mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 02:43:43 +00:00
Update assigned access documentation
@ -32,9 +32,6 @@ Windows offers two different features to configure a kiosk experience:
|
||||
- **Assigned Access**: used to execute a single Universal Windows Platform (UWP) app or Microsoft Edge in full screen above the lock screen. When the kiosk account signs in, the kiosk app launches automatically. If the UWP app is closed, it automatically restarts
|
||||
- **Shell Launcher**: used to configure a device to execute a Windows desktop application as the user interface. The application that you specify replaces the default Windows shell (`Explorer.exe`) that usually runs when a user signs in. This type of single-app kiosk doesn't run above the lock screen
|
||||
|
||||
>[!IMPORTANT]
|
||||
>The kiosk experience isn't supported over a remote desktop connection. The kiosk users must sign in on the console that is set up as a kiosk.
|
||||
|
||||
:::row:::
|
||||
:::column span="1":::
|
||||
:::image type="content" source="images/restricted-user-experience.png" alt-text="Icon representing a restricted user experience." border="false":::
|
||||
|
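Review bot: The three lines removed between the Shell Launcher bullet and `:::row:::` are the `>[!IMPORTANT]` callout saying the kiosk experience isn't supported over a remote desktop connection, and this page introduces both Assigned Access and Shell Launcher. Elsewhere in this commit the sentence is re-added only under "the requirements for Assigned Access", so a reader who comes here for Shell Launcher no longer sees it. If the console sign-in limitation also applies to Shell Launcher kiosks, keep a one-line pointer on this page or repeat it in the Shell Launcher article.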
@ -9,35 +9,12 @@ ms.topic: overview
|
||||
|
||||
Assigned Access is a Windows feature that you can use to configure a device as a kiosk or with a restricted user experience.
|
||||
|
||||
:::row:::
|
||||
:::column span="1":::
|
||||
:::image type="content" source="images/kiosk.png" alt-text="Icon representing a kiosk." border="false":::
|
||||
:::column-end:::
|
||||
:::column span="3":::
|
||||
#### Kiosk experience
|
||||
:::column-end:::
|
||||
:::row-end:::
|
||||
|
||||
When you configure a kiosk experience, a single UWP application or Microsoft Edge is executed in full screen, above the lock screen. Users can only use that application. If the kiosk app is closed, it automatically restarts. Practical examples include:
|
||||
When you configure a **kiosk experience**, a single UWP application or Microsoft Edge is executed in full screen, above the lock screen. Users can only use that application. If the kiosk app is closed, it automatically restarts. Practical examples include:
|
||||
|
||||
- Public browsing
|
||||
- Interactive digital signage
|
||||
|
||||
>[!IMPORTANT]
|
||||
>[User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode.
|
||||
>
|
||||
>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. Apps that run in kiosk mode cannot use copy and paste.
|
||||
|
||||
:::row:::
|
||||
:::column span="1":::
|
||||
:::image type="content" source="images/restricted-user-experience.png" alt-text="Icon representing a restricted user experience." border="false":::
|
||||
:::column-end:::
|
||||
:::column span="3":::
|
||||
#### Restricted user experience
|
||||
:::column-end:::
|
||||
:::row-end:::
|
||||
|
||||
When you configure a restricted user experience, users can only execute a defined list of applications, with a tailored Start menu and Taskbar. Different policy settings and AppLocker rules are enforced, creating a locked down experience. The users can access a familiar Windows desktop, while limiting their access, reducing distractions, and potential for inadvertent uses. Ideal for shared devices, you can create different configurations for different users. Practical examples include:
|
||||
When you configure a **restricted user experience**, users can only execute a defined list of applications, with a tailored Start menu and Taskbar. Different policy settings and AppLocker rules are enforced, creating a locked down experience. The users can access a familiar Windows desktop, while limiting their access, reducing distractions, and potential for inadvertent uses. Ideal for shared devices, you can create different configurations for different users. Practical examples include:
|
||||
|
||||
- Frontline worker devices
|
||||
- Student devices
|
||||
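Review bot: Deleting the `>[!IMPORTANT]` block after the kiosk examples also drops "Apps that run in kiosk mode cannot use copy and paste", and that sentence is not among the Requirements bullets added further down this file, which cover only UAC and remote desktop. Add it as a third bullet or as a note under the kiosk paragraph so the limitation stays next to the description of the kiosk experience. Separately, the rewritten restricted user experience sentence keeps "while limiting their access, reducing distractions, and potential for inadvertent uses", which is not parallel; "and reducing the potential for inadvertent use" reads cleaner.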
@ -46,6 +23,13 @@ When you configure a restricted user experience, users can only execute a define
|
||||
> [!NOTE]
|
||||
> When you configure a restricted user experience, different policy settings are applied to the device. Some policy settings apply to standard users, and some to administrators. For more information, see [policy-settings](policy-settings.md).
|
||||
|
||||
## Requirements
|
||||
|
||||
Here are the requirements for Assigned Access:
|
||||
|
||||
- [User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable a kiosk experience
|
||||
- The kiosk experience isn't supported over a remote desktop connection. The kiosk users must sign in on the console that is set up as a kiosk
|
||||
|
||||
[!INCLUDE [assigned-access](../../../includes/licensing/assigned-access.md)]
|
||||
|
||||
## Configure a kiosk experience
|
||||
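Review bot: The new "## Requirements" section opens with "Here are the requirements for Assigned Access", but both bullets are scoped to the kiosk experience, and the second one is a limitation rather than a requirement. State whether UAC and console sign-in also apply to the restricted user experience, and either rename the heading to cover limitations or move the remote desktop sentence into a note.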
@ -255,29 +239,9 @@ Write-Output "Successfully applied Assigned Access configuration"
|
||||
> [!TIP]
|
||||
> For practical examples, see the [Quickstart: Configure a restricted user experience with Assigned Access](quickstart-restricted-user-experience.md)
|
||||
|
||||
## Remove Assigned Access
|
||||
|
||||
Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, Start Layout).
|
||||
|
||||
|
||||
<!--
|
||||
|
||||
## Develop your kiosk app
|
||||
|
||||
Assigned Access uses the *Lock framework*. When an Assigned Access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an *above lock* screen app. To learn more, see [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access).
|
||||
|
||||
## Test your Assigned Access experience
|
||||
|
||||
Thoroughly test the Assigned Access kiosk configuration, ensuring that your devices provide a good user experience.
|
||||
|
||||
> [!NOTE]
|
||||
> The use of multiple monitors is supported for multi-app kiosk mode in Windows 11.
|
||||
|
||||
The Assigned Access feature is intended for dedicated devices, like kiosks. When the multi-app Assigned Access configuration is applied on the device, certain [policy settings](policy-settings.md) are enforced system-wide, impacting other users on the device. Deleting the kiosk configuration removes the Assigned Access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, the Start layout). To clear all the policy settings enforced by Assigned Access, you must reset Windows.
|
||||
|
||||
## User experience
|
||||
|
||||
To test the kiosk or restricted user experience, sign in with the user account you specified in the configuration file.
|
||||
To validate the kiosk or restricted user experience, sign in with the user account you specified in the configuration file.
|
||||
|
||||
The Assigned Access configuration takes effect the next time the targeted user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience.
|
||||
|
||||
@ -300,7 +264,7 @@ The Breakout Sequence of <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Del</kbd> is th
|
||||
|
||||
### Keyboard shortcuts
|
||||
|
||||
The following keyboard shortcuts are blocked for any user account with Assigned Access:
|
||||
The following keyboard shortcuts are blocked for the user accounts with Assigned Access:
|
||||
|
||||
| Keyboard shortcut | Action |
|
||||
|--|--|
|
||||
@ -325,102 +289,17 @@ The following keyboard shortcuts are blocked for any user account with Assigned
|
||||
| LaunchApp2 | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator |
|
||||
| LaunchMail | Open the default mail client |
|
||||
|
||||
The following keyboard shortcuts are't blocked for any user account with Assigned Access. You can use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations:
|
||||
## Remove Assigned Access
|
||||
|
||||
| Keyboard shortcut | Action |
|
||||
|--|--|
|
||||
|<kbd>Alt</kbd> + <kbd>F4</kbd>||
|
||||
|<kbd>Alt</kbd> + <kbd>Shift</kbd> + <kbd>Tab</kbd>||
|
||||
|<kbd>Alt</kbd> + <kbd>Tab</kbd>||
|
||||
Deleting the restricted user experience removes the policy settings associated with the users, but it can't revert all the configurations. For example, the Start menu configuration is maintained.
|
||||
|
||||
> [!NOTE]
|
||||
> <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Delete</kbd> is the default keyboard shortcut to break out of Assigned Access. You can use *Keyboard Filter* to configure a different key combination to break out of Assigned Access by setting *BreakoutKeyScanCode* as described in [WEKF_Settings](/windows-hardware/customize/enterprise/wekf-settings).
|
||||
|
||||
> [!CAUTION]
|
||||
> Keyboard Filter settings apply to other standard accounts.
|
||||
|
||||
- **Key sequences blocked by [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)**: If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter).
|
||||
[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education
|
||||
- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user can't turn off the device when it's in assigned access
|
||||
For more information on removing the power button or disabling the physical power button, see [Custom Logon][WHW-1]
|
||||
- **Unified Write Filter (UWF)**: UWFsettings apply to all users, including users with assigned access
|
||||
For more information, see [Unified Write Filter][WHW-2]
|
||||
- **WEDL_AssignedAccess class**: You can use this class to configure and manage basic lockdown features for assigned access. It's recommended to you use the Windows PowerShell cmdlets instead.
|
||||
If you need to use Assigned Access API, see [WEDL_AssignedAccess][WHW-3]
|
||||
- **Welcome Screen**: Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own
|
||||
|
||||
For more information, see [Custom Logon][WHW-1].
|
||||
|
||||
## Assigned Access recommendations
|
||||
|
||||
Here are some options to help you to further customize the Assigned Access experience:
|
||||
|
||||
- Replace the *blue screen* with a blank screen for OS errors. For more information, see [Configure system failure and recovery options](/troubleshoot/windows-client/performance/configure-system-failure-and-recovery-options)
|
||||
- Hide *Ease of access* feature on the sign-in screen
|
||||
- **Use an MDM provider**: In Intune, you can use the [Control Panel and Settings](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings) to manage this feature.
|
||||
- **Use the registry**: For more information, see [how to disable the Ease of Access button in the registry](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen)
|
||||
- Remove the power button from the sign-in screen
|
||||
- **Use Group Policy**: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on`. Select **Disabled**.
|
||||
- **Use MDM**: In Intune, you have the following option:
|
||||
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting:
|
||||
- `Local Policies Security Options\Shutdown Allow System To Be Shut Down Without Having To Log On`: Set to **Disabled**.
|
||||
- Disable the camera
|
||||
- **Use Group Policy**: `Computer Configuration\Administrative Templates\Windows Components\Camera: Allow use of camera`: Select **Disabled**
|
||||
- **Use an MDM provider**: This feature uses the [Policy CSP - Camera](/windows/client-management/mdm/policy-csp-camera). In Intune, you have the following options:
|
||||
- [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): This option shows this setting, and more settings you can manage
|
||||
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting:
|
||||
- `Camera\Allow camera`: Set to **Not allowed**
|
||||
- Turn off app notifications on the lock screen
|
||||
|
||||
- **Use Group policy**:
|
||||
- `Computer Configuration\Administrative Templates\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
|
||||
- `User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
|
||||
- **Use an MDM provider**: This feature uses the [AboveLock/AllowToasts CSP](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts). In Intune, you have the following options:
|
||||
- [Locked screen experience device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience): See this setting, and more settings you can manage.
|
||||
- [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings:
|
||||
- `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
|
||||
- `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
|
||||
|
||||
- Disable removable media
|
||||
- **Use Group policy**: `Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions`. Review the available settings that apply to your situation.
|
||||
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
|
||||
- **Use an MDM provider**: In Intune, you have the following options:
|
||||
- [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): See the **Removable storage** setting, and more settings you can manage.
|
||||
- [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings:
|
||||
- `\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`.
|
||||
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
|
||||
When looking at settings, check the supported OS for each setting to make sure it applies.
|
||||
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
|
||||
- `\Administrative Templates\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`.
|
||||
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**
|
||||
- Enable logging: logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
|
||||
|
||||
|
||||
## Troubleshoot
|
||||
|
||||
Event Viewer
|
||||
Run "eventvwr.msc"
|
||||
Navigate to "Applications and Services Logs"
|
||||
There are 2 areas of your interests:
|
||||
"Microsoft-Windows-AssignedAccess"
|
||||
"Microsoft-Windows-AssignedAccessBroker"
|
||||
Before any repro, it's recommended to enable "Operational" channel to get the most of logs.
|
||||
TraceLogging
|
||||
|
||||
Registry Key
|
||||
These locations contain the latest Assigned Access Configuration:
|
||||
|
||||
HKLM\SOFTWARE\Microsoft\Windows\AssignedAccessConfiguration
|
||||
HKLM\SOFTWARE\Microsoft\Windows\AssignedAccessCsp
|
||||
These locations contain the latest "evaluated" configuration for each sign-in user:
|
||||
|
||||
"HKCU\SOFTWARE\Microsoft\Windows\AssignedAccessConfiguration" (If it doesn't exist, it means no Assigned Access to be enforced for this user.)
|
||||
|
||||
-->
|
||||
## Next steps
|
||||
|
||||
> [!div class="nextstepaction"]
|
||||
> Review the recommendations before you deploy Assigned Access
|
||||
>
|
||||
> [Assigned Access recommendations](recommendations.md)
|
||||
|
||||
<!--links-->
|
||||
|
||||
[WHW-1]: /windows-hardware/customize/enterprise/custom-logon
|
||||
[WHW-2]: /windows-hardware/customize/enterprise/unified-write-filter
|
||||
[WHW-3]: /windows-hardware/customize/enterprise/wedl-assignedaccess
|
||||
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
|
||||
|
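Review bot: The relocated "## Remove Assigned Access" section is now a single sentence saying that deleting the restricted user experience "can't revert all the configurations", with no removal steps and no way back to a clean state. The text deleted higher up in this file stated that certain policy settings are enforced system-wide and affect other users, and that "To clear all the policy settings enforced by Assigned Access, you must reset Windows"; carry both statements into this section, since someone decommissioning a kiosk will look here. The new wording also mentions only the restricted user experience, so say what remains after a kiosk configuration is deleted.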
@ -137,3 +137,123 @@ Assigned access doesn't change accessibility settings. We recommend that you use
|
||||
| <kbd>Left Alt</kbd> + <kbd>Left Shift</kbd> + <kbd>Print Screen</kbd> | Open High Contrast dialog box |
|
||||
| <kbd>Left Alt</kbd> + <kbd>Left Shift</kbd> + <kbd>Num Lock</kbd> | Open Mouse Keys dialog box |
|
||||
| <kbd>WIN</kbd> + <kbd>U</kbd> | Open the Settings app accessibility panel |
|
||||
|
||||
## Develop your kiosk app
|
||||
|
||||
Assigned Access uses the *Lock framework*. When an Assigned Access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an *above lock* screen app. To learn more, see [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access).
|
||||
|
||||
## Test your Assigned Access experience
|
||||
|
||||
Thoroughly test the Assigned Access kiosk configuration, ensuring that your devices provide a good user experience.
|
||||
|
||||
> [!NOTE]
|
||||
> The use of multiple monitors is supported for multi-app kiosk mode in Windows 11.
|
||||
|
||||
The Assigned Access feature is intended for dedicated devices, like kiosks. When the multi-app Assigned Access configuration is applied on the device, certain [policy settings](policy-settings.md) are enforced system-wide, impacting other users on the device. Deleting the kiosk configuration removes the Assigned Access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, the Start layout). To clear all the policy settings enforced by Assigned Access, you must reset Windows.
|
||||
|
||||
## Troubleshoot
|
||||
|
||||
Event Viewer
|
||||
Run "eventvwr.msc"
|
||||
Navigate to "Applications and Services Logs"
|
||||
There are 2 areas of your interests:
|
||||
"Microsoft-Windows-AssignedAccess"
|
||||
"Microsoft-Windows-AssignedAccessBroker"
|
||||
Before any repro, it's recommended to enable "Operational" channel to get the most of logs.
|
||||
TraceLogging
|
||||
|
||||
Registry Key
|
||||
These locations contain the latest Assigned Access Configuration:
|
||||
|
||||
HKLM\SOFTWARE\Microsoft\Windows\AssignedAccessConfiguration
|
||||
HKLM\SOFTWARE\Microsoft\Windows\AssignedAccessCsp
|
||||
These locations contain the latest "evaluated" configuration for each sign-in user:
|
||||
|
||||
"HKCU\SOFTWARE\Microsoft\Windows\AssignedAccessConfiguration" (If it doesn't exist, it means no Assigned Access to be enforced for this user.)
|
||||
|
||||
Apps that run in kiosk mode cannot use copy and paste.
|
||||
|
||||
|
||||
|
||||
|
||||
The following keyboard shortcuts are't blocked for any user account with Assigned Access. You can use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations:
|
||||
|
||||
| Keyboard shortcut | Action |
|
||||
|--|--|
|
||||
|<kbd>Alt</kbd> + <kbd>F4</kbd>||
|
||||
|<kbd>Alt</kbd> + <kbd>Shift</kbd> + <kbd>Tab</kbd>||
|
||||
|<kbd>Alt</kbd> + <kbd>Tab</kbd>||
|
||||
|
||||
> [!NOTE]
|
||||
> <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Delete</kbd> is the default keyboard shortcut to break out of Assigned Access. You can use *Keyboard Filter* to configure a different key combination to break out of Assigned Access by setting *BreakoutKeyScanCode* as described in [WEKF_Settings](/windows-hardware/customize/enterprise/wekf-settings).
|
||||
|
||||
> [!CAUTION]
|
||||
> Keyboard Filter settings apply to other standard accounts.
|
||||
|
||||
- **Key sequences blocked by [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)**: If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). Keyboard Filter is only available on Windows client Enterprise or Education
|
||||
- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user can't turn off the device when it's in assigned access
|
||||
For more information on removing the power button or disabling the physical power button, see [Custom Logon][WHW-1]
|
||||
- **Unified Write Filter (UWF)**: UWFsettings apply to all users, including users with assigned access
|
||||
For more information, see [Unified Write Filter][WHW-2]
|
||||
- **WEDL_AssignedAccess class**: You can use this class to configure and manage basic lockdown features for assigned access. It's recommended to you use the Windows PowerShell cmdlets instead.
|
||||
If you need to use Assigned Access API, see [WEDL_AssignedAccess][WHW-3]
|
||||
- **Welcome Screen**: Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own
|
||||
|
||||
For more information, see [Custom Logon][WHW-1].
|
||||
|
||||
## Assigned Access recommendations
|
||||
|
||||
Here are some options to help you to further customize the Assigned Access experience:
|
||||
|
||||
- Replace the *blue screen* with a blank screen for OS errors. For more information, see [Configure system failure and recovery options](/troubleshoot/windows-client/performance/configure-system-failure-and-recovery-options)
|
||||
- Hide *Ease of access* feature on the sign-in screen
|
||||
- **Use an MDM provider**: In Intune, you can use the [Control Panel and Settings](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings) to manage this feature.
|
||||
- **Use the registry**: For more information, see [how to disable the Ease of Access button in the registry](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen)
|
||||
- Remove the power button from the sign-in screen
|
||||
- **Use Group Policy**: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on`. Select **Disabled**.
|
||||
- **Use MDM**: In Intune, you have the following option:
|
||||
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting:
|
||||
- `Local Policies Security Options\Shutdown Allow System To Be Shut Down Without Having To Log On`: Set to **Disabled**.
|
||||
- Disable the camera
|
||||
- **Use Group Policy**: `Computer Configuration\Administrative Templates\Windows Components\Camera: Allow use of camera`: Select **Disabled**
|
||||
- **Use an MDM provider**: This feature uses the [Policy CSP - Camera](/windows/client-management/mdm/policy-csp-camera). In Intune, you have the following options:
|
||||
- [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): This option shows this setting, and more settings you can manage
|
||||
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting:
|
||||
- `Camera\Allow camera`: Set to **Not allowed**
|
||||
- Turn off app notifications on the lock screen
|
||||
|
||||
- **Use Group policy**:
|
||||
- `Computer Configuration\Administrative Templates\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
|
||||
- `User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
|
||||
- **Use an MDM provider**: This feature uses the [AboveLock/AllowToasts CSP](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts). In Intune, you have the following options:
|
||||
- [Locked screen experience device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience): See this setting, and more settings you can manage.
|
||||
- [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings:
|
||||
- `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
|
||||
- `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
|
||||
|
||||
- Disable removable media
|
||||
- **Use Group policy**: `Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions`. Review the available settings that apply to your situation.
|
||||
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
|
||||
- **Use an MDM provider**: In Intune, you have the following options:
|
||||
- [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): See the **Removable storage** setting, and more settings you can manage.
|
||||
- [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings:
|
||||
- `\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`.
|
||||
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
|
||||
When looking at settings, check the supported OS for each setting to make sure it applies.
|
||||
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
|
||||
- `\Administrative Templates\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`.
|
||||
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**
|
||||
- Enable logging: logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
|
||||
|
||||
## Next steps
|
||||
|
||||
> [!div class="nextstepaction"]
|
||||
> Learn how to create an XML file to configure Assigned Access:
|
||||
>
|
||||
> [Create an Assigned Access configuration file](configuration-file.md)
|
||||
|
||||
<!--links-->
|
||||
|
||||
[WHW-1]: /windows-hardware/customize/enterprise/custom-logon
|
||||
[WHW-2]: /windows-hardware/customize/enterprise/unified-write-filter
|
||||
[WHW-3]: /windows-hardware/customize/enterprise/wedl-assignedaccess
|
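Review bot: The "## Troubleshoot" section added here is unedited working notes that sat between `<!--` and `-->` in the overview before this commit: bare labels ("Event Viewer", "TraceLogging", "Registry Key") with no heading or list markup, an empty "TraceLogging" entry, and phrasing such as "There are 2 areas of your interests" and "Before any repro". Rewrite it as steps, with the log names and registry paths in code formatting, or leave it out and rely on the linked kiosk troubleshooting article. Smaller items in the same hunk: "are't" should be "aren't"; the Action column is empty for all three Alt shortcuts; "UWFsettings" is missing a space; "It's recommended to you use" and "[troubleshoot issues](...) kiosk issues" need rewording; and "Apps that run in kiosk mode cannot use copy and paste." stands alone between sections, followed by several blank lines, with no heading or callout around it.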