xml updates

2025-05-13 05:47:23 +00:00 · 2024-01-26 13:11:57 -05:00 · 2024-01-26 13:11:57 -05:00 · e4ca4f5a97
commit e4ca4f5a97
parent 6e6e5d8076
2 changed files with 11 additions and 27 deletions
--- a/windows/configuration/kiosk/kiosk-mdm-bridge.md
+++ b/windows/configuration/kiosk/kiosk-mdm-bridge.md
@ -13,7 +13,7 @@ Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/

 Here's an example to set AssignedAccess configuration:

-1. Download the [psexec tool](/sysinternals/downloads/psexec)
+1. [Download PsTools][PSTools]
 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
 1. In the PowerShell session launched by `psexec.exe`, execute the following script:

@ -92,18 +92,18 @@ Add-Type -AssemblyName System.Web
 $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
 <?xml version="1.0" encoding="utf-8" ?>
 <AssignedAccessConfiguration
-  xmlns=http://schemas.microsoft.com/AssignedAccess/2017/config xmlns:win11=http://schemas.microsoft.com/AssignedAccess/2022/config>
+  xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
+  xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
      <AllAppsList>
        <AllowedApps>
-          <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
-          <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
          <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
-          <App DesktopAppPath="%windir%\system32\mspaint.exe" />
-          <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
+          <App DesktopAppPath="C:\Windows\system32\cmd.exe" />
+          <App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
+          <App DesktopAppPath="%windir%\explorer.exe" />
        </AllowedApps>
      </AllAppsList>
      <win11:StartPins>
@ -111,11 +111,10 @@ $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
          { "pinnedList":[
            {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
            {"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
-            {"packagedAppId":"Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic"},
-            {"packagedAppId":"Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo"},
            {"packagedAppId":"Microsoft.BingWeather_8wekyb3d8bbwe!App"},
-            {"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\StartMenu\\Programs\\Accessories\\Paint.lnk"},
-            {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\StartMenu\\Programs\\Accessories\\Notepad.lnk"}
+            {"desktopAppLink":"C:\\Users\\MultiAppKioskUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
+            {"desktopAppLink":"C:\\Users\\MultiAppKioskUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk"},
+            {"desktopAppLink":"C:\\Users\\MultiAppKioskUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk"}
          ] }
        ]]>
      </win11:StartPins>
@ -141,3 +140,4 @@ For more information, see [Using PowerShell scripting with the WMI Bridge Provid
 <!--links-->

 [WIN-1]: /windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider
+[PsTools]: https://download.sysinternals.com/files/PSTools.zip
--- a/windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md
+++ b/windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md
@ -85,17 +85,13 @@ There are two types of profiles that you can specify in the XML:
 A lockdown profile section in the XML has the following entries:

 - [**Id**](#id)
-
 - [**AllowedApps**](#allowedapps)
-
 - [**StartPins**](#startpins)
-
 - [**Taskbar**](#taskbar)

 A kiosk profile in the XML has the following entries:

 - [**Id**](#id)
-
 - [**KioskModeApp**](#kioskmodeapp)

 ##### Id
@ -254,7 +250,7 @@ Individual accounts are specified using `<Account>`.

 - Local account can be entered as `machinename\account` or `.\account` or just `account`.
 - Domain account should be entered as `domain\account`.
- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
+- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided *as is*, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`

 > [!WARNING]
 > Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account.  However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
@ -370,32 +366,22 @@ This section contains a predefined XML file which can be used as a quickstart to
 ```xml
 <?xml version="1.0" encoding="utf-8" ?>
 <AssignedAccessConfiguration
-
  xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
-
  xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
-
      <AllAppsList>
        <AllowedApps>
-
          <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
-
          <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
-
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <App DesktopAppPath="C:\Windows\system32\cmd.exe" />
          <App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
          <App DesktopAppPath="%windir%\explorer.exe" />
-
        </AllowedApps>
-
      </AllAppsList>
-
      <win11:StartPins>
        <![CDATA[
-
          { "pinnedList":[
            {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
            {"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
@ -408,7 +394,6 @@ This section contains a predefined XML file which can be used as a quickstart to
      </win11:StartPins>
      <Taskbar ShowTaskbar="true"/>
    </Profile>
-
  </Profiles>
  <Configs>
    <Config>
@ -417,5 +402,4 @@ This section contains a predefined XML file which can be used as a quickstart to
    </Config>
  </Configs>
 </AssignedAccessConfiguration>
-
 ```