From e4ca4f5a97ed968d06cb5c20df17264b921f91f0 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 26 Jan 2024 13:11:57 -0500 Subject: [PATCH] xml updates --- .../configuration/kiosk/kiosk-mdm-bridge.md | 20 +++++++++---------- .../lock-down-windows-11-to-specific-apps.md | 18 +---------------- 2 files changed, 11 insertions(+), 27 deletions(-) diff --git a/windows/configuration/kiosk/kiosk-mdm-bridge.md b/windows/configuration/kiosk/kiosk-mdm-bridge.md index 0236b7a700..7725923709 100644 --- a/windows/configuration/kiosk/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk/kiosk-mdm-bridge.md @@ -13,7 +13,7 @@ Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/ Here's an example to set AssignedAccess configuration: -1. Download the [psexec tool](/sysinternals/downloads/psexec) +1. [Download PsTools][PSTools] 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe` 1. In the PowerShell session launched by `psexec.exe`, execute the following script: @@ -92,18 +92,18 @@ Add-Type -AssemblyName System.Web $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@" + xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" + xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config"> - - - - + + + 
@@ -111,11 +111,10 @@ $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@" { "pinnedList":[ {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}, {"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"}, - {"packagedAppId":"Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic"}, - {"packagedAppId":"Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo"}, {"packagedAppId":"Microsoft.BingWeather_8wekyb3d8bbwe!App"}, - {"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\StartMenu\\Programs\\Accessories\\Paint.lnk"}, - {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\StartMenu\\Programs\\Accessories\\Notepad.lnk"} + {"desktopAppLink":"C:\\Users\\MultiAppKioskUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"}, + {"desktopAppLink":"C:\\Users\\MultiAppKioskUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk"}, + {"desktopAppLink":"C:\\Users\\MultiAppKioskUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk"} ] } ]]> @@ -141,3 +140,4 @@ For more information, see [Using PowerShell scripting with the WMI Bridge Provid [WIN-1]: /windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider +[PsTools]: https://download.sysinternals.com/files/PSTools.zip diff --git a/windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md b/windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md index e2db94e804..4db04adf38 100644 --- a/windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md +++ b/windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md 
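Review bot: The rewritten `pinnedList` pins `Command Prompt.lnk` and `Windows PowerShell.lnk` into a multi-app kiosk Start layout, and nothing in the hunk says this is for demonstration only; an interactive shell reachable from Start largely defeats the purpose of an AssignedAccess lockdown, so a reader who copies this sample into production inherits that hole. Whether the shortcuts actually launch also depends on the `AllowedApps` list of the same profile, which is not legible in this diff, so the caveat should cover both places. I would add, directly above the script, `> [!CAUTION]` / `> This sample pins Command Prompt and Windows PowerShell for testing only. Remove them from both StartPins and AllowedApps before deploying the kiosk; an interactive shell lets the kiosk user leave the restricted environment.` Separately, the new entries replace `%APPDATA%` with the absolute path `C:\\Users\\MultiAppKioskUser\\AppData\\Roaming\\...`, which ties the sample to one account name and profile location; either restore the `%APPDATA%` form (keeping the corrected `Start Menu` folder name) or state that the kiosk account must be named `MultiAppKioskUser` and have these shortcuts present before the pins appear.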
@@ -85,17 +85,13 @@ There are two types of profiles that you can specify in the XML: A lockdown profile section in the XML has the following entries: - [**Id**](#id) - - [**AllowedApps**](#allowedapps) - - [**StartPins**](#startpins) - - [**Taskbar**](#taskbar) A kiosk profile in the XML has the following entries: - [**Id**](#id) - - [**KioskModeApp**](#kioskmodeapp) ##### Id @@ -254,7 +250,7 @@ Individual accounts are specified using ``. - Local account can be entered as `machinename\account` or `.\account` or just `account`. - Domain account should be entered as `domain\account`. -- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com` +- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided *as is*, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com` > [!WARNING] > Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. @@ -370,32 +366,22 @@ This section contains a predefined XML file which can be used as a quickstart to ```xml - - - - - - - - @@ -417,5 +402,4 @@ This section contains a predefined XML file which can be used as a quickstart to - ```