From 667c229073961f8ee63bd591b5731806b728797e Mon Sep 17 00:00:00 2001 From: Chandler Deng Date: Mon, 15 Jul 2019 13:34:34 -0700 Subject: [PATCH 1/5] Update assignedaccess-csp.md --- .../mdm/assignedaccess-csp.md | 126 +++++++++++++++++- 1 file changed, 125 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index ed052860e4..19e92fcfaa 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -14,6 +14,7 @@ ms.date: 09/18/2018 # AssignedAccess CSP +**Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.** The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration. @@ -246,6 +247,8 @@ KioskModeApp Replace ## AssignedAccessConfiguration XSD +Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. + ```xml + + + @@ -270,6 +278,7 @@ KioskModeApp Replace + @@ -286,6 +295,10 @@ KioskModeApp Replace + + + + @@ -304,7 +317,13 @@ KioskModeApp Replace + + + + + + @@ -322,7 +341,8 @@ KioskModeApp Replace - + + @@ -340,6 +360,7 @@ KioskModeApp Replace + @@ -365,6 +386,22 @@ KioskModeApp Replace + + + + + + + + + + + + + + + + 
@@ -385,7 +422,94 @@ KioskModeApp Replace +``` +Here is the schema for new features introduced in Windows 10 1809 release +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +Schema for Windows 10 prerelease +```xml + + + + + + + + + + + + + + + + + + +``` + +To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. e.g. to configure auto-launch feature which is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. +```xml + + + + + + ``` ## Example AssignedAccessConfiguration XML From 340d30f87282607d544a79900741da3ae33709d0 Mon Sep 17 00:00:00 2001 From: Chandler Deng Date: Mon, 15 Jul 2019 14:03:44 -0700 Subject: [PATCH 2/5] Update kiosk-xml.md --- windows/configuration/kiosk-xml.md | 880 +++++++++++++++++++++++------ 1 file changed, 703 insertions(+), 177 deletions(-) diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index f2ab6d4bd9..2596146ed3 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -26,7 +26,7 @@ ms.topic: article ## Full XML sample >[!NOTE] ->Updated for Windows 10, version 1809. +>Updated for Windows 10, version 1903, and Windows 10 Prerelease ```xml 
@@ -165,11 +165,485 @@ ms.topic: article ``` +## Auto Launch Sample XML + +This sample demonstrates that both UWP and Win32 apps can be configured to automatically launch, when assigned access account logs in. One profile can have at most one app configured for auto launch. AutoLaunchArguments are passed to the apps as is and the app needs to handle the arguments explicitly. + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + aauser1 + + + + aauser2 + + + + + +``` + +## [Preview] Global Profile Sample XML +Global Profile is currently supported in Windows 10 Prerelease. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user. + +This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + +``` + +Below sample shows dedicated profile and global profile mixed usage, aauser would use one profile, everyone else that's non-admin will use another profile. +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + aauser + + + + + +``` + +## [Preview] Folder Access sample xml +In Windows 10 1809 release, folder access is locked down that when common file dialog is opened, IT Admin can specify if user has access to the Downloads folder, or no access to any folder at all. This restriction has be redesigned for finer granulatity and easier use, available in current Windows 10 Prerelease. + +IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. 
+* When v2:FileExplorerNamespaceRestrictions node is not used, or used but left empty, user will not be able to access any folder in common dialog (e.g. Save As in Microsoft Edge browser). +* When Downloads is mentioned in allowed namespace, user will be able to access Downloads folder. +* When v3:AllowRemovableDrives is used, user will be to access removable drives. +* When v3:NoRestriction is used, no restriction will be applied to the dialog. + +Note that Downloads and Removable Drives can be allowed at the same time. + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + multi1 + + + + multi2 + + + + multi3 + + + + multi4 + + + + multi5 + + + + multi6 + + + + + + +``` ## XSD for AssignedAccess configuration XML >[!NOTE] ->Updated for Windows 10, version 1809. +>Updated for Windows 10, version 1903 and Windows 10 Prerelease. +Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. ```xml 
@@ -179,172 +653,174 @@ ms.topic: article xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" + xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config" > - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ``` -## XSD schema for new elements in Windows 10, version 1809 - +Here is the schema for new features introduced in Windows 10 1809 release ```xml - - - - - + - - - + + + + + + + + + - - - - - + + + - + + + + + - + - + - + + + ``` + +Schema for Windows 10 prerelease +```xml + + + + + + + + + + + + + + + + + + +``` + +To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. e.g. to configure auto-launch feature which is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. +```xml + + + + + + +``` From 3fe1ee7cd701107875f546157e5bbace0f9a7b57 Mon Sep 17 00:00:00 2001 
From: Chandler Deng Date: Mon, 15 Jul 2019 14:13:04 -0700 Subject: [PATCH 3/5] Update kiosk-xml.md --- windows/configuration/kiosk-xml.md | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 2596146ed3..eaa00d09b8 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -396,13 +396,7 @@ Below sample shows dedicated profile and global profile mixed usage, aauser woul ## [Preview] Folder Access sample xml In Windows 10 1809 release, folder access is locked down that when common file dialog is opened, IT Admin can specify if user has access to the Downloads folder, or no access to any folder at all. This restriction has be redesigned for finer granulatity and easier use, available in current Windows 10 Prerelease. -IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. -* When v2:FileExplorerNamespaceRestrictions node is not used, or used but left empty, user will not be able to access any folder in common dialog (e.g. Save As in Microsoft Edge browser). -* When Downloads is mentioned in allowed namespace, user will be able to access Downloads folder. -* When v3:AllowRemovableDrives is used, user will be to access removable drives. -* When v3:NoRestriction is used, no restriction will be applied to the dialog. - -Note that Downloads and Removable Drives can be allowed at the same time. +IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Note that Downloads and Removable Drives can be allowed at the same time. ```xml From 01cd4ca8ab0c8da79974601b4b60aa13c572d593 Mon Sep 17 00:00:00 2001 From: Chandler Deng Date: Mon, 15 Jul 2019 14:15:20 -0700 Subject: [PATCH 4/5] Update lock-down-windows-10-to-specific-apps.md --- .../lock-down-windows-10-to-specific-apps.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) 
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index a8d16003c6..674c026813 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -172,7 +172,7 @@ Here are the predefined assigned access AppLocker rules for **desktop apps**: The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in. -xml +```xml <AllAppsList> <AllowedApps> <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> @@ -184,6 +184,7 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula <App DesktopAppPath="C:\Windows\System32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="123.txt"/> </AllowedApps> </AllAppsList> +``` ##### FileExplorerNamespaceRestrictions 
@@ -217,6 +218,13 @@ The following example shows how to allow user access to the Downloads folder in ``` +FileExplorerNamespaceRestriction has been extended in current Windows 10 Prerelease for finer granularity and easier use, see in the [Assigned access XML reference.](kiosk-xml.md) for full samples. The changes will allow IT Admin to configure if user can access Downloads folder, Removable drives, or no restriction at all by using certain new elements. Note that FileExplorerNamesapceRestrictions and AllowedNamespace:Downloads are available in namespace http://schemas.microsoft.com/AssignedAccess/201810/config, AllowRemovableDrives and NoRestriction are defined in a new namespace http://schemas.microsoft.com/AssignedAccess/2020/config. + +* When FileExplorerNamespaceRestrictions node is not used, or used but left empty, user will not be able to access any folder in common dialog (e.g. Save As in Microsoft Edge browser). +* When Downloads is mentioned in allowed namespace, user will be able to access Downloads folder. +* When AllowRemovableDrives is used, user will be to access removable drives. +* When NoRestriction is used, no restriction will be applied to the dialog. +* AllowRemovableDrives and AllowedNamespace:Downloads can be used at the same time. ##### StartLayout From eeeabe1562a7aa2c7ee23fe54c40df06cf8df28e Mon Sep 17 00:00:00 2001 From: Chandler Deng Date: Mon, 15 Jul 2019 14:23:39 -0700 Subject: [PATCH 5/5] Update lock-down-windows-10-to-specific-apps.md --- .../lock-down-windows-10-to-specific-apps.md | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 674c026813..6d4bd9ef52 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md 
@@ -409,6 +409,67 @@ Group accounts are specified using ``. Nested groups are not supporte +#### [Preview] Global Profile +Global profile is added in curernt Windows 10 Prerelease. There are times when IT Admin wants to everyone who logging into a specific devices are assigned access users, even there is no dedicated profile for that user, or there are times that Assigned Access could not identify a profile for the user and a fallback profile is wished to use. Global Profile is designed for these scenarios. + +Usage is demonstrated below, by using the new xml namespace and specify GlobalProfile from that namespace. When GlobalProfile is configured, a non-admin account logs in, if this user does not have designated profile in Assigned Access, or Assigned Access fails to determine a profile for current user, global profile will be applied for the user. + +Note: +1. GlobalProfile can only be multi-app profile +2. Only one GlobalProfile can be used in one AssignedAccess Configuration Xml +3. GlobalProfile can be used as the only config, or it can be used among with regular user or group Config. + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + +``` + ### Add XML file to provisioning package Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](kiosk-xml.md#xsd-for-assignedaccess-configuration-xml).
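Review bot: In [PATCH 1/5], in the paragraph added at the end of the @@ -385,7 +422,94 @@ hunk of assignedaccess-csp.md, "To authorize a compatible configuration XML" reads as a statement about permissions. The sentence is about writing the file, so "To author" looks like the intended word. The same paragraph names the alias r1809 for the 201810 namespace, while the XSD header in kiosk-xml.md ([PATCH 2/5]) binds that namespace as xmlns:rs5 and the lock-down example uses rs5:AutoLaunch. Use one alias across the three files, or state that the alias is arbitrary and only the namespace URI has to match. Splitting the sentence at "e.g." would also make it easier to read.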
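Review bot: In [PATCH 2/5], in the "[Preview] Folder Access sample xml" section added by the @@ -165,11 +165,485 @@ hunk of kiosk-xml.md, the bullets use the prefixes v2: and v3: without saying which namespaces they stand for, and the XSD header later in the same file binds the 201810 namespace as rs5, not v2. Name the namespace URI next to each prefix, or use the same alias as the XSD. The section also needs a proofread: "has be redesigned" should be "has been redesigned", "granulatity" should be "granularity", and "user will be to access removable drives" is missing "able". In the Global Profile section of the same hunk, "for an user" should be "for a user". The heading casing ("sample xml") differs from "Auto Launch Sample XML" and "Global Profile Sample XML" just above it.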
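Review bot: In [PATCH 2/5], the @@ -179,172 +653,174 @@ hunk of kiosk-xml.md removes the heading "## XSD schema for new elements in Windows 10, version 1809" and replaces it with the plain sentence "Here is the schema for new features introduced in Windows 10 1809 release", which drops that section's anchor and would break any link that targets it. Keep the heading, and consider adding a matching one for the prerelease schema. The note at the top of the section now says "Updated for Windows 10, version 1903 and Windows 10 Prerelease", but the three schema lead-ins only name 1803, 1809 and prerelease, so a reader cannot tell which schema applies to 1903. The closing "To authorize a compatible configuration XML" paragraph is a verbatim copy of the one added to assignedaccess-csp.md in [PATCH 1/5]; keeping it in one file and linking from the other avoids the two copies drifting apart.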
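Review bot: In [PATCH 3/5], the @@ -396,13 +396,7 @@ hunk deletes the four bullets under "IT Admin now can specify user access", so kiosk-xml.md no longer states that an absent or empty FileExplorerNamespaceRestrictions node means the user cannot access any folder in the common dialog. That default matters to anyone reviewing a kiosk lockdown from this page alone. [PATCH 4/5] adds the same list to lock-down-windows-10-to-specific-apps.md, so a link to that section from here would be enough. The unchanged sentence directly above still reads "has be redesigned for finer granulatity" and could be corrected in the same change.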
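Review bot: In [PATCH 4/5], in the @@ -172,7 +172,7 @@ hunk of lock-down-windows-10-to-specific-apps.md, the sentence above the newly fenced example says Notepad creates a file called `123.text`, but the example passes rs5:AutoLaunchArguments="123.txt". The sentence is a context line here, but since this change touches the example it is a good place to make the two agree.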
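Review bot: In [PATCH 4/5], in the paragraph added by the @@ -217,6 +218,13 @@ hunk, the element name is written three ways: "FileExplorerNamespaceRestriction" (singular), "FileExplorerNamesapceRestrictions" (misspelled) and "FileExplorerNamespaceRestrictions" in the first bullet. Use the last form throughout, since readers will copy the name into their XML. In the link, "see in the [Assigned access XML reference.](kiosk-xml.md) for full samples" has a stray "in" and a period inside the link text. The third bullet, "user will be to access removable drives", is missing "able". Formatting the element names and the two namespace URIs as inline code would stop the bare http:// URIs from being rendered as links.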
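Review bot: In [PATCH 5/5], the first paragraph of the "[Preview] Global Profile" section added by the @@ -409,6 +409,67 @@ hunk is hard to follow as written: "curernt" is misspelled, and "wants to everyone who logging into a specific devices are assigned access users" needs rewording, for example "wants everyone who logs in to a specific device to be an assigned access user". In the note list, "among with regular user or group Config" should be "along with". The second paragraph says the global profile applies when Assigned Access "fails to determine a profile for current user"; because this is the fallback path, it would help to state in one sentence that admin accounts are never covered by GlobalProfile, which the text currently only implies through "a non-admin account logs in". The "Note:" list could use the >[!NOTE] convention that kiosk-xml.md uses.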