From e32a9e02530a91e2f72eb320814c263cef2d4fc5 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Tue, 13 Feb 2024 18:16:36 +0100
Subject: [PATCH] updates
---
.../_lock-down-windows-10-to-specific-apps.md | 76 +--------
...> create-assigned-access-configuration.md} | 0
.../create-shell-launcher-configuration.md | 160 ++++++++++++++++++
.../kiosk/includes/quickstart-kiosk-xml.md | 36 ++++
.../kiosk/kiosk-additional-reference.md | 22 ---
windows/configuration/kiosk/kiosk-policies.md | 2 +-
.../kiosk/kiosk-shelllauncher.md | 25 ++-
.../configuration/kiosk/kiosk-single-app.md | 3 -
windows/configuration/kiosk/kiosk-validate.md | 36 ++--
.../configuration/kiosk/quickstart-kiosk.md | 109 ++++++++++++
windows/configuration/kiosk/toc.yml | 12 +-
11 files changed, 349 insertions(+), 132 deletions(-)
rename windows/configuration/kiosk/{create-xml.md => create-assigned-access-configuration.md} (100%)
create mode 100644 windows/configuration/kiosk/create-shell-launcher-configuration.md
create mode 100644 windows/configuration/kiosk/includes/quickstart-kiosk-xml.md
delete mode 100644 windows/configuration/kiosk/kiosk-additional-reference.md
create mode 100644 windows/configuration/kiosk/quickstart-kiosk.md
diff --git a/windows/configuration/kiosk/_lock-down-windows-10-to-specific-apps.md b/windows/configuration/kiosk/_lock-down-windows-10-to-specific-apps.md
index dde1ab62f4..f307940f45 100644
--- a/windows/configuration/kiosk/_lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/kiosk/_lock-down-windows-10-to-specific-apps.md
@@ -7,25 +7,9 @@ ms.date: 11/08/2023
# Set up a multi-app kiosk on Windows 10 devices
-> [!NOTE]
-> The use of multiple monitors isn't supported for multi-app kiosk mode in Windows 10.
+A kiosk device typically runs a single application, and users are prevented from accessing any features or functions on the device outside of the app.
-A [kiosk device](./kiosk-single-app.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access.
-
-The following table lists changes to multi-app kiosk in recent updates.
-
-| New features and improvements | In update |
-| --- | ---|
-| - Configure [a single-app kiosk profile](#profile) in your XML file
- Assign [group accounts to a config profile](#config-for-group-accounts)
- Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 |
-| - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)
- [Automatically launch an app](#allowedapps) when the user signs in
- Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809
**Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. |
-
-> [!WARNING]
-> The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
-
-You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision).
-
-> [!TIP]
-> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
+The assigned access feature is intended for dedicated devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, impacting other users on the device. Deleting the kiosk configuration removes the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, the Start layout). To clear all the policy settings enforced by Assigned Access, you must reset Windows.
## Configure a kiosk in Microsoft Intune
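Review bot: the removed `> [!NOTE]` stating that multiple monitors aren't supported in multi-app kiosk mode is a functional limitation, not editorial text, and nothing in the new paragraph carries it forward; keep it (or move it) so readers still learn the constraint. The same applies to the dropped **Important:** line about referencing `https://schemas.microsoft.com/AssignedAccess/201810/config` for Windows 10 1809 features and to the `[!TIP]` pointing at kiosk-prepare.md; if that guidance now lives elsewhere, link to it from here instead of dropping it silently.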
@@ -46,56 +30,8 @@ Watch how to use a provisioning package to configure a multi-app kiosk.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
-If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#use-mdm-to-deploy-the-multi-app-configuration), or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md).
-
-### Prerequisites
-
-- Windows Configuration Designer (Windows 10, version 1709 or later)
-- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later
-
-> [!NOTE]
-> For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
-
### Create XML file
-
-
#### Profile
There are two types of profiles that you can specify in the XML:
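Review bot: removing the whole `### Prerequisites` section (Windows Configuration Designer 1709 or later, the device edition and version list) together with the `[!NOTE]` about AppLocker for pre-1709 devices leaves this page with no statement of which Windows editions and versions the procedure applies to; keep a one-line prerequisite or link to the page that now holds it. The removed sentence was also the only mention here of the MDM and MDM Bridge WMI Provider deployment paths (kiosk-mdm-bridge.md), so check that those alternatives are still reachable from the Intune and provisioning sections.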
@@ -477,15 +413,15 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
1. On **New project**, select **Finish**. The workspace for your package opens.
-1. Expand **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**.
+1. Expand **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**.
1. In the center pane, select **Browse**. Locate and select the assigned access configuration XML file that you created.

-1. _Optional: If you want to apply the provisioning package after device initial setup and there's an admin user already available on the kiosk device, skip this step._ Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
+1. _Optional: If you want to apply the provisioning package after device initial setup and there's an admin user already available on the kiosk device, skip this step._ Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
-1. _Optional: If you already have a non-admin account on the kiosk device, skip this step._ Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**.
+1. _Optional: If you already have a non-admin account on the kiosk device, skip this step._ Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**.
1. On the **File** menu, select **Save.**
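Review bot: the three `-`/`+` pairs in this hunk (the **MultiAppAssignedAccessSettings** step and the two _Optional_ account steps) are identical as rendered, so this looks like a whitespace-only change; whitespace changes mixed into a content commit are hard to review, so either split them out or say in the commit message that trailing whitespace was normalized.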
@@ -620,7 +556,7 @@ Start/DisableContextMenus | 1 - Context menus are hidden for Start apps | No
[Start/HideChangeAccountSettings](/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes
[WindowsInkWorkspace/AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes
[Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No
-[WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes
+[WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes
-->
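Review bot: the `-`/`+` pair for `[WindowsLogon/DontDisplayNetworkSelectionUI]` shows no visible difference, so the edit can't be reviewed from the diff; if the intent is to make the literal `<Enabled/>` render in the table cell rather than be parsed as an HTML element, wrapping it in backticks is the unambiguous fix. This table also sits inside an HTML comment (the `-->` right after it closes the block), so it isn't rendered at all; if the block is dead, deleting it is cleaner than editing it.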
diff --git a/windows/configuration/kiosk/create-xml.md b/windows/configuration/kiosk/create-assigned-access-configuration.md
similarity index 100%
rename from windows/configuration/kiosk/create-xml.md
rename to windows/configuration/kiosk/create-assigned-access-configuration.md
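Review bot: renaming create-xml.md to create-assigned-access-configuration.md changes a published URL, and while toc.yml is updated later in this patch, no redirection entry for the old path appears anywhere in the file list; add one alongside the rename so existing inbound links and bookmarks keep working.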
diff --git a/windows/configuration/kiosk/create-shell-launcher-configuration.md b/windows/configuration/kiosk/create-shell-launcher-configuration.md
new file mode 100644
index 0000000000..1a7638fdf8
--- /dev/null
+++ b/windows/configuration/kiosk/create-shell-launcher-configuration.md
@@ -0,0 +1,160 @@
+---
+title: Create an Shell Launcher configuration file
+description: Learn how to create an XML file to configure a device with Shell Launcher.
+ms.date: 02/12/2024
+ms.topic: how-to
+zone_pivot_groups: windows-versions-11-10
+appliesto:
+---
+
+# Create an Shell Launcher configuration file
+
+## Full XML example
+
+::: zone pivot="windows-11"
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+::: zone-end
+
+
+:::row:::
+ :::column span="1":::
+ **Scenario**
+ :::column-end:::
+ :::column span="3":::
+ **Sample Xml**
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+ **Block everything**
+ :::column-end:::
+ :::column span="3":::
+ Either don't use the node or leave it empty
+
+ ```xml
+
+
+ ```
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+ **Only allow downloads**
+ :::column-end:::
+ :::column span="3":::
+ ```xml
+
+
+
+ ```
+ :::column-end:::
+:::row-end:::
+
+:::row:::
+ :::column span="1":::
+ **Only allow removable drives**
+ :::column-end:::
+ :::column span="3":::
+ ```xml
+
+
+
+ ```
+ :::column-end:::
+:::row-end:::
+
+:::row:::
+ :::column span="1":::
+ **Allow both Downloads, and removable drives**
+ :::column-end:::
+ :::column span="3":::
+ ```xml
+
+
+
+
+ ```
+ :::column-end:::
+:::row-end:::
+
+:::row:::
+ :::column span="1":::
+ **No restrictions, all locations are allowed**
+ :::column-end:::
+ :::column span="3":::
+ ```xml
+
+
+
+ ```
+ :::column-end:::
+:::row-end:::
+
+
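Review bot: the front-matter title and the H1 both read "Create an Shell Launcher configuration file"; it should be "a Shell Launcher". Beyond that, the page consists of a `## Full XML example` heading with no sentence explaining what the file is for or what the scenario table below refines, the `appliesto:` key is empty, and `zone_pivot_groups: windows-versions-11-10` is declared while only a `pivot="windows-11"` zone is provided, so Windows 10 readers get no example. In the scenario rows, "Either don't use the node or leave it empty" never names the node being discussed, **Sample Xml** should be **Sample XML**, and the comma in "Allow both Downloads, and removable drives" can go.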
diff --git a/windows/configuration/kiosk/includes/quickstart-kiosk-xml.md b/windows/configuration/kiosk/includes/quickstart-kiosk-xml.md
new file mode 100644
index 0000000000..31a97dba4e
--- /dev/null
+++ b/windows/configuration/kiosk/includes/quickstart-kiosk-xml.md
@@ -0,0 +1,36 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 02/05/2024
+ms.topic: include
+ms.prod: windows-client
+---
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
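Review bot: this include carries only the XML that quickstart-kiosk.md pulls in with `[!INCLUDE [quickstart-kiosk-xml]`, yet the same configuration is pasted again into that page's PowerShell here-string (`$shellLauncherConfiguration = @"`), so there are now two copies to keep in sync; add a comment in both places pointing at the other, or derive one from the other. A one-line HTML comment at the top of this include stating what the XML configures would also make the file self-describing when it is opened on its own.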
diff --git a/windows/configuration/kiosk/kiosk-additional-reference.md b/windows/configuration/kiosk/kiosk-additional-reference.md
deleted file mode 100644
index d652bf9874..0000000000
--- a/windows/configuration/kiosk/kiosk-additional-reference.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-title: More kiosk methods and reference information
-description: Find more information for configuring, validating, and troubleshooting kiosk configuration.
-ms.topic: reference
-ms.date: 12/31/2017
----
-
-# More kiosk methods and reference information
-
-## In this section
-
-| Topic | Description |
-|--|--|
-| [Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md) | This topic explains how to get the AUMID for an app. |
-| [Validate your kiosk configuration](kiosk-validate.md) | This topic explains what to expect on a multi-app kiosk. |
-| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience. |
-| [Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk. |
-| [Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration. |
-| [Use AppLocker to create a Windows client kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a Windows client kiosk device running Enterprise or Education so that users can only run a few specific apps. |
-| [Use Shell Launcher to create a Windows client kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface. |
-| [Use MDM Bridge WMI Provider to create a Windows client kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. |
-| [Troubleshoot kiosk mode issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) | Tips for troubleshooting multi-app kiosk configuration. |
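Review bot: deleting kiosk-additional-reference.md removes a published URL, and although the matching toc entry is dropped in this patch, no redirection entry for the old path is included; add one (the Reference node in toc.yml is the natural target). Two rows of the deleted table also linked filenames that differ from what toc.yml now uses (find-the-application-user-model-id-of-an-installed-app.md here versus find-aumid.md in the TOC), so verify that nothing else still links to the old filenames.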
diff --git a/windows/configuration/kiosk/kiosk-policies.md b/windows/configuration/kiosk/kiosk-policies.md
index 102866fb6d..19263360e1 100644
--- a/windows/configuration/kiosk/kiosk-policies.md
+++ b/windows/configuration/kiosk/kiosk-policies.md
@@ -69,7 +69,7 @@ Some of the MDM policies based on the [Policy configuration service provider (CS
| [Start/HideChangeAccountSettings](/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes |
| [WindowsInkWorkspace/AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes |
| [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No |
-| [WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes |
+| [WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes |
# Set up a single-app kiosk
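Review bot: the `-`/`+` lines for `WindowsLogon/DontDisplayNetworkSelectionUI` are visually identical (the same is true of the equivalent row in _lock-down-windows-10-to-specific-apps.md), so the edit can't be reviewed; if it is escaping or whitespace, say so in the commit message, and if the goal is to show `<Enabled/>` literally, backticks are the clearer fix. Also, `# Set up a single-app kiosk` follows this hunk with no file header, and the stat at the top lists kiosk-single-app.md with 3 deletions that appear nowhere in the patch, so the patch as posted looks truncated; please resend or confirm the kiosk-single-app.md change.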
diff --git a/windows/configuration/kiosk/kiosk-validate.md b/windows/configuration/kiosk/kiosk-validate.md
index eb3259d185..8fa892d286 100644
--- a/windows/configuration/kiosk/kiosk-validate.md
+++ b/windows/configuration/kiosk/kiosk-validate.md
@@ -56,23 +56,23 @@ If the applied multi-app configuration enables taskbar, when the assigned access
The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience.
| Hotkey | Action |
-| --- | --- |
-| Windows logo key + A | Open Action center |
-| Windows logo key + Shift + C | Open Cortana in listening mode |
-| Windows logo key + D | Display and hide the desktop |
-| Windows logo key + Alt + D | Display and hide the date and time on the desktop |
-| Windows logo key + E | Open File Explorer |
-| Windows logo key + F | Open Feedback Hub |
-| Windows logo key + G | Open Game bar when a game is open |
-| Windows logo key + I | Open Settings |
-| Windows logo key + J | Set focus to a Windows tip when one is available. |
-| Windows logo key + O | Lock device orientation |
-| Windows logo key + Q | Open search |
-| Windows logo key + R | Open the Run dialog box |
-| Windows logo key + S | Open search |
-| Windows logo key + X | Open the Quick Link menu |
-| Windows logo key + comma (,) | Temporarily peek at the desktop |
-| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) |
+|--|--|
+| WIN + A | Open Action center |
+| WIN + Shift + C | Open Cortana in listening mode |
+| WIN + D | Display and hide the desktop |
+| WIN + Alt + D | Display and hide the date and time on the desktop |
+| WIN + E | Open File Explorer |
+| WIN + F | Open Feedback Hub |
+| WIN + G | Open Game bar when a game is open |
+| WIN + I | Open Settings |
+| WIN + J | Set focus to a Windows tip when one is available. |
+| WIN + O | Lock device orientation |
+| WIN + Q | Open search |
+| WIN + R | Open the Run dialog box |
+| WIN + S | Open search |
+| WIN + X | Open the Quick Link menu |
+| WIN + , (comma) | Temporarily peek at the desktop |
+| WIN + Ctrl + F | Search for PCs (if you're on a network) |
### Locked-down Ctrl+Alt+Del screen
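Review bot: replacing "Windows logo key" with "WIN" throughout the hotkey table introduces an abbreviation that isn't defined and isn't used anywhere else in the visible text; "Windows logo key" is the documented, accessible name, so either keep it or define the abbreviation once in the intro sentence ("The multi-app mode blocks the following hotkeys"). Minor: "Set focus to a Windows tip when one is available." keeps a trailing period while the other rows don't.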
@@ -80,4 +80,4 @@ The multi-app mode removes options (e.g. **Change a password**, **Task Manager**
### Auto-trigger touch keyboard
-In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don't need to configure any other setting to enforce this behavior.
+In the multi-app mode, the touch keyboard i automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don't need to configure any other setting to enforce this behavior.
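Review bot: the new line introduces a typo, "the touch keyboard i automatically triggered" should read "is automatically triggered"; while touching it, "when there is an input needed" reads better as "when input is needed".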
diff --git a/windows/configuration/kiosk/quickstart-kiosk.md b/windows/configuration/kiosk/quickstart-kiosk.md
new file mode 100644
index 0000000000..a700b7372c
--- /dev/null
+++ b/windows/configuration/kiosk/quickstart-kiosk.md
@@ -0,0 +1,109 @@
+---
+title: "Quickstart: Configure a restricted user experience"
+description: Learn how to configure a restricted user experience using Windows Configuration Designer, Microsoft Intune, PowerShell or GPO.
+ms.topic: quickstart
+ms.date: 02/05/2024
+appliesto:
+- ✅ Windows 11
+---
+
+# Quickstart: Configure a kiosk device
+
+Add intro about single-use device and shell launcher
+
+## Prerequisites
+
+>[!div class="checklist"]
+>Here's a list of requirements to complete this quickstart:
+>
+>- A Windows Enterprise or Education device
+>- Microsoft Intune, or a non-Microsoft MDM solution, if you want to configure the settings using MDM
+>- Access to the [psexec tool](/sysinternals/downloads/psexec), if you want to test the configuration using Windows PowerShell
+
+## Configure a kiosk device
+
+[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
+
+> [!TIP]
+> Use the following Graph call to automatically create a custom policy in your Microsoft Intune tenant without assignments nor scope tags.
+>
+> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
+Content-Type: application/json
+
+```
+
+[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
+
+- **Setting:** `./Vendor/MSFT/AssignedAccess/ShellLauncher`
+- **Value:**
+
+[!INCLUDE [quickstart-kiosk-xml](includes/quickstart-kiosk-xml.md)]
+
+#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
+
+[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
+
+```PowerShell
+$shellLauncherConfiguration = @"
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+"@
+
+$namespaceName="root\cimv2\mdm\dmmap"
+$className="MDM_AssignedAccess"
+$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
+$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)
+$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
+
+```
+
+[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
+
+---
+
+## User experience
+
+After the settings are applied, reboot the device. A local account is automatically signed in, and the Weather app starts automatically in full screen.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> Learn more how to configure Windows to execute as a restricted user experience:
+>
+> [Configure a shell launcher configuration](create-shell-launcher-configuration.md)
+
+
+
+[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
+[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
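Review bot: "Add intro about single-use device and shell launcher" under the H1 is an author placeholder and must be written before this ships. The `msgraph-interactive` block has no request body after `Content-Type: application/json`, so the `[!TIP]` promising that the call automatically creates a custom policy can't work as shown; add the JSON payload or drop the tip. The front-matter `title` ("Configure a restricted user experience") doesn't match the H1 ("Configure a kiosk device"), the description promises GPO but there is no GPO tab, and `appliesto` lists only Windows 11 while the prerequisites say "A Windows Enterprise or Education device" with no version. In the PowerShell block, `Set-CimInstance` runs with `-ErrorVariable cimSetError -ErrorAction SilentlyContinue` but `$cimSetError` is never inspected in the visible code, so a failed apply is silently swallowed; check the variable here unless the `powershell-wmi-bridge-2` include does. Finally, "Learn more how to configure Windows to execute as a restricted user experience" in Next steps should read "Learn more about how to configure...", and the claim in User experience that the Weather app starts should be verified against the XML in the include, which this diff doesn't show.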
diff --git a/windows/configuration/kiosk/toc.yml b/windows/configuration/kiosk/toc.yml
index 065ca9a358..fbada43ffe 100644
--- a/windows/configuration/kiosk/toc.yml
+++ b/windows/configuration/kiosk/toc.yml
@@ -3,6 +3,8 @@ items:
href: kiosk-methods.md
- name: Quickstarts
items:
+ - name: Configure a kiosk device
+ href: quickstart-restricted-experience.md
- name: Configure a restricted user experience
href: quickstart-restricted-experience.md
- name: Concepts
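Review bot: the new `Configure a kiosk device` entry points to `quickstart-restricted-experience.md`, the same href as the entry right below it, while the quickstart this patch adds is `quickstart-kiosk.md`; the href should be `quickstart-kiosk.md`, otherwise the new page is unreachable from the TOC and the two entries open the same page.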
@@ -17,8 +19,10 @@ items:
href: kiosk-single-app.md
- name: How-to guides
items:
- - name: Create an Assigned Access XML file
- href: create-xml.md
+ - name: Create an Assigned Access configuration file
+ href: create-assigned-access-configuration.md
+ - name: Create a Shell Launcher configuration file
+ href: create-shell-launcher-configuration.md
- name: Find the AUMID of an installed app
href: find-aumid.md
- name: Use MDM Bridge WMI Provider to create a Windows client kiosk
@@ -33,15 +37,13 @@ items:
href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting
- name: Reference
items:
- - name: Kiosk methods and reference information
- href: kiosk-additional-reference.md
- name: Guidelines for choosing an app for assigned access
href: guidelines-for-assigned-access-app.md
- name: Policies enforced on kiosk devices
href: kiosk-policies.md
- name: Assigned access XML reference
href: kiosk-xml.md
-- name: On the way to ☠️
+- name: On the way to 🪦
items:
- name: _lock-down-windows-10-to-specific-apps
href: _lock-down-windows-10-to-specific-apps.md
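Review bot: the `On the way to 🪦` node (renamed from ☠️) is a scratch bucket holding `_lock-down-windows-10-to-specific-apps`, and it ships in the published TOC; if that page is slated for removal, hide it from the TOC (or remove it with a redirect) rather than exposing it under an emoji heading. Dropping the `Kiosk methods and reference information` entry matches the deletion of kiosk-additional-reference.md, but that deletion still needs a redirect for the old URL.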