Merge remote-tracking branch 'refs/remotes/origin/jd5kiosk' into rs5

2025-05-15 14:57:23 +00:00 · 2018-08-13 13:17:05 -07:00 · 2018-08-13 13:17:05 -07:00 · ddabc24f86
commit ddabc24f86
parent 64efb3f40b e9ea8061db
2 changed files with 268 additions and 137 deletions
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@ -24,11 +24,14 @@ ms.topic: article
 ## Full XML sample
 >[!NOTE]
->Updated for Windows 10, version 1803. 
+>Updated for Windows 10, version 1809. 
 ```xml
 <?xml version="1.0" encoding="utf-8" ?>
-<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
+<AssignedAccessConfiguration 
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
    >
    <Profiles>
        <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
            <AllAppsList>
@ -44,6 +47,9 @@ ms.topic: article
                    <App DesktopAppPath="%SystemDrive%\LOB\MyLOB.exe" />
                </AllowedApps>
            </AllAppsList>
            <rs5:FileExplorerNamespaceRestrictions>
                <rs5:AllowedNamespace Name="Downloads"/>
            </rs5:FileExplorerNamespaceRestrictions>
            <StartLayout>
                <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
                      <LayoutOptions StartTileGroupCellWidth="6" />
@ -80,7 +86,7 @@ ms.topic: article
                    <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!F12" />
                    <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
                    <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!PdfReader" />
-                    <App DesktopAppPath="%SystemRoot%\system32\notepad.exe" />
+                    <App DesktopAppPath="%SystemRoot%\system32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="123.txt"/>
                </AllowedApps>
            </AllAppsList>
            <StartLayout>
@ -117,7 +123,7 @@ ms.topic: article
            <DefaultProfile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}"/>
        </Config>
        <Config>
-            <AutoLogonAccount />
+            <AutoLogonAccount rs5:DisplayName="Hello World"/>
            <DefaultProfile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}"/>
        </Config>
        <Config>
@ -134,7 +140,6 @@ ms.topic: article
        </Config>
    </Configs>
 </AssignedAccessConfiguration>
 ```
 ## Kiosk only sample XML
@ -142,6 +147,7 @@ ms.topic: article
 <?xml version="1.0" encoding="utf-8" ?>
 <AssignedAccessConfiguration
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
    >
    <Profiles>
        <Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}">
@ -161,7 +167,7 @@ ms.topic: article
 ## XSD for AssignedAccess configuration XML
 >[!NOTE]
->Updated for Windows 10, version 1803.
+>Updated for Windows 10, version 1800.
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
@ -170,136 +176,206 @@ ms.topic: article
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
    targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config"
    >
-    <xs:complexType name="profile_list_t">
+  <xs:import namespace="http://schemas.microsoft.com/AssignedAccess/201810/config"/>
-        <xs:sequence minOccurs="1" >
+
-            <xs:element name="Profile" type="profile_t" minOccurs="1" maxOccurs="unbounded"/>
+  <xs:complexType name="profile_list_t">
-        </xs:sequence>
+    <xs:sequence minOccurs="1" >
      <xs:element name="Profile" type="profile_t" minOccurs="1" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="kioskmodeapp_t">
    <xs:attribute name="AppUserModelId" type="xs:string"/>
  </xs:complexType>
  <xs:complexType name="profile_t">
    <xs:choice>
      <xs:sequence minOccurs="1" maxOccurs="1">
        <xs:element name="AllAppsList" type="allappslist_t" minOccurs="1" maxOccurs="1"/>
        <xs:element ref="rs5:FileExplorerNamespaceRestrictions" minOccurs="0" maxOccurs="1"/>
        <xs:element name="StartLayout" type="xs:string" minOccurs="1" maxOccurs="1"/>
        <xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/>
      </xs:sequence>
      <xs:element name="KioskModeApp" type="kioskmodeapp_t" minOccurs="1" maxOccurs="1"/>
    </xs:choice>
    <xs:attribute name="Id" type="guid_t" use="required"/>
    <xs:attribute name="Name" type="xs:string" use="optional"/>
  </xs:complexType>
  <xs:complexType name="allappslist_t">
    <xs:sequence minOccurs="1" >
      <xs:element name="AllowedApps" type="allowedapps_t" minOccurs="1" maxOccurs="1">
        <xs:unique name="ForbidDupApps">
          <xs:selector xpath="default:App"/>
          <xs:field xpath="@AppUserModelId|@DesktopAppPath"/>
        </xs:unique>
        <xs:unique name="OnlyOneAppCanHaveAutoLaunch">
          <xs:selector xpath="default:App"/>
          <xs:field xpath="@rs5:AutoLaunch"/>
        </xs:unique>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="allowedapps_t">
    <xs:sequence minOccurs="1" maxOccurs="1">
      <xs:element name="App" type="app_t" minOccurs="1" maxOccurs="unbounded">
        <xs:key name="mutexAumidOrDesktopApp">
          <xs:selector xpath="."/>
          <xs:field xpath="@AppUserModelId|@DesktopAppPath"/>
        </xs:key>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="app_t">
    <xs:attribute name="AppUserModelId" type="xs:string"/>
    <xs:attribute name="DesktopAppPath" type="xs:string"/>
    <xs:attributeGroup ref="autoLaunch_attributeGroup"/>
  </xs:complexType>
  <xs:attributeGroup name="autoLaunch_attributeGroup">
    <xs:attribute ref="rs5:AutoLaunch"/>
    <xs:attribute ref="rs5:AutoLaunchArguments" use="optional"/>
  </xs:attributeGroup>
  <xs:complexType name="taskbar_t">
    <xs:attribute name="ShowTaskbar" type="xs:boolean" use="required"/>
  </xs:complexType>
  <xs:complexType name="profileId_t">
    <xs:attribute name="Id" type="guid_t" use="required"/>
  </xs:complexType>
  <xs:simpleType name="guid_t">
    <xs:restriction base="xs:string">
      <xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:complexType name="config_list_t">
    <xs:sequence minOccurs="1" >
      <xs:element name="Config" type="config_t" minOccurs="1" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="config_t">
    <xs:sequence minOccurs="1" maxOccurs="1">
      <xs:choice>
        <xs:element name="Account" type="xs:string" minOccurs="1" maxOccurs="1"/>
        <xs:element name="AutoLogonAccount" type="autologon_account_t" minOccurs="1" maxOccurs="1"/>
        <xs:element name="UserGroup" type="group_t" minOccurs="1" maxOccurs="1"/>
        <xs:element name="SpecialGroup" type="specialGroup_t" minOccurs="1" maxOccurs="1" />
      </xs:choice>
      <xs:element name="DefaultProfile" type="profileId_t" minOccurs="1" maxOccurs="1"/>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="autologon_account_t">
    <xs:attribute name="HiddenId" type="guid_t" fixed="{74331115-F68A-4DF9-8D2C-52BA2CE2ADB1}"/>
    <xs:attribute ref="rs5:DisplayName" use="optional" />
  </xs:complexType>
  <xs:complexType name="group_t">
    <xs:attribute name="Name" type="xs:string" use="required"/>
    <xs:attribute name="Type" type="groupType_t" use="required"/>
  </xs:complexType>
  <xs:complexType name="specialGroup_t">
    <xs:attribute name="Name" type="specialGroupType_t" use="required"/>
  </xs:complexType>
  <xs:simpleType name="groupType_t">
    <xs:restriction base="xs:string">
      <xs:enumeration value="LocalGroup"/>
      <xs:enumeration value="ActiveDirectoryGroup"/>
      <xs:enumeration value="AzureActiveDirectoryGroup"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="specialGroupType_t">
    <xs:restriction base="xs:string">
      <xs:enumeration value="Visitor"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:complexType name="fileExplorerNamespaceRestrictions_t">
    <xs:sequence minOccurs="1">
      <xs:element name="AllowedNamespace" type="allowedFileExplorerNamespace_t"/>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="allowedFileExplorerNamespace_t">
    <xs:attribute name="Name" type="allowedFileExplorerNamespaceValues_t"/>
  </xs:complexType>
  <xs:simpleType name="allowedFileExplorerNamespaceValues_t">
    <xs:restriction base="xs:string">
      <xs:enumeration value="Downloads"/>
    </xs:restriction>
  </xs:simpleType>
  <!--below is the definition of the config xml content-->
  <xs:element name="AssignedAccessConfiguration">
    <xs:complexType>
      <xs:all minOccurs="1">
        <xs:element name="Profiles" type="profile_list_t">
          <xs:unique name="duplicateRolesForbidden">
            <xs:selector xpath="default:Profile"/>
            <xs:field xpath="@Id"/>
          </xs:unique>
        </xs:element>
        <xs:element name="Configs" type="config_list_t">
          <xs:unique name="duplicateAutoLogonAccountForbidden">
            <xs:selector xpath=".//default:AutoLogonAccount"/>
            <xs:field xpath="@HiddenId"/>
          </xs:unique>
        </xs:element>
      </xs:all>
    </xs:complexType>
-    
+  </xs:element>
-    <xs:complexType name="kioskmodeapp_t">
+</xs:schema>
-        <xs:attribute name="AppUserModelId" type="xs:string"/>
+```
-    </xs:complexType>
+
-
+## XSD schema for new elements in Windows 10, version 1809
-    <xs:complexType name="profile_t">
+
-        <xs:choice>
+```xml
-            <xs:sequence minOccurs="1" maxOccurs="1">
+<?xml version="1.0" encoding="utf-8"?>
-                <xs:element name="AllAppsList" type="allappslist_t" minOccurs="1" maxOccurs="1"/>
+<xs:schema
-                <xs:element name="StartLayout" type="xs:string" minOccurs="1" maxOccurs="1"/>
+    elementFormDefault="qualified"
-                <xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/>
+    xmlns:xs="http://www.w3.org/2001/XMLSchema"
-            </xs:sequence>
+    xmlns="http://schemas.microsoft.com/AssignedAccess/201810/config"
-            <xs:element name="KioskModeApp" type="kioskmodeapp_t" minOccurs="1" maxOccurs="1"/>
+    xmlns:default="http://schemas.microsoft.com/AssignedAccess/201810/config"
-        </xs:choice>
+    targetNamespace="http://schemas.microsoft.com/AssignedAccess/201810/config"
-        <xs:attribute name="Id" type="guid_t" use="required"/>
+    >
-        <xs:attribute name="Name" type="xs:string" use="optional"/>
+
-    </xs:complexType>
+  <xs:complexType name="fileExplorerNamespaceRestrictions_t">
-
+    <xs:sequence minOccurs="1">
-    <xs:complexType name="allappslist_t">
+      <xs:element name="AllowedNamespace" type="allowedFileExplorerNamespace_t"/>
-        <xs:sequence minOccurs="1" >
+    </xs:sequence>
-            <xs:element name="AllowedApps" type="allowedapps_t" minOccurs="1" maxOccurs="1">
+  </xs:complexType>
-                <xs:unique name="ForbidDupApps">
+
-                    <xs:selector xpath="default:App"/>
+  <xs:complexType name="allowedFileExplorerNamespace_t">
-                    <xs:field xpath="@AppUserModelId|@DesktopAppPath"/>
+    <xs:attribute name="Name" type="allowedFileExplorerNamespaceValues_t"/>
-                </xs:unique>
+  </xs:complexType>
-            </xs:element>
+
-        </xs:sequence>
+  <xs:simpleType name="allowedFileExplorerNamespaceValues_t">
-    </xs:complexType>
+    <xs:restriction base="xs:string">
-
+      <xs:enumeration value="Downloads"/>
-    <xs:complexType name="allowedapps_t">
+    </xs:restriction>
-        <xs:sequence minOccurs="1" maxOccurs="1">
+  </xs:simpleType>
-            <xs:element name="App" type="app_t" minOccurs="1" maxOccurs="unbounded">
+
-                <xs:key name="mutexAumidOrDesktopApp">
+  <xs:element name="FileExplorerNamespaceRestrictions" type="fileExplorerNamespaceRestrictions_t" />
-                    <xs:selector xpath="."/>
+
-                    <xs:field xpath="@AppUserModelId|@DesktopAppPath"/>
+  <xs:attribute name="AutoLaunch" type="xs:boolean"/>
-                </xs:key>
+
-            </xs:element>
+  <xs:attribute name="AutoLaunchArguments" type="xs:string"/>
-        </xs:sequence>
+
-    </xs:complexType>
+  <xs:attribute name="DisplayName" type="xs:string"/>
-
+
    <xs:complexType name="app_t">
        <xs:attribute name="AppUserModelId" type="xs:string"/>
        <xs:attribute name="DesktopAppPath" type="xs:string"/>
    </xs:complexType>
    <xs:complexType name="taskbar_t">
        <xs:attribute name="ShowTaskbar" type="xs:boolean" use="required"/>
    </xs:complexType>
    <xs:complexType name="profileId_t">
        <xs:attribute name="Id" type="guid_t" use="required"/>
    </xs:complexType>
    <xs:simpleType name="guid_t">
        <xs:restriction base="xs:string">
            <xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
        </xs:restriction>
    </xs:simpleType>
    <xs:complexType name="config_list_t">
        <xs:sequence minOccurs="1" >
            <xs:element name="Config" type="config_t" minOccurs="1" maxOccurs="unbounded"/>
        </xs:sequence>
    </xs:complexType>
    <xs:complexType name="config_t">
        <xs:sequence minOccurs="1" maxOccurs="1">
            <xs:choice>
                <xs:element name="Account" type="xs:string" minOccurs="1" maxOccurs="1"/>
                <xs:element name="AutoLogonAccount" type="autologon_account_t" minOccurs="1" maxOccurs="1"/>
                <xs:element name="UserGroup" type="group_t" minOccurs="1" maxOccurs="1"/>
                <xs:element name="SpecialGroup" type="specialGroup_t" minOccurs="1" maxOccurs="1" />
            </xs:choice>
            <xs:element name="DefaultProfile" type="profileId_t" minOccurs="1" maxOccurs="1"/>
        </xs:sequence>
    </xs:complexType>
    <xs:complexType name="autologon_account_t">
        <xs:attribute name="HiddenId" type="guid_t" fixed="{74331115-F68A-4DF9-8D2C-52BA2CE2ADB1}"/>
    </xs:complexType>
    <xs:complexType name="group_t">
        <xs:attribute name="Name" type="xs:string" use="required"/>
        <xs:attribute name="Type" type="groupType_t" use="required"/>
    </xs:complexType>
    <xs:complexType name="specialGroup_t">
        <xs:attribute name="Name" type="specialGroupType_t" use="required"/>
    </xs:complexType>
    <xs:simpleType name="groupType_t">
        <xs:restriction base="xs:string">
            <xs:enumeration value="LocalGroup"/>
            <xs:enumeration value="ActiveDirectoryGroup"/>
            <xs:enumeration value="AzureActiveDirectoryGroup"/>
        </xs:restriction>
    </xs:simpleType>
    <xs:simpleType name="specialGroupType_t">
        <xs:restriction base="xs:string">
            <xs:enumeration value="Visitor"/>
        </xs:restriction>
    </xs:simpleType>
    <!--below is the definition of the config xml content-->
    <xs:element name="AssignedAccessConfiguration">
        <xs:complexType>
            <xs:all minOccurs="1">
                <xs:element name="Profiles" type="profile_list_t">
                    <xs:unique name="duplicateRolesForbidden">
                        <xs:selector xpath="default:Profile"/>
                        <xs:field xpath="@Id"/>
                    </xs:unique>
                </xs:element>
                <xs:element name="Configs" type="config_list_t">
                    <xs:unique name="duplicateAutoLogonAccountForbidden">
                        <xs:selector xpath=".//default:AutoLogonAccount"/>
                        <xs:field xpath="@HiddenId"/>
                    </xs:unique>
                </xs:element>
            </xs:all>
        </xs:complexType>
    </xs:element>
 </xs:schema>
 ```
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@ -22,13 +22,17 @@ ms.topic: article
 -   Windows 10 Pro, Enterprise, and Education
-A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. In Windows 10, version 1803, you can also:
+A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. 
 The following table lists changes to multi-app kiosk in recent updates. 
 New features and improvements | In update
 --- | ---
 - Configure [a single-app kiosk profile](#profile) in your XML file<br><br>- Assign [group accounts to a config profile](#config-for-group-accounts)<br><br>- Configure [an account to sign in automatically](#config-for-autologon-account)  | Windows 10, version 1803
 - Explicitly allow some known folders when user opens file dialog box<br><br>- Automatically launch an app when the user signs in<br><br>- Configure a display name for the autologon account | Windows 10, version 1809<br><br>**Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `http://schemas.microsoft.com/AssignedAccess/201810/config`.
 - Configure [a single-app kiosk profile](#profile) in your XML file.
 - Assign [group accounts to a config profile](#config-for-group-accounts).
 - Configure [an account to sign in automatically](#config-for-autologon-account).
 The benefit of a kiosk with desktop that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. 
 >[!WARNING]
 >The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
@ -104,7 +108,10 @@ You can start your file by pasting the following XML (or any other examples in t
 ```xml
 <?xml version="1.0" encoding="utf-8" ?>
-<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
+<AssignedAccessConfiguration 
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
    >
    <Profiles>
        <Profile Id="">
            <AllAppsList>
@ -136,6 +143,8 @@ A lockdown profile section in the XML has the following entries:
 - [**AllowedApps**](#allowedapps)  
 - [**FileExplorerNamespaceRestrictions**](#fileexplorernamespacerestrctions)
 - [**StartLayout**](#startlayout)
 - [**Taskbar**](#taskbar)
@ -160,22 +169,22 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can
 ##### AllowedApps
-**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. 
+**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. In Windows 10, version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. 
 Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration.
 >[!NOTE]
 >You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](https://technet.microsoft.com/library/hh994629.aspx#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration.
 - For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout). 
 - For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
 - To configure the app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample).
-Here are the predefined assigned access AppLocker rules for **UWP apps**:   
+When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**:   
 1.	Default rule is to allow all users to launch the signed package apps. 
 2.	The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list. 
    >[!NOTE]
    >You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](https://technet.microsoft.com/library/hh994629.aspx#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration.
    >
    >Multi-app kiosk mode doesn’t block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list. 
 Here are the predefined assigned access AppLocker rules for **desktop apps**:
@ -184,8 +193,9 @@ Here are the predefined assigned access AppLocker rules for **desktop apps**:
 2.	There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration. 
 3.	Enterprise-defined allowed desktop apps are added in the AppLocker allow list. 
-The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device.
+The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in.
 <span id="apps-sample" />
 ```xml
 <AllAppsList>
        <AllowedApps>
@ -195,11 +205,41 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula
          <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <App DesktopAppPath="%windir%\system32\mspaint.exe" />
-          <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
+          <App DesktopAppPath="C:\Windows\System32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="123.txt"/>
        </AllowedApps>
 </AllAppsList>
 ```
 ##### FileExplorerNamespaceRestrictions
 Starting in Windows 10, version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported.
 The following example shows how to allow user access to the Downloads folder in the common file dialog box.
 ```xml
 <?xml version="1.0" encoding="utf-8" ?>
 <AssignedAccessConfiguration
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
 >     <Profiles>
        <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
            <AllAppsList>
                <AllowedApps>
                    ...
                </AllowedApps>
            </AllAppsList>
            <rs5:FileExplorerNamespaceRestrictions>
                <rs5:AllowedNamespace Name="Downloads"/>
            </rs5:FileExplorerNamespaceRestrictions>
            <StartLayout>
                ...
            </StartLayout>
            <Taskbar ShowTaskbar="true"/>
        </Profile> 
    </Profiles>
 </AssignedAccessConfiguration>
 ```
 ##### StartLayout
 After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen. 
@ -297,7 +337,8 @@ You can assign:
 When you use `<AutoLogonAccount>` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart.
-On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).)
+
 The following example shows how to specify an account to sign in automatically.
 ```xml
 <Configs>
@ -308,6 +349,20 @@ On domain-joined devices, local user accounts aren't shown on the sign-in screen
 </Configs> 
 ```
 In Windows 10, version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World".
 ```xml
 <Configs>
  <Config>
    <AutoLogonAccount rs5:DisplayName="Hello World"/>
    <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
  </Config>
 </Configs>
 ```
 On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).)
 >[!IMPORTANT]
 >When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows).