Update Assigned Access links and remove licensing information

Paolo Matarazzo 2024-02-26 17:13:45 -05:00
parent 62e867e030
commit e4f7c7dfc7
7 changed files with 89 additions and 52 deletions

View File

@ -7,13 +7,13 @@ ms.topic: include
## Windows edition and licensing requirements
The following table lists the Windows editions that support Assigned Access (kiosk mode):
The following table lists the Windows editions that support Assigned Access:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Assigned Access (kiosk mode) license entitlements are granted by the following licenses:
Assigned Access license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
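Review bot: The commit subject says licensing information is removed, but in this include the two licensing tables stay and only "(kiosk mode)" is dropped from the two intro sentences, while the same commit adds a second licensing include for Shell Launcher. Reword the subject so that it describes the rename and the new include, or state in the body where the licensing content was actually removed.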

View File

@ -0,0 +1,22 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/18/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Shell Launcher:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|No|Yes|No|Yes|
Shell Launcher license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|No|Yes|Yes|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
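Review bot: `ms.date: 09/18/2023` in the front matter of this new file predates the commit date (2024-02-26), and the kiosk overview touched in the same commit carries `ms.date: 02/26/2024`. Set the date to the day the file was written so freshness reporting is accurate. Since this include is rendered directly after the Assigned Access one, which lists all four editions as supported, consider a lead-in sentence that makes clear this table (Pro and Pro Education/SE: No) applies to Shell Launcher only.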

View File

@ -78,26 +78,3 @@ The following policy settings are applied to any nonadministrator account access
| **GPO** | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Task Manager |
| **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove *Map network drive* and *Disconnect Network Drive* |
| **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove File Explorer's default context menu |
### Keyboard shortcuts
The following keyboard shortcuts are blocked for any nonadministrator account when using Assigned Access:
| Hotkey | Action |
|--|--|
| <kbd>WIN</kbd> + <kbd>A</kbd> | Open Action center |
| <kbd>WIN</kbd> + <kbd>Shift</kbd> + <kbd> C</kbd> | Open Cortana in listening mode |
| <kbd>WIN</kbd> + <kbd>D</kbd> | Display and hide the desktop |
| <kbd>WIN</kbd> + <kbd>Alt</kbd> + <kbd> D</kbd> | Display and hide the date and time on the desktop |
| <kbd>WIN</kbd> + <kbd>E</kbd> | Open File Explorer |
| <kbd>WIN</kbd> + <kbd>F</kbd> | Open Feedback Hub |
| <kbd>WIN</kbd> + <kbd>G</kbd> | Open Game bar when a game is open |
| <kbd>WIN</kbd> + <kbd>I</kbd> | Open Settings |
| <kbd>WIN</kbd> + <kbd>J</kbd> | Set focus to a Windows tip when one is available. |
| <kbd>WIN</kbd> + <kbd>O</kbd> | Lock device orientation |
| <kbd>WIN</kbd> + <kbd>Q</kbd> | Open search |
| <kbd>WIN</kbd> + <kbd>R</kbd> | Open the Run dialog box |
| <kbd>WIN</kbd> + <kbd>S</kbd> | Open search |
| <kbd>WIN</kbd> + <kbd>X</kbd> | Open the Quick Link menu |
| <kbd>WIN</kbd> + <kbd>, (comma)</kbd> | Temporarily peek at the desktop |
| <kbd>WIN</kbd> + <kbd>Ctrl</kbd> + <kbd> F</kbd> | Search for PCs (if you're on a network) |
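Review bot: Removing the "Keyboard shortcuts" section leaves this page with no pointer to the blocked-shortcut list, which now lives in the other article's "### Keyboard shortcuts" section. Add a one-line cross-reference after the policy table so administrators reviewing the applied lockdown still find it. The scope wording also changes between the two copies, from "any nonadministrator account" here to "any user account with Assigned Access" there; confirm which one is correct, because it decides whether administrator accounts are covered.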

View File

@ -9,8 +9,25 @@ ms.date: 02/26/2024
Organization may want to set up special purpose devices, such as a device in the lobby that customers can use to view product catalogs, or a device displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use:
- Single-app kiosk: runs a single Universal Windows Platform (UWP) application in full screen above the lock screen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app launches automatically. If the kiosk app is closed, it will automatically restart
- Multi-app kiosk: runs one or more applications from the desktop. People using the kiosk see a customized Start menu that shows only the apps that are allowed to execute. With this approach, you can configure a locked-down experience for different account types
:::row:::
:::column:::
:::image type="content" source="images/kiosk.png" alt-text="logo":::
:::column-end:::
:::column:::
### Kiosk
Runs a single Universal Windows Platform (UWP) application in full screen above the lock screen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app launches automatically. If the kiosk app is closed, it will automatically restart
:::column-end:::
:::row-end:::
:::row:::
:::column:::
:::image type="content" source="images/restricted-user-experience.png" alt-text="logo":::
:::column-end:::
:::column:::
### Restricted user experience
runs one or more applications from the desktop. People using the kiosk see a customized Start menu that shows only the apps that are allowed to execute. With this approach, you can configure a locked-down experience for different account types
:::column-end:::
:::row-end:::
A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user signs in. This type of single-app kiosk doesn't run above the lock screen.
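Review bot: Both `:::image` lines use `alt-text="logo"`, which tells a screen-reader user nothing about `kiosk.png` or `restricted-user-experience.png`; describe what each image shows. In the second column the body text starts with a lowercase "runs" because the "Multi-app kiosk:" label was dropped when the bullet became a heading, and neither description ends with a period. The paragraph that follows still says "A single-app kiosk is ideal for public use", so the old term remains next to the new "Kiosk" heading; pick one term and use it throughout.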
@ -32,7 +49,8 @@ There are several kiosk configuration methods that you can choose from, dependin
>[!IMPORTANT]
>Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
[!INCLUDE [assigned-access-kiosk-mode](../../../includes/licensing/assigned-access-kiosk-mode.md)]
[!INCLUDE [assigned-access-kiosk-mode](../../../includes/licensing/assigned-access.md)]
[!INCLUDE [assigned-access-kiosk-mode](../../../includes/licensing/shell-launcher.md)]
## Summary of configuration methods
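Review bot: Both new `[!INCLUDE ...]` lines keep the label `assigned-access-kiosk-mode`, including the one that pulls in `shell-launcher.md`. Rename the labels to match the files (`assigned-access` and `shell-launcher`) so the source stays searchable and the second include is not mistaken for a duplicate of the first.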

View File

@ -220,36 +220,56 @@ How to edit the registry to have an account sign in automatically:
The following table describes some features that have interoperability issues we recommend that you consider when running assigned access.
- **Accessibility**: Assigned access doesn't change Ease of Access settings. We recommend that you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features:
### Accessibility
Assigned access doesn't change accessibility settings. We recommend that you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that open accessibility features:
| Key combination | Blocked behavior |
| --- | --- |
| Left Alt + Left Shift + Print Screen | Open High Contrast dialog box. |
| Left Alt + Left Shift + Num Lock | Open Mouse Keys dialog box. |
| Windows logo key + U | Open Ease of Access Center. |
| <kbd>Left Alt</kbd> + <kbd>Left Shift</kbd> + <kbd>Print Screen</kbd> | Open High Contrast dialog box |
| <kbd>Left Alt</kbd> + <kbd>Left Shift</kbd> + <kbd>Num Lock</kbd> | Open Mouse Keys dialog box |
| <kbd>WIN</kbd> + <kbd>U</kbd> | Open the Settings app accessibility panel |
- **Assigned access Windows PowerShell cmdlets**: In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](/powershell/module/assignedaccess/)
### Keyboard shortcuts
- **Key sequences blocked by assigned access**: When in assigned access, some key combinations are blocked for Assigned Access users.
The following keyboard shortcuts are blocked for any user account with Assigned Access:
<kbd>Alt</kbd> + <kbd>F4</kbd>, <kbd>Alt</kbd> + <kbd>Shift</kbd> + <kbd>Tab</kbd>, <kbd>Alt</kbd> + <kbd>Tab</kbd> aren't blocked by Assigned Access, it's recommended you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations.
| Keyboard shortcut | Action |
|--|--|
| <kbd>Ctrl</kbd> + <kbd>Shift</kbd> + <kbd>Esc</kbd> | Open Task Manager |
| <kbd>WIN</kbd> + <kbd>, (comma)</kbd> | Temporarily peek at the desktop |
| <kbd>WIN</kbd> + <kbd>A</kbd> | Open Action center |
| <kbd>WIN</kbd> + <kbd>Alt</kbd> + <kbd> D</kbd> | Display and hide the date and time on the desktop |
| <kbd>WIN</kbd> + <kbd>Ctrl</kbd> + <kbd> F</kbd> | Find computer objects in Active Directory |
| <kbd>WIN</kbd> + <kbd>D</kbd> | Display and hide the desktop |
| <kbd>WIN</kbd> + <kbd>E</kbd> | Open File Explorer |
| <kbd>WIN</kbd> + <kbd>F</kbd> | Open Feedback Hub |
| <kbd>WIN</kbd> + <kbd>G</kbd> | Open Game bar when a game is open |
| <kbd>WIN</kbd> + <kbd>I</kbd> | Open Settings |
| <kbd>WIN</kbd> + <kbd>J</kbd> | Set focus to a Windows tip when one is available |
| <kbd>WIN</kbd> + <kbd>O</kbd> | Lock device orientation |
| <kbd>WIN</kbd> + <kbd>Q</kbd> | Open search |
| <kbd>WIN</kbd> + <kbd>R</kbd> | Open the Run dialog box |
| <kbd>WIN</kbd> + <kbd>S</kbd> | Open search |
| <kbd>WIN</kbd> + <kbd>Shift</kbd> + <kbd> C</kbd> | Open Cortana in listening mode |
| <kbd>WIN</kbd> + <kbd>X</kbd> | Open the Quick Link menu |
| LaunchApp1 | Open the app that is assigned to this key |
| LaunchApp2 | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator |
| LaunchMail | Open the default mail client |
Ctrl + Alt + Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of Assigned Access by setting BreakoutKeyScanCode as described in [WEKF_Settings](/windows-hardware/customize/enterprise/wekf-settings).
The following keyboard shortcuts are't blocked for any user account with Assigned Access. You can use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations:
| Key combination | Blocked behavior for Assigned Access users |
| --- | --- |
| <kbd>Alt</kbd> + <kbd>Esc</kbd> | Cycle through items in the reverse order from which they were opened. |
| <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Esc</kbd> | Cycle through items in the reverse order from which they were opened. |
| <kbd>Ctrl</kbd> + <kbd>Esc</kbd> | Open the Start screen. |
| <kbd>Ctrl</kbd> + <kbd>F4</kbd> | Close the window. |
| <kbd>Ctrl</kbd> + <kbd>Shift</kbd> + <kbd>Esc</kbd> | Open Task Manager. |
| <kbd>Ctrl</kbd> + <kbd>Tab</kbd> | Switch windows within the application currently open. |
| LaunchApp1 | Open the app that is assigned to this key. |
| LaunchApp2 | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator. |
| LaunchMail | Open the default mail client. |
| Windows logo key | Open the Start screen. |
| Keyboard shortcut | Action |
|--|--|
|<kbd>Alt</kbd> + <kbd>F4</kbd>||
|<kbd>Alt</kbd> + <kbd>Shift</kbd> + <kbd>Tab</kbd>||
|<kbd>Alt</kbd> + <kbd>Tab</kbd>||
Keyboard Filter settings apply to other standard accounts.
> [!NOTE]
> <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Delete</kbd> is the default keyboard shortcut to break out of Assigned Access. You can use *Keyboard Filter* to configure a different key combination to break out of Assigned Access by setting *BreakoutKeyScanCode* as described in [WEKF_Settings](/windows-hardware/customize/enterprise/wekf-settings).
> [!CAUTION]
> Keyboard Filter settings apply to other standard accounts.
- **Key sequences blocked by [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)**: If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter).
[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education
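Review bot: Six entries from the "Key combination | Blocked behavior for Assigned Access users" table (Alt + Esc, Ctrl + Alt + Esc, Ctrl + Esc, Ctrl + F4, Ctrl + Tab and the Windows logo key) appear in neither of the two "Keyboard shortcut | Action" tables, so a reader can no longer tell whether Assigned Access blocks them or whether a Keyboard Filter rule is needed. Either carry them into the appropriate table or say explicitly that they are not blocked. Smaller points in the same hunk: "are't" should be "aren't"; the three rows for Alt + F4, Alt + Shift + Tab and Alt + Tab have empty Action cells; the context sentence "The following table describes some features" now introduces headings rather than a table; and the closing Keyboard Filter sentence lacks a period and would be more useful next to the recommendation, since Keyboard Filter is Enterprise and Education only while Assigned Access is also listed for Pro.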

View File

@ -13,7 +13,7 @@ ms.topic: include
| **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.<br><br>The Measured Boot feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The anti-malware software can use the log to determine whether components that ran before it are trustworthy, or if they're infected with malware. The anti-malware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. |
| **[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Microsoft Entra ID for conditional access. |
| **[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. |
| **[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.<br><br>Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. |
| **[Assigned Access](/windows/configuration/assigned-access)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.<br><br>Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. |
## Virus and threat protection
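Review bot: The row label and link change to "Assigned Access", but the description still speaks of "A single-app kiosk" and "A multi-app kiosk", while the overview page in this commit renames those experiences to "Kiosk" and "Restricted user experience". Update the description to the new names so the two pages agree, and lowercase the mid-sentence "A" in "or A multi-app kiosk" while there.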

View File

@ -13,8 +13,8 @@ items:
href: ../../threat-protection/security-policy-settings/security-policy-settings.md
- name: Security auditing
href: ../../threat-protection/auditing/security-auditing-overview.md
- name: Assigned Access (kiosk mode) 🔗
href: /windows/configuration/kiosk-methods
- name: Assigned Access 🔗
href: /windows/configuration/assigned-access
- name: Windows Security settings
href: windows-defender-security-center/windows-defender-security-center.md
items:
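Review bot: The `href` moves from `/windows/configuration/kiosk-methods` to `/windows/configuration/assigned-access`, yet no hunk shown in this commit renames an article or adds a redirect entry. Confirm that the new path resolves in the published site and that the old one redirects, otherwise this TOC entry and the matching table link in the security features include will both break.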