigned-access/overview",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/kiosk-prepare.md",
"redirect_url": "/windows/configuration/assigned-access/recommendations",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/start/customize-start-menu-layout-windows-11.md",
"redirect_url": "/windows/configuration/start/customize-and-export-start-layout",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy.md",
"redirect_url": "/windows/configuration/start/customize-and-export-start-layout",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md",
"redirect_url": "/windows/configuration/start/customize-and-export-start-layout",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/start/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md",
"redirect_url": "/windows/configuration/start/customize-and-export-start-layout",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/taskbar/configure-windows-10-taskbar.md",
"redirect_url": "/windows/configuration/taskbar/",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/taskbar/customize-taskbar-windows-11.md",
"redirect_url": "/windows/configuration/taskbar/",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/tips/manage-tips-and-suggestions.md",
"redirect_url": "/windows/configuration",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/taskbar/configure.md",
"redirect_url": "/windows/configuration/taskbar/",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/taskbar/supported-csp-taskbar-windows.md",
"redirect_url": "/windows/configuration/taskbar/policy-settings",
"redirect_document_id": false
} }
] ]
} }

5
.openpublishing.redirection.windows-deployment.json
View File

@ -1124,6 +1124,11 @@
"source_path": "windows/deployment/Windows-AutoPilot-EULA-note.md", "source_path": "windows/deployment/Windows-AutoPilot-EULA-note.md",
"redirect_url": "/legal/windows/windows-autopilot-eula-note", "redirect_url": "/legal/windows/windows-autopilot-eula-note",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-10-missing-fonts.md",
"redirect_url": "/windows/deployment/windows-missing-fonts",
"redirect_document_id": false
} }
] ]
} }

857
.openpublishing.redirection.windows-security.json
View File

@ -1452,12 +1452,12 @@
}, },
{ {
"source_path": "windows/security/threat-protection/intelligence/av-tests.md", "source_path": "windows/security/threat-protection/intelligence/av-tests.md",
"redirect_url": "/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests", "redirect_url": "/microsoft-365/security/defender/top-scoring-industry-antivirus-tests.md",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
"source_path": "windows/security/threat-protection/intelligence/coinminer-malware.md", "source_path": "windows/security/threat-protection/intelligence/coinminer-malware.md",
"redirect_url": "/microsoft-365/security/intelligence/coinminer-malware", "redirect_url": "/microsoft-365/security/defender-endpoint/malware/coinminer-malware",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -1467,12 +1467,12 @@
}, },
{ {
"source_path": "windows/security/threat-protection/intelligence/criteria.md", "source_path": "windows/security/threat-protection/intelligence/criteria.md",
"redirect_url": "/microsoft-365/security/intelligence/criteria", "redirect_url": "/microsoft-365/security/defender/criteria",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
"source_path": "windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md", "source_path": "windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md",
"redirect_url": "/microsoft-365/security/intelligence/cybersecurity-industry-partners", "redirect_url": "/microsoft-365/security/defender/virus-initiative-criteria",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -1487,17 +1487,17 @@
}, },
{ {
"source_path": "windows/security/threat-protection/intelligence/exploits-malware.md", "source_path": "windows/security/threat-protection/intelligence/exploits-malware.md",
"redirect_url": "/microsoft-365/security/intelligence/exploits-malware", "redirect_url": "/microsoft-365/security/defender-endpoint/malware/exploits-malware",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
"source_path": "windows/security/threat-protection/intelligence/fileless-threats.md", "source_path": "windows/security/threat-protection/intelligence/fileless-threats.md",
"redirect_url": "/microsoft-365/security/intelligence/fileless-threats", "redirect_url": "/microsoft-365/security/defender-endpoint/malware/fileless-threats",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
"source_path": "windows/security/threat-protection/intelligence/macro-malware.md", "source_path": "windows/security/threat-protection/intelligence/macro-malware.md",
"redirect_url": "/microsoft-365/security/intelligence/macro-malware", "redirect_url": "/microsoft-365/security/defender-endpoint/malware/macro-malware",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -1507,12 +1507,12 @@
}, },
{ {
"source_path": "windows/security/threat-protection/intelligence/phishing-trends.md", "source_path": "windows/security/threat-protection/intelligence/phishing-trends.md",
"redirect_url": "/microsoft-365/security/intelligence/phishing-trends", "redirect_url": "/microsoft-365/security/defender-endpoint/malware/phishing-trends",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
"source_path": "windows/security/threat-protection/intelligence/phishing.md", "source_path": "windows/security/threat-protection/intelligence/phishing.md",
"redirect_url": "/microsoft-365/security/intelligence/phishing", "redirect_url": "/microsoft-365/security/defender-endpoint/malware/phishing",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -1522,7 +1522,7 @@
}, },
{ {
"source_path": "windows/security/threat-protection/intelligence/prevent-malware-infection.md", "source_path": "windows/security/threat-protection/intelligence/prevent-malware-infection.md",
"redirect_url": "/microsoft-365/security/intelligence/prevent-malware-infection", "redirect_url": "/microsoft-365/security/defender-endpoint/malware/prevent-malware-infection",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -8172,7 +8172,7 @@
}, },
{ {
"source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md", "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md",
"redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll", "redirect_url": "/windows/security/identity-protection/hello-for-business/how-it-works#provisioning",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -8334,6 +8334,841 @@
"source_path": "windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md", "source_path": "windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md",
"redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust", "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/access-this-computer-from-the-network",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/account-lockout-duration.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/account-lockout-duration",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/account-lockout-policy.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/account-lockout-policy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/account-lockout-threshold",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/account-policies.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/account-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-administrator-account-status",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-guest-account-status",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-rename-administrator-account",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-rename-guest-account",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/add-workstations-to-domain",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/administer-security-policy-settings",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-locally",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/audit-policy.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/audit-policy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/back-up-files-and-directories",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/bypass-traverse-checking",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/change-the-system-time.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/change-the-system-time",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/change-the-time-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/change-the-time-zone",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/create-a-pagefile.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/create-a-pagefile",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/create-a-token-object.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/create-a-token-object",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/create-global-objects.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/create-global-objects",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/create-permanent-shared-objects",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/create-symbolic-links.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/create-symbolic-links",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/debug-programs.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/debug-programs",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/deny-log-on-as-a-service",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/deny-log-on-locally",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/enforce-password-history.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/enforce-password-history",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/generate-security-audits.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/generate-security-audits",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/increase-a-process-working-set",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/increase-scheduling-priority",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/kerberos-policy.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/kerberos-policy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/load-and-unload-device-drivers",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/lock-pages-in-memory",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/log-on-as-a-batch-job",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/log-on-as-a-service",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/manage-auditing-and-security-log",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/maximum-password-age.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/maximum-password-age",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/minimum-password-age.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/minimum-password-age",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/minimum-password-length.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/minimum-password-length",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/modify-an-object-label.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/modify-an-object-label",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/modify-firmware-environment-values",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-list-manager-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/password-policy.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/password-policy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/profile-single-process.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/profile-single-process",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/profile-system-performance.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/profile-system-performance",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/remove-computer-from-docking-station",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/replace-a-process-level-token",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/restore-files-and-directories",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/security-options.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/security-options",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/security-policy-settings.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/security-policy-settings",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/security-policy-settings-reference",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/shut-down-the-system.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/shut-down-the-system",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/synchronize-directory-service-data",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/system-settings-optional-subsystems",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/user-rights-assignment.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment",
"redirect_document_id": false
} }
] ]
} }

11
education/windows/edu-stickers.md
View File

@ -36,7 +36,6 @@ Stickers aren't enabled by default. Follow the instructions below to configure y
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>| | <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] [!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)]
> [!TIP] > [!TIP]
> Use the following Graph call to automatically create the custom policy in your tenant without assignments nor scope tags. <sup>[1](#footnote1)</sup> > Use the following Graph call to automatically create the custom policy in your tenant without assignments nor scope tags. <sup>[1](#footnote1)</sup>
@ -52,14 +51,13 @@ Content-Type: application/json
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To configure devices using a provisioning package, [create a provisioning package][WIN-1] using Windows Configuration Designer (WCD) with the following settings: [!INCLUDE [provisioning-package-1](../../includes/configure/provisioning-package-1.md)]
| Setting | | Setting |
|--------| |--------|
| <li> Path: **`Education/AllowStickers`** </li><li>Value: **True**</li>| | <li> Path: **`Education/AllowStickers`** </li><li>Value: **True**</li>|
Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created. [!INCLUDE [provisioning-package-2](../../includes/configure/provisioning-package-2.md)]
--- ---
## How to use Stickers ## How to use Stickers
@ -76,8 +74,3 @@ Multiple stickers can be added from the picker by selecting them. The stickers c
:::image type="content" source="./images/win-11-se-stickers-animation.gif" alt-text="animation showing Windows 11 SE desktop with 4 pirate stickers being resized and moved" border="true"::: :::image type="content" source="./images/win-11-se-stickers-animation.gif" alt-text="animation showing Windows 11 SE desktop with 4 pirate stickers being resized and moved" border="true":::
Select the *X button* at the top of the screen to save your progress and close the sticker editor. Select the *X button* at the top of the screen to save your progress and close the sticker editor.
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package

28
education/windows/edu-take-a-test-kiosk-mode.md
View File

@ -26,7 +26,7 @@ The other options allow you to configure Take a Test in kiosk mode using a local
Follow the instructions below to configure your devices, selecting the option that best suits your needs. Follow the instructions below to configure your devices, selecting the option that best suits your needs.
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) # [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
You can use Intune for Education or a custom profile in Microsoft Intune: You can use Intune for Education or a custom profile in Microsoft Intune:
@ -68,9 +68,8 @@ To configure devices using Intune for Education, follow these steps:
:::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true"::: :::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true":::
[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] [!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)]
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) # [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To create a provisioning package, you can either use Set up School PCs or Windows Configuration Designer: To create a provisioning package, you can either use Set up School PCs or Windows Configuration Designer:
@ -85,7 +84,7 @@ Create a provisioning package using the Set up School PCs app, configuring the s
### Create a provisioning package using Windows Configuration Designer ### Create a provisioning package using Windows Configuration Designer
[Create a provisioning package][WIN-1] using Windows Configuration Designer with the following settings: [!INCLUDE [provisioning-package-1](../../includes/configure/provisioning-package-1.md)]
| Setting | | Setting |
|--------| |--------|
@ -99,22 +98,11 @@ Create a provisioning package using the Set up School PCs app, configuring the s
:::image type="content" source="./images/takeatest/wcd-take-a-test.png" alt-text="Windows Configuration Designer - configuration of policies to enable Take a Test to run in kiosk mode" lightbox="./images/takeatest/wcd-take-a-test.png" border="true"::: :::image type="content" source="./images/takeatest/wcd-take-a-test.png" alt-text="Windows Configuration Designer - configuration of policies to enable Take a Test to run in kiosk mode" lightbox="./images/takeatest/wcd-take-a-test.png" border="true":::
Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created. [!INCLUDE [provisioning-package-2](../../includes/configure/provisioning-package-2.md)]
#### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell) # [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell)
Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). [!INCLUDE [powershell-wmi-bridge-1](../../includes/configure/powershell-wmi-bridge-1.md)]
> [!TIP]
> PowerShell scripts can be executed as scheduled tasks via Group Policy.
> [!IMPORTANT]
> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.
>
> To test a PowerShell script, you can:
> 1. [Download the psexec tool](/sysinternals/downloads/psexec)
> 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
> 1. Run the script in the PowerShell session
Edit the following sample PowerShell script to: Edit the following sample PowerShell script to:
@ -171,7 +159,9 @@ $cimObject.HideFastUserSwitching = 1
Set-CimInstance -CimInstance $cimObject Set-CimInstance -CimInstance $cimObject
``` ```
#### [:::image type="icon" source="images/icons/settings.svg"::: **Settings app**](#tab/settings) [!INCLUDE [powershell-wmi-bridge-2](../../includes/configure/powershell-wmi-bridge-2.md)]
# [:::image type="icon" source="images/icons/settings.svg"::: **Settings app**](#tab/settings)
To create a local account, and configure Take a Test in kiosk mode using the Settings app: To create a local account, and configure Take a Test in kiosk mode using the Settings app:

4
education/windows/take-tests-in-windows.md
View File

@ -1,7 +1,7 @@
--- ---
title: Take tests and assessments in Windows title: Take tests and assessments in Windows
description: Learn about the built-in Take a Test app for Windows and how to use it. description: Learn about the built-in Take a Test app for Windows and how to use it.
ms.date: 03/31/2023 ms.date: 02/29/2024
ms.topic: how-to ms.topic: how-to
--- ---
@ -48,7 +48,7 @@ This is an ideal option for teachers who want to create a link to a specific ass
For this option, you embed a URL with a specific prefix and specify parameters depending on what you want to allow during the test. For this option, you embed a URL with a specific prefix and specify parameters depending on what you want to allow during the test.
The URL must be in the following format: The URL must be in the following format:
``` ```text
ms-edu-secureassessment:<URL>#enforceLockdown ms-edu-secureassessment:<URL>#enforceLockdown
``` ```

9
includes/configure/intune-custom-settings-1.md
View File

@ -6,11 +6,4 @@ ms.topic: include
ms.service: windows-client ms.service: windows-client
--- ---
To configure devices with Microsoft Intune, use a custom policy: To configure devices with Microsoft Intune, [create a custom policy](/mem/intune/configuration/custom-settings-windows-10) and use the following settings:
1. Go to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
2. Select **Devices > Configuration profiles > Create profile**
3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**
4. Select **Create**
5. Specify a **Name** and, optionally, a **Description > Next**
6. Add the following settings:

5
includes/configure/intune-custom-settings-2.md
View File

@ -6,7 +6,4 @@ ms.topic: include
ms.service: windows-client ms.service: windows-client
--- ---
7. Select **Next** Assign the policy to a group that contains as members the devices or users that you want to configure.
8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
9. Under **Applicability Rules**, select **Next**
10. Review the policy configuration and select **Create**

9
includes/configure/intune-custom-settings-info.md
View File

@ -1,9 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/15/2023
ms.topic: include
ms.service: windows-client
---
For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).

18
includes/configure/powershell-wmi-bridge-1.md Normal file
View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/12/2023
ms.topic: include
ms.prod: windows-client
---
Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal).
> [!IMPORTANT]
> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.
To test the PowerShell script, you can:
1. [Download the psexec tool](/sysinternals/downloads/psexec)
1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
1. Run the script in the PowerShell session

9
includes/configure/powershell-wmi-bridge-2.md Normal file
View File

@ -0,0 +1,9 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/12/2023
ms.topic: include
ms.prod: windows-client
---
For more information, see [Use PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).

4
includes/licensing/assigned-access-kiosk-mode.md → includes/licensing/assigned-access.md
View File

@ -7,13 +7,13 @@ ms.topic: include
## Windows edition and licensing requirements ## Windows edition and licensing requirements
The following table lists the Windows editions that support Assigned Access (kiosk mode): The following table lists the Windows editions that support Assigned Access:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:| |:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes| |Yes|Yes|Yes|Yes|
Assigned Access (kiosk mode) license entitlements are granted by the following licenses: Assigned Access license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:| |:---:|:---:|:---:|:---:|:---:|

8
includes/licensing/account-lockout-policy.md → includes/licensing/shell-launcher.md
View File

@ -7,16 +7,16 @@ ms.topic: include
## Windows edition and licensing requirements ## Windows edition and licensing requirements
The following table lists the Windows editions that support Account Lockout Policy: The following table lists the Windows editions that support Shell Launcher:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:| |:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes| |No|Yes|No|Yes|
Account Lockout Policy license entitlements are granted by the following licenses: Shell Launcher license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:| |:---:|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|Yes| |No|Yes|Yes|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

22
includes/licensing/windows-security-policy-settings-and-auditing.md
View File

@ -1,22 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/18/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Windows security policy settings and auditing:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Windows security policy settings and auditing license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

98
windows/application-management/add-apps-and-features.md
View File

@ -1,98 +0,0 @@
---
title: Add or hide Windows features
description: Learn how to add Windows optional features using the Apps & features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Apps and Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 08/18/2023
ms.topic: how-to
ms.service: windows-client
ms.subservice: itpro-apps
ms.localizationpriority: medium
ms.collection: tier2
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Add or hide Windows features
Windows includes optional features that aren't installed by default, but you can add later. These features are called [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities), and can be installed at any time. Some of these features are language resources like language packs or handwriting support. On organization-owned devices, you can control access to these other features. You can use group policy or mobile device management (MDM) policies to hide the UI from users, or use Windows PowerShell to enable or disable specific features.
## Use the Windows Settings app to add or uninstall features
### Windows 11
1. Open the Start menu and search for **Settings**.
1. In the Settings app, search for "optional" and select **Optional features**.
> [!TIP]
> You can also use the following shortcut to open it directly: [`ms-settings:optionalfeatures`](ms-settings:optionalfeatures).
1. To add a feature:
1. Select **View features** next to "Add an optional feature."
1. Find the feature you want to add, like **XPS Viewer**. Select the box to add it. You can select multiple features.
1. Select **Next**. Review the list of features you selected, and then select **Install** to add the selected features.
1. To uninstall a feature:
1. Search for it in the list of **Installed features**.
1. Expand the section, and select **Uninstall**.
### Windows 10
1. In the Search bar, search for "apps" and select **Apps and features**.
1. Select **Optional features** > **Add a feature**.
1. Select the feature you want to add, like **XPS Viewer**, and then select **Install.**
When the installation completes, the feature is listed in **Apps & features**. In **Apps & features** > **Optional features** > **More Windows features**, there are more features that you and your users can install.
To uninstall a feature, open the **Settings** app. Select the feature, and then select **Uninstall**.
## Use group policy or MDM policies to hide Windows features
By default, the OS might show Windows features and allow users to install and uninstall these optional apps and features. To hide Windows features on your user devices, you can use group policy or an MDM provider like Microsoft Intune.
### Group policy
If you use group policy, use the `User Configuration\Administrative Template\Control Panel\Programs\Hide "Windows Features"` policy. By default, this policy may be set to **Not configured**, which means users can add or remove features. When this setting is **Enabled**, the settings page to add optional features is hidden on the device.
You can't use group policy to disable specific Windows features, such as XPS Viewer. If you want to disable specific features, use [Windows PowerShell](#use-windows-powershell-to-disable-specific-features).
If you want to hide the entire **Apps** feature in the Settings app, use the `User Configuration\Administrative Template\Control Panel\Programs\Hide "Programs and Features" page` policy.
### MDM
Using Microsoft Intune, you can use [administrative templates](/mem/intune/configuration/administrative-templates-windows) or the [settings catalog](/mem/intune/configuration/settings-catalog) to hide Windows features.
If you want to hide the entire **Apps** feature in the Settings app, you can use a configuration policy on Intune enrolled devices. For more information on the settings you can configure, see [Control Panel and Settings device restrictions in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings).
## Use Windows PowerShell to disable specific features
To disable specific features, use the Windows PowerShell [Disable-WindowsOptionalFeature](/powershell/module/dism/disable-windowsoptionalfeature) cmdlet.
> [!NOTE]
> There isn't a group policy that disables specific Windows features.
To automate disabling specific features, create a scheduled task to run a PowerShell script. For more information about Windows task scheduler, see [Task Scheduler for developers](/windows/win32/taskschd/task-scheduler-start-page).
Microsoft Intune can also run PowerShell scripts. For more information, see [Use PowerShell scripts on Windows client devices in Intune](/mem/intune/apps/intune-management-extension).
To enable specific features, use the [Enable-WindowsOptionalFeature](/powershell/module/dism/enable-windowsoptionalfeature) cmdlet.
Another useful PowerShell cmdlet is [Get-WindowsOptionalFeature](/powershell/module/dism/get-windowsoptionalfeature). Use this cmdlet to view information about optional features in the current OS or a mounted image. This cmdlet returns the current state of features, and whether a restart may be required when the state changes.
## Related articles
- [Features on Demand overview](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities)
- [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod)
- [Language and region Features on Demand (FOD)](/windows-hardware/manufacture/desktop/features-on-demand-language-fod)

1
windows/application-management/docfx.json
View File

@ -39,6 +39,7 @@
"ms.collection": [ "ms.collection": [
"tier2" "tier2"
], ],
"zone_pivot_group_filename": "resources/zone-pivot-groups.json",
"uhfHeaderId": "MSDocsHeader-Windows", "uhfHeaderId": "MSDocsHeader-Windows",
"ms.service": "windows-client", "ms.service": "windows-client",
"ms.subservice": "itpro-apps", "ms.subservice": "itpro-apps",

2
windows/application-management/toc.yml
View File

@ -5,8 +5,6 @@ items:
items: items:
- name: Overview of apps in Windows - name: Overview of apps in Windows
href: overview-windows-apps.md href: overview-windows-apps.md
- name: Add or hide Windows features
href: add-apps-and-features.md
- name: Sideload line of business (LOB) apps - name: Sideload line of business (LOB) apps
href: sideload-apps-in-windows.md href: sideload-apps-in-windows.md
- name: Private app repo on Windows 11 - name: Private app repo on Windows 11

170
windows/client-management/client-tools/add-remove-hide-features.md Normal file
View File

@ -0,0 +1,170 @@
---
title: Add, remove, or hide Windows features
description: Learn how to add or remove Windows optional features using the Optional features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 03/13/2024
ms.topic: how-to
ms.service: windows-client
ms.subservice: itpro-apps
ms.localizationpriority: medium
ms.collection: tier2
zone_pivot_groups: windows-versions-11-10
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Add, remove, or hide Windows features
Windows has optional features that aren't included by default, but you can add later. These features are called [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities), and can be added at any time. Some of these features are language resources like language packs or handwriting support. On organization-owned devices, you can control access to these other features. You can use group policy or mobile device management (MDM) policies to hide the UI from users, or use Windows PowerShell to enable or disable specific features.
## Use the Windows Settings app to add or remove features
<!-- OSADO-45535220 -->
Open the **Optional features** pane in the **Settings** app by selecting the following link:
> [!div class="nextstepaction"]
> [Optional features](ms-settings:optionalfeatures)
or
1. Right-click on the **Start** menu and select **Run**.
1. In the **Run** window, next to **Open:**, enter:
```console
ms-settings:optionalfeatures
```
and then select **OK**.
or
::: zone pivot="windows-11"
1. Right-click on the **Start** menu and select **Settings**.
1. In the left hand pane of the Settings app, select **System**.
1. In the right hand **System** pane, select **Optional features**.
> [!NOTE]
>
> The navigation steps, UI elements, and UI text in this section are based on the latest version of Windows 11 with the latest cumulative update installed. For other versions of Windows 11 that are currently supported or don't have the latest cumulative update, some of the navigation steps, UI elements, and UI text might be different. For example, the [**Optional features**](ms-settings:optionalfeatures) pane might be located under **Settings** > **Apps**.
::: zone-end
::: zone pivot="windows-10"
1. Right-click on the **Start** menu and select **Settings**.
1. In the Settings app, select **System**.
1. In the left hand pane, select **Optional features**.
> [!NOTE]
>
> The navigation steps, UI elements, and UI text in this section are based on Windows 10 22H2 with the latest cumulative update installed. For other versions of Windows 10 that are currently supported or don't have the latest cumulative update, some of the navigation steps, UI elements, and UI text might be different. For example, the [**Optional features**](ms-settings:optionalfeatures) pane might be located under **Settings** > **Apps** > **Apps & features**.
::: zone-end
### Add a feature
::: zone pivot="windows-11"
Once the **System > Optional features** pane is open, add a feature with the following steps:
1. Select the **View features** button next to **Add an optional feature**.
1. In the **Add an optional feature** window that opens:
1. Find the desired feature to add and then select the box next to the feature to add it. Multiple features can be selected.
1. Once all of the desired features are selected, select the **Next** button.
1. Review the selected list of features and then select the **Install** button to add the selected features.
::: zone-end
::: zone pivot="windows-10"
Once the **Optional features** pane is open, add a feature with the following steps:
1. Select the **+** button next to **Add a feature**.
1. In the **Add an optional feature** window that opens:
1. Find the desired feature to add and then select the box next to the feature to add it. Multiple features can be selected.
1. Once all of the desired features are selected, select the **Install** button.
::: zone-end
> [!IMPORTANT]
>
> Windows Update is used to add the optional features. The device needs to be online so Windows Update can download the content that it needs to add.
### Remove a feature
::: zone pivot="windows-11"
Once the **System > Optional features** pane is open, remove a feature with the following steps:
1. Under **Installed features**, search for the feature that needs to be removed in the **Search installed features** search box, or scroll through the list of added features until the feature that needs to be removed is found.
1. Once the feature that needs to be removed is found, select the feature to expand it, and then select the **Uninstall** button.
::: zone-end
::: zone pivot="windows-10"
Once the **Optional features** pane is open, remove a feature with the following steps:
1. Under **Installed features**, search for the feature that needs to be removed in the **Find an installed optional feature** search box, or scroll through the list of added features until the feature that needs to be removed is found.
1. Once the feature that needs to be removed is found, select the feature to expand it, and then select the **Uninstall** button.
::: zone-end
## Use group policy or MDM policies to hide Windows features
By default, the OS might show Windows features and allow users to add and remove these optional apps and features. To hide Windows features on your user devices, you can use group policy or an MDM provider like Microsoft Intune.
### Group policy
If you use group policy, use the `User Configuration\Administrative Template\Control Panel\Programs\Hide "Windows Features"` policy. By default, this policy might be set to **Not configured**, which means users can add or remove features. When this setting is **Enabled**, the settings page to add optional features is hidden on the device.
You can't use group policy to disable specific Windows features. If you want to disable specific features, use [Windows PowerShell](#use-windows-powershell-to-disable-specific-features).
If you want to hide the entire **Apps** feature in the Settings app, use the `User Configuration\Administrative Template\Control Panel\Programs\Hide "Programs and Features" page` policy.
### MDM
Using Microsoft Intune, you can use [administrative templates](/mem/intune/configuration/administrative-templates-windows) or the [settings catalog](/mem/intune/configuration/settings-catalog) to hide Windows features.
If you want to hide the entire **Apps** feature in the Settings app, you can use a configuration policy on Intune enrolled devices. For more information on the settings you can configure, see [Control Panel and Settings device restrictions in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings).
## Use Windows PowerShell to disable specific features
To disable specific features, use the Windows PowerShell [Disable-WindowsOptionalFeature](/powershell/module/dism/disable-windowsoptionalfeature) cmdlet.
> [!NOTE]
>
> There isn't a group policy that disables specific Windows features.
To automate disabling specific features, create a scheduled task to run a PowerShell script. For more information about Windows task scheduler, see [Task Scheduler for developers](/windows/win32/taskschd/task-scheduler-start-page).
Microsoft Intune can also run PowerShell scripts. For more information, see [Use PowerShell scripts on Windows client devices in Intune](/mem/intune/apps/intune-management-extension).
To enable specific features, use the [Enable-WindowsOptionalFeature](/powershell/module/dism/enable-windowsoptionalfeature) cmdlet.
Another useful PowerShell cmdlet is [Get-WindowsOptionalFeature](/powershell/module/dism/get-windowsoptionalfeature). Use this cmdlet to view information about optional features in the current OS or a mounted image. This cmdlet returns the current state of features, and whether a restart might be required when the state changes.
## Related content
- [Features on Demand overview](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities).
- [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
- [Language and region Features on Demand (FOD)](/windows-hardware/manufacture/desktop/features-on-demand-language-fod).

2
windows/client-management/client-tools/toc.yml
View File

@ -1,4 +1,6 @@
items: items:
- name: Add, remove, or hide Windows features
href: add-remove-hide-features.md
- name: Windows Tools/Administrative Tools - name: Windows Tools/Administrative Tools
href: administrative-tools-in-windows.md href: administrative-tools-in-windows.md
- name: Use Quick Assist to help users - name: Use Quick Assist to help users

988
windows/client-management/mdm/assignedaccess-csp.md
View File

File diff suppressed because it is too large Load Diff

12
windows/client-management/mdm/bitlocker-csp.md
View File

@ -16,13 +16,19 @@ ms.date: 01/18/2024
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro. The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro.
> [!NOTE] > [!NOTE]
> To manage BitLocker through CSP except to enable and disable it using the `RequireDeviceEncryption` policy, one of the following licenses must be assigned to your users regardless of your management platform:
> >
> - Settings are enforced only at the time encryption is started. Encryption isn't restarted with settings changes. > - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5).
> - You must send all the settings together in a single SyncML to be effective. > - Windows 10/11 Enterprise A3 or A5 (included in Microsoft 365 A3 and A5).
A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns the setting configured by the admin. A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns the setting configured by the admin.
For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption doesn't verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength). For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption doesn't verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
> [!NOTE]
>
> - Settings are enforced only at the time encryption is started. Encryption isn't restarted with settings changes.
> - You must send all the settings together in a single SyncML to be effective.
<!-- BitLocker-Editable-End --> <!-- BitLocker-Editable-End -->
<!-- BitLocker-Tree-Begin --> <!-- BitLocker-Tree-Begin -->
@ -654,7 +660,7 @@ Sample value for this node to enable this policy is: `<enabled/>`
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. --> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
**Example**: **Example**:
To disable this policy, use hte following SyncML: To disable this policy, use the following SyncML:
```xml ```xml
<Replace> <Replace>

4
windows/client-management/mdm/clouddesktop-csp.md
View File

@ -1,7 +1,7 @@
--- ---
title: CloudDesktop CSP title: CloudDesktop CSP
description: Learn more about the CloudDesktop CSP. description: Learn more about the CloudDesktop CSP.
ms.date: 01/18/2024 ms.date: 03/05/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -29,7 +29,7 @@ The following list shows the CloudDesktop configuration service provider nodes:
<!-- Device-BootToCloudPCEnhanced-Applicability-Begin --> <!-- Device-BootToCloudPCEnhanced-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.3235] and later |
<!-- Device-BootToCloudPCEnhanced-Applicability-End --> <!-- Device-BootToCloudPCEnhanced-Applicability-End -->
<!-- Device-BootToCloudPCEnhanced-OmaUri-Begin --> <!-- Device-BootToCloudPCEnhanced-OmaUri-Begin -->

12
windows/client-management/mdm/clouddesktop-ddf-file.md
View File

@ -1,7 +1,7 @@
--- ---
title: CloudDesktop DDF file title: CloudDesktop DDF file
description: View the XML file containing the device description framework (DDF) for the CloudDesktop configuration service provider. description: View the XML file containing the device description framework (DDF) for the CloudDesktop configuration service provider.
ms.date: 01/31/2024 ms.date: 03/05/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -38,9 +38,9 @@ The following XML file contains the device description framework (DDF) for the C
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.22621.3235</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion> <MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;0xD2;</MSFT:EditionAllowList> <MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;</MSFT:EditionAllowList>
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
@ -68,8 +68,8 @@ The following XML file contains the device description framework (DDF) for the C
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.22621.3235</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion> <MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability> </MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>

12
windows/client-management/mdm/personalization-csp.md
View File

@ -1,7 +1,7 @@
--- ---
title: Personalization CSP title: Personalization CSP
description: Learn more about the Personalization CSP. description: Learn more about the Personalization CSP.
ms.date: 01/31/2024 ms.date: 03/05/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/31/2024
<!-- Personalization-Begin --> <!-- Personalization-Begin -->
# Personalization CSP # Personalization CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Personalization-Editable-Begin --> <!-- Personalization-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Personalization CSP can set the lock screen, desktop background images and company branding on sign-in screen ([BootToCloud mode](policy-csp-clouddesktop.md#boottocloudmode) only). Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package. The Personalization CSP can set the lock screen, desktop background images and company branding on sign-in screen ([BootToCloud mode](policy-csp-clouddesktop.md#boottocloudmode) only). Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package.
@ -38,7 +36,7 @@ The following list shows the Personalization configuration service provider node
<!-- Device-CompanyLogoStatus-Applicability-Begin --> <!-- Device-CompanyLogoStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.3235] and later |
<!-- Device-CompanyLogoStatus-Applicability-End --> <!-- Device-CompanyLogoStatus-Applicability-End -->
<!-- Device-CompanyLogoStatus-OmaUri-Begin --> <!-- Device-CompanyLogoStatus-OmaUri-Begin -->
@ -77,7 +75,7 @@ This represents the status of the Company Logo. 1 - Successfully downloaded or c
<!-- Device-CompanyLogoUrl-Applicability-Begin --> <!-- Device-CompanyLogoUrl-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.3235] and later |
<!-- Device-CompanyLogoUrl-Applicability-End --> <!-- Device-CompanyLogoUrl-Applicability-End -->
<!-- Device-CompanyLogoUrl-OmaUri-Begin --> <!-- Device-CompanyLogoUrl-OmaUri-Begin -->
@ -116,7 +114,7 @@ An http or https Url to a jpg, jpeg or png image that needs to be downloaded and
<!-- Device-CompanyName-Applicability-Begin --> <!-- Device-CompanyName-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.3235] and later |
<!-- Device-CompanyName-Applicability-End --> <!-- Device-CompanyName-Applicability-End -->
<!-- Device-CompanyName-OmaUri-Begin --> <!-- Device-CompanyName-OmaUri-Begin -->
@ -127,7 +125,7 @@ An http or https Url to a jpg, jpeg or png image that needs to be downloaded and
<!-- Device-CompanyName-Description-Begin --> <!-- Device-CompanyName-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This represents the name of the company. It can be at most 30 characters long. This setting is currently available only for boot to cloud shared pc mode to display the company name on sign-in screen. The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only.
<!-- Device-CompanyName-Description-End --> <!-- Device-CompanyName-Description-End -->
<!-- Device-CompanyName-Editable-Begin --> <!-- Device-CompanyName-Editable-Begin -->

16
windows/client-management/mdm/personalization-ddf.md
View File

@ -1,7 +1,7 @@
--- ---
title: Personalization DDF file title: Personalization DDF file
description: View the XML file containing the device description framework (DDF) for the Personalization configuration service provider. description: View the XML file containing the device description framework (DDF) for the Personalization configuration service provider.
ms.date: 01/31/2024 ms.date: 03/05/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the P
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion> <MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList> <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;</MSFT:EditionAllowList>
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
@ -101,7 +101,7 @@ The following XML file contains the device description framework (DDF) for the P
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image.</Description> <Description>A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image.</Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>
@ -148,7 +148,7 @@ The following XML file contains the device description framework (DDF) for the P
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only.</Description> <Description>A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only.</Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>
@ -162,7 +162,7 @@ The following XML file contains the device description framework (DDF) for the P
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.22621.3235</MSFT:OsBuildVersion>
<MSFT:CspVersion>2.0</MSFT:CspVersion> <MSFT:CspVersion>2.0</MSFT:CspVersion>
</MSFT:Applicability> </MSFT:Applicability>
<MSFT:AllowedValues ValueType="None"> <MSFT:AllowedValues ValueType="None">
@ -189,7 +189,7 @@ The following XML file contains the device description framework (DDF) for the P
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.22621.3235</MSFT:OsBuildVersion>
<MSFT:CspVersion>2.0</MSFT:CspVersion> <MSFT:CspVersion>2.0</MSFT:CspVersion>
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>
@ -203,7 +203,7 @@ The following XML file contains the device description framework (DDF) for the P
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>This represents the name of the company. It can be at most 30 characters long. This setting is currently available only for boot to cloud shared pc mode to display the company name on sign-in screen.</Description> <Description>The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only.</Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>
@ -217,7 +217,7 @@ The following XML file contains the device description framework (DDF) for the P
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.22621.3235</MSFT:OsBuildVersion>
<MSFT:CspVersion>2.0</MSFT:CspVersion> <MSFT:CspVersion>2.0</MSFT:CspVersion>
</MSFT:Applicability> </MSFT:Applicability>
<MSFT:AllowedValues ValueType="RegEx"> <MSFT:AllowedValues ValueType="RegEx">

522
windows/configuration/assigned-access/configuration-file.md Normal file
View File

@ -0,0 +1,522 @@
---
title: Create an Assigned Access configuration file
description: Learn how to create an XML file to configure Assigned Access.
ms.topic: how-to
zone_pivot_groups: windows-versions-11-10
ms.date: 03/04/2024
appliesto:
---
# Create an Assigned Access configuration XML file
To configure Assigned Access, you must create and apply a configuration XML file to your devices. The configuration file must conform to a *schema*, as defined in [Assigned Access XML Schema Definition (XSD)](xsd.md).
This article describes how to configure an Assigned Access configuration file, including practical examples.
Let's start by looking at the basic structure of the XML file. An Assigned Access configuration file contains:
- One or multiple `profiles`. Each `profile` defines a set of applications that are allowed to run
- One or multiple `configs`. Each `config` associates a user account or a group to a `profile`
Here's a basic example of an Assigned Access configuration file, with one profile and one config:
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{GUID}">
<!-- Add configuration here as needed -->
</Profile>
</Profiles>
<Configs>
<Config>
<!-- Add configuration here as needed -->
</Config>
</Configs>
</AssignedAccessConfiguration>
```
## Versioning
The Assigned Access configuration XML is versioned. The version is defined in the XML root element, and it's used to determine which schema to use to validate the XML file. The version is also used to determine which features are available for the configuration. Here's a table of the versions, aliases used in the documentation examples, and namespaces:
| Version | Alias | Namespace |
|-|-|-|
|Windows 11, version 22H2|`v5`|`http://schemas.microsoft.com/AssignedAccess/2022/config`|
|Windows 11, version 21H2|`v4`|`http://schemas.microsoft.com/AssignedAccess/2021/config`|
|Windows 10|`v5`|`http://schemas.microsoft.com/AssignedAccess/202010/config`|
|Windows 10|`v3`|`http://schemas.microsoft.com/AssignedAccess/2020/config`|
|Windows 10|`rs5`|`http://schemas.microsoft.com/AssignedAccess/201810/config`|
|Windows 10|default|`http://schemas.microsoft.com/AssignedAccess/2017/config`|
To authorize a compatible configuration XML that includes version-specific elements and attributes, always include the namespace of the add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the `StartPins` feature that was added in Windows 11, version 22H2, use the below example. Note the alias `v5` associated to the `http://schemas.microsoft.com/AssignedAccess/2022/config` namespace for 22H2 release, and the alias is tagged on `StartPins` inline.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="{GUID}">
<!-- Add configuration here as needed -->
<v5:StartPins>
<!-- Add StartPins configuration here -->
</v5:StartPins>
</Profile>
</Profiles>
<Configs>
<Config>
<!-- Add configuration here as needed -->
</Config>
</Configs>
</AssignedAccessConfiguration>
```
Here you can find the Assigned Access XML schema definitions: [Assigned Access XML Schema Definition (XSD)](xsd.md).
## Profiles
A configuration file can contain one or more profiles. Each profile is identified by a unique identifier `Profile Id` and, optionally, a `Name`. For example:
```xml
<Profiles>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" Name="Microsoft Learn example">
<!-- Add configuration here as needed -->
</Profile>
</Profiles>
```
> [!TIP]
> The `Profile Id` must be unique within the XML file. You can generate a GUID with the PowerShell cmdlet `New-Guid`.
A profile can be one of two types:
- `KioskModeApp`: is used to configure a kiosk experience. Users assigned this profile don't access the desktop, but only the Universal Windows Platform (UWP) application or Microsoft Edge running in full-screen above the Lock screen
- `AllAppList` is used to configure a restricted user experience. Users assigned this profile, access the desktop with the specific apps on the Start menu
> [!IMPORTANT]
>
> - You can't set both `KioskModeApp` and `ShellLauncher` at the same time on the device
> - A configuration file can contain only one `KioskModeApp` profile, but it can contain multiple `AllAppList` profiles.
### KioskModeApp
The properties of a `KioskModeApp` profile are:
| Property| Description | Details |
|-|-|-|
|`AppUserModelId`|The Application User Model ID (AUMID) of the UWP app.|Learn how to [Find the Application User Model ID of an installed app](../store/find-aumid.md).|
|`v4:ClassicAppPath`|The full path to a desktop app executable.|This is the path to the desktop app used in kiosk mode. The path can contain system environment variables in the form of `%variableName%`.|
|`v4:ClassicAppArguments`|The arguments to be passed to the desktop app.|This property is optional.|
By default, you can use the <kbd>CTRL</kbd>+<kbd>ALT</kbd>+<kbd>DEL</kbd> sequence to exit kiosk mode. You can define a `BreakoutSequence` element to change the default sequence. The `Key` attribute is a string that represents the key combination.
Example of two profiles, a desktop app and a UWP app:
```xml
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}">
<KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" v4:ClassicAppArguments="--kiosk https://www.contoso.com/ --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2" />
<v4:BreakoutSequence Key="Ctrl+A"/>
</Profile>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F79}">
<KioskModeApp AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
</Profile>
```
> [!NOTE]
> You can only assign a `KioskModeApp` profile to users, not to groups.
### AllAppList
Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules are generated to allow the apps that are listed in the configuration.
> [!NOTE]
> If an app has a dependency on another app, both must be included in the allowed apps list.
Within the `AllAppList` node, define a list of applications that are allowed execute. Each `App` element has the following properties:
| Property| Description | Details |
|-|-|-|
|`AppUserModelId`|The Application User Model ID (AUMID) of the UWP app.|Learn how to [Find the Application User Model ID of an installed app](../store/find-aumid.md).|
|`DesktopAppPath`|The full path to a desktop app executable.|This is the path to the desktop app that used in kiosk mode. The path can contain system environment variables in the form of `%variableName%`.|
|`rs5:AutoLaunch`|A Boolean attribute to indicate whether to launch the app (either desktop or UWP app) automatically when the user signs in.|This property is optional. Only one application can autolaunch.|
|`rs5:AutoLaunchArguments`|The arguments to be passed to the app that is configured with `AutoLaunch`.|AutoLaunchArguments are passed to the apps as is and the app needs to handle the arguments explicitly. This property is optional.|
Example:
```xml
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App DesktopAppPath="C:\Windows\system32\cmd.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
<App DesktopAppPath="C:\Windows\System32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="%windir%\setuperr.log" />
</AllowedApps>
</AllAppsList>
```
::: zone pivot="windows-10"
### File Explorer restrictions
In a restricted user experience (`AllAppList`), folder browsing is locked down by default. You can explicitly allow access to known folders by including the `FileExplorerNamespaceRestrictions` node.
You can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time.
```xml
<Profiles>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" Name="Microsoft Learn example">
<AllAppsList>
<AllowedApps>
<!-- Add configuration here as needed -->
</AllowedApps>
</AllAppsList>
<rs5:FileExplorerNamespaceRestrictions>
<!-- Add configuration here as needed -->
</rs5:FileExplorerNamespaceRestrictions>
<!-- Add configuration here as needed -->
</Profile>
</Profiles>
```
Here are some practical examples.
#### Block everything
Either don't use the node or leave it empty.
```xml
<rs5:FileExplorerNamespaceRestrictions>
</rs5:FileExplorerNamespaceRestrictions>
```
#### Only allow downloads
```xml
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads"/>
</rs5:FileExplorerNamespaceRestrictions>
```
#### Only allow removable drives
```xml
<rs5:FileExplorerNamespaceRestrictions>
<v3:AllowRemovableDrives />
</rs5:FileExplorerNamespaceRestrictions>
```
#### Allow both Downloads, and removable drives
```xml
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads"/>
<v3:AllowRemovableDrives/>
</rs5:FileExplorerNamespaceRestrictions>
```
#### No restrictions, all locations are allowed
```xml
<rs5:FileExplorerNamespaceRestrictions>
<v3:NoRestriction />
</rs5:FileExplorerNamespaceRestrictions>
```
> [!TIP]
> To grant access to File Explorer in a restricted user experience, add `Explorer.exe` to the list of allowed apps, and pin a shortcut to the Start menu.
::: zone-end
### Start menu customizations
For a restricted user experience profile (`AllAppList`), you must define the Start layout. The Start layout contains a list of applications that are pinned to the Start menu. You can choose to pin all the allowed applications to the Start menu, or a subset. The easiest way to create a customized Start layout is to configure the Start menu on a test device and then export the layout.
::: zone pivot="windows-10"
To learn how to customize and export a Start menu configuration, see [Customize the Start menu](../start/customize-and-export-start-layout.md).
With the exported Start menu configuration, use the `StartLayout` element and add the content of the XML file. For example:
```xml
<StartLayout>
<![CDATA[
<!-- Add your exported Start menu XML configuration file here -->
]]>
</StartLayout>
```
Example with some apps pinned:
```xml
<StartLayout>
<![CDATA[
<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1"
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Group1">
<start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft. ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft. ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
</start:Group>
<start:Group Name="Group2">
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
<start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad. lnk" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]>
</StartLayout>
```
::: zone-end
::: zone pivot="windows-11"
To learn how to customize and export a Start menu configuration, see [Customize the Start menu](../start/customize-and-export-start-layout.md).
With the exported Start menu configuration, use the `v5:StartPins` element and add the content of the exported JSON file. For example:
```xml
<v5:StartPins>
<![CDATA[
<!-- Add your exported Start menu JSON configuration file here -->
]]>
</v5:StartPins>
```
Example with some apps pinned:
<v5:StartPins>
<![CDATA[
{
"pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"}
]
}
]]>
</v5:StartPins>
::: zone-end
> [!NOTE]
> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.
### Taskbar customizations
::: zone pivot="windows-10"
You can't pin apps on the taskbar in a restricted user experience. It's not supported to configure a Taskbar layout using the `<CustomTaskbarLayoutCollection>` tag in a layout modification XML, as part of the Assigned Access configuration.
The only Taskbar customization available is the option to show or hide it, using the `ShowTaskbar` boolean attribute.
The following example exposes the taskbar:
```xml
<Taskbar ShowTaskbar="true"/>
```
The following example hides the taskbar:
```xml
<Taskbar ShowTaskbar="false"/>
```
> [!NOTE]
> This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting `ShowTaskbar` as `false` hides the taskbar permanently.
::: zone-end
::: zone pivot="windows-11"
You can customize the Taskbar by creating a custom layout and adding it to your XML file. To learn how to customize and export the Taskbar configuration, see [Customize the Taskbar](../taskbar/configure.md).
> [!NOTE]
> In Windows 11, the `ShowTaskbar` attribute is no-op. Configure it with a value of `true`.
With the exported Taskbar configuration, use the `v5:TaskbarLayout` element and add the content of the XML file. For example:
```xml
<Taskbar ShowTaskbar="true" />
<v5:TaskbarLayout><![CDATA[
<!-- Add your exported Taskbar XML configuration file here -->
]]>
</v5:TaskbarLayout>
```
Here's an example of a custom Taskbar with a few apps pinned:
```xml
<Taskbar ShowTaskbar="true" />
<v5:TaskbarLayout><![CDATA[
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer" />
<taskbar:DesktopApp DesktopApplicationID="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/>
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
]]>
</v5:TaskbarLayout>
```
::: zone-end
<!--here-->
## Configs
Under `Configs`, define one or more user accounts, or groups, and their association with a profile.
When the user account signs in, the associated Assigned Access profile is enforced along with policy settings that are part of the restricted user experience.
You can assign:
- A standard user account, which can be local, domain, or Microsoft Entra ID
- A group account, which can be local, Active Directory (domain), or Microsoft Entra ID
Limitations:
- Configs that specify group accounts can't use a kiosk profile, only a restricted user experience profile
- Apply the restricted user experience to standard users only. It's not supported to associate an admin user with an Assigned Access profile
- Don't apply the profile to users or groups that are targeted by conditional access policies that require user interaction. For example, multi-factor authentication (MFA), or Terms of Use (TOU). For more information, see [Users can't log on to Windows if a multi-app kiosk profile is assigned](/troubleshoot/mem/intune/device-configuration/users-cannot-logon-windows-multi-app-kiosk)
>[!NOTE]
> On Microsoft Entra joined and domain joined devices, local user accounts aren't displayed on the sign-in screen by default. To display the local accounts on the sign-in screen, enable the policy setting:
>
>- GPO: **Computer Configuration** > **Administrative Templates** > **System** > **Logon** > **Enumerate local users on domain-joined computers**
>- CSP: `./Device/Vendor/MSFT/Policy/Config/WindowsLogon/`[EnumerateLocalUsersOnDomainJoinedComputers](/windows/client-management/mdm/policy-csp-windowslogon#enumeratelocalusersondomainjoinedcomputers)
### AutoLogon account
With `<AutoLogonAccount>`, Assigned Access creates and manages a user account to automatically sign in after a device restarts. The account is a local standard user.
The following example shows how to specify an account to sign in automatically, and the optional display name for the account on the sign-in screen:
```xml
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="Microsoft Learn example"/>
<DefaultProfile Id="{GUID}"/>
</Config>
</Configs>
```
>[!IMPORTANT]
>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature doesn't work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon).
### Global profile
With `GlobalProfile`, you can define an Assigned Access profile that is applied to every non-admin account that signs in. `GlobalProfile` is useful in scenarios like frontline workers or student devices, where you want to ensure that every user has a consistent experience.
```xml
<Configs>
<v3:GlobalProfile Id="{GUID}"/>
</Configs>
```
> [!NOTE]
> You can combine a global profile with other profiles. If you assign a user a non-global profile, the global profile won't be applied to that user.
### User accounts
Individual accounts are specified using `<Account>`.
> [!IMPORTANT]
> Before applying the Assigned Access configuration, make sure the specified user account is available on the device, otherwise it fails.
>
> For both domain and Microsoft Entra accounts, as long as the device is Active Directory joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
#### Local user
Local account can be entered as `devicename\user`, `.\user`, or just `user`.
```xml
<Config>
<Account>user</Account>
<DefaultProfile Id="{GUID}"/>
</Config>
```
#### Active Directory user
Domain accounts must be entered using the format `domain\samAccountName`.
```xml
<Config>
<Account>contoso\user</Account>
<DefaultProfile Id="{GUID}"/>
</Config>
```
#### Microsoft Entra user
Microsoft Entra accounts must be specified with the format: `AzureAD\{UPN}`. `AzureAD` must be provided *as is*, then follow with the Microsoft Entra user principal name (UPN).
```xml
<Config>
<Account>AzureAD\user@contoso.onmicrosoft.com</Account>
<DefaultProfile Id="{GUID}"/>
</Config>
```
### Group accounts
Group accounts are specified using `<UserGroup>`. Nested groups aren't supported. For example, if *User A* is member of *Group A*, *Group A* is member of *Group B*, and *Group B* is used in `<Config/>`, *User A* doesn't have the kiosk experience.
#### Local group
Specify the group type as `LocalGroup` and add the group name in the `Name` attribute.
```xml
<Config>
<UserGroup Type="LocalGroup" Name="groupname" />
<DefaultProfile Id="{GUID}"/>
</Config>
```
#### Active Directory group
Both security and distribution groups are supported. Specify the group type as `ActiveDirectoryGroup`. Use the domain name as the prefix in the name attribute.
```xml
<Config>
<UserGroup Type="ActiveDirectoryGroup" Name="contoso\groupname" />
<DefaultProfile Id="{GUID}"/>
</Config>
```
#### Microsoft Entra group
Use the object ID of the Microsoft Entra group. You can find the object ID on the overview page for the group by signing in to the Microsoft Entra admin center and browsing to **Identity** > **Groups** > **All groups**. Specify the group type as `AzureActiveDirectoryGroup`. The kiosk device must have internet connectivity when users that belong to the group sign-in.
```xml
<Config>
<UserGroup Type="AzureActiveDirectoryGroup" Name="Group_GUID" />
<DefaultProfile Id="{GUID}"/>
</Config>
```
## Next steps
> [!div class="nextstepaction"]
> Review some practical examples of Assigned Access XML configurations:
>
> [Assigned Access examples](examples.md)

49
windows/configuration/assigned-access/examples.md Normal file
View File

@ -0,0 +1,49 @@
---
title: Assigned Access examples
description: Practical examples of XML files to configure Assigned Access.
ms.date: 03/04/2024
ms.topic: reference
zone_pivot_groups: windows-versions-11-10
appliesto:
---
# Assigned Access examples
This article contains examples of XML files to configure a device with Assigned Access. The files can be easily modified to fit your specific needs.
To learn more:
- [Create an Assigned Access configuration XML file](configuration-file.md).
- [Assigned Access XML Schema Definition (XSD)](xsd.md).
## Kiosk experience with Microsoft Edge
[!INCLUDE [example-kiosk-edge](includes/example-kiosk-edge.md)]
## Kiosk experience with Universal Windows Platform (UWP) app
[!INCLUDE [example-kiosk-uwp](includes/example-kiosk-uwp.md)]
::: zone pivot="windows-10"
## File Explorer restrictions
[!INCLUDE [example-file-explorer-restrictions](includes/example-file-explorer-restrictions.md)]
::: zone-end
## Global Profile
The following configuration demonstrates that only a global profile is used, with no user configured.
[!INCLUDE [example-global-profile](includes/example-global-profile.md)]
## User Group
The following configuration demonstrates how to assign profiles to different users and groups, including a user configured to automatically sign in.
[!INCLUDE [example-usergroup](includes/example-usergroup.md)]
## Restricted user experience
[!INCLUDE [example-restricted-experience](includes/example-restricted-experience.md)]

BIN
windows/configuration/assigned-access/images/kiosk.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.6 KiB

BIN
windows/configuration/assigned-access/images/restricted-user-experience-windows-10.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 172 KiB

BIN
windows/configuration/assigned-access/images/restricted-user-experience-windows-11.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 544 KiB

BIN
windows/configuration/assigned-access/images/restricted-user-experience.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.4 KiB

30
windows/configuration/assigned-access/includes/example-file-explorer-restrictions.md Normal file
View File

@ -0,0 +1,30 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 03/01/2024
ms.topic: include
---
<!-- example of a restricted user profile with File Explorer restrictions and autologon account -->
```xml
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<!-- Add configuration here -->
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads" />
<v3:AllowRemovableDrives />
</rs5:FileExplorerNamespaceRestrictions>
<!-- Add configuration here -->
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="MS Learn Example" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}" />
</Config>
</Configs>
</AssignedAccessConfiguration>
```

22
windows/configuration/assigned-access/includes/example-global-profile.md Normal file
View File

@ -0,0 +1,22 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.topic: include
---
<!--Global profile-->
```xml
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<!-- Add configuration here -->
</Profile>
</Profiles>
<Configs>
<v3:GlobalProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}" />
</Configs>
</AssignedAccessConfiguration>
```

26
windows/configuration/assigned-access/includes/example-kiosk-edge.md Normal file
View File

@ -0,0 +1,26 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 03/01/2024
ms.topic: include
---
<!-- Microsoft Edge kiosk-->
```xml
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config">
<Profiles>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}">
<KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" v4:ClassicAppArguments="--kiosk https://www.contoso.com/ --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2" />
<v4:BreakoutSequence Key="Ctrl+A" />
</Profile>
</Profiles>
<Configs>
<Config>
<Account>Edge kiosk</Account>
<DefaultProfile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" />
</Config>
</Configs>
</AssignedAccessConfiguration>
```

25
windows/configuration/assigned-access/includes/example-kiosk-uwp.md Normal file
View File

@ -0,0 +1,25 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.topic: include
---
<!-- example of a kiosk experience with UWP app-->
```xml
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}">
<KioskModeApp AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
</Profile>
</Profiles>
<Configs>
<Config>
<Account>Weather app</Account>
<DefaultProfile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" />
</Config>
</Configs>
</AssignedAccessConfiguration>
```

115
windows/configuration/assigned-access/includes/example-restricted-experience.md Normal file
View File

@ -0,0 +1,115 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.topic: include
---
<!-- example of a restricted user experience-->
::: zone pivot="windows-10"
```xml
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App DesktopAppPath="C:\Windows\system32\cmd.exe" />
<App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<App AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
</AllowedApps>
</AllAppsList>
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads" />
<v3:AllowRemovableDrives />
</rs5:FileExplorerNamespaceRestrictions>
<StartLayout><![CDATA[
<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="">
<start:Tile Size="2x2" Column="0" Row="4" AppUserModelID="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<start:DesktopApplicationTile Size="2x2" Column="2" Row="4" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<start:DesktopApplicationTile Size="2x2" Column="4" Row="2" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
<start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk" />
<start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]></StartLayout>
<Taskbar ShowTaskbar="true" />
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="MS Learn Example" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}" />
</Config>
</Configs>
</AssignedAccessConfiguration>
```
::: zone-end
::: zone pivot="windows-11"
```xml
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App DesktopAppPath="C:\Windows\system32\cmd.exe" />
<App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<App AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
</AllowedApps>
</AllAppsList>
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads" />
<v3:AllowRemovableDrives />
</rs5:FileExplorerNamespaceRestrictions>
<v5:StartPins><![CDATA[{
"pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.BingWeather_8wekyb3d8bbwe!App"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
{"packagedAppId": "windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"}
]
}]]></v5:StartPins>
<Taskbar ShowTaskbar="true" />
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="MS Learn Example" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}" />
</Config>
</Configs>
</AssignedAccessConfiguration>
```
::: zone-end

37
windows/configuration/assigned-access/includes/example-two-profiles.md Normal file
View File

@ -0,0 +1,37 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.topic: include
---
<!-- example of a kiosk experience and a restricted user experience with 2 profiles-->
```xml
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}">
<KioskModeApp AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
</Profile>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<!-- Add configuration here as needed -->
</AllowedApps>
</AllAppsList>
<!-- Add configuration here as needed -->
</Profile>
</Profiles>
<Configs>
<Config>
<Account>Weather app</Account>
<DefaultProfile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" />
</Config>
<Config>
<Account>Library Kiosk</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}" />
</Config>
</Configs>
</AssignedAccessConfiguration>
```

47
windows/configuration/assigned-access/includes/example-usergroup.md Normal file
View File

@ -0,0 +1,47 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.topic: include
---
<!--UserGroup example-->
```xml
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config">
<Profiles>
<!-- Add configuration here as needed -->
</Profiles>
<Configs>
<Config>
<Account>contoso\user</Account>
<DefaultProfile Id="{GUID}" />
</Config>
<Config>
<Account>AzureAD\user@contoso.onmicrosoft.com</Account>
<DefaultProfile Id="{GUID}" />
</Config>
<Config>
<Account>user</Account>
<DefaultProfile Id="{GUID}" />
</Config>
<Config>
<AutoLogonAccount rs5:DisplayName="Hello World" />
<DefaultProfile Id="{GUID}" />
</Config>
<Config>
<UserGroup Type="LocalGroup" Name="groupname" />
<DefaultProfile Id="{GUID}" />
</Config>
<Config>
<UserGroup Type="ActiveDirectoryGroup" Name="contoso\groupname" />
<DefaultProfile Id="{GUID}" />
</Config>
<Config>
<UserGroup Type="AzureActiveDirectoryGroup" Name="Group_GUID" />
<DefaultProfile Id="{GUID}" />
</Config>
</Configs>
</AssignedAccessConfiguration>
```

13
windows/configuration/assigned-access/includes/quickstart-kiosk-intune.md Normal file
View File

@ -0,0 +1,13 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.topic: include
---
```msgraph-interactive
POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
Content-Type: application/json
{ "id": "00000000-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Kiosk - Assigned Access", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "displayName": "Configuration", "@odata.type": "#microsoft.graph.omaSettingString", "value": "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<AssignedAccessConfiguration\n xmlns=\"http://schemas.microsoft.com/AssignedAccess/2017/config\"\n xmlns:rs5=\"http://schemas.microsoft.com/AssignedAccess/201810/config\"\n xmlns:v4=\"http://schemas.microsoft.com/AssignedAccess/2021/config\"\n >\n <Profiles>\n <Profile Id=\"{EDB3036B-780D-487D-A375-69369D8A8F78}\">\n <KioskModeApp v4:ClassicAppPath=\"%ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe\" v4:ClassicAppArguments=\"--kiosk https://www.contoso.com/ --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2\" />\n <v4:BreakoutSequence Key=\"Ctrl+A\"/>\n </Profile>\n </Profiles>\n <Configs>\n <Config>\n <AutoLogonAccount rs5:DisplayName=\"MS Learn Example\"/>\n <DefaultProfile Id=\"{EDB3036B-780D-487D-A375-69369D8A8F78}\"/>\n </Config>\n </Configs>\n</AssignedAccessConfiguration>" } ] }
```

32
windows/configuration/assigned-access/includes/quickstart-kiosk-ps.md Normal file
View File

@ -0,0 +1,32 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.topic: include
---
```powershell
$assignedAccessConfiguration = @"
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config">
<Profiles>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}">
<KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" v4:ClassicAppArguments="--kiosk https://www.contoso.com/ --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2" />
<v4:BreakoutSequence Key="Ctrl+A" />
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="MS Learn Example" />
<DefaultProfile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" />
</Config>
</Configs>
</AssignedAccessConfiguration>
"@
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
Set-CimInstance -CimInstance $obj
```

24
windows/configuration/assigned-access/includes/quickstart-kiosk-xml.md Normal file
View File

@ -0,0 +1,24 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.topic: include
---
```xml
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config">
<Profiles>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}">
<KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" v4:ClassicAppArguments="--kiosk https://www.contoso.com/ --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2" />
<v4:BreakoutSequence Key="Ctrl+A" />
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="MS Learn Example" />
<DefaultProfile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" />
</Config>
</Configs>
</AssignedAccessConfiguration>
```

28
windows/configuration/assigned-access/includes/quickstart-restricted-experience-intune.md Normal file
View File

@ -0,0 +1,28 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.topic: include
---
::: zone pivot="windows-10"
```msgraph-interactive
POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
Content-Type: application/json
{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Restricted_User_Experience - Assigned Access - Windows 10", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<AssignedAccessConfiguration\n xmlns:xs=\"http://www.w3.org/2001/XMLSchema\"\n xmlns=\"http://schemas.microsoft.com/AssignedAccess/2017/config\"\n xmlns:default=\"http://schemas.microsoft.com/AssignedAccess/2017/config\"\n xmlns:rs5=\"http://schemas.microsoft.com/AssignedAccess/201810/config\"\n xmlns:v3=\"http://schemas.microsoft.com/AssignedAccess/2020/config\">\n <Profiles>\n <Profile Id=\"{9A2A490F-10F6-4764-974A-43B19E722C23}\">\n <AllAppsList>\n <AllowedApps>\n <App AppUserModelId=\"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\" />\n <App AppUserModelId=\"Microsoft.Windows.Photos_8wekyb3d8bbwe!App\" />\n <App AppUserModelId=\"Microsoft.BingWeather_8wekyb3d8bbwe!App\" />\n <App DesktopAppPath=\"C:\\Windows\\system32\\cmd.exe\" />\n <App DesktopAppPath=\"%windir%\\System32\\WindowsPowerShell\\v1.0\\Powershell.exe\" />\n <App DesktopAppPath=\"%windir%\\explorer.exe\" />\n <App AppUserModelId=\"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel\" />\n <App AppUserModelId=\"%ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe\" />\n </AllowedApps>\n </AllAppsList>\n <rs5:FileExplorerNamespaceRestrictions>\n <rs5:AllowedNamespace Name=\"Downloads\"/>\n <v3:AllowRemovableDrives/>\n </rs5:FileExplorerNamespaceRestrictions>\n <StartLayout>\n <![CDATA[\n <LayoutModificationTemplate xmlns:defaultlayout=\"http://schemas.microsoft.com/Start/2014/FullDefaultLayout\" xmlns:start=\"http://schemas.microsoft.com/Start/2014/StartLayout\" Version=\"1\" xmlns=\"http://schemas.microsoft.com/Start/2014/LayoutModification\">\n <LayoutOptions StartTileGroupCellWidth=\"6\" />\n <DefaultLayoutOverride>\n <StartLayoutCollection>\n <defaultlayout:StartLayout GroupCellWidth=\"6\">\n <start:Group Name=\"\">\n <start:Tile Size=\"2x2\" Column=\"0\" Row=\"4\" AppUserModelID=\"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel\" />\n <start:DesktopApplicationTile Size=\"2x2\" Column=\"2\" Row=\"4\" DesktopApplicationLinkPath=\"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk\" />\n <start:Tile Size=\"2x2\" Column=\"4\" Row=\"0\" AppUserModelID=\"Microsoft.BingWeather_8wekyb3d8bbwe!App\" />\n <start:DesktopApplicationTile Size=\"2x2\" Column=\"4\" Row=\"2\" DesktopApplicationLinkPath=\"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\File Explorer.lnk\" />\n <start:DesktopApplicationTile Size=\"2x2\" Column=\"2\" Row=\"2\" DesktopApplicationLinkPath=\"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk\" />\n <start:Tile Size=\"2x2\" Column=\"2\" Row=\"0\" AppUserModelID=\"Microsoft.Windows.Photos_8wekyb3d8bbwe!App\" />\n <start:Tile Size=\"2x2\" Column=\"0\" Row=\"0\" AppUserModelID=\"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\" />\n <start:DesktopApplicationTile Size=\"2x2\" Column=\"0\" Row=\"2\" DesktopApplicationLinkPath=\"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk\" />\n </start:Group>\n </defaultlayout:StartLayout>\n </StartLayoutCollection>\n </DefaultLayoutOverride>\n </LayoutModificationTemplate>\n ]]>\n </StartLayout>\n <Taskbar ShowTaskbar=\"true\"/>\n </Profile>\n </Profiles>\n <Configs>\n <Config>\n <AutoLogonAccount rs5:DisplayName=\"MS Learn Example\"/>\n <DefaultProfile Id=\"{9A2A490F-10F6-4764-974A-43B19E722C23}\"/>\n </Config>\n </Configs>\n</AssignedAccessConfiguration>" } ] }
```
::: zone-end
::: zone pivot="windows-11"
```msgraph-interactive
POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
Content-Type: application/json
{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Restricted_User_Experience - Assigned Access - Windows 11", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<AssignedAccessConfiguration\n xmlns:xs=\"http://www.w3.org/2001/XMLSchema\"\n xmlns=\"http://schemas.microsoft.com/AssignedAccess/2017/config\"\n xmlns:default=\"http://schemas.microsoft.com/AssignedAccess/2017/config\"\n xmlns:rs5=\"http://schemas.microsoft.com/AssignedAccess/201810/config\"\n xmlns:v3=\"http://schemas.microsoft.com/AssignedAccess/2020/config\"\n xmlns:v5=\"http://schemas.microsoft.com/AssignedAccess/2022/config\">\n <Profiles>\n <Profile Id=\"{9A2A490F-10F6-4764-974A-43B19E722C23}\">\n <AllAppsList>\n <AllowedApps>\n <App AppUserModelId=\"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\" />\n <App AppUserModelId=\"Microsoft.Windows.Photos_8wekyb3d8bbwe!App\" />\n <App AppUserModelId=\"Microsoft.BingWeather_8wekyb3d8bbwe!App\" />\n <App DesktopAppPath=\"C:\\Windows\\system32\\cmd.exe\" />\n <App DesktopAppPath=\"%windir%\\System32\\WindowsPowerShell\\v1.0\\Powershell.exe\" />\n <App DesktopAppPath=\"%windir%\\explorer.exe\" />\n <App AppUserModelId=\"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel\" />\n <App AppUserModelId=\"%ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe\" />\n </AllowedApps>\n </AllAppsList>\n <rs5:FileExplorerNamespaceRestrictions>\n <rs5:AllowedNamespace Name=\"Downloads\"/>\n <v3:AllowRemovableDrives/>\n </rs5:FileExplorerNamespaceRestrictions>\n <v5:StartPins>\n <![CDATA[{\n \"pinnedList\":[\n {\"packagedAppId\":\"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\"},\n {\"packagedAppId\":\"Microsoft.Windows.Photos_8wekyb3d8bbwe!App\"},\n {\"packagedAppId\":\"Microsoft.BingWeather_8wekyb3d8bbwe!App\"},\n {\"desktopAppLink\":\"%APPDATA%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\System Tools\\\\Command Prompt.lnk\"},\n {\"desktopAppLink\":\"%APPDATA%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Windows PowerShell\\\\Windows PowerShell.lnk\"},\n {\"desktopAppLink\":\"%APPDATA%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\File Explorer.lnk\"},\n {\"packagedAppId\": \"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel\"},\n {\"desktopAppLink\": \"%ALLUSERSPROFILE%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Microsoft Edge.lnk\"}\n ]\n }]]>\n </v5:StartPins>\n <Taskbar ShowTaskbar=\"true\"/>\n </Profile>\n </Profiles>\n <Configs>\n <Config>\n <AutoLogonAccount rs5:DisplayName=\"MS Learn Example\"/>\n <DefaultProfile Id=\"{9A2A490F-10F6-4764-974A-43B19E722C23}\"/>\n </Config>\n </Configs>\n</AssignedAccessConfiguration>" } ] }
```
::: zone-end

129
windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md Normal file
View File

@ -0,0 +1,129 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.topic: include
---
::: zone pivot="windows-10"
```powershell
$assignedAccessConfiguration = @"
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%windir%\System32\cmd.exe" />
<App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<App AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
</AllowedApps>
</AllAppsList>
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads" />
<v3:AllowRemovableDrives />
</rs5:FileExplorerNamespaceRestrictions>
<StartLayout><![CDATA[
<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="">
<start:Tile Size="2x2" Column="0" Row="4" AppUserModelID="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<start:DesktopApplicationTile Size="2x2" Column="2" Row="4" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<start:DesktopApplicationTile Size="2x2" Column="4" Row="2" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
<start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk" />
<start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]></StartLayout>
<Taskbar ShowTaskbar="true" />
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="MS Learn Example" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}" />
</Config>
</Configs>
</AssignedAccessConfiguration>
"@
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
Set-CimInstance -CimInstance $obj
```
::: zone-end
::: zone pivot="windows-11"
```powershell
$assignedAccessConfiguration = @"
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%windir%\System32\cmd.exe" />
<App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<App AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
</AllowedApps>
</AllAppsList>
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads" />
<v3:AllowRemovableDrives />
</rs5:FileExplorerNamespaceRestrictions>
<v5:StartPins><![CDATA[{
"pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.BingWeather_8wekyb3d8bbwe!App"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
{"packagedAppId": "windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"}
]
}]]></v5:StartPins>
<Taskbar ShowTaskbar="true" />
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="MS Learn Example" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}" />
</Config>
</Configs>
</AssignedAccessConfiguration>
"@
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
Set-CimInstance -CimInstance $obj
```
::: zone-end

113
windows/configuration/assigned-access/includes/quickstart-restricted-experience-xml.md Normal file
View File

@ -0,0 +1,113 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.topic: include
---
::: zone pivot="windows-10"
```xml
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App DesktopAppPath="C:\Windows\system32\cmd.exe" />
<App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<App AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
</AllowedApps>
</AllAppsList>
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads" />
<v3:AllowRemovableDrives />
</rs5:FileExplorerNamespaceRestrictions>
<StartLayout><![CDATA[
<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="">
<start:Tile Size="2x2" Column="0" Row="4" AppUserModelID="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<start:DesktopApplicationTile Size="2x2" Column="2" Row="4" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<start:DesktopApplicationTile Size="2x2" Column="4" Row="2" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
<start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk" />
<start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]></StartLayout>
<Taskbar ShowTaskbar="true" />
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="MS Learn Example" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}" />
</Config>
</Configs>
</AssignedAccessConfiguration>
```
::: zone-end
::: zone pivot="windows-11"
```xml
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App DesktopAppPath="C:\Windows\system32\cmd.exe" />
<App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<App AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
</AllowedApps>
</AllAppsList>
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads" />
<v3:AllowRemovableDrives />
</rs5:FileExplorerNamespaceRestrictions>
<v5:StartPins><![CDATA[{
"pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.BingWeather_8wekyb3d8bbwe!App"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
{"packagedAppId": "windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"}
]
}]]></v5:StartPins>
<Taskbar ShowTaskbar="true" />
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="MS Learn Example" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}" />
</Config>
</Configs>
</AssignedAccessConfiguration>
```
::: zone-end

72
windows/configuration/assigned-access/index.md Normal file
View File

@ -0,0 +1,72 @@
---
title: Windows kiosks and restricted user experiences
description: Learn about the options available in Windows to configure kiosks and restricted user experiences.
ms.topic: overview
ms.date: 03/04/2024
---
# Windows kiosks and restricted user experiences
Organizations are constantly seeking ways to streamline operations, improve customer service, and enhance productivity. One effective solution is the deployment of kiosk devices. These specialized devices offer a range of benefits that can significantly impact an organization's efficiency and success. For example:
- Cost-effective customer service: kiosks allow organizations to provide essential services without the need for dedicated staff. Whether it's checking in at a hotel, ordering food at a restaurant, or printing boarding passes at an airport, kiosks reduce labor costs while maintaining service quality. Customers appreciate the convenience of self-service options, leading to higher satisfaction levels
- Reduced wait times: long queues and wait times frustrate customers and staff members. Kiosks expedite processes by allowing users to complete tasks independently. Whether it's paying bills, renewing memberships, or accessing information, kiosks empower users to get things done swiftly
- Consistent brand experience: kiosks ensure a uniform brand experience across different locations. Whether in retail stores, schools, airports, or healthcare facilities, the interface remains consistent. Brand consistency builds trust and reinforces the organization's image
- Customization and flexibility: kiosks can be tailored to specific needs. From touchscreens to barcode scanners, organizations choose features that align with their goals. Whether it's self-checkout, wayfinding, or interactive product catalogs, kiosks adapt to diverse requirements
Windows offers two different options for public or specialized use:
:::row:::
:::column span="1":::
:::image type="content" source="images/kiosk.png" alt-text="Icon representing a kiosk." border="false":::
:::column-end:::
:::column span="3":::
#### Kiosk experience
:::column-end:::
:::row-end:::
This option runs a single application in full screen, and people using the device can only use that app. When the designated kiosk account signs in, the kiosk app launches automatically. This option is sometimes referred to as *single-app kiosk*.
Windows offers two different features to configure a kiosk experience:
- **Assigned Access**: used to execute a single Universal Windows Platform (UWP) app or Microsoft Edge in full screen above the lock screen. When the kiosk account signs in, the kiosk app launches automatically. If the UWP app is closed, it automatically restarts
- **Shell Launcher**: used to configure a device to execute a Windows desktop application as the user interface. The application that you specify replaces the default Windows shell (`Explorer.exe`) that usually runs when a user signs in. This type of single-app kiosk doesn't run above the lock screen
:::row:::
:::column span="1":::
:::image type="content" source="images/restricted-user-experience.png" alt-text="Icon representing a restricted user experience." border="false":::
:::column-end:::
:::column span="3":::
#### Restricted user experience
:::column-end:::
:::row-end:::
This option loads the Windows desktop, but it only allows to run a defined set of applications. When the designated user signs in, the user can only run the apps that are allowed. The Start menu is customized to show only the apps that are allowed to execute. With this approach, you can configure a locked-down experience for different account types. This option is sometimes referred to as *multi-app kiosk*.
To configure a restricted user experience, you use the **Assigned Access** feature.
## Choose the right experience
When you're considering a kiosk or restricted user experience, you need to choose the right experience for your needs. A good approach is to ask yourself the following set of questions:
| | Question |
|--|--|
| **🔲** | *How many apps?* <br>The number of apps determines the experience to build: **kiosk** or **restricted user experience**.|
| **🔲** | *Desktop experience or custom?* <br>If your users require access to the desktop with a custom Start menu, then you can build a **restricted user experience** with **Assigned Access**. If your users require access to multiple applications but with a custom user interface, then you should use **Shell Launcher**.|
| **🔲** | *In single-app scenario, which type of app will your kiosk run?* <br>If the kiosk requires a Universal Windows Platform (UWP) app or Microsoft Edge, you can build a **kiosk experience** with **Assigned Access**. If the kiosk requires a desktop app, you can build a **kiosk experience** with **Shell Launcher**.|
| **🔲** | *Which edition of Windows client will the kiosk run?"* <br>**Assigned Access** is supported on Windows Pro and Enterprise/Education. **Shell Launcher** is only supported on Windows Enterprise and Education editions.|
## Next steps
In the next sections, you can learn more about the options available to configure kiosks and restricted user experiences:
- [Assigned Access](overview.md)
- [Shell Launcher](shell-launcher/index.md)
### :::image type="icon" source="../images/icons/rocket.svg" border="false"::: Quickstarts
If you're ready to try out the options available to configure kiosks and restricted user experiences, check out the following quickstarts:
- [Quickstart: configure a kiosk with Assigned Access](quickstart-kiosk.md)
- [Quickstart: configure a kiosk experience with Shell Launcher](shell-launcher/quickstart-kiosk.md)
- [Quickstart: configure a restricted user experience with Assigned Access](quickstart-restricted-user-experience.md)

342
windows/configuration/assigned-access/overview.md Normal file
View File

@ -0,0 +1,342 @@
---
title: What is Assigned Access?
description: Learn about Assigned Access and how you can use it to configure a Windows device as a kiosk or restricted user experience.
ms.date: 03/04/2024
ms.topic: overview
---
# What is Assigned Access?
Assigned Access is a Windows feature that you can use to configure a device as a kiosk or with a restricted user experience.
When you configure a **kiosk experience**, a single Universal Windows Platform (UWP) application or Microsoft Edge is executed in full screen, above the lock screen. Users can only use that application. If the kiosk app is closed, it automatically restarts. Practical examples include:
- Public browsing
- Interactive digital signage
When you configure a **restricted user experience**, users can only execute a defined list of applications, with a tailored Start menu and Taskbar. Different policy settings and AppLocker rules are enforced, creating a locked down experience. The users can access a familiar Windows desktop, while limiting their access, reducing distractions, and potential for inadvertent uses. Ideal for shared devices, you can create different configurations for different users. Practical examples include:
- Frontline worker devices
- Student devices
- Lab devices
> [!NOTE]
> When you configure a restricted user experience, different policy settings are applied to the device. Some policy settings apply to standard users only, and some to administrator accounts too. For more information, see [Assigned Access policy settings](policy-settings.md).
## Requirements
Here are the requirements for Assigned Access:
- To use a kiosk experience, [User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be enabled
- To use a kiosk experience, you must sign in from the console. The kiosk experience isn't supported over a remote desktop connection
[!INCLUDE [assigned-access](../../../includes/licensing/assigned-access.md)]
## Configure a kiosk experience
There are several options to configure a kiosk experience. If you need to configure a single device with a local account, you can use:
- PowerShell: you can use the `Set-AssignedAccess` PowerShell cmdlet to configure a kiosk experience using a local standard account
- Settings: use this option when you need a simple method to configure a single device with a local standard user account
For advanced customizations, you can use the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp) to configure the kiosk experience. The CSP allows you to configure the kiosk app, the user account, and the kiosk app's behavior. When you use the CSP, you must create an XML configuration file that specifies the kiosk app and the user account. The XML file is applied to the device using one of the following options:
- A Mobile Device Management (MDM) solution, like Microsoft Intune
- Provisioning packages
- PowerShell, with the MDM Bridge WMI Provider
To learn how to configure the Shell Launcher XML file, see [Create an Assigned Access configuration file](configuration-file.md).
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
You can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
- **Setting:** `./Vendor/MSFT/AssignedAccess/Configuration`
- **Value:** content of the XML configuration file
Assign the policy to a group that contains as members the devices that you want to configure.
#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
- **Path:** `AssignedAccess/AssignedAccessSettings`
- **Value:** Enter the account and the application you want to use for Assigned access, using the AUMID of the app. Example:
- `{"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}`
[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
To configure a device using Windows PowerShell:
1. Sign in as administrator
1. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access
1. Sign in as the Assigned Access user account
1. Install the required UWP app
1. Sign out as the Assigned Access user account
1. Sign in as administrator and from an elevated PowerShell prompt use one of the following commands:
```PowerShell
#Configure Assigned Access by AppUserModelID and user name
Set-AssignedAccess -AppUserModelId <AUMID> -UserName <username>
#Configure Assigned Access by AppUserModelID and user SID
Set-AssignedAccess -AppUserModelId <AUMID> -UserSID <usersid>
#Configure Assigned Access by app name and user name
Set-AssignedAccess -AppName <CustomApp> -UserName <username>
#Configure Assigned Access by app name and user SID**:
Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>
> [!NOTE]
> To set up Assigned Access using `-AppName`, the user account that you enter for Assigned Access must have signed in at least once.
For more information:
- [Find the Application User Model ID of an installed app](../store/find-aumid.md)
- [Set-AssignedAccess](/powershell/module/assignedaccess/set-assignedaccess)
To remove assigned access, using PowerShell, run the following cmdlet:
```powershell
Clear-AssignedAccess
```
For advanced customizations that use the XML configuration file, you can use PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal).
> [!IMPORTANT]
> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.
To test the PowerShell script, you can:
1. [Download the psexec tool](/sysinternals/downloads/psexec)
1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
1. Run the script in the PowerShell session
```PowerShell
$shellLauncherConfiguration = @"
# content of the XML configuration file
"@
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
Write-Error -ErrorRecord $cimSetError[0]
$timeout = New-TimeSpan -Seconds 30
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
do{
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
if($events.Count) {
$events | ForEach-Object {
Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
}
} else {
Write-Warning "Timed-out attempting to retrieve event logs..."
}
Exit 1
}
Write-Output "Successfully applied Shell Launcher configuration"
```
[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
#### [:::image type="icon" source="../images/icons/settings.svg"::: **Settings**](#tab/settings)
Here are the steps to configure a kiosk using the Settings app:
1. Open the Settings app to view and configure a device as a kiosk. Go to **Settings > Accounts > Other Users**, or use the following shortcut:
> [!div class="nextstepaction"]
>
> [Other Users](ms-settings:otherusers)
1. Under **Set up a kiosk**, select **Get Started**
1. In the **Create an account** dialog, enter the account name, and select **Next**
>[!NOTE]
>If there are any local standard user accounts already, the **Create an account** dialog offers the option to **Choose an existing account**
1. Choose the application to run when the kiosk account signs in. Only apps that can run above the lock screen are available in the list of apps to choose from. If you select **Microsoft Edge** as the kiosk app, you configure the following options:
- Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser)
- Which URL should be open when the kiosk accounts signs in
- When Microsoft Edge should restart after a period of inactivity (if you select to run as a public browser)
1. Select **Close**
When the device isn't joined to an Active Directory domain or Microsoft Entra ID, automatic sign-in of the kiosk account is configured automatically:
- If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything
- If you don't want the kiosk account to sign in automatically when the device restarts, then you must change the default setting before you configure the device as a kiosk. Sign in with the account that you want to use as the kiosk account. Open **Settings** > **Accounts** > **Sign-in options**. Set the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device
---
> [!TIP]
> For practical examples, see the [Quickstart: Configure a kiosk with Assigned Access](quickstart-kiosk.md).
## Configure a restricted user experience
To configure a restricted user experience with Assigned Access, you must create an XML configuration file with the settings for the desired experience. The XML file is applied to the device via the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp#shelllauncher), using one of the following options:
- A Mobile Device Management (MDM) solution, like Microsoft Intune
- Provisioning packages
- PowerShell, with the MDM Bridge WMI Provider
To learn how to configure the Assigned Access XML file, see [Create an Assigned Access configuration file](configuration-file.md).
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
You can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
- **Setting:** `./Vendor/MSFT/AssignedAccess/ShellLauncher`
- **Value:** content of the XML configuration file
Assign the policy to a group that contains as members the devices that you want to configure.
#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
- **Path:** `AssignedAccess/MultiAppAssignedAccessSettings`
- **Value:** content of the XML configuration file
[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
```PowerShell
$assignedAccessConfiguration = @"
# content of the XML configuration file
"@
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
Write-Error -ErrorRecord $cimSetError[0]
$timeout = New-TimeSpan -Seconds 30
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
do{
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
if($events.Count) {
$events | ForEach-Object {
Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
}
} else {
Write-Warning "Timed-out attempting to retrieve event logs..."
}
Exit 1
}
Write-Output "Successfully applied Assigned Access configuration"
```
[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
#### [:::image type="icon" source="../images/icons/settings.svg"::: **Settings**](#tab/settings)
This option isn't available using Settings.
---
> [!TIP]
> For practical examples, see the [Quickstart: Configure a restricted user experience with Assigned Access](quickstart-restricted-user-experience.md)
## User experience
To validate the kiosk or restricted user experience, sign in with the user account you specified in the configuration file.
The Assigned Access configuration takes effect the next time the targeted user signs in. If that user account is signed in when you apply the configuration, sign out and sign back in to validate the experience.
> [!NOTE]
> Starting in Windows 11, a restricted user experience supports the use of multiple monitors.
### Autotrigger touch keyboard
The touch keyboard is automatically triggered when there's an input needed and no physical keyboard is attached on touch-enabled devices. You don't need to configure any other setting to enforce this behavior.
> [!TIP]
> The touch keyboard is triggered only when tapping a textbox. Mouse clicks don't trigger the touch keyboard. If you're testing this feature, use a physical device instead of a virtual machine (VM), as the touch keyboard is not triggered on VMs.
### Sign out of assigned access
By default, to exit the kiosk experience, press <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Del</kbd>. The kiosk app exits automatically. If you sign in again as the Assigned Access account, or wait for the sign in screen timeout, the kiosk app relaunches. The default timeout is 30 seconds, but you can change the timeout with the registry key:
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
To change the default time for Assigned Access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
> [!NOTE]
> `IdleTimeOut` doesn't apply to the Microsoft Edge kiosk mode.
The Breakout Sequence of <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Del</kbd> is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence is <kbd>CTRL</kbd> + <kbd>ALT</kbd> + <kbd>A</kbd>, where <kbd>CTRL</kbd> + <kbd>ALT</kbd> are the modifiers, and <kbd>A</kbd> is the key value. To learn more, see [Create an Assigned Access configuration XML file](configuration-file.md).
### Keyboard shortcuts
The following keyboard shortcuts are blocked for the user accounts with Assigned Access:
| Keyboard shortcut | Action |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------|
| <kbd>Ctrl</kbd> + <kbd>Shift</kbd> + <kbd>Esc</kbd> | Open Task Manager |
| <kbd>WIN</kbd> + <kbd>,</kbd> (comma) | Temporarily peek at the desktop |
| <kbd>WIN</kbd> + <kbd>A</kbd> | Open Action center |
| <kbd>WIN</kbd> + <kbd>Alt</kbd> + <kbd> D</kbd> | Display and hide the date and time on the desktop |
| <kbd>WIN</kbd> + <kbd>Ctrl</kbd> + <kbd> F</kbd> | Find computer objects in Active Directory |
| <kbd>WIN</kbd> + <kbd>D</kbd> | Display and hide the desktop |
| <kbd>WIN</kbd> + <kbd>E</kbd> | Open File Explorer |
| <kbd>WIN</kbd> + <kbd>F</kbd> | Open Feedback Hub |
| <kbd>WIN</kbd> + <kbd>G</kbd> | Open Game bar when a game is open |
| <kbd>WIN</kbd> + <kbd>I</kbd> | Open Settings |
| <kbd>WIN</kbd> + <kbd>J</kbd> | Set focus to a Windows tip when one is available |
| <kbd>WIN</kbd> + <kbd>O</kbd> | Lock device orientation |
| <kbd>WIN</kbd> + <kbd>Q</kbd> | Open search |
| <kbd>WIN</kbd> + <kbd>R</kbd> | Open the Run dialog box |
| <kbd>WIN</kbd> + <kbd>S</kbd> | Open search |
| <kbd>WIN</kbd> + <kbd>Shift</kbd> + <kbd> C</kbd> | Open Cortana in listening mode |
| <kbd>WIN</kbd> + <kbd>X</kbd> | Open the Quick Link menu |
| <kbd>LaunchApp1</kbd> | Open the app that is assigned to this key |
| <kbd>LaunchApp2</kbd> | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator |
| <kbd>LaunchMail</kbd> | Open the default mail client |
## Remove Assigned Access
Deleting the restricted user experience removes the policy settings associated with the users, but it can't revert all the configurations. For example, the Start menu configuration is maintained.
## Next steps
> [!div class="nextstepaction"]
> Review the recommendations before you deploy Assigned Access:
>
> [Assigned Access recommendations](recommendations.md)
<!--links-->
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp

114
windows/configuration/assigned-access/policy-settings.md Normal file
View File

@ -0,0 +1,114 @@
---
title: Assigned Access policy settings
description: Learn about the policy settings enforced on a device configured with Assigned Access.
ms.topic: reference
ms.date: 03/04/2024
---
# Assigned Access policy settings
When the Assigned Access configuration is applied on a device, certain policy settings and AppLocker rules are enforced, impacting the users accessing the device. The policy settings use a combination of configuration service provider (CSP) and group policy (GPO) settings.
This reference article lists the policy settings and AppLocker rules applied by Assigned Access.
>[!NOTE]
>It's not recommended to configure policy settings enforced by Assigned Access to different values using other channels. Assigned Access is optimized to provide a locked-down experience.
## Device policy settings
The following policy settings are applied at the device level when you deploy a restricted user experience. Any user accessing the device is subject to the policy settings, including administrator accounts:
| Type | Path | Name/Description |
|---------|----------------------------------------------------------------------------|---------------------------------------------------------------------------|
| **CSP** | `./Vendor/MSFT/Policy/Config/Experience/AllowCortana` | Disable Cortana |
| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderDocuments` | Disable Start documents icon |
| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderDownloads` | Disable Start downloads icon |
| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderFileExplorer` | Disable Start file explorer icon |
| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderHomeGroup` | Disable Start home group icon |
| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderMusic` | Disable Start music icon |
| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderNetwork` | Disable Start network icon |
| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderPersonalFolder` | Disable Start personal folder icon |
| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderPictures` | Disable Start pictures icon |
| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderSettings` | Disable Start settings icon |
| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderVideos` | Disable Start videos icon |
| **CSP** | `./Vendor/MSFT/Policy/Config/Start/HideChangeAccountSettings` | Hide *Change account settings* from appearing in the user tile |
| **CSP** | `./Vendor/MSFT/Policy/Config/Update/SetAutoRestartNotificationDisable` | Hides all update notifications |
| **CSP** | `./Vendor/MSFT/Policy/Config/Update/UpdateNotificationLevel` | Disables auto restart notifications for updates |
| **CSP** | `./Vendor/MSFT/Policy/Config/WindowsInkWorkspace/AllowWindowsInkWorkspace` | Access to ink workspace is disabled |
| **CSP** | `./Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI` | Hide networks UI on the logon screen, as well as on "security options" UI |
## User policy settings
The following policy settings are applied to any nonadministrator account when you deploy a restricted user experience:
| Type | Path | Name/Description |
|---------|----------------------------------------------------------------------------------|-------------------------------------------------------------------|
| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/DisableContextMenus` | Disable Context Menu for Start menu apps |
| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HidePeopleBar` | Hide People Bar from appearing on taskbar |
| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HideRecentlyAddedApps` | Hide recently added apps from appearing on the Start menu |
| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HideRecentJumplists` | Hide recent jumplists from appearing on the Start menu/taskbar |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Clear history of recently opened documents on exit |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Disable showing balloon notifications as toast |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not allow pinning items in Jump Lists |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not allow pinning programs to the Taskbar |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not display or track items in Jump Lists from remote locations |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Hide and disable all items on the desktop |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Hide the Task View button |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Lock all taskbar settings |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Lock the Taskbar |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from adding or removing toolbars |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from customizing their Start Screen |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from moving taskbar to another screen dock location |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from rearranging toolbars |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from resizing the taskbar |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from uninstalling applications from Start |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove access to the context menus for the task bar |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove All Programs list from the Start menu |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Control Center |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove frequent programs list from the Start Menu |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Notification and Action Center |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Quick Settings |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Run menu from Start Menu |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove the Security and Maintenance icon |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Turn off all balloon notifications |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Turn off feature advertisement balloon notifications |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications | Turn off toast notifications |
| **GPO** | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Change Password |
| **GPO** | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Logoff |
| **GPO** | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Task Manager |
| **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove *Map network drive* and *Disconnect Network Drive* |
| **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove File Explorer's default context menu |
The following policy settings are applied to the kiosk account when you configure a kiosk experience with Microsoft Edge:
| Type | Path | Name/Description |
|---------|-----------------------------------------------------------------------------------|--------------------------------------------------------|
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications | Run only specified Windows applications > `msedge.exe` |
| **GPO** | User Configuration\Administrative Templates\System | Turn off toast notifications |
| **GPO** | User Configuration\Administrative Templates\Windows Components\Attachment Manager | Default risk level for file attachments > High risk |
| **GPO** | User Configuration\Administrative Templates\Windows Components\Attachment Manager | Inclusion list for low file types > `.pdf;.epub` |
| **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove File Explorer's default context menu |
## AppLocker rules
When you deploy an Assigned Access restricted user experience, AppLocker rules are generated to allow the apps that are listed in the configuration. Here are the predefined Assigned Access AppLocker rules:
### Universal Windows Platform (UWP) app rules
1. The default rule is to allow all users to launch the signed *packaged apps*
1. The packaged app *deny list* is generated at runtime when the Assigned Access user signs in:
1. Based on the installed apps available for the user account, Assigned Access generates the deny list. The list excludes the default allowed inbox packaged apps, which are critical for the system to function, and then exclude the allowed packages that are defined in the Assigned Access configuration
1. If there are multiple apps within the same package, all the apps are excluded
The deny list is used to prevent the user from accessing the apps, which are currently available for the user but not in the allowed list
> [!NOTE]
> You can't manage AppLocker rules that are generated by the restricted user experience in MMC snap-ins. Avoid creating AppLocker rules that conflict with AppLocker rules generated by Assigned Access.
>
> Assigned access doesn't prevent the organization or users from installing UWP apps. When a new UWP app is installed during an Assigned Access session, the app isn't in the deny list. When the user signs out and signs in again, the installed app is included in the deny list. For apps deployed centrally that you want to allow, like line-of-biness apps, update the Assigned Access configuration and include the apps in the *allow app list*.
### Desktop app rules
1. The default rule is to allow all users to launch the desktop programs signed with *Microsoft Certificate* for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
1. There's a predefined inbox desktop app deny list for the Assigned Access user account, which is updated based on the *desktop app allow list* that you defined in the Assigned Access configuration
1. Enterprise-defined allowed desktop apps are added in the AppLocker allow list

104
windows/configuration/assigned-access/quickstart-kiosk.md Normal file
View File

@ -0,0 +1,104 @@
---
title: "Quickstart: configure a kiosk experience with Assigned Access"
description: Learn how to configure a kiosk experience with Assigned Access using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
ms.date: 03/04/2024
---
# Quickstart: configure a kiosk with Assigned Access
This quickstart provides practical examples of how to configure a *kiosk experience* on Windows with Assigned Access. The examples describe the steps using the Settings app, a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
The examples can be modified to fit your specific requirements. For example, you can change the app used, the URL specified when opening Microsoft Edge, or change the name of the user that automatically signs in to Windows.
## Prerequisites
>[!div class="checklist"]
>Here's a list of requirements to complete this quickstart:
>
>- A Windows device
>- Microsoft Intune, or a non-Microsoft MDM solution, if you want to configure the settings using MDM
>- Windows Configuration Designer, if you want to configure the settings using a provisioning package
>- Access to the [psexec tool](/sysinternals/downloads/psexec), if you want to test the configuration using Windows PowerShell
## Configure a kiosk
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
> [!TIP]
> Use the following Graph call to automatically create a custom policy in your Microsoft Intune tenant without assignments nor scope tags.
>
> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
[!INCLUDE [quickstart-kiosk-intune](includes/quickstart-kiosk-intune.md)]
Alternatively, you can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
- **Setting:** `./Vendor/MSFT/AssignedAccess/Configuration`
- **Value:**
[!INCLUDE [quickstart-kiosk-xml](includes/quickstart-kiosk-xml.md)]
Assign the policy to a group that contains as members the devices that you want to configure.
#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
- **Path:** `AssignedAccess/MultiAppAssignedAccessSettings`
- **Value:**
[!INCLUDE [quickstart-kiosk-xml](includes/quickstart-kiosk-xml.md)]
[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
[!INCLUDE [quickstart-kiosk-ps](includes/quickstart-kiosk-ps.md)]
[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
#### [:::image type="icon" source="../images/icons/settings.svg"::: **Settings**](#tab/settings)
Here are the steps to configure a kiosk using the Settings app:
1. Open the Settings app to view and configure a device as a kiosk. Go to **Settings > Accounts > Other Users**, or use the following shortcut:
> [!div class="nextstepaction"]
>
> [Other Users](ms-settings:otherusers)
1. Under **Set up a kiosk**, select **Get Started**
1. In the **Create an account** dialog, enter the account name, and select **Next**
>[!NOTE]
>If there are any local standard user accounts already, the **Create an account** dialog offers the option to **Choose an existing account**
1. Choose the application to run when the kiosk account signs in. Only apps that can run above the lock screen are available in the list of apps to choose from. If you select **Microsoft Edge** as the kiosk app, you configure the following options:
- Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser)
- Which URL should be open when the kiosk accounts signs in
- When Microsoft Edge should restart after a period of inactivity (if you select to run as a public browser)
1. Select **Close**
---
## User experience
After the settings are applied, reboot the device. A local user account is automatically signed in, opening Microsoft Edge.
## Next steps
> [!div class="nextstepaction"]
> Learn more about Assigned Access and how to configure it:
>
> [Assigned Access overview](overview.md)
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10

93
windows/configuration/assigned-access/quickstart-restricted-user-experience.md Normal file
View File

@ -0,0 +1,93 @@
---
title: "Quickstart: configure a restricted user experience with Assigned Access"
description: Learn how to configure a restricted user experience with Assigned Access using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
ms.date: 03/04/2024
appliesto:
zone_pivot_groups: windows-versions-11-10
---
# Quickstart: configure a restricted user experience with Assigned Access
This quickstart provides practical examples of how to configure a *restricted user experience* on Windows. The examples describe the steps using a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
The examples can be modified to fit your specific requirements. For example, you can add or remove applications from the list of allowed apps, or change the name of the user that automatically signs in to Windows.
## Prerequisites
>[!div class="checklist"]
>Here's a list of requirements to complete this quickstart:
>
>- A Windows device
>- Microsoft Intune, or a non-Microsoft MDM solution, if you want to configure the settings using MDM
>- Windows Configuration Designer, if you want to configure the settings using a provisioning package
>- Access to the [psexec tool](/sysinternals/downloads/psexec), if you want to test the configuration using Windows PowerShell
## Configure a restricted user experience
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
> [!TIP]
> Use the following Graph call to automatically create a custom policy in your Microsoft Intune tenant without assignments nor scope tags.
>
> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
[!INCLUDE [quickstart-restricted-experience-intune.md](includes/quickstart-restricted-experience-intune.md)]
[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)]
Alternatively, you can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
- **Setting:** `./Vendor/MSFT/AssignedAccess/Configuration`
- **Value:**
[!INCLUDE [quickstart-restricted-experience-xml.md](includes/quickstart-restricted-experience-xml.md)]
#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
- **Path:** `AssignedAccess/MultiAppAssignedAccessSettings`
- **Value:**
[!INCLUDE [quickstart-restricted-experience-xml.md](includes/quickstart-restricted-experience-xml.md)]
[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
[!INCLUDE [quickstart-restricted-experience-ps.md](includes/quickstart-restricted-experience-ps.md)]
[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
---
## User experience
After the settings are applied, reboot the device. A local user account is automatically signed in, with access to a limited set of applications, which are pinned to the Start menu.
::: zone pivot="windows-11"
:::image type="content" source="images/restricted-user-experience-windows-11.png" alt-text="Screenshot of the Windows 11 desktop used for the quickstart." border="false":::
::: zone-end
::: zone pivot="windows-10"
:::image type="content" source="images/restricted-user-experience-windows-10.png" alt-text="Screenshot of the Windows 10 desktop used for the quickstart." border="false":::
::: zone-end
## Next steps
> [!div class="nextstepaction"]
> Learn more about Assigned Access and how to configure it:
>
> [Assigned Access overview](overview.md)
<!--links-->
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10

169
windows/configuration/assigned-access/recommendations.md Normal file
View File

@ -0,0 +1,169 @@
---
title: Assigned Access recommendations
description: Learn about the recommended kiosk and restricted user experience configuration options.
ms.topic: best-practice
ms.date: 03/11/2024
---
# Assigned Access recommendations
This article contains recommendations for devices configured with Assigned Access and Shell Launcher. Most of the recommendations include both group policy (GPO) and configuration service provider (CSP) settings to help you configure your kiosk devices.
## Kiosk user account
For kiosks devices located in public-facing environments, configure as a kiosk account a user account with the least privileges, such as a local, standard user account. Using an Active Directory user or Microsoft Entra user might allow an attacker to gain access to domain resources that are accessible to any domain accounts. When using domain accounts with assigned access, proceed with caution. Consider the domain resources potentially exposed by using a domain account.
### Automatic sign-in
Consider enabling *automatic sign-in* for your kiosk device. When the device restarts, from an update or power outage, you can configure the device to sign in with the Assigned Access account automatically. Ensure that policy settings applied to the device don't prevent automatic sign in from working as expected. For example, the policy settings [PreferredAadTenantDomainName](/windows/client-management/mdm/policy-csp-authentication#preferredaadtenantdomainname) prevents automatic sign-in from working.
You can configure the Assigned Access and Shell Launcher XML files with an account to sign-in automatically. For more information, review the articles:
- [Create an Assigned Access configuration XML file](configuration-file.md)
- [Create a Shell Launcher configuration file](shell-launcher/configuration-file.md)
Alternatively, you can edit the Registry to have an account sign in automatically:
| Path | Name | Type | Value |
|--|--|--|--|
| `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` | `AutoAdminLogon` | REG_DWORD | 1 |
| `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` | `DefaultUserName` | String | Set value as the account that you want signed in. |
| `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` | `DefaultPassword` | String | Set value as the password for the account. |
| `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` | `DefaultDomainName` | String | Set value for domain, only for domain accounts. For local accounts, don't add this key. |
Once automatic sign-in is configured, reboot the device. The account will sign in automatically.
> [!NOTE]
> If you are using [Custom Logon](/windows-hardware/customize/enterprise/custom-logon) with `HideAutoLogonUI` enabled, you might experience a black screen when the user account password expires. Consider [setting the password to never expire](/windows-hardware/customize/enterprise/troubleshooting-custom-logon#the-device-displays-a-black-screen-when-a-password-expiration-screen-is-displayed).
## Windows Update
Configure your kiosk devices so that they're always up to date, without disrupting the user experience. Here are some policy settings to consider, to configure Windows Update for your kiosk devices:
| Type | Path | Name/Description |
|--|--|--|
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Update/`[ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#activehoursend) | Integer value that represents the end of active hours. For example, `22` represents 10PM |
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Update/`[ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#activehoursstart) | Integer value that represents the start of active hours. For example, `7` represents 7AM |
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Update/`[AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#allowautoupdate) | Integer value. Set to `3` - Auto download and schedule the install |
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Update/`[ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#scheduledinstalltime) | Integer value. Specify the time for the device to install updates. For example, `23` represents 11PM |
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Update/`[UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) | Integer value. Set to `2`: turn off all notifications, including restart warnings |
| **GPO** | Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience | Display options for update notifications > Set the value to **2 - Turn off all notifications, including restart warnings** |
| **GPO** | Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\Configure Automatic Updates | **4 - Auto download and schedule the install** > specify an install time that is outside the active hours |
| **GPO** | Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\Turn off autorestart for updates during active hours | Configure the start and end active hours, during which the kiosk device can't restart due to Windows Update |
## Power settings
You might want to prevent the kiosk device from going to sleep, or prevent users to shut down or restart the kiosk. Here are some options to consider:
| Type | Path | Name/Description |
|--|--|--|
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/`[HidePowerOptions](/windows/client-management/mdm/policy-csp-admx-startmenu#hidepoweroptions) | String. Set to `<Enabled/>` |
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/`<br>[Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#shutdown_allowsystemtobeshutdownwithouthavingtologon) | Integer value. Set to `0` |
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Power/`[DisplayOffTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) | String. Set to `<Enabled/><Data ID="EnterVideoACPowerDownTimeOut" value="0"/>` |
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Power/`[SelectPowerButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) | Integer. Set to `0` |
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Power/`[SelectSleepButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#SelectSleepButtonActionPluggedIn) | Integer. Set to `0` |
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Power/`[StandbyTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) | String. Set to `<Enabled/><Data ID="EnterACStandbyTimeOut" value="0"/>` |
| **GPO** | Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands | **Enable** |
| **GPO** | Computer Configuration\Administrative Templates\System\Power Management\Button Settings\Select the Power button action | Select the action: **Take no action** |
| **GPO** | Computer Configuration\Administrative Templates\System\Power Management\Button Settings\Select the Sleep button action | Select the action: **Take no action** |
| **GPO** | Computer Configuration\Administrative Templates\System\Power Management\Specify the system sleep timeout | Set the value to **0** seconds. |
| **GPO** | Computer Configuration\Administrative Templates\System\Power Management\Video and Display Settings\Turn off the display | Set the value to **0** seconds. |
| **GPO** | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on | **Disabled** |
| **GPO** | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system | Remove the users or groups from this policy. To prevent this policy from affecting a member of the Administrators group, be sure to keep the Administrators group. |
> [!NOTE]
> You can also disable the power button from the security options screen using a feature called *Custom Logon*. For more information on removing the power button or disabling the physical power button, see [Custom Logon][WHW-1].
## Keyboard shortcuts
The following keyboard shortcuts aren't blocked for any user account that is configured with a restricted user experience:
- <kbd>Alt</kbd> + <kbd>F4</kbd>
- <kbd>Alt</kbd> + <kbd>Tab</kbd>
- <kbd>Alt</kbd> + <kbd>Shift</kbd> + <kbd>Tab</kbd>
- <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Delete</kbd>
You can use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the key combinations. Keyboard Filter settings apply to other standard accounts.
### Accessibility shortcuts
Assigned access doesn't change accessibility settings. Use *Keyboard Filter* to block the following key combinations that open accessibility features:
| Key combination | Blocked behavior |
| --- | --- |
| <kbd>Left Alt</kbd> + <kbd>Left Shift</kbd> + <kbd>Print Screen</kbd> | Open High Contrast dialog box |
| <kbd>Left Alt</kbd> + <kbd>Left Shift</kbd> + <kbd>Num Lock</kbd> | Open Mouse Keys dialog box |
| <kbd>WIN</kbd> + <kbd>U</kbd> | Open the Settings app accessibility panel |
> [!NOTE]
> If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter).
You can also disable the accessibility features and other options on the lock screen with [Custom Logon][WHW-1]. For example, to remove the Accessibility option, use the following registry key:
| Path | Name | Type | Value |
|--|--|--|--|
| `HKLM\Software\Microsoft\Windows Embedded\EmbeddedLogon\BrandingNeutral` | `BrandingNeutral` | REG_DWORD | 8 |
## Choose an app for a kiosk experience
To create a kiosk experience with Assigned Access, you can choose UWP apps or Microsoft Edge. However, some applications might not provide a good user experience when used as a kiosk.
The following guidelines help you choose an appropriate Windows app for a kiosk experience:
- Windows apps must be provisioned or installed for the Assigned Access account before they can be selected as the Assigned Access app. [Learn how to provision and install apps](/windows/client-management/mdm/enterprise-app-management#install_your_apps)
- UWP app updates can sometimes change the Application User Model ID (AUMID) of the app. In such scenario, you must update the Assigned Access settings to execute the updated app, because Assigned Access uses the AUMID to determine the app to launch
- The app must be able to run above the lock screen. If the app can't run above the lock screen, it can't be used as a kiosk app
- Some apps can launch other apps. Assigned Access in kiosk mode prevents Windows apps from launching other apps. Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality
- Microsoft Edge includes support for kiosk mode. To learn more, see [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy)
- Don't select Windows apps that might expose information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access
- Some apps might require more configurations before they can be used appropriately in Assigned Access. For example, Microsoft OneNote requires you to set up a Microsoft account for the Assigned Access user account before OneNote opens
- The kiosk profile is designed for public-facing kiosk devices. Use a local, nonadministrator account. If the device is connected to your organization network, using a domain or Microsoft Entra account could compromise confidential information
When planning to deploy a kiosk or a restricted user experience, consider the following recommendations:
- Evaluate all applications that users should use. If applications require user authentication, don't use a local or generic user account. Rather, target the group of users within the Assigned Access configuration file
- A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, certain policy settings that affect all nonadministrator users on the device. For a list of these policies, see [Assigned Access policy settings](policy-settings.md)
### Develop your kiosk app
Assigned Access uses the *Lock framework*. When an Assigned Access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an *above lock* screen app. To learn more, see [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access).
## Stop errors and recovery options
When a stop error occurs, Windows displays a blue screen with a stop error code. You can replace the standard screen with a blank screen for OS errors. For more information, see [Configure system failure and recovery options](/troubleshoot/windows-client/performance/configure-system-failure-and-recovery-options).
## Lock screen notifications
Consider removing notifications from the lock screen to prevent users from seeing notifications when the device is locked. Here are some options to consider:
| Type | Path | Name/Description |
|--|--|--|
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/AboveLock/`[AllowToasts](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts)| Integer. Set to `0` |
| **GPO** | Computer Configuration\Administrative Templates\System\Logon\Turn off app notifications on the lock screen | **Enabled**|
## Troubleshooting and logs
When testing Assigned Access, it can be useful to enable logging to help you troubleshoot issues. Logs can help you identify configuration and runtime issues. You can enable the following log: **Applications and Services Logs** > **Microsoft** > **Windows** > **AssignedAccess** > **Operational**.
The following registry keys contain the Assigned Access configurations:
- `HKLM\Software\Microsoft\Windows\AssignedAccessConfiguration`
- `HKLM\Software\Microsoft\Windows\AssignedAccessCsp`
The following registry key contains the configuration for each user with an Assigned Access policy:
- `HKCU\SOFTWARE\Microsoft\Windows\AssignedAccessConfiguration`
For more information about troubleshooting kiosk issues, see [Troubleshoot kiosk mode issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting).
## Next steps
> [!div class="nextstepaction"]
> Learn how to create an XML file to configure Assigned Access:
>
> [Create an Assigned Access configuration file](configuration-file.md)
<!--links-->
[WHW-1]: /windows-hardware/customize/enterprise/custom-logon
[WHW-2]: /windows-hardware/customize/enterprise/unified-write-filter

291
windows/configuration/assigned-access/shell-launcher/configuration-file.md Normal file
View File

@ -0,0 +1,291 @@
---
title: Create a Shell Launcher configuration file
description: Learn how to create an XML file to configure a device with Shell Launcher.
ms.date: 02/12/2024
ms.topic: how-to
---
# Create a Shell Launcher configuration file
To configure Shell Launcher, you must create and apply a configuration XML file to your devices. The configuration file must conform to a *schema*, as defined in [Shell Launcher XML Schema Definition (XSD)](xsd.md).
This article describes how to configure a Shell Launcher configuration file, including practical examples.
Let's start by looking at the basic structure of the XML file. A Shell Launcher configuration file contains:
- One or multiple `profiles`. Each `profile` defines:
- the application that replaces the standard Windows shell (`Explorer.exe`), which is executed when a user signs in
- the default action to take when the application exits, and actions when the application exits with a specific return code
- One or multiple `configs`. Each `config` associates a user account to a `profile`
> [!NOTE]
> A profile has no effect if it's not associated to a user account.
Here's a basic example of a Shell Launcher configuration file, with one profile and one config:
```xml
<?xml version="1.0" encoding="utf-8" ?>
<ShellLauncherConfiguration
xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Profiles>
<Profile Id="{GUID}">
<!-- Add configuration here as needed -->
</Profile>
</Profiles>
<Configs>
<Config>
<!-- Add configuration here as needed -->
</Config>
</Configs>
</ShellLauncherConfiguration>
```
## Versioning
The Shell Launcher configuration XML is versioned. The version is defined in the XML root element, and it's used to determine which schema to use to validate the XML file. The version is also used to determine which features are available for the configuration. Here's a table of the versions, aliases used in the documentation examples, and namespaces:
| Version | Alias | Namespace |
|-|-|-|
|Windows 10|`V2`|http://schemas.microsoft.com/ShellLauncher/2019/Configuration|
|Windows 10|default|http://schemas.microsoft.com/ShellLauncher/2018/Configuration|
To authorize a compatible configuration XML that includes version-specific elements and attributes, always include the namespace of the add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the kiosk application to execute in full screen, use the below example. Note the alias `V2` associated to `http://schemas.microsoft.com/ShellLauncher/2019/Configuration` namespace, and the alias is tagged on the `AppType` and `AllAppsFullScreen` properties inline.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<ShellLauncherConfiguration
xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Profiles>
<Profile Id="{GUID}">
<!-- Add configuration here as needed -->
<Shell Shell="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" V2:AppType="Desktop" V2:AllAppsFullScreen="true">
</Profile>
</Profiles>
<Configs>
<Config>
<!-- Add configuration here as needed -->
</Config>
</Configs>
</ShellLauncherConfiguration>
```
Here you can find the [Shell Launcher XML Schema Definitions (XSDs)](xsd.md).
## Profiles
A configuration file can contain one or more profiles. Each profile has a unique identifier `Profile Id` and, optionally, a `Name`. For example:
```xml
<Profiles>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" Name="Microsoft Learn example">
<!-- Add configuration here as needed -->
</Profile>
</Profiles>
```
> [!TIP]
> The `Profile Id` must be unique within the XML file. You can generate a GUID with the PowerShell cmdlet `New-Guid`.
You can define a `Defaultprofile` that is used when no other profile is associated to a user account. This ensures that every user using the device uses the same application. Example:
```xml
<Profiles>
<DefaultProfile>
<!-- Add configuration here as needed -->
</DefaultProfile>
</Profiles>
```
### Shell
Each profile defines a `Shell` element, which contains details about the application to execute. The `Shell` element has the following properties:
| Property| Description | Details |
|-|-|-|
|`Shell`| Application that is used as a Windows shell. |- For Universal Windows Platform (UWP) apps, you must provide the App User Model ID (AUMID). Learn how to [Find the Application User Model ID of an installed app](../../store/find-aumid.md).<br>- For desktop apps, specify the full path of the executable, which can contain system environment variables in the form of `%variableName%`. You can also specify any parameters that the app might require. |
|`V2:AppType`| Defines the type of application. |Allowed values are `Desktop` and `UWP`.|
|`V2:AllAppsFullScreen` | Boolean value that defines if all applications are executed in full screen. |- When set to `True`, Shell Launcher runs every app in full screen, or maximized for desktop apps.<br>- When set to `False` or not set, only the custom shell app runs in full screen; other apps launched by the user run in windowed mode.|
Example:
```xml
<Profile Id="{GUID}">
<Shell Shell="" V2:AppType="" V2:AllAppsFullScreen="">
<!-- Add configuration here as needed -->
</Shell>
</Profile>
```
In the next example, the Weather app is executed in full screen.
```xml
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Profiles>
<DefaultProfile>
<Shell Shell="Microsoft.BingWeather_8wekyb3d8bbwe!App" V2:AppType="UWP">
<DefaultAction Action="RestartShell"/>
</Shell>
</DefaultProfile>
</Profiles>
<Configs/>
</ShellLauncherConfiguration>
```
In the next example, Microsoft Edge is executed in full screen, opening a website. The website is reloaded after 2 minutes of inactivity.
```xml
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}">
<Shell Shell="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe --kiosk https://www.contoso.com --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2" V2:AppType="Desktop" V2:AllAppsFullScreen="true">
<DefaultAction Action="RestartShell"/>
</Shell>
</Profile>
```
#### ReturnCodeActions
Shell Launcher defines four actions to handle app exits. You can customize Shell Launcher and use the actions based on different exit code. Here are the `ReturnCodeActions` enums:
- `RestartShell`
- `RestartDevice`
- `ShutdownDevice`
- `DoNothing`
The actions can be used as default action, or mapped to a specific exit code. Refer to [Shell Launcher](/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to learn how to use exit codes with Shell Launcher WMI.
You can specify at most four custom actions mapping to four exit codes, and one default action for all other exit codes. When an app exits, and if the exit code isn't found in the custom action mapping, or there's no default action defined, nothing happens. For this reason, you should at least define `DefaultAction`.
Example:
```xml
<Profile Id="{GUID}">
<Shell Shell="" V2:AppType="" V2:AllAppsFullScreen="">
<ReturnCodeActions>
<ReturnCodeAction ReturnCode="0" Action="RestartShell"/>
<ReturnCodeAction ReturnCode="-1" Action="RestartDevice"/>
<ReturnCodeAction ReturnCode="255" Action="ShutdownDevice"/>
<ReturnCodeAction ReturnCode="1" Action="DoNothing"/>
</ReturnCodeActions>
<DefaultAction Action="RestartDevice"/>
</Shell>
</Profile>
```
## Configs
Under `Configs`, define one or more user accounts and their association with a profile.
Individual accounts are specified using `<Account Name=""/>`.
> [!IMPORTANT]
> Before applying the Shell Launcher configuration, make sure the specified user account is available on the device, otherwise it fails.
>
> For both domain and Microsoft Entra accounts, as long as the device is Active Directory joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for Shell Launcher.
### Local user
Local account can be entered as `devicename\user`, `.\user`, or just `user`.
```xml
<Config>
<Account Name="Learn Example"/>
<Profile Id="{GUID}"/>
</Config>
```
### Active Directory user
Domain accounts must be entered using the format `domain\samAccountName`.
```xml
<Config>
<Account Name="contoso\user"/>
<Profile Id="{GUID}"/>
</Config>
```
### Microsoft Entra user
Microsoft Entra accounts must be specified with the format: `AzureAD\{UPN}`. `AzureAD` must be provided *as is*, then follow with the Microsoft Entra user principal name (UPN).
```xml
<Config>
<Account Name="azuread\user@contoso.onmicrosoft.com"/>
<Profile Id="{GUID}"/>
</Config>
```
When the user account signs in, the associated Shell Launcher profile is applied, loading the application specified in the profile.
### Autologon account
With `<AutoLogonAccount>`, Shell Launcher creates and manages a user account to automatically sign in after a device restarts. The account is a local standard user named `Kiosk`.
Example:
```xml
<Configs>
<Config>
<!--account managed by Shell Launcher-->
<AutoLogonAccount/>
<Profile Id="{GUID}"/>
</Config>
<Configs>
<!--local account-->
<Account Name="Learn Example"/>
<Profile ID="{GUID}"/>
</Configs>
<Configs>
<!--Microsoft Entra account-->
<Account Name="azuread\kiosk@contoso.com"/>
<Profile ID="{GUID}"/>
</Configs>
</Configs>
```
## Example
Here's a complete example of a Shell Launcher configuration file, with two profiles and three configs:
```xml
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration" xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Profiles>
<DefaultProfile>
<Shell Shell="%SystemRoot%\explorer.exe" />
</DefaultProfile>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F79}" Name="Weather">
<Shell Shell="Microsoft.BingWeather_8wekyb3d8bbwe!App" V2:AppType="UWP">
<DefaultAction Action="RestartShell" />
</Shell>
</Profile>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" Name="Edge">
<Shell Shell="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe --kiosk https://www.contoso.com --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2" V2:AppType="Desktop" V2:AllAppsFullScreen="true">
<ReturnCodeActions>
<ReturnCodeAction ReturnCode="0" Action="RestartShell" />
<ReturnCodeAction ReturnCode="-1" Action="RestartDevice" />
<ReturnCodeAction ReturnCode="255" Action="ShutdownDevice" />
</ReturnCodeActions>
<DefaultAction Action="RestartShell" />
</Shell>
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount />
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" />
</Config>
<Config>
<Account Name="azuread\kiosk1@contoso.onmicrosoft.com" />
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F79}" />
</Config>
<Config>
<Account Name="azuread\kiosk2@contoso.onmicrosoft.com" />
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" />
</Config>
</Configs>
</ShellLauncherConfiguration>
```

13
windows/configuration/assigned-access/shell-launcher/includes/quickstart-intune.md Normal file
View File

@ -0,0 +1,13 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.topic: include
---
```msgraph-interactive
POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
Content-Type: application/json
{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Kiosk - Shell Launcher", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "ShellLauncher", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/ShellLauncher", "secretReferenceValueId": null, "isEncrypted": true, "value": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<ShellLauncherConfiguration\nxmlns=\"http://schemas.microsoft.com/ShellLauncher/2018/Configuration\"\nxmlns:V2=\"http://schemas.microsoft.com/ShellLauncher/2019/Configuration\">\n <Profiles>\n <DefaultProfile>\n <Shell Shell=\"%SystemRoot%\\explorer.exe\"/>\n </DefaultProfile>\n <Profile Id=\"{EDB3036B-780D-487D-A375-69369D8A8F78}\">\n <Shell Shell=\"%ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe --kiosk https://www.contoso.com --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2\" V2:AppType=\"Desktop\" V2:AllAppsFullScreen=\"true\">\n <ReturnCodeActions>\n <ReturnCodeAction ReturnCode=\"0\" Action=\"RestartShell\"/>\n <ReturnCodeAction ReturnCode=\"-1\" Action=\"RestartDevice\"/>\n <ReturnCodeAction ReturnCode=\"255\" Action=\"ShutdownDevice\"/>\n </ReturnCodeActions>\n <DefaultAction Action=\"RestartShell\"/>\n </Shell>\n </Profile>\n </Profiles>\n <Configs>\n <Config>\n <AutoLogonAccount/>\n <Profile Id=\"{EDB3036B-780D-487D-A375-69369D8A8F78}\"/>\n </Config>\n </Configs>\n</ShellLauncherConfiguration>" } ], }
```

43
windows/configuration/assigned-access/shell-launcher/includes/quickstart-ps.md Normal file
View File

@ -0,0 +1,43 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.topic: include
---
```PowerShell
$shellLauncherConfiguration = @"
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration
xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Profiles>
<DefaultProfile>
<Shell Shell="%SystemRoot%\explorer.exe"/>
</DefaultProfile>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}">
<Shell Shell="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe --kiosk https://www.contoso.com --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2" V2:AppType="Desktop" V2:AllAppsFullScreen="true">
<ReturnCodeActions>
<ReturnCodeAction ReturnCode="0" Action="RestartShell"/>
<ReturnCodeAction ReturnCode="-1" Action="RestartDevice"/>
<ReturnCodeAction ReturnCode="255" Action="ShutdownDevice"/>
</ReturnCodeActions>
<DefaultAction Action="RestartShell"/>
</Shell>
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount/>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}"/>
</Config>
</Configs>
</ShellLauncherConfiguration>
"@
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)
$obj = Set-CimInstance -CimInstance $obj
```

35
windows/configuration/assigned-access/shell-launcher/includes/quickstart-xml.md Normal file
View File

@ -0,0 +1,35 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.topic: include
---
```xml
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration
xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Profiles>
<DefaultProfile>
<Shell Shell="%SystemRoot%\explorer.exe"/>
</DefaultProfile>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}">
<Shell Shell="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe --kiosk https://www.contoso.com --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2" V2:AppType="Desktop" V2:AllAppsFullScreen="true">
<ReturnCodeActions>
<ReturnCodeAction ReturnCode="0" Action="RestartShell"/>
<ReturnCodeAction ReturnCode="-1" Action="RestartDevice"/>
<ReturnCodeAction ReturnCode="255" Action="ShutdownDevice"/>
</ReturnCodeActions>
<DefaultAction Action="RestartShell"/>
</Shell>
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount/>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}"/>
</Config>
</Configs>
</ShellLauncherConfiguration>
```

129
windows/configuration/assigned-access/shell-launcher/index.md Normal file
View File

@ -0,0 +1,129 @@
---
title: What is Shell Launcher?
description: Learn how to configure devices with Shell Launcher.
ms.date: 02/29/2024
ms.topic: overview
---
# What is Shell Launcher?
Shell Launcher is a Windows feature that you can use to replace the default Windows Explorer shell (`Explorer.exe`) with a Windows desktop application or a Universal Windows Platform (UWP) app.
Practical examples include:
- Public browsing
- Interactive digital signage
- ATMs
Shell Launcher controls which application the user sees as the shell after sign-in. It doesn't prevent the user from accessing other desktop applications and system components. From a custom shell, you can launch secondary views displayed on multiple monitors, or launch other apps in full screen on user's demand.
With Shell Launcher, you can use features and methods to control access to other applications or system components. These methods include, but aren't limited to:
- Configuration Service Provider (CSP): you can use a Mobile Device Management (MDM) solution like Microsoft Intune
- Group policy (GPO)
- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)
Shell Launcher is part of the [Assigned Access](../overview.md) feature, which allows you to configure kiosks or restricted user experiences. To learn about the differences between Shell Launcher and the other options offered by Assigned Access, see [Windows kiosks and restricted user experiences](../index.md).
[!INCLUDE [shell-launcher](../../../../includes/licensing/shell-launcher.md)]
## Limitations
Here are some limitations to consider when using Shell Launcher:
- Windows doesn't support setting a custom shell before the out-of-box experience (OOBE). If you do, you can't deploy the resulting image
- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you can't specify `write.exe` in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. `Write.exe` creates a 32-bit `wordpad.exe` process and exits. Since Shell Launcher isn't aware of the newly created `wordpad.exe` process, Shell Launcher takes action based on the exit code of `Write.exe`, such as restarting the custom shell
## Configure a device with Shell Launcher
The configuration of Shell Launcher is done using an XML file. The XML file is applied to the device via the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp#shelllauncher), using one of the following options:
- A Mobile Device Management (MDM) solution, like Microsoft Intune
- Provisioning packages
- The MDM Bridge WMI Provider
To learn how to configure the Shell Launcher XML file, see [Create a Shell Launcher configuration file](configuration-file.md).
[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
You can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
- **Setting:** `./Vendor/MSFT/AssignedAccess/ShellLauncher`
- **Value:** content of the XML configuration file
Assign the policy to a group that contains as members the devices that you want to configure.
#### [:::image type="icon" source="../../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
[!INCLUDE [provisioning-package-1](../../../../includes/configure/provisioning-package-1.md)]
- **Path:** `SMISettings/ShellLauncher`
- **Value:** depends on specific settings
[!INCLUDE [provisioning-package-2](../../../../includes/configure/provisioning-package-2.md)]
#### [:::image type="icon" source="../../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
[!INCLUDE [powershell-wmi-bridge-1](../../../../includes/configure/powershell-wmi-bridge-1.md)]
```PowerShell
$shellLauncherConfiguration = @"
# content of the XML configuration file
"@
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
Write-Error -ErrorRecord $cimSetError[0]
$timeout = New-TimeSpan -Seconds 30
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
do{
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
if($events.Count) {
$events | ForEach-Object {
Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
}
} else {
Write-Warning "Timed-out attempting to retrieve event logs..."
}
Exit 1
}
Write-Output "Successfully applied Shell Launcher configuration"
```
[!INCLUDE [powershell-wmi-bridge-2](../../../../includes/configure/powershell-wmi-bridge-2.md)]
---
> [!TIP]
> For practical examples, see the [Quickstart: configure a kiosk experience with Shell Launcher](quickstart-kiosk.md).
## User experience
After the settings are applied, the users that are configured to use Shell Launcher will execute the custom shell after sign-in.
Depending on your configuration, you can have a user to automatically sign in to the device.
## Next steps
> [!div class="nextstepaction"]
> Learn how to configure the Shell Launcher XML file:
>
> [Create a Shell Launcher configuration file](configuration-file.md)
<!--links-->
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10

69
windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md Normal file
View File

@ -0,0 +1,69 @@
---
title: "Quickstart: configure a kiosk experience with Shell Launcher"
description: Learn how to configure a kiosk experience with Shell Launcher, using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
ms.date: 02/05/2024
---
# Quickstart: configure a kiosk experience with Shell Launcher
This quickstart provides practical examples of how to configure a *kiosk experience* on Windows with Shell Launcher. The examples describe the steps using a mobile device management solution (MDM) like Microsoft Intune, and PowerShell. While different solutions are used, the configuration settings and results are the same.
The examples can be modified to fit your specific requirements. For example, you can change the app used, the URL specified when opening Microsoft Edge, or change the name of the user that automatically signs in to Windows.
## Prerequisites
>[!div class="checklist"]
>Here's a list of requirements to complete this quickstart:
>
>- A Windows Enterprise or Education device
>- Microsoft Intune, or a non-Microsoft MDM solution, if you want to configure the settings using MDM
>- Access to the [psexec tool](/sysinternals/downloads/psexec), if you want to test the configuration using Windows PowerShell
## Configure a kiosk device
[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
> [!TIP]
> Use the following Graph call to automatically create a custom policy in your Microsoft Intune tenant without assignments nor scope tags.
>
> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
[!INCLUDE [quickstart-intune](includes/quickstart-intune.md)]
Assign the policy to a group that contains as members the devices that you want to configure.
Alternatively, you can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
- **Setting:** `./Vendor/MSFT/AssignedAccess/ShellLauncher`
- **Value:**
[!INCLUDE [quickstart-xml](includes/quickstart-xml.md)]
#### [:::image type="icon" source="../../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
[!INCLUDE [powershell-wmi-bridge-1](../../../../includes/configure/powershell-wmi-bridge-1.md)]
[!INCLUDE [quickstart-ps](includes/quickstart-ps.md)]
[!INCLUDE [powershell-wmi-bridge-2](../../../../includes/configure/powershell-wmi-bridge-2.md)]
---
## User experience
After the settings are applied, reboot the device. A local user account is automatically signed in, opening Microsoft Edge.
## Next steps
> [!div class="nextstepaction"]
> Learn more how to create a Shell Launcher configuration file:
>
> [Create a Shell Launcher configuration file](configuration-file.md)
<!--links-->
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10

9
windows/configuration/assigned-access/shell-launcher/toc.yml Normal file
View File

@ -0,0 +1,9 @@
items:
- name: What is Shell Launcher?
href: index.md
- name: "Quickstart: Configure a kiosk with Shell Launcher"
href: quickstart-kiosk.md
- name: Create a Shell Launcher configuration file
href: configuration-file.md
- name: Shell Launcher XSD
href: xsd.md

193
windows/configuration/assigned-access/shell-launcher/xsd.md Normal file
View File

@ -0,0 +1,193 @@
---
title: Shell Launcher XML Schema Definition (XSD)
description: Shell Launcher XSD reference article.
ms.topic: reference
ms.date: 02/15/2024
---
# Shell Launcher XML Schema Definition (XSD)
This reference article contains the latest Shell Launcher XML schema definition (XSD) and the XSD additions for each version of Windows.
## Shell Launcher XSD
Here's the latest Shell Launcher XSD, introduced in Windows 11:
```xml
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:default="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration" targetNamespace="http://schemas.microsoft.com/ShellLauncher/2018/Configuration">
<xs:import namespace="http://schemas.microsoft.com/ShellLauncher/2019/Configuration"/>
<xs:complexType name="profile_list_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:choice minOccurs="1" maxOccurs="1">
<xs:element name="DefaultProfile" type="default_profile_t"/>
<xs:element name="Profile" type="profile_t"/>
</xs:choice>
<xs:element name="Profile" type="profile_t" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="default_profile_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Shell" type="default_shell_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="default_shell_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="DefaultAction" type="default_action_t" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
<xs:attribute name="Shell" type="xs:string" use="required"/>
<xs:attribute ref="V2:AppType"/>
<xs:attribute ref="V2:AllAppsFullScreen"/>
</xs:complexType>
<xs:complexType name="custom_shell_t">
<xs:all minOccurs="1" maxOccurs="1">
<xs:element name="ReturnCodeActions" type="return_code_action_list_t" minOccurs="0" maxOccurs="1">
<xs:unique name="ForbidDuplicatedReturnCodes">
<xs:selector xpath="default:ReturnCodeAction"/>
<xs:field xpath="@ReturnCode"/>
</xs:unique>
</xs:element>
<xs:element name="DefaultAction" type="default_action_t" minOccurs="0" maxOccurs="1"/>
</xs:all>
<xs:attribute name="Shell" type="xs:string" />
<xs:attribute ref="V2:AppType"/>
<xs:attribute ref="V2:AllAppsFullScreen"/>
</xs:complexType>
<xs:complexType name="default_action_t">
<xs:attribute name="Action" type="system_action_t" use="required"/>
</xs:complexType>
<xs:simpleType name="system_action_t">
<xs:restriction base="xs:string">
<xs:enumeration value="RestartShell" />
<xs:enumeration value="RestartDevice" />
<xs:enumeration value="ShutdownDevice" />
<xs:enumeration value="DoNothing" />
</xs:restriction>
</xs:simpleType>
<xs:complexType name="profile_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Shell" type="custom_shell_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
<xs:attribute name="Id" type="guid_t" use="required"/>
<xs:attribute name="Name" type="xs:string" use="optional"/>
</xs:complexType>
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="return_code_action_list_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="ReturnCodeAction" type="return_code_action_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="return_code_action_t">
<xs:attribute name="ReturnCode" type="xs:integer" use="required"/>
<xs:attribute name="Action" type="system_action_t" use="required"/>
</xs:complexType>
<xs:complexType name="config_list_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Config" type="config_t" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="config_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:choice minOccurs="1" maxOccurs="1">
<xs:element name="Account" type="account_t" minOccurs="1" maxOccurs="1">
<xs:key name="mutexNameOrSID">
<xs:selector xpath="."/>
<xs:field xpath="@Name|@Sid"/>
</xs:key>
</xs:element>
<xs:element name="AutoLogonAccount" type="autologon_account_t" minOccurs="1" maxOccurs="1"/>
</xs:choice>
<xs:element name="Profile" type="profile_id_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="account_t">
<xs:attribute name="Name" type="xs:string" use="optional"/>
<xs:attribute name="Sid" type="xs:string" use="optional"/>
</xs:complexType>
<xs:complexType name="autologon_account_t">
<xs:attribute name="HiddenId" type="guid_t" fixed="{50021E57-1CE4-49DF-99A9-8DB659E2C2DD}"/>
</xs:complexType>
<xs:complexType name="profile_id_t">
<xs:attribute name="Id" type="guid_t" use="required"/>
</xs:complexType>
<!--below is the definition of the config xml content-->
<xs:element name="ShellLauncherConfiguration">
<xs:complexType>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Profiles" type="profile_list_t" minOccurs="1" maxOccurs="1">
<xs:unique name="ForbidDuplicatedProfiles">
<xs:selector xpath="default:Profile"/>
<xs:field xpath="@Id"/>
</xs:unique>
</xs:element>
<xs:element name="Configs" type="config_list_t" minOccurs="0" maxOccurs="1">
<xs:unique name="ForbidDuplicatedConfigs_Name">
<xs:selector xpath="default:Config/default:Account"/>
<xs:field xpath="@Name"/>
</xs:unique>
<xs:unique name="ForbidDuplicatedConfigs_Sid">
<xs:selector xpath="default:Config/default:Account"/>
<xs:field xpath="@Sid"/>
</xs:unique>
<xs:unique name="ForbidDuplicatedAutoLogonAccount">
<xs:selector xpath="default:Config/default:AutoLogonAccount"/>
<xs:field xpath="@HiddenId"/>
</xs:unique>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
```
## Windows 10, version 1903 additions
In Windows 10, version 1903, Shell Launcher introduced the support of both UWP and desktop apps as the custom shell.
Here's the Shell Launcher XSD for the features added in Windows 10, version 1903:
```xml
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/ShellLauncher/2019/Configuration"
xmlns:default="http://schemas.microsoft.com/ShellLauncher/2019/Configuration" targetNamespace="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<xs:attribute name="AppType">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="UWP"/>
<xs:enumeration value="Desktop"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="AllAppsFullScreen" type="xs:boolean"/>
</xs:schema>
```

33
windows/configuration/assigned-access/toc.yml Normal file
View File

@ -0,0 +1,33 @@
items:
- name: Overview
href: index.md
- name: Assigned Access
items:
- name: What is Assigned Access?
href: overview.md
- name: Quickstarts
items:
- name: Configure a kiosk with Assigned Access
href: quickstart-kiosk.md
- name: Configure a restricted user experience with Assigned Access
href: quickstart-restricted-user-experience.md
- name: Create an Assigned Access configuration file
href: configuration-file.md
- name: Reference
items:
- name: Assigned Access XSD
href: xsd.md
- name: Assigned Access XML examples
href: examples.md
- name: Assigned Access policy settings
href: policy-settings.md
- name: Shell Launcher
href: shell-launcher/toc.yml
- name: Recommendations
href: recommendations.md
- name: Assigned Access CSP 🔗
href: /windows/client-management/mdm/assignedaccess-csp
- name: Troubleshoot 🔗
href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting
- name: Configure Microsoft Edge kiosk mode 🔗
href: /deployedge/microsoft-edge-configure-kiosk-mode

334
windows/configuration/assigned-access/xsd.md Normal file
View File

@ -0,0 +1,334 @@
---
title: Assigned Access XML Schema Definition (XSD)
description: Assigned Access XSD reference article.
ms.topic: reference
ms.date: 02/15/2024
---
# Assigned Access XML Schema Definition (XSD)
This reference article contains the latest Assigned Access XML schema definition (XSD) and the XSD additions for each version of Windows.
## Assigned Access XSD
Here's the latest Assigned Access XSD, introduced in Windows 11:
```xml
<xs:schema
elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config">
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/201810/config"/>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2020/config"/>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2021/config"/>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2022/config"/>
<xs:complexType name="profile_list_t">
<xs:sequence minOccurs="1">
<xs:element name="Profile" type="profile_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="kioskmodeapp_t">
<xs:attribute name="AppUserModelId" type="xs:string"/>
<xs:attributeGroup ref="ClassicApp_attributeGroup"/>
</xs:complexType>
<xs:attributeGroup name="ClassicApp_attributeGroup">
<xs:attribute ref="v4:ClassicAppPath"/>
<xs:attribute ref="v4:ClassicAppArguments" use="optional"/>
</xs:attributeGroup>
<xs:complexType name="profile_t">
<xs:choice>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="AllAppsList" type="allappslist_t" minOccurs="1" maxOccurs="1"/>
<xs:element ref="rs5:FileExplorerNamespaceRestrictions" minOccurs="0" maxOccurs="1"/>
<xs:element name="StartLayout" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element ref="v5:StartPins" minOccurs="0" maxOccurs="1"/>
<xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/>
<xs:element ref="v5:TaskbarLayout" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="KioskModeApp" type="kioskmodeapp_t" minOccurs="1" maxOccurs="1">
<xs:key name="mutualExclusionAumidOrClassicAppPath">
<xs:selector xpath="."/>
<xs:field xpath="@AppUserModelId|@v4:ClassicAppPath"/>
</xs:key>
<xs:unique name="mutualExclusionAumidOrClassicAppArgumentsOptional">
<xs:selector xpath="."/>
<xs:field xpath="@AppUserModelId|@v4:ClassicAppArguments"/>
</xs:unique>
</xs:element>
<xs:element ref="v4:BreakoutSequence" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:choice>
<xs:attribute name="Id" type="guid_t" use="required"/>
<xs:attribute name="Name" type="xs:string" use="optional"/>
</xs:complexType>
<xs:complexType name="allappslist_t">
<xs:sequence minOccurs="1">
<xs:element name="AllowedApps" type="allowedapps_t" minOccurs="1" maxOccurs="1">
<xs:unique name="ForbidDupApps">
<xs:selector xpath="default:App"/>
<xs:field xpath="@AppUserModelId|@DesktopAppPath"/>
</xs:unique>
<xs:unique name="OnlyOneAppCanHaveAutoLaunch">
<xs:selector xpath="default:App"/>
<xs:field xpath="@rs5:AutoLaunch"/>
</xs:unique>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="allowedapps_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="App" type="app_t" minOccurs="1" maxOccurs="unbounded">
<xs:key name="mutexAumidOrDesktopApp">
<xs:selector xpath="."/>
<xs:field xpath="@AppUserModelId|@DesktopAppPath"/>
</xs:key>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="app_t">
<xs:attribute name="AppUserModelId" type="xs:string"/>
<xs:attribute name="DesktopAppPath" type="xs:string"/>
<xs:attributeGroup ref="autoLaunch_attributeGroup"/>
</xs:complexType>
<xs:attributeGroup name="autoLaunch_attributeGroup">
<xs:attribute ref="rs5:AutoLaunch"/>
<xs:attribute ref="rs5:AutoLaunchArguments" use="optional"/>
</xs:attributeGroup>
<xs:complexType name="taskbar_t">
<xs:attribute name="ShowTaskbar" type="xs:boolean" use="required"/>
</xs:complexType>
<xs:complexType name="profileId_t">
<xs:attribute name="Id" type="guid_t" use="required"/>
</xs:complexType>
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="config_list_t">
<xs:sequence minOccurs="1">
<xs:element ref="v3:GlobalProfile" minOccurs="0" maxOccurs="1"/>
<xs:element name="Config" type="config_t" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="config_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:choice>
<xs:element name="Account" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="AutoLogonAccount" type="autologon_account_t" minOccurs="1" maxOccurs="1"/>
<xs:element name="UserGroup" type="group_t" minOccurs="1" maxOccurs="1"/>
<xs:element name="SpecialGroup" type="specialGroup_t" minOccurs="1" maxOccurs="1" />
</xs:choice>
<xs:element name="DefaultProfile" type="profileId_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="autologon_account_t">
<xs:attribute name="HiddenId" type="guid_t" fixed="{74331115-F68A-4DF9-8D2C-52BA2CE2ADB1}"/>
<xs:attribute ref="rs5:DisplayName" use="optional" />
</xs:complexType>
<xs:complexType name="group_t">
<xs:attribute name="Name" type="xs:string" use="required"/>
<xs:attribute name="Type" type="groupType_t" use="required"/>
</xs:complexType>
<xs:complexType name="specialGroup_t">
<xs:attribute name="Name" type="specialGroupType_t" use="required"/>
</xs:complexType>
<xs:simpleType name="groupType_t">
<xs:restriction base="xs:string">
<xs:enumeration value="LocalGroup"/>
<xs:enumeration value="ActiveDirectoryGroup"/>
<xs:enumeration value="AzureActiveDirectoryGroup"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="specialGroupType_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Visitor"/>
<xs:enumeration value="DeviceOwner"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="fileExplorerNamespaceRestrictions_t">
<xs:sequence minOccurs="1">
<xs:element name="AllowedNamespace" type="allowedFileExplorerNamespace_t"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="allowedFileExplorerNamespace_t">
<xs:attribute name="Name" type="allowedFileExplorerNamespaceValues_t"/>
</xs:complexType>
<xs:simpleType name="allowedFileExplorerNamespaceValues_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Downloads"/>
</xs:restriction>
</xs:simpleType>
<!--below is the definition of the config xml content-->
<xs:element name="AssignedAccessConfiguration">
<xs:complexType>
<xs:all minOccurs="1">
<xs:element name="Profiles" type="profile_list_t">
<xs:unique name="duplicateRolesForbidden">
<xs:selector xpath="default:Profile"/>
<xs:field xpath="@Id"/>
</xs:unique>
</xs:element>
<xs:element name="Configs" type="config_list_t">
<xs:unique name="duplicateAutoLogonAccountForbidden">
<xs:selector xpath=".//default:AutoLogonAccount"/>
<xs:field xpath="@HiddenId"/>
</xs:unique>
</xs:element>
</xs:all>
</xs:complexType>
</xs:element>
</xs:schema>
```
## Windows 11, version 22H2 additions
Here's the Assigned Access XSD for the features added in Windows 11:
```xml
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning"
vc:minVersion="1.1"
xmlns="http://schemas.microsoft.com/AssignedAccess/2022/config"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2022/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2022/config"
>
<xs:element name = "StartPins" type = "xs:string"/>
<xs:element name = "TaskbarLayout" type="xs:string"/>
</xs:schema>
```
## Windows 11, version 21H2 additions
Here's the Assigned Access XSD for the features added in Windows 10, version 21H2:
```xml
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning"
vc:minVersion="1.1"
xmlns="http://schemas.microsoft.com/AssignedAccess/2021/config"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2021/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2021/config"
>
<xs:attribute name="ClassicAppPath" type="xs:string"/>
<xs:attribute name="ClassicAppArguments" type="xs:string"/>
<xs:element name="BreakoutSequence" type="BreakoutSequence_t" />
<xs:complexType name="BreakoutSequence_t">
<xs:attribute name="Key" type="xs:string" use="required"/>
</xs:complexType>
</xs:schema>
```
## Windows 10, version 1909 additions
Here's the Assigned Access XSD for the features added in Windows 10, version 1909:
```xml
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/2020/config"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2020/config"
xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning" vc:minVersion="1.1"
xmlns:v5="http://schemas.microsoft.com/AssignedAccess/202010/config" targetNamespace="http://schemas.microsoft.com/AssignedAccess/2020/config">
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/202010/config" />
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="globalProfile_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element ref="v5:Exclusions" minOccurs="0" maxOccurs="1" />
</xs:sequence>
<xs:attribute name="Id" type="guid_t" />
</xs:complexType>
<xs:element name="AllowRemovableDrives"/>
<xs:element name="NoRestriction" />
<xs:element name="GlobalProfile" type="globalProfile_t" />
</xs:schema>
```
## Windows 10, version 1809 additions
Here's the Assigned Access XSD for the features added in Windows 10, version 1809:
```xml
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" targetNamespace="http://schemas.microsoft.com/AssignedAccess/201810/config">
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2020/config"/>
<xs:complexType name="fileExplorerNamespaceRestrictions_t">
<xs:choice>
<xs:sequence minOccurs="0">
<xs:element name="AllowedNamespace" type="allowedFileExplorerNamespace_t" minOccurs="0"/>
<xs:element ref="v3:AllowRemovableDrives" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
<xs:element ref="v3:NoRestriction" minOccurs="0" maxOccurs="1" />
</xs:choice>
</xs:complexType>
<xs:complexType name="allowedFileExplorerNamespace_t">
<xs:attribute name="Name" type="allowedFileExplorerNamespaceValues_t" use="required"/>
</xs:complexType>
<xs:simpleType name="allowedFileExplorerNamespaceValues_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Downloads"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="FileExplorerNamespaceRestrictions" type="fileExplorerNamespaceRestrictions_t" />
<xs:attribute name="AutoLaunch" type="xs:boolean"/>
<xs:attribute name="AutoLaunchArguments" type="xs:string"/>
<xs:attribute name="DisplayName" type="xs:string"/>
</xs:schema>
```

54
windows/configuration/docfx.json
View File

@ -43,8 +43,6 @@
"uhfHeaderId": "MSDocsHeader-Windows", "uhfHeaderId": "MSDocsHeader-Windows",
"ms.subservice": "itpro-configure", "ms.subservice": "itpro-configure",
"ms.service": "windows-client", "ms.service": "windows-client",
"ms.author": "paoloma",
"author": "paolomatarazzo",
"manager": "aaroncz", "manager": "aaroncz",
"feedback_system": "Standard", "feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
@ -78,16 +76,56 @@
"ue-v/**/*.*": "None" "ue-v/**/*.*": "None"
}, },
"author":{ "author":{
"wcd//**/*.md": "aczechowski", "accessibility//**/*.md": "paolomatarazzo",
"wcd//**/*.yml": "aczechowski", "accessibility//**/*.yml": "paolomatarazzo",
"assigned-access//**/*.md": "paolomatarazzo",
"assigned-access//**/*.yml": "paolomatarazzo",
"cellular//**/*.md": "paolomatarazzo",
"cellular//**/*.yml": "paolomatarazzo",
"lock-screen//**/*.md": "paolomatarazzo",
"lock-screen//**/*.yml": "paolomatarazzo",
"provisioning-packages//**/*.md": "vinaypamnani-msft",
"provisioning-packages//**/*.yml": "vinaypamnani-msft",
"shared-pc//**/*.md": "paolomatarazzo",
"shared-pc//**/*.yml": "paolomatarazzo",
"start//**/*.md": "paolomatarazzo",
"start//**/*.yml": "paolomatarazzo",
"store//**/*.md": "paolomatarazzo",
"store//**/*.yml": "paolomatarazzo",
"taskbar//**/*.md": "paolomatarazzo",
"taskbar//**/*.yml": "paolomatarazzo",
"tips//**/*.md": "paolomatarazzo",
"tips//**/*.yml": "paolomatarazzo",
"ue-v//**/*.md": "aczechowski", "ue-v//**/*.md": "aczechowski",
"ue-v//**/*.yml": "aczechowski" "ue-v//**/*.yml": "aczechowski",
"wcd//**/*.md": "vinaypamnani-msft",
"wcd//**/*.yml": "vinaypamnani-msft"
}, },
"ms.author":{ "ms.author":{
"wcd//**/*.md": "aaroncz", "accessibility//**/*.md": "paoloma",
"wcd//**/*.yml": "aaroncz", "accessibility//**/*.yml": "paoloma",
"assigned-access//**/*.md": "paoloma",
"assigned-access//**/*.yml": "paoloma",
"cellular//**/*.md": "paoloma",
"cellular//**/*.yml": "paoloma",
"lock-screen//**/*.md": "paoloma",
"lock-screen//**/*.yml": "paoloma",
"provisioning-packages//**/*.md": "vinpa",
"provisioning-packages//**/*.yml": "vinpa",
"shared-pc//**/*.md": "paoloma",
"shared-pc//**/*.yml": "paoloma",
"start//**/*.md": "paoloma",
"start//**/*.yml": "paoloma",
"store//**/*.md": "paoloma",
"store//**/*.yml": "paoloma",
"taskbar//**/*.md": "paoloma",
"taskbar//**/*.yml": "paoloma",
"tips//**/*.md": "paoloma",
"tips//**/*.yml": "paoloma",
"ue-v//**/*.md": "aaroncz", "ue-v//**/*.md": "aaroncz",
"ue-v//**/*.yml": "aaroncz" "ue-v//**/*.yml": "aaroncz",
"wcd//**/*.md": "vinpa",
"wcd//**/*.yml": "vinpa"
}, },
"ms.reviewer": { "ms.reviewer": {
"kiosk//**/*.md": "sybruckm", "kiosk//**/*.md": "sybruckm",

88
windows/configuration/images/icons/explorer.svg Normal file
View File

@ -0,0 +1,88 @@
<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
<g clip-path="url(#clip0_37_2817)">
<path d="M17.116 3H7.14404L6.4748 2.16348C6.30918 1.95645 6.09912 1.78933 5.86016 1.67448C5.62121 1.55963 5.35948 1.5 5.09436 1.5H0.89175C0.657331 1.50001 0.432516 1.59314 0.266759 1.7589C0.101002 1.92466 0.00787898 2.14948 0.007875 2.3839V3H0V15.6272C0.00147129 15.8601 0.0954272 16.083 0.261198 16.2466C0.42697 16.4103 0.650977 16.5015 0.883943 16.5H17.116C17.349 16.5015 17.573 16.4103 17.7388 16.2466C17.9046 16.0829 17.9985 15.8601 18 15.6272V3.87282C17.9985 3.63986 17.9045 3.41704 17.7388 3.25335C17.573 3.08967 17.349 2.99854 17.116 3Z" fill="url(#paint0_linear_37_2817)"/>
<mask id="mask0_37_2817" style="mask-type:alpha" maskUnits="userSpaceOnUse" x="0" y="1" width="18" height="16">
<path d="M17.116 3H7.14404L6.4748 2.16348C6.30918 1.95645 6.09912 1.78933 5.86016 1.67448C5.62121 1.55963 5.35948 1.5 5.09436 1.5H0.89175C0.657331 1.50001 0.432516 1.59314 0.266759 1.7589C0.101002 1.92466 0.00787898 2.14948 0.007875 2.3839V3H0V15.6272C0.00147129 15.8601 0.0954272 16.083 0.261198 16.2466C0.42697 16.4103 0.650977 16.5015 0.883943 16.5H17.116C17.349 16.5015 17.573 16.4103 17.7388 16.2466C17.9046 16.0829 17.9985 15.8601 18 15.6272V3.87282C17.9985 3.63986 17.9045 3.41704 17.7388 3.25335C17.573 3.08967 17.349 2.99854 17.116 3Z" fill="url(#paint1_linear_37_2817)"/>
</mask>
<g mask="url(#mask0_37_2817)">
<g filter="url(#filter0_dd_37_2817)">
<path d="M15.375 4.5H1.125C0.50368 4.5 0 5.00368 0 5.625V8.625C0 9.24632 0.50368 9.75 1.125 9.75H15.375C15.9963 9.75 16.5 9.24632 16.5 8.625V5.625C16.5 5.00368 15.9963 4.5 15.375 4.5Z" fill="#C4C4C4"/>
</g>
</g>
<path d="M7.72545 3.75004C7.43133 3.74413 7.1429 3.83149 6.9015 3.99961C6.45374 4.32633 5.91378 4.50239 5.3595 4.50238H0.883928C0.649495 4.50238 0.424665 4.59551 0.258896 4.76128C0.0931278 4.92705 0 5.15188 0 5.38631L0 16.3662C1.98897e-05 16.6006 0.0931558 16.8254 0.258922 16.9912C0.424687 17.1569 0.649506 17.25 0.883928 17.25H17.116C17.3505 17.25 17.5753 17.1569 17.7411 16.9912C17.9068 16.8254 18 16.6006 18 16.3662V4.63396C18 4.51788 17.9771 4.40294 17.9327 4.2957C17.8883 4.18845 17.8232 4.09101 17.7411 4.00893C17.659 3.92684 17.5616 3.86174 17.4543 3.81732C17.3471 3.7729 17.2321 3.75003 17.116 3.75004H7.72545Z" fill="url(#paint2_linear_37_2817)"/>
<path opacity="0.3" d="M17.1161 3.75076H7.72883C7.44177 3.74115 7.15906 3.82284 6.92137 3.98408C6.43763 4.34022 5.84803 4.52305 5.24767 4.50308H0.883943C0.767861 4.50308 0.652915 4.52594 0.54567 4.57037C0.438425 4.61479 0.340979 4.6799 0.258898 4.76199C0.176816 4.84407 0.111706 4.94152 0.0672838 5.04876C0.0228621 5.15601 -9.84791e-07 5.27095 1.27287e-10 5.38703L1.27287e-10 6.13703C-1.96976e-06 6.02095 0.0228605 5.90601 0.0672821 5.79876C0.111704 5.69152 0.176814 5.59407 0.258896 5.51199C0.340978 5.42991 0.438424 5.3648 0.54567 5.32037C0.652916 5.27595 0.767861 5.25309 0.883943 5.25309H5.37891C6.01545 5.25927 6.63978 5.07825 7.17428 4.73251C7.4098 4.57627 7.6873 4.49544 7.96988 4.50076H17.116C17.2321 4.50075 17.3471 4.5236 17.4543 4.56802C17.5616 4.61243 17.659 4.67754 17.7411 4.75962C17.8232 4.8417 17.8883 4.93914 17.9327 5.04639C17.9771 5.15363 18 5.26858 18 5.38466V4.63466C18 4.51858 17.9771 4.40364 17.9327 4.2964C17.8883 4.18916 17.8232 4.09172 17.7411 4.00964C17.6591 3.92756 17.5616 3.86246 17.4544 3.81804C17.3471 3.77362 17.2322 3.75076 17.1161 3.75076V3.75076Z" fill="url(#paint3_linear_37_2817)"/>
<mask id="mask1_37_2817" style="mask-type:alpha" maskUnits="userSpaceOnUse" x="0" y="3" width="18" height="15">
<path d="M7.72545 3.75004C7.43133 3.74413 7.1429 3.83149 6.9015 3.99961C6.45374 4.32633 5.91378 4.50239 5.3595 4.50238H0.883928C0.649495 4.50238 0.424665 4.59551 0.258896 4.76128C0.0931278 4.92705 0 5.15188 0 5.38631L0 16.3662C1.98897e-05 16.6006 0.0931558 16.8254 0.258922 16.9912C0.424687 17.1569 0.649506 17.25 0.883928 17.25H17.116C17.3505 17.25 17.5753 17.1569 17.7411 16.9912C17.9068 16.8254 18 16.6006 18 16.3662V4.63396C18 4.51788 17.9771 4.40294 17.9327 4.2957C17.8883 4.18845 17.8232 4.09101 17.7411 4.00893C17.659 3.92684 17.5616 3.86174 17.4543 3.81732C17.3471 3.7729 17.2321 3.75003 17.116 3.75004H7.72545Z" fill="url(#paint4_linear_37_2817)"/>
</mask>
<g mask="url(#mask1_37_2817)">
<g filter="url(#filter1_dd_37_2817)">
<path d="M5.25 12H12.75C13.3467 12 13.919 12.2371 14.341 12.659C14.7629 13.081 15 13.6533 15 14.25V17.25H3V14.25C3 13.6533 3.23705 13.081 3.65901 12.659C4.08097 12.2371 4.65326 12 5.25 12V12Z" fill="url(#paint5_linear_37_2817)"/>
</g>
</g>
<path d="M5.25 12H12.75C13.3467 12 13.919 12.2371 14.341 12.659C14.7629 13.081 15 13.6533 15 14.25V17.25H3V14.25C3 13.6533 3.23705 13.081 3.65901 12.659C4.08097 12.2371 4.65326 12 5.25 12V12Z" fill="url(#paint6_linear_37_2817)"/>
<path d="M12.375 14.25H5.625C5.41789 14.25 5.25 14.4179 5.25 14.625C5.25 14.8321 5.41789 15 5.625 15H12.375C12.5821 15 12.75 14.8321 12.75 14.625C12.75 14.4179 12.5821 14.25 12.375 14.25Z" fill="#114A8B"/>
</g>
<defs>
<filter id="filter0_dd_37_2817" x="-1.5" y="3" width="19.5" height="8.25" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="0.25"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.1 0"/>
<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow_37_2817"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="0.75"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.2 0"/>
<feBlend mode="normal" in2="effect1_dropShadow_37_2817" result="effect2_dropShadow_37_2817"/>
<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow_37_2817" result="shape"/>
</filter>
<filter id="filter1_dd_37_2817" x="1.5" y="10.5" width="15" height="8.25" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="0.25"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.1 0"/>
<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow_37_2817"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="0.75"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.2 0"/>
<feBlend mode="normal" in2="effect1_dropShadow_37_2817" result="effect2_dropShadow_37_2817"/>
<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow_37_2817" result="shape"/>
</filter>
<linearGradient id="paint0_linear_37_2817" x1="13.1828" y1="16.9947" x2="4.5833" y2="2.10007" gradientUnits="userSpaceOnUse">
<stop offset="0.1135" stop-color="#D18B00"/>
<stop offset="0.6162" stop-color="#E09F00"/>
</linearGradient>
<linearGradient id="paint1_linear_37_2817" x1="13.1828" y1="16.9947" x2="4.5833" y2="2.10007" gradientUnits="userSpaceOnUse">
<stop offset="0.1135" stop-color="#D18B00"/>
<stop offset="0.6162" stop-color="#E09F00"/>
</linearGradient>
<linearGradient id="paint2_linear_37_2817" x1="13.9722" y1="19.1122" x2="4.62611" y2="2.92425" gradientUnits="userSpaceOnUse">
<stop stop-color="#F5B300"/>
<stop offset="0.5" stop-color="#FFCB3C"/>
<stop offset="1" stop-color="#FFD762"/>
</linearGradient>
<linearGradient id="paint3_linear_37_2817" x1="1.27287e-10" y1="4.94352" x2="18" y2="4.94352" gradientUnits="userSpaceOnUse">
<stop stop-color="white"/>
<stop offset="1" stop-color="white" stop-opacity="0"/>
</linearGradient>
<linearGradient id="paint4_linear_37_2817" x1="13.9722" y1="19.1122" x2="4.62611" y2="2.92425" gradientUnits="userSpaceOnUse">
<stop stop-color="#F5B300"/>
<stop offset="0.5" stop-color="#FFCB3C"/>
<stop offset="1" stop-color="#FFD762"/>
</linearGradient>
<linearGradient id="paint5_linear_37_2817" x1="10.7628" y1="18.5014" x2="6.59164" y2="11.2768" gradientUnits="userSpaceOnUse">
<stop stop-color="#0062B4"/>
<stop offset="1" stop-color="#1493DF"/>
</linearGradient>
<linearGradient id="paint6_linear_37_2817" x1="10.7628" y1="18.5014" x2="6.59164" y2="11.2768" gradientUnits="userSpaceOnUse">
<stop stop-color="#0062B4"/>
<stop offset="1" stop-color="#1493DF"/>
</linearGradient>
<clipPath id="clip0_37_2817">
<rect width="18" height="18" fill="white"/>
</clipPath>
</defs>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 8.5 KiB

9
windows/configuration/images/icons/group-policy.svg Normal file
View File

@ -0,0 +1,9 @@
<svg width="17" height="18" viewBox="0 0 17 18" fill="none" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<rect width="17" height="18" fill="url(#pattern0)"/>
<defs>
<pattern id="pattern0" patternContentUnits="objectBoundingBox" width="1" height="1">
<use xlink:href="#image0_92_347" transform="matrix(0.0227273 0 0 0.0217391 -0.0454545 -0.0869565)"/>
</pattern>
<image id="image0_92_347" width="47" height="52" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAC8AAAA0CAYAAAAaNmH0AAAACXBIWXMAABYlAAAWJQFJUiTwAAAAB3RJTUUH6AEEFgALC7iL4gAABVhJREFUaAXtWb+LJEUUfruMSzde0CMbzIiBAwZusMEazV4gOMcli4IuCIoayIogmohmF8sGsoEYKfgfCCbeRWKmqaCg4WU3EwzbDQ50sze4fq+660f3dFdV98zurWDBbr+pevXe976qelVdvXV5eUlN5eLiQjTt7Ow0qTzR+u0n6n1N5/+DX5PAzt17Hj2fPju999PJe6+Os2Xqob5hlSVRukyE0TAIaPD80Zb0sOVYsPtff/Xlt5NXDsZ7LwyJYIgok32v/JnBFf+lyyl8xfCf0G9/nNPx21+IAFzM/378xoSGuxEh6KIoQVZczRNEMU3pIqEQKFNEkS3O6WD/WeXPBZ76twIAB2CnprK5ESFbhrADtklP1YwDQjCyWCH9eP97Oro7uXbgRAGmS0zxPKFk+hcl9EiAniYxiOzTwTiHbwU/OTzMWZehXuMzTjKazaeUJo8w12cIJqV4gbo/H9LRmx7g8wV6jYgNVwmmRxzHgvGgx9M2ohCPe6dnKttYmTdsXbvITB+9dgKgJ42+W4PPeNXDcG0RqbS2pbEyirAwmdkOxQEeyYoBGVrJPKbpTK94bueURo85H1eCcgUThPTS/oCiqA68sGoNyYBl1VONUdRHMoAzAYwdSMccaKT0WKiEUmrjH5wMAwTQtbQGHyDvD/B3pYWJcY0aVG7oqdI9ZZi81swn2Cg4B5dKwVK2rK8v6Zo/MP1Gz/U77yWe4DWoPNvgtwkU4IWGMdTV3yZmKQecuQY4fsiKlk9P8NrqYDdoyA5ap40UtEagrbfv2gtpHYfa9fpSa/BigzKmh4TAJ77VoqfbahvXYBRv4QFCupTW4BOc9KZzA1QBWoB/rDO7kGoD0jDDMKS9F3mT0nVtJA/wBlBY5jw/rFtiAJpW6x3gOdfpl5w2sHNdD/CaTe4itvJGprrmjbIP3zBu6CbF8MsjXheQB/Plbgk2qAwvBbx9r/BVnSb4bYPAWWvIeb7jcaM1eAbOO6zKLgZgcTWC06V3eSqkPvaNrpOtNXj7JlVZDEZgtQHBe/2CtY2XttQCfGEQNHVlSrutSn5gq708wcO41IS4cgCrWpW/vZgHFdI293P1kbbxNLsZ1c3iDBtUXGxSat6zOpyuXAc65n8gNimMZO2bVDMG2dIaPM/RfjG10ypL4qJImuZgtFwniTNSawTakn/XAki+SW141q8E6bcG/MAL434GNS9dJX9irODr4CYJpgNf3XIxGPM5iOWdjP/wPsR8D/hkuVLqvJeVrOCFqnxjKjR5k5oiAJLXHEUAwpW4/jAcGMEZtUrkGzBxkatqWHCDlupO8GwK155SnyLeEQVTHsPrAN98qtT+lOMawQHeMFIA4QxRP8w11n2rzCAdiEyTdlXTqMG+aeBK5JLfZg928Kofj8DKGVK1blRQwN3+rOBTLNYIl6o4QwKfMYU2ijY3plYQEOWvlG5/VvDEwDNOLTAks0sX4KYXxaxhqHgBZ9D5zQRYl+nYUKuKPfmJHg3bn3720S93JrfHrLQ3GuFFgW+zur3ZVx3ZfvONhPiYMH+I01Ym0meandu6iDbJyfZb77z+zScfvju+fXigO6FVDachaYXNSMw4f2tN/j4XaTmlZ5znIvYswf9zdvr5B8NdZrpprjXVrxnAEvQAvNi1scb4uJ3EYN3jg4MET7TAR6seho0x1s3LNTHauvOuzZ8oYz578NriNRAMbF1EW+kL+M8/fHw5GuqJ4uy9CQXQx6zj8hlfXPABDTYDgD9+/zv14azJjWYeGvcf/Dq78/LIHXKTtTXqObnECxDX61MaRF6WSsx79bhBSjf40snN0n8a/L87FqtbB9OY7gAAAABJRU5ErkJggg=="/>
</defs>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 2.4 KiB

9
windows/configuration/images/icons/registry.svg Normal file
View File

File diff suppressed because one or more lines are too long
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

19
windows/configuration/images/icons/rocket.svg Normal file
View File

File diff suppressed because one or more lines are too long
Side by Side

After

Width:  |  Height:  |  Size: 2.4 MiB

50
windows/configuration/index.yml
View File

@ -11,7 +11,7 @@ metadata:
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
manager: aaroncz manager: aaroncz
ms.date: 02/06/2024 ms.date: 03/04/2024
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@ -22,9 +22,9 @@ landingContent:
- linkListType: how-to-guide - linkListType: how-to-guide
links: links:
- text: Customize the Windows Start menu layout - text: Customize the Windows Start menu layout
url: start/customize-start-menu-layout-windows-11.md url: start/customize-and-export-start-layout.md
- text: Customize the Windows taskbar - text: Customize the Windows taskbar
url: taskbar/customize-taskbar-windows-11.md url: taskbar/index.md
- text: Configure Windows Spotlight on the lock screen - text: Configure Windows Spotlight on the lock screen
url: lock-screen/windows-spotlight.md url: lock-screen/windows-spotlight.md
- text: Accessibility information for IT pros - text: Accessibility information for IT pros
@ -32,29 +32,51 @@ landingContent:
- title: Configure a Windows kiosk - title: Configure a Windows kiosk
linkLists: linkLists:
- linkListType: concept
links:
- text: What is Assigned Access?
url: assigned-access/overview.md
- text: What is Shell Launcher?
url: assigned-access/shell-launcher/index.md
- linkListType: how-to-guide - linkListType: how-to-guide
links: links:
- text: Configure kiosks and digital signs - text: Configure kiosks and restricted user experiences
url: kiosk/kiosk-methods.md url: assigned-access/index.md
- text: Set up a single-app kiosk - linkListType: quickstart
url: kiosk/kiosk-single-app.md links:
- text: Set up a multi-app kiosk for Windows 11 - text: Configure a kiosk with Assigned Access
url: kiosk/lock-down-windows-11-to-specific-apps.md url: assigned-access/quickstart-kiosk.md
- text: Manage multi-user and guest devices - text: Configure a kiosk with Shell Launcher
url: shared-devices-concepts.md url: assigned-access/shell-launcher/quickstart-kiosk.md
- text: Configure a restricted user experience with Assigned Access
url: assigned-access/quickstart-restricted-user-experience.md
- linkListType: reference
links:
- text: Assigned Access XML Schema Definition (XSD)
url: assigned-access/xsd.md
- text: Shell Launcher XML Schema Definition (XSD)
url: assigned-access/shell-launcher/xsd.md
- title: Configure shared devices - title: Configure shared devices
linkLists: linkLists:
- linkListType: concept
links:
- text: Shared devices concepts
url: /windows/configuration/shared-pc/shared-devices-concepts
- linkListType: how-to-guide - linkListType: how-to-guide
links: links:
- text: Manage multi-user and guest devices - text: Configure a shared or guest Windows device
url: shared-devices-concepts.md url: /windows/configuration/shared-pc/set-up-shared-or-guest-pc
- linkListType: reference
links:
- text: Shared PC technical reference
url: /windows/configuration/shared-pc/shared-pc-technical
- title: Use provisioning packages - title: Use provisioning packages
linkLists: linkLists:
- linkListType: how-to-guide - linkListType: how-to-guide
links: links:
- text: Provisioning packages for Windows - text: Provisioning packages overview
url: provisioning-packages/provisioning-packages.md url: provisioning-packages/provisioning-packages.md
- text: Install Windows Configuration Designer - text: Install Windows Configuration Designer
url: provisioning-packages/provisioning-install-icd.md url: provisioning-packages/provisioning-install-icd.md

143
windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app.md
View File

@ -1,143 +0,0 @@
---
title: Find the Application User Model ID of an installed app
description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device.
ms.topic: article
ms.date: 12/31/2017
---
# Find the Application User Model ID of an installed app
To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. You can find the AUMID by using Windows PowerShell, File Explorer, or the registry.
## To find the AUMID by using Windows PowerShell
To get the names and AUMIDs for all apps installed for the current user, open a Windows PowerShell command prompt and enter the following command:
```powershell
Get-StartApps
```
To get the names and AUMIDs for Windows Store apps installed for another user, open a Windows PowerShell command prompt and enter the following commands:
```powershell
$installedapps = Get-AppxPackage
$aumidList = @()
foreach ($app in $installedapps)
{
foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
{
$aumidList += $app.packagefamilyname + "!" + $id
}
}
$aumidList
```
You can add the `-user <username>` or the `-allusers` parameters to the **Get-AppxPackage** cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the `-user` or -`allusers` parameters.
## To find the AUMID by using File Explorer
To get the names and AUMIDs for all apps installed for the current user, perform the following steps:
1. Open **Run**, enter **shell:Appsfolder**, and select **OK**.
1. A File Explorer window opens. Press **Alt** > **View** > **Choose details**.
1. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to change the **View** setting from **Tiles** to **Details**.)
![Image of the Choose Details options.](images/aumid-file-explorer.png)
## To find the AUMID of an installed app for the current user by using the registry
Querying the registry can only return information about Microsoft Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device.
At a command prompt, type the following command:
```cmd
reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"
```
### Example to get AUMIDs of the installed apps for the specified user
The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user.
```powershell
function listAumids( $userAccount ) {
if ($userAccount -eq "allusers")
{
# Find installed packages for all accounts. Must be run as an administrator in order to use this option.
$installedapps = Get-AppxPackage -allusers
}
elseif ($userAccount)
{
# Find installed packages for the specified account. Must be run as an administrator in order to use this option.
$installedapps = Get-AppxPackage -user $userAccount
}
else
{
# Find installed packages for the current account.
$installedapps = Get-AppxPackage
}
$aumidList = @()
foreach ($app in $installedapps)
{
foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
{
$aumidList += $app.packagefamilyname + "!" + $id
}
}
return $aumidList
}
```
The following Windows PowerShell commands demonstrate how you can call the listAumids function after you've created it.
```powershell
# Get a list of AUMIDs for the current account:
listAumids
# Get a list of AUMIDs for an account named "CustomerAccount":
listAumids("CustomerAccount")
# Get a list of AUMIDs for all accounts on the device:
listAumids("allusers")
```
### Example to get the AUMID of any application in the Start menu
The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start menu.
```powershell
function Get-AppAUMID {
param (
[string]$AppName
)
$Apps = (New-Object -ComObject Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items()
if ($AppName){
$Result = $Apps | Where-Object { $_.name -like "*$AppName*" } | Select-Object name,@{n="AUMID";e={$_.path}}
if ($Result){
Return $Result
}
else {"Unable to locate {0}" -f $AppName}
}
else {
$Result = $Apps | Select-Object name,@{n="AUMID";e={$_.path}}
Return $Result
}
}
```
The following Windows PowerShell commands demonstrate how you can call the Get-AppAUMID function after you've created it.
```powershell
# Get the AUMID for OneDrive
Get-AppAUMID -AppName OneDrive
# Get the AUMID for Microsoft Word
Get-AppAUMID -AppName Word
# List all apps and their AUMID in the Start menu
Get-AppAUMID
```

146
windows/configuration/kiosk/guidelines-for-assigned-access-app.md
View File

@ -1,146 +0,0 @@
---
title: Guidelines for choosing an app for assigned access
description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
ms.topic: article
ms.date: 12/31/2017
---
# Guidelines for choosing an app for assigned access (kiosk mode)
Use assigned access to restrict users to use only one application, so that the device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience.
The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
## General guidelines
- Windows apps must be provisioned or installed for the assigned access account before they can be selected as the assigned access app. [Learn how to provision and install apps](/windows/client-management/mdm/enterprise-app-management#install_your_apps).
- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this change happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch.
- Apps that are generated using the [Desktop App Converter (Desktop Bridge)](/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) can't be used as kiosk apps.
## Guidelines for Windows apps that launch other apps
Some apps can launch other apps. Assigned access prevents Windows apps from launching other apps.
Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality.
## Guidelines for web browsers
Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy)
In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren't allowed to go to a competitor's website.
>[!NOTE]
>Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs.
>
>Kiosk Browser can't access intranet websites.
**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education) and Windows 11.
1. [Get **Kiosk Browser** in Microsoft Store for Business with offline license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
1. [Deploy **Kiosk Browser** to kiosk devices.](/microsoft-store/distribute-offline-apps)
1. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](../provisioning-packages/provisioning-create-package.md). In Windows Configuration Designer, the settings are located in **Policies > KioskBrowser** when you select advanced provisioning for Windows desktop editions.
>[!NOTE]
>If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE).
### Kiosk Browser settings
| Kiosk Browser settings | Use this setting to |
|--|--|
| Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards. <br><br>For example, if you want people to be limited to `http://contoso.com` only, you would add `.contoso.com` to blocked URL exception list and then block all other URLs. |
| Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards. <br><br>If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. |
| Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. |
| Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL. |
| Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. |
| Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. |
| Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. |
To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer:
1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer
1. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18)
1. Insert the null character string in between each URL (e.g www.bing.com`&#xF000;`www.contoso.com)
1. Save the XML file
1. Open the project again in Windows Configuration Designer
1. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed
> [!TIP]
>
> To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](/intune/custom-settings-windows-10) with the following information:
>
> - OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton
> - Data type: Integer
> - Value: 1
#### Rules for URLs in Kiosk Browser settings
Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home).
URLs can include:
- A valid port value from 1 to 65,535.
- The path to the resource.
- Query parameters.
More guidelines for URLs:
- If a period precedes the host, the policy filters exact host matches only
- You can't use user:pass fields
- When both blocked URL and blocked URL exceptions apply with the same path length, the exception takes precedence
- The policy searches wildcards (*) last
- The optional query is a set of key-value and key-only tokens delimited by '&'
- Key-value tokens are separated by '='
- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching
### Examples of blocked URLs and exceptions
The following table describes the results for different combinations of blocked URLs and blocked URL exceptions.
| Blocked URL rule | Block URL exception rule | Result |
|--|--|--|
| `*` | `contoso.com`<br>`fabrikam.com` | All requests are blocked unless it's to contoso.com, fabrikam.com, or any of their subdomains. |
| `contoso.com` | `mail.contoso.com`<br>`.contoso.com`<br>`.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain. |
| `youtube.com` | `youtube.com/watch?v=v1`<br>`youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2). |
The following table gives examples for blocked URLs.
| Entry | Result |
|--|--|
| `contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com |
| `https://*` | Blocks all HTTPS requests to any domain. |
| `mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com |
| `.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com. |
| `.www.contoso.com` | Blocks www.contoso.com but not its subdomains. |
| `*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. |
| `*:8080` | Blocks all requests to port 8080. |
| `contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. |
| `192.168.1.2` | Blocks requests to 192.168.1.1. |
| `youtube.com/watch?v=V1` | Blocks YouTube video with id V1. |
### Other browsers
You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app:
- [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/)
- [WebView class](/uwp/api/Windows.UI.Xaml.Controls.WebView)
- [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0)
## Secure your information
Avoid selecting Windows apps that may expose the information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access.
## App configuration
Some apps may require more configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access.
Check the guidelines published by your selected app and set up accordingly.
## Develop your kiosk app
Assigned access in Windows client uses the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app.
Follow the [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access).
## Test your assigned access experience
The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you've selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience.

BIN
windows/configuration/kiosk/images/account-management-details.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 23 KiB

BIN
windows/configuration/kiosk/images/add-applications-details.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 6.8 KiB

BIN
windows/configuration/kiosk/images/add-certificates-details.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 6.8 KiB

BIN
windows/configuration/kiosk/images/apprule.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 114 KiB

BIN
windows/configuration/kiosk/images/appwarning.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 3.6 KiB

BIN
windows/configuration/kiosk/images/aumid-file-explorer.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 28 KiB

BIN
windows/configuration/kiosk/images/auto-signin.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 13 KiB

BIN
windows/configuration/kiosk/images/enable-assigned-access-log.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 48 KiB

BIN
windows/configuration/kiosk/images/finish-details.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 7.9 KiB

BIN
windows/configuration/kiosk/images/genrule.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 8.4 KiB

BIN
windows/configuration/kiosk/images/kiosk-account-details.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/configuration/kiosk/images/kiosk-common-details.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/configuration/kiosk/images/kiosk-fullscreen-sm.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 18 KiB

BIN
windows/configuration/kiosk/images/kiosk-settings.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/configuration/kiosk/images/kiosk-wizard.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 6.5 KiB

BIN
windows/configuration/kiosk/images/lockdownapps.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 6.5 KiB

BIN
windows/configuration/kiosk/images/multiappassignedaccesssettings.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 5.0 KiB

BIN
windows/configuration/kiosk/images/profile-config.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 33 KiB

BIN
windows/configuration/kiosk/images/sample-start.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 92 KiB

BIN
windows/configuration/kiosk/images/set-assignedaccess.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 6.8 KiB

BIN
windows/configuration/kiosk/images/set-up-device-details.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 40 KiB

BIN
windows/configuration/kiosk/images/set-up-network-details.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 12 KiB

BIN
windows/configuration/kiosk/images/slv2-oma-uri.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 19 KiB

BIN
windows/configuration/kiosk/images/vm-kiosk-connect.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 12 KiB

BIN
windows/configuration/kiosk/images/vm-kiosk.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 35 KiB

22
windows/configuration/kiosk/kiosk-additional-reference.md
View File

@ -1,22 +0,0 @@
---
title: More kiosk methods and reference information
description: Find more information for configuring, validating, and troubleshooting kiosk configuration.
ms.topic: reference
ms.date: 12/31/2017
---
# More kiosk methods and reference information
## In this section
| Topic | Description |
|--|--|
| [Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md) | This topic explains how to get the AUMID for an app. |
| [Validate your kiosk configuration](kiosk-validate.md) | This topic explains what to expect on a multi-app kiosk. |
| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience. |
| [Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk. |
| [Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration. |
| [Use AppLocker to create a Windows client kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a Windows client kiosk device running Enterprise or Education so that users can only run a few specific apps. |
| [Use Shell Launcher to create a Windows client kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface. |
| [Use MDM Bridge WMI Provider to create a Windows client kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. |
| [Troubleshoot kiosk mode issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) | Tips for troubleshooting multi-app kiosk configuration. |

143
windows/configuration/kiosk/kiosk-mdm-bridge.md
View File

@ -1,143 +0,0 @@
---
title: Use MDM Bridge WMI Provider to create a Windows kiosk
description: Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
ms.topic: article
ms.date: 1/26/2024
zone_pivot_groups: windows-versions-11-10
appliesto:
---
# Use MDM Bridge WMI Provider to create a Windows client kiosk
Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class. For more information about using a PowerShell script to configure AssignedAccess, see [PowerShell Scripting with WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
Here's an example to set AssignedAccess configuration:
1. [Download PsTools][PSTools]
1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
1. In the PowerShell session launched by `psexec.exe`, execute the following script:
::: zone pivot="windows-10"
```PowerShell
$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
Add-Type -AssemblyName System.Web
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%windir%\system32\mspaint.exe" />
<App DesktopAppPath="C:\Windows\System32\notepad.exe" />
</AllowedApps>
</AllAppsList>
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Group1">
<start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
</start:Group>
<start:Group Name="Group2">
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
<start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]>
</StartLayout>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>MultiAppKioskUser</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
"@)
Set-CimInstance -CimInstance $obj
```
::: zone-end
::: zone pivot="windows-11"
```PowerShell
$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
Add-Type -AssemblyName System.Web
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App DesktopAppPath="C:\Windows\system32\cmd.exe" />
<App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
</AllowedApps>
</AllAppsList>
<win11:StartPins>
<![CDATA[
{ "pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.BingWeather_8wekyb3d8bbwe!App"},
{"desktopAppLink":"C:\\Users\\MultiAppKioskUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
{"desktopAppLink":"C:\\Users\\MultiAppKioskUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk"},
{"desktopAppLink":"C:\\Users\\MultiAppKioskUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk"}
] }
]]>
</win11:StartPins>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>MultiAppKioskUser</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
"@)
Set-CimInstance -CimInstance $obj
```
::: zone-end
For more information, see [Using PowerShell scripting with the WMI Bridge Provider][WIN-1].
<!--links-->
[WIN-1]: /windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider
[PsTools]: https://download.sysinternals.com/files/PSTools.zip

76
windows/configuration/kiosk/kiosk-methods.md
View File

@ -1,76 +0,0 @@
---
title: Configure kiosks and digital signs on Windows 10/11 desktop editions
description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions.
ms.topic: article
ms.date: 12/31/2017
---
# Configure kiosks and digital signs on Windows desktop editions
Organization may want to set up special purpose devices, such as a device in the lobby that customers can use to view product catalogs, or a device displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use:
- Single-app kiosk: runs a single Universal Windows Platform (UWP) application in full screen above the lock screen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app launches automatically. If the kiosk app is closed, it will automatically restart
- Multi-app kiosk: runs one or more applications from the desktop. People using the kiosk see a customized Start menu that shows only the apps that are allowed to execute. With this approach, you can configure a locked-down experience for different account types
A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user signs in. This type of single-app kiosk doesn't run above the lock screen.
A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that affects **all** non-administrator users on the device.
Kiosk configurations are based on **Assigned Access**, a feature in Windows client that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user.
There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions.
- **Which type of app will your kiosk run?**
Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md)
- **Which type of kiosk do you need?**
If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#methods-for-a-single-app-kiosk-running-a-uwp-app) or a Windows desktop application. For a kiosk that people can sign in to with their accounts or that runs more than one app, choose a multi-app kiosk
- **Which edition of Windows client will the kiosk run?**
All of the configuration methods work for Windows client Enterprise and Education; some of the methods work for Windows Pro. Kiosk mode isn't available on Windows Home
- **Which type of user account will be the kiosk account?**
The kiosk account can be a local standard user account, a local administrator account, a domain account, or a Microsoft Entra account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method
>[!IMPORTANT]
>Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
[!INCLUDE [assigned-access-kiosk-mode](../../../includes/licensing/assigned-access-kiosk-mode.md)]
## Methods for a single-app kiosk running a UWP app
| You can use this method | For this edition | For this kiosk account type |
|--|--|--|
| [Assigned access in Settings](kiosk-single-app.md) | Pro, Ent, Edu | Local standard user |
| [Assigned access cmdlets](kiosk-single-app.md) | Pro, Ent, Edu | Local standard user |
| [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID |
| [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID |
| [Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID |
## Methods for a single-app kiosk running a Windows desktop application
| You can use this method | For this edition | For this kiosk account type |
|--|--|--|
| [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md) | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID |
| [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID |
| [Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID |
## Methods for a multi-app kiosk
| You can use this method | For this edition | For this kiosk account type |
|--|--|--|
| [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID |
| [Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Microsoft Entra ID |
| [MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID |
## Summary of kiosk configuration methods
| Method | App type | Account type | Single-app kiosk | Multi-app kiosk |
|--|--|--|:-:|:-:|
| [Assigned access in Settings](kiosk-single-app.md) | UWP | Local account | ✅ |
| [Assigned access cmdlets](kiosk-single-app.md) | UWP | Local account | ✅ |
| [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ |
| [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ | ✅ |
| Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Microsoft Entra ID | ✅ | ✅ |
| [Shell Launcher](kiosk-shelllauncher.md) | Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ |
| [MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | | ✅ |
>[!NOTE]
>For devices running Windows client Enterprise and Education, you can also use [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) or [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps.

98
windows/configuration/kiosk/kiosk-policies.md
View File

@ -1,98 +0,0 @@
---
title: Policies enforced on kiosk devices
description: Learn about the policies enforced on a device when you configure it as a kiosk.
ms.topic: article
ms.date: 12/31/2017
---
# Policies enforced on kiosk devices
It isn't recommended to set policies enforced in assigned access kiosk mode to different values using other channels, as the kiosk mode has been optimized to provide a locked-down experience.
When the assigned access kiosk configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device.
## Group Policy
The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. These users include local users, domain users, and Microsoft Entra users.
| Setting | Value |
|--|--|
| Remove access to the context menus for the task bar | Enabled |
| Clear history of recently opened documents on exit | Enabled |
| Prevent users from customizing their Start Screen | Enabled |
| Prevent users from uninstalling applications from Start | Enabled |
| Remove Run menu from Start Menu | Enabled |
| Disable showing balloon notifications as toast | Enabled |
| Do not allow pinning items in Jump Lists | Enabled |
| Do not allow pinning programs to the Taskbar | Enabled |
| Do not display or track items in Jump Lists from remote locations | Enabled |
| Remove Notifications and Action Center | Enabled |
| Lock all taskbar settings | Enabled |
| Lock the Taskbar | Enabled |
| Prevent users from adding or removing toolbars | Enabled |
| Prevent users from resizing the taskbar | Enabled |
| Remove frequent programs list from the Start Menu | Enabled |
| Remove Pinned programs from the taskbar | Enabled |
| Remove the Security and Maintenance icon | Enabled |
| Turn off all balloon notifications | Enabled |
| Turn off feature advertisement balloon notifications | Enabled |
| Turn off toast notifications | Enabled |
| Remove Task Manager | Enabled |
| Remove Change Password option in Security Options UI | Enabled |
| Remove Sign Out option in Security Options UI | Enabled |
| Remove All Programs list from the Start Menu | Enabled - Remove and disable setting |
| Prevent access to drives from My Computer | Enabled - Restrict all drives |
>[!NOTE]
>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
## MDM policy
Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (that is, system-wide impact).
| Setting | Value | System-wide |
|--|--|--|
| [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes |
| [Start/AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| Start/HidePeopleBar | 1 - True (hide) | No |
| [Start/HideChangeAccountSettings](/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes |
| [WindowsInkWorkspace/AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes |
| [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No |
| [WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | &lt;Enabled/&gt; | Yes |
<!--
## Start Menu
Remove access to the context menus for the task bar
Clear history of recently opened documents on exit
Prevent users from customizing their Start Screen
Prevent users from uninstalling applications from Start
Remove All Programs list from the Start menu
Remove Run menu from Start Menu
## Desktop
Hide and disable all items on the desktop
## Task bar
Disable showing balloon notificationss as toast
Do not allow pinning items in Jump Lists
Do not allow pinning programs to the Taskbar
Do not display or track items in Jump Lists from remote locations
Remove Notification Center
Remove Control Center
Lock all taskbar settings
Lock the Taskbar
Prevent users from adding or removing toolbars
Prevent users from moving taskbar to another screen dock location
Prevent users from rearranging toolbars
Prevent users from resizing the taskbar
Remove frequent programs list from the Start Menu
Remove the Security and Maintenance icon
Turn off all balloon notifications
Turn off feature advertisement balloon notifications
Hide the Task View button
-->

286
windows/configuration/kiosk/kiosk-prepare.md
View File

@ -1,286 +0,0 @@
---
title: Prepare a device for kiosk configuration on Windows 10/11 | Microsoft Docs
description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes.
ms.topic: article
ms.date: 12/31/2017
---
# Prepare a device for kiosk configuration
## Before you begin
- [User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode.
- Kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that's set up as a kiosk.
- For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with the least privileges, such as a local standard user account.
Assigned access can be configured using Windows Management Instrumentation (WMI) or configuration service provider (CSP). Assigned access runs an application using a domain user or service account, not a local account. Using a domain user or service accounts has risks, and might allow an attacker to gain access to domain resources that are accessible to any domain account. When using domain accounts with assigned access, proceed with caution. Consider the domain resources potentially exposed by using a domain account.
- MDM providers, such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), use the configuration service providers (CSP) exposed by the Windows OS to manage settings on devices. In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
- [Endpoint Management at Microsoft](/mem/endpoint-manager-getting-started)
- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
- [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
## Configuration recommendations
For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
- **Hide update notifications**. Starting with Windows 10 version 1809, you can hide notifications from showing on the devices. To enable this feature, you have the following options:
- **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Display options for update notifications`
- **Use an MDM provider**: This feature uses the [Update/UpdateNotificationLevel CSP](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel). In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
- **Use the registry**:
1. Open Registry Editor (regedit).
1. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`.
1. Create a **New** > **DWORD (32-bit) Value**. Enter `SetUpdateNotificationLevel`, and set its value to `1`.
1. Create a **New** > **DWORD (32-bit) Value**. Enter `UpdateNotificationLevel`. For value, you can enter:
- `1`: Hides all notifications except restart warnings.
- `2`: Hides all notifications, including restart warnings.
- **Enable and schedule automatic updates**. To enable this feature, you have the following options:
- **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates`. Select `4 - Auto download and schedule the install`.
- **Use an MDM provider**: This feature uses the [Update/AllowAutoUpdate CSP](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Select `3 - Auto install and restart at a specified time`. In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
You can also schedule automatic updates, including **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**. Installations can take between 30 minutes and 2 hours, depending on the device. Schedule updates to occur when a block of 3-4 hours is available.
- **Enable automatic restart at the scheduled time**. To enable this feature, you have the following options:
- **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Always automatically restart at the scheduled time`. Select `4 - Auto download and schedule the install`.
- **Use an MDM provider**: This feature uses the [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) and [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) CSPs. In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
- **Replace "blue screen" with blank screen for OS errors**. To enable this feature, use the Registry Editor:
1. Open Registry Editor (regedit).
1. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl`.
1. Create a **New** > **DWORD (32-bit) Value**. Enter `DisplayDisabled`, and set its value to `1`.
- **Put device in "Tablet mode"**. If you want users to use the touch screen, without using a keyboard or mouse, then turn on tablet mode using the Settings app. If users won't interact with the kiosk, such as for a digital sign, then don't turn on this setting.
Applies to Windows 10 only. Currently, Tablet mode isn't supported on Windows 11.
Your options:
- Use the **Settings** app:
1. Open the **Settings** app.
1. Go to **System** > **Tablet mode**.
1. Configure the settings you want.
- Use the **Action Center**:
1. On your device, swipe in from the left.
1. Select **Tablet mode**.
- **Hide "Ease of access" feature on the sign-in screen**: To enable this feature, you have the following options:
- **Use an MDM provider**: In Intune, you can use the [Control Panel and Settings](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings) to manage this feature.
- **Use the registry**: For more information, see [how to disable the Ease of Access button in the registry](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen).
- **Disable the hardware power button**: To enable this feature, you have the following options:
- **Use the Settings app**:
1. Open the **Settings** app.
1. Go to **System** > **Power & Sleep** > **Additional power settings** > **Choose what the power button does**.
1. Select **Do nothing**.
1. **Save changes**.
- **Use Group Policy**: Your options:
- `Computer Configuration\Administrative Templates\System\Power Management\Button Settings`: Set `Select Power Button Action on Battery` and `Select Power Button Action on Plugged In` to **Take no action**.
- `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them.
- `Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system`: Remove the users or groups from this policy.
To prevent this policy from affecting a member of the Administrators group, be sure to keep the Administrators group.
- **Use an MDM provider**: In Intune, you have some options:
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
- `Power\Select Power Button Action on Battery`: Set to **Take no action**.
- `Power\Select Power Button Action on Plugged In`: Set to **Take no action**.
- `Start\Hide Power Button`: Set to **Enabled**. This policy hides the button, but doesn't disable it.
- [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following setting:
- `\Start menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them.
When looking at settings, check the supported OS for each setting to make sure it applies.
- [Start settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#start): This option shows this setting, and all the Start menu settings you can manage.
- **Remove the power button from the sign-in screen**. To enable this feature, you have the following options:
- **Use Group Policy**: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on`. Select **Disabled**.
- **Use MDM**: In Intune, you have the following option:
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting:
- `Local Policies Security Options\Shutdown Allow System To Be Shut Down Without Having To Log On`: Set to **Disabled**.
- **Disable the camera**: To enable this feature, you have the following options:
- **Use the Settings app**:
1. Open the **Settings** app.
1. Go to **Privacy** > **Camera**.
1. Select **Allow apps use my camera** > **Off**.
- **Use Group Policy**: `Computer Configuration\Administrative Templates\Windows Components\Camera: Allow use of camera`: Select **Disabled**.
- **Use an MDM provider**: This feature uses the [Policy CSP - Camera](/windows/client-management/mdm/policy-csp-camera). In Intune, you have the following options:
- [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): This option shows this setting, and more settings you can manage.
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting:
- `Camera\Allow camera`: Set to **Not allowed**.
- **Turn off app notifications on the lock screen**: To enable this feature, you have the following options:
- **Use the Settings app**:
1. Open the **Settings** app.
1. Go to **System** > **Notifications & actions**.
1. In **Show notifications on the lock screen**, select **Off**.
- **Use Group policy**:
- `Computer Configuration\Administrative Templates\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
- `User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
- **Use an MDM provider**: This feature uses the [AboveLock/AllowToasts CSP](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts). In Intune, you have the following options:
- [Locked screen experience device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience): See this setting, and more settings you can manage.
- [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings:
- `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
- `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
When looking at settings, check the supported OS for each setting to make sure it applies.
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
- `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
- `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
- **Disable removable media**: To enable this feature, you have the following options:
- **Use Group policy**: `Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions`. Review the available settings that apply to your situation.
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
- **Use an MDM provider**: In Intune, you have the following options:
- [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): See the **Removable storage** setting, and more settings you can manage.
- [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings:
- `\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`.
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
When looking at settings, check the supported OS for each setting to make sure it applies.
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
- `\Administrative Templates\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`.
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
## Enable logging
Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
:::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot.":::
## Automatic logon
You may also want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, from an update or power outage, you can sign in the assigned access account manually. Or, you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device don't prevent automatic sign in.
> [!NOTE]
> If you are using a Windows client device restriction CSP to set "Preferred Microsoft Entra tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile.
> [!TIP]
> If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML.
How to edit the registry to have an account sign in automatically:
1. Open Registry Editor (regedit.exe).
> [!NOTE]
> If you are not familiar with Registry Editor, [learn how to modify the Windows registry](/troubleshoot/windows-server/performance/windows-registry-advanced-users).
1. Go to
**HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon**
1. Set the values for the following keys.
- *AutoAdminLogon*: set value as **1**.
- *DefaultUserName*: set value as the account that you want signed in.
- *DefaultPassword*: set value as the password for the account.
> [!NOTE]
> If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**.
- *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, don't add this key.
1. Close Registry Editor. The next time the computer restarts, the account will sign in automatically.
> [!TIP]
> You can also configure automatic sign-in [using the Autologon tool from Sysinternals](/sysinternals/downloads/autologon).
> [!NOTE]
> If you are also using [Custom Logon](/windows-hardware/customize/enterprise/custom-logon) with **HideAutoLogonUI** enabled, you might experience a black screen after a password expires. We recommend that you consider [setting the password to never expire](/windows-hardware/customize/enterprise/troubleshooting-custom-logon#the-device-displays-a-black-screen-when-a-password-expiration-screen-is-displayed).
## Interactions and interoperability
The following table describes some features that have interoperability issues we recommend that you consider when running assigned access.
- **Accessibility**: Assigned access doesn't change Ease of Access settings. We recommend that you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features:
| Key combination | Blocked behavior |
| --- | --- |
| Left Alt + Left Shift + Print Screen | Open High Contrast dialog box. |
| Left Alt + Left Shift + Num Lock | Open Mouse Keys dialog box. |
| Windows logo key + U | Open Ease of Access Center. |
- **Assigned access Windows PowerShell cmdlets**: In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](/powershell/module/assignedaccess/)
- **Key sequences blocked by assigned access**: When in assigned access, some key combinations are blocked for assigned access users.
<kbd>Alt</kbd> + <kbd>F4</kbd>, <kbd>Alt</kbd> + <kbd>Shift</kbd> + <kbd>Tab</kbd>, <kbd>Alt</kbd> + <kbd>Tab</kbd> aren't blocked by Assigned Access, it's recommended you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations.
Ctrl + Alt + Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](/windows-hardware/customize/enterprise/wekf-settings).
| Key combination | Blocked behavior for assigned access users |
| --- | --- |
| <kbd>Alt</kbd> + <kbd>Esc</kbd> | Cycle through items in the reverse order from which they were opened. |
| <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Esc</kbd> | Cycle through items in the reverse order from which they were opened. |
| <kbd>Ctrl</kbd> + <kbd>Esc</kbd> | Open the Start screen. |
| <kbd>Ctrl</kbd> + <kbd>F4</kbd> | Close the window. |
| <kbd>Ctrl</kbd> + <kbd>Shift</kbd + <kbd>Esc</kbd> | Open Task Manager. |
| <kbd>Ctrl</kbd> + <kbd>Tab</kbd> | Switch windows within the application currently open. |
| LaunchApp1 | Open the app that is assigned to this key. |
| LaunchApp2 | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator. |
| LaunchMail | Open the default mail client. |
| Windows logo key | Open the Start screen. |
Keyboard Filter settings apply to other standard accounts.
- **Key sequences blocked by [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)**: If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter).
[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education.
- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user can't turn off the device when it's in assigned access.
For more information on removing the power button or disabling the physical power button, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon).
- **Unified Write Filter (UWF)**: UWFsettings apply to all users, including users with assigned access.
For more information, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter).
- **WEDL_AssignedAccess class**: You can use this class to configure and manage basic lockdown features for assigned access. It's recommended to you use the Windows PowerShell cmdlets instead.
If you need to use assigned access API, see [WEDL_AssignedAccess](/windows-hardware/customize/enterprise/wedl-assignedaccess).
- **Welcome Screen**: Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own.
For more information, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon).
## Testing your kiosk in a virtual machine (VM)
Customers sometimes use virtual machines (VMs) to test configurations before deploying those configurations to physical devices. If you use a VM to test your single-app kiosk configuration, you need to know how to connect to the VM properly.
A single-app kiosk configuration runs an app above the lock screen. It doesn't work when it's accessed remotely, which includes *enhanced* sessions in Hyper-V.
When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** isn't selected in the **View** menu; that means it's a basic session.
:::image type="content" source="images/vm-kiosk.png" alt-text="Use a basic session to connect a virtual machine. In the View menu, Extended session isn't selected, which means basic is used.":::
To connect to a VM in a basic session, don't select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog:
:::image type="content" source="images/vm-kiosk-connect.png" alt-text="Don't select the connect button. Use the close X in the top corner to connect to a VM in basic session.":::

273
windows/configuration/kiosk/kiosk-shelllauncher.md
View File

@ -1,273 +0,0 @@
---
title: Use Shell Launcher to create a kiosk experience
description: Learn how to configure Shell Launcher to change the default Windows shell when a user signs in to a device.
ms.topic: how-to
ms.date: 12/31/2017
---
# Use Shell Launcher to create a Windows client kiosk
Shell Launcher is a Windows feature that executes an application as the user interface, replacing the default Windows Explorer (`explorer.exe`).
>[!NOTE]
>Shell Launcher controls which application the user sees as the shell after sign-in. It doesn't prevent the user from accessing other desktop applications and system components.
>
>Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher. These methods include, but are not limited to:
>- [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250) - example: Prevent access to registry editing tools
>- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies
>- [Mobile Device Management](/windows/client-management/mdm) - Enterprise management of device security policies
You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). Starting with Windows 10 version 1803+, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher.
Shell Launcher replaces `explorer.exe` with `customshellhost.exe`. This executable file can launch a Windows desktop application or a UWP app.
In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers additional enhancements:
- You can use a custom Windows desktop application that can then launch UWP apps, such as **Settings** and **Touch Keyboard**.
- From a custom UWP shell, you can launch secondary views and run on multiple monitors.
- The custom shell app runs in full screen, and can run other apps in full screen on user's demand.
For sample XML configurations for the different app combinations, see [Samples for Shell Launcher v2](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2).
## Requirements
>[!WARNING]
>
>- Windows 10 doesn't support setting a custom shell prior to OOBE. If you do, you won't be able to deploy the resulting image.
>- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell.
- A domain, Microsoft Entra ID, or local user account.
- A Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.
[See the technical reference for the shell launcher component.](/windows-hardware/customize/enterprise/shell-launcher)
## Enable Shell Launcher feature
To set a custom shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell or MDM.
**To turn on Shell Launcher in Windows features**
1. Go to Control Panel &gt; **Programs and features** &gt; **Turn Windows features on or off**.
1. Expand **Device Lockdown**.
1. Select **Shell Launcher** and **OK**.
Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or you can use the Deployment Image Servicing and Management (DISM.exe) tool.
**To turn on Shell Launcher using DISM**
1. Open a command prompt as an administrator.
1. Enter the following command.
```
Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher
```
## Configure a custom shell in MDM
You can use XML and a [custom OMA-URI setting](#custom-oma-uri-setting) to configure Shell Launcher in MDM.
### XML for Shell Launcher configuration
The following XML sample works for **Shell Launcher v1**:
```xml
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration">
<Profiles>
<Profile ID="{24A7309204F3F-44CC-8375-53F13FE213F7}">
<Shell Shell="%ProgramFiles%\Internet Explorer\iexplore.exe -k www.bing.com" />
</Profile>
</Profiles>
<Configs>
<!--local account-->
<Account Name="ShellLauncherUser"/>
<Profile ID="{24A7309204F3F-44CC-8375-53F13FE213F7}"/>
</Configs>
</ShellLauncherConfiguration>
```
For **Shell Launcher v2**, you can use UWP app type for `Shell` by specifying the v2 namespace, and use `v2:AppType` to specify the type, as shown in the following example. If `v2:AppType` isn't specified, it implies the shell is Win32 app.
```xml
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:v2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Profiles>
<DefaultProfile>
<Shell Shell="ShellLauncherV2DemoUwp_5d7tap497jwe8!App" v2:AppType="UWP" v2:AllAppsFullScreen="true">
<DefaultAction Action="RestartShell"/>
</Shell>
</DefaultProfile>
</Profiles>
<Configs/>
</ShellLauncherConfiguration>
```
>[!TIP]
>In the XML for Shell Launcher v2, note the **AllAppsFullScreen** attribute. When set to **True**, Shell Launcher will run every app in full screen, or maximized for desktop apps. When this attribute is set to **False** or not set, only the custom shell app runs in full screen; other apps launched by the user will run in windowed mode.
[Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2)
### Custom OMA-URI setting
In your MDM service, you can create a [custom OMA-URI setting](/intune/custom-settings-windows-10) to configure Shell Launcher v1 or v1. (The [XML](#xml-for-shell-launcher-configuration) that you use for your setting determines whether you apply Shell Launcher v1 or v2.)
The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`.
For the value, you can select data type `String` and paste the desired configuration file content into the value box. If you wish to upload the xml instead of pasting the content, choose data type `String (XML file)`.
![Screenshot of custom OMA-URI settings.](images/slv2-oma-uri.png)
After you configure the profile containing the custom Shell Launcher setting, select **All Devices** or selected groups of devices to apply the profile to. Don't assign the profile to users or user groups.
## Configure a custom shell using PowerShell
For scripts for Shell Launcher v2, see [Shell Launcher v2 Bridge WMI sample scripts](https://github.com/Microsoft/Windows-iotcore-samples/blob/develop/Samples/ShellLauncherV2/SampleBridgeWmiScripts/README.md).
For Shell Launcher v1, modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you'll want to change the script for your purposes. Save your script with the extension.ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
```powershell
# Check if shell launcher license is enabled
function Check-ShellLauncherLicenseEnabled
{
[string]$source = @"
using System;
using System.Runtime.InteropServices;
static class CheckShellLauncherLicense
{
const int S_OK = 0;
public static bool IsShellLauncherLicenseEnabled()
{
int enabled = 0;
if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
enabled = 0;
}
return (enabled != 0);
}
static class NativeMethods
{
[DllImport("Slc.dll")]
internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
}
}
"@
$type = Add-Type -TypeDefinition $source -PassThru
return $type[0]::IsShellLauncherLicenseEnabled()
}
[bool]$result = $false
$result = Check-ShellLauncherLicenseEnabled
"`nShell Launcher license enabled is set to " + $result
if (-not($result))
{
"`nThis device doesn't have required license to use Shell Launcher"
exit
}
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods.
try {
$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
} catch [Exception] {
write-host $_.Exception.Message;
write-host "Make sure Shell Launcher feature is enabled"
exit
}
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
$Admins_SID = "S-1-5-32-544"
# Create a function to retrieve the SID for a user account on a machine.
function Get-UsernameSID($AccountName) {
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
return $NTUserSID.Value
}
# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
$Cashier_SID = Get-UsernameSID("Cashier")
# Define actions to take when the shell program exits.
$restart_shell = 0
$restart_device = 1
$shutdown_device = 2
# Examples. You can change these examples to use the program that you want to use as the shell.
# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
# Display the default shell to verify that it was added correctly.
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
# Set Explorer as the shell for administrators.
$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
# View all the custom shells defined.
"`nCurrent settings for custom shells:"
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
# Enable Shell Launcher
$ShellLauncherClass.SetEnabled($TRUE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
# Remove the new custom shells.
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
# Disable Shell Launcher
$ShellLauncherClass.SetEnabled($FALSE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
```
## default action, custom action, exit code
Shell launcher defines four actions to handle app exits, you can customize shell launcher and use these actions based on different exit code.
| Value | Description |
|--|--|
| 0 | Restart the shell |
| 1 | Restart the device |
| 2 | Shut down the device |
| 3 | Do nothing |
These actions can be used as default action, or can be mapped to a specific exit code. Refer to [Shell Launcher](/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to see how these codes with Shell Launcher WMI.
To configure these actions with Shell Launcher CSP, use below syntax in the shell launcher configuration xml. You can specify at most four custom actions mapping to four exit codes, and one default action for all other exit codes. When app exits and if the exit code is not found in the custom action mapping, or there is no default action defined, it will be no-op, i.e. nothing happens. So it's recommended to at least define DefaultAction. [Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2)
``` xml
<ReturnCodeActions>
<ReturnCodeAction ReturnCode="0" Action="RestartShell"/>
<ReturnCodeAction ReturnCode="-1" Action="RestartDevice"/>
<ReturnCodeAction ReturnCode="255" Action="ShutdownDevice"/>
<ReturnCodeAction ReturnCode="1" Action="DoNothing"/>
</ReturnCodeActions>
<DefaultAction Action="RestartDevice"/>
```

Some files were not shown because too many files have changed in this diff Show More