Merge branch 'main' into gary-fix-markup

Gary Moore
2025-03-10 14:15:48 -07:00
70 changed files with 1225 additions and 1147 deletions


@ -3,7 +3,7 @@ title: Create an Assigned Access configuration file
description: Learn how to create an XML file to configure Assigned Access.
ms.topic: how-to
zone_pivot_groups: windows-versions-11-10
ms.date: 10/31/2024
ms.date: 3/7/2025
appliesto:
---
@ -150,16 +150,24 @@ Example:
<App DesktopAppPath="C:\Windows\system32\cmd.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge_proxy.exe" />
<App AppUserModelId="Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App"/>
<App DesktopAppPath="C:\Windows\System32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="%windir%\setuperr.log" />
</AllowedApps>
</AllAppsList>
```
> [!IMPORTANT]
> If you pins elements to the Start menu with Microsoft Edge secondary tiles, include the following apps in the allowed apps list:
>
> - `<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge_proxy.exe" />`
> - `<App AppUserModelId="Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App"/>`
::: zone pivot="windows-10"
### File Explorer restrictions
In a restricted user experience (`AllAppList`), folder browsing is locked down by default. You can explicitly allow access to known folders by including the `FileExplorerNamespaceRestrictions` node.
In a restricted user experience, folder browsing is locked down by default. You can explicitly allow access to known folders by including the `FileExplorerNamespaceRestrictions` node.
You can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time.
@ -288,19 +296,22 @@ With the exported Start menu configuration, use the `v5:StartPins` element and a
</v5:StartPins>
```
Example with some apps pinned:
Example with some apps and a Microsoft Edge pinned site:
``` xml
<v5:StartPins>
<![CDATA[
{
"pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"}
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"},
{"secondaryTile": { "tileId": "MSEdge._pin_mjalfbhoimpkfjlpajnjkpknoe", "arguments": " --pin-url=https://www.contoso.com --profile-directory=Default --launch-tile", "displayName": "Contoso intranet", "packagedAppId": "Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App", "smallIconPath": "ms-appdata:///local/Pins/MSEdge._pin_mjalfbhoimpkfjlpajnjkpknoe/ContosoLogo.png", "smallIcon": "iVBORw0KGgoAAAANSUhEUgAAADQAAAA0CAYAAADFeBvrAAAACXBIWXMAAAInAAACJwG+ElQIAAABaWlDQ1BEaXNwbGF5IFAzAAB4nHWQvUvDUBTFT6tS0DqIDh0cMolD1NIKdnFoKxRFMFQFq1OafgltfCQpUnETVyn4H1jBWXCwiFRwcXAQRAcR3Zw6KbhoeN6XVNoi3sfl/Ticc7lcwBtQGSv2AijplpFMxKS11Lrke4OHnlOqZrKooiwK/v276/PR9d5PiFlNu3YQ2U9cl84ul3aeAlN//V3Vn8maGv3f1EGNGRbgkYmVbYsJ3iUeMWgp4qrgvMvHgtMunzuelWSc+JZY0gpqhrhJLKc79HwHl4plrbWD2N6f1VeXxRzqUcxhEyYYilBRgQQF4X/8044/ji1yV2BQLo8CLMpESRETssTz0KFhEjJxCEHqkLhz634PrfvJbW3vFZhtcM4v2tpCAzidoZPV29p4BBgaAG7qTDVUR+qh9uZywPsJMJgChu8os2HmwiF3e38M6Hvh/GMM8B0CdpXzryPO7RqFn4Er/QcXKWq8MSlPPgAABFZJREFUeAHdWu1RajEQ3ev4X61AXgX6KhA68FWgrwLpAK0AO0ArUCsQKxArECsAK8jLuTNh9i3J5uMGBc9MhivmY0/2ZEk2l8jCGDOyZWF2FxNbeuDS2Iex/RzS7mPaNM0AhBb2j0P6Gfi1Txsms1wu6fPzs/1E6fV6dHBwQIeHGxm2t0+V8fLyQrPZjKbTafs5n8+99UDo9PSUzs/Pqd/v08nJCVWBqYDFYmGur6+NNdCgy5KCtnd3d6Yj+lhDhjrg5uaGbm9vWzlJwAuQGDzBAa/Be742qG8nhy4uLqgAg2IPvb6+Gjt4dNaHw6Gx8vP28f7+biaTibGSW2uLvvH/XA8VEbIeyZYUDISkQkbi+8vLy7V2kPJGCWGAkMGYaRiFz9B6Qj3NSBCTHoOXN0JIkrFrxIxGo+CsI1g8PDx4Zx7Enp+fg2OhX14ffVQlJMlg1mBwChwx35rTvIU2mLQM+aURQsfcCMxeCgkYEAscLniEJgfBh9eNhPY4IciJGxUj44jwmU0NGiHpjsfj/2SuRL84Ia7/mI4leWcAFjkkiugIsnj2BQ20DXmKBwolSOiEYGDKDAKQBveKCxjaOvOFahgugd8x3jc8VkSID6ZpV3oGRqUGDADRjrfnHsC4nLDdQWhdhQlJ76i9MDlEBjTaeNwLCEQysiYEozAhbElSvMPraWsgBTKa5kZWoxHis66tHS6Vgr3XGiC3QjKt2V5CmGVtkTpgsabUywHG5tKDAjLQ3yMP3t7eVs9y68/x+Pi4erYBhGoARw5Loj342WCR3a/3xGqls3rWCOFM41DtxGkBMigl8Hro4+Nj9Xx8fBxszAlpxL8SXkL8JKklM1w9nDK3BVFCR0dH3oah5Md3Yy9WwUYd7/cbSkN1hpcQl5AvkQGAkCO1Td7yEuKBgAcICR4IeID4TngJpRrK6yHBWAv39/c0GAzaZGU2Qr/WlLADwC6ZKu8U5M49M/mYtpfTNpy8npb0SEXHVFaYEM+9aR1yL2m5gRTwnbs8wieSChPisss5DyWmm9Ygz0OQm
kxldc762P1U0YkV7XKOEvKIzU+s3GsJE6YT4nLCgLH8ACflUr9aG/xPnn8gW4mM/Fw/mvXhA5ZkfVwEhBFYlyjoMzdBz4NFcdYHkAeumI5RX2o/pWhkeICKZJ/ihAAuvdSIg0FD+TefB78sc+rgS56nLnwYi8Xtk6N2syCDRaesjw+SFAyEQdrtA4zi0ZK31X6I5R1UYnosj5CPFDfQ3Q+BQEhqsYzql94PxUhpJUYklORX0r71CAGhEO2TZEhaIAFphUJ4wd6w+y04bqyx3fcd8ty7CDLngENj6B0GtLm6umr7LUD5LTiHu81OudwiJXTDW102t1U8JIGZf3p6Wr1Joh3h8QYJytnZWa002KA6IQn3jg/k5fIQPB9RGT/ubazfyClsR3ajO+ZN08xA6C/+oN3G3JY/eGjcN1Z6WJW7KL0lPOP++AdqljW+tM7PvwAAAABJRU5ErkJggg==", "largeIconPath": "ms-appdata:///local/Pins/MSEdge._pin_mjalfbhoimpkfjlpajnjkpknoe/ContosoLogo.png" }}
]
}
]]>
</v5:StartPins>
```
::: zone-end


@ -0,0 +1,96 @@
---
title: Configure a Multi-App Kiosk With Assigned Access
description: Learn how to configure a multi-app kiosk with Assigned Access.
ms.date: 3/7/2025
ms.topic: overview
---
# Configure a restricted user experience (multi-app kiosk) with Assigned Access
An Assigned Access restricted user experience runs one or more apps from the desktop. People using the kiosk have a customized Start menu that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for shared devices.
To configure a restricted user experience with Assigned Access, you must create an XML configuration file with the settings for the desired experience. The XML file is applied to the device via the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp#shelllauncher), using one of the following options:
- A Mobile Device Management (MDM) solution, like Microsoft Intune
- Provisioning packages
- PowerShell, with the MDM Bridge WMI Provider
To learn how to configure the Assigned Access XML file, see [Create an Assigned Access configuration file](configuration-file.md).
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
You can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
- **Setting:** `./Vendor/MSFT/AssignedAccess/Configuration`
- **Value:** content of the XML configuration file
Assign the policy to a group that contains as members the devices that you want to configure.
#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
- **Path:** `AssignedAccess/MultiAppAssignedAccessSettings`
- **Value:** content of the XML configuration file
[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
```PowerShell
$assignedAccessConfiguration = @"
# content of the XML configuration file
"@
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
Write-Error -ErrorRecord $cimSetError[0]
$timeout = New-TimeSpan -Seconds 30
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
do{
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
if($events.Count) {
$events | ForEach-Object {
Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
}
} else {
Write-Warning "Timed-out attempting to retrieve event logs..."
}
Exit 1
}
Write-Output "Successfully applied Assigned Access configuration"
```
[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
#### [:::image type="icon" source="../images/icons/settings-app.svg"::: **Settings**](#tab/settings)
This option isn't available using Settings.
---
> [!TIP]
> For practical examples, see the [Quickstart: Configure a restricted user experience with Assigned Access](quickstart-restricted-user-experience.md)
[!INCLUDE [user-experience](includes/user-experience.md)]
<!--links-->
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp


@ -1,11 +1,11 @@
---
title: What is Assigned Access?
description: Learn how to configure a Windows kiosk for single-app and multi-app scenarios with Assigned Access.
ms.date: 10/31/2024
title: Configure a Single-App Kiosk With Assigned Access
description: Learn how to configure a single-app kiosk with Assigned Access.
ms.date: 3/7/2025
ms.topic: overview
---
# What is Assigned Access?
# Configure a single-app kiosk with Assigned Access
Assigned Access is a Windows feature that you can use to configure a device as a kiosk or with a restricted user experience.
@ -188,128 +188,7 @@ When the device isn't joined to an Active Directory domain or Microsoft Entra ID
> [!TIP]
> For practical examples, see the [Quickstart: Configure a kiosk with Assigned Access](quickstart-kiosk.md).
## Configure a restricted user experience
To configure a restricted user experience with Assigned Access, you must create an XML configuration file with the settings for the desired experience. The XML file is applied to the device via the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp#shelllauncher), using one of the following options:
- A Mobile Device Management (MDM) solution, like Microsoft Intune
- Provisioning packages
- PowerShell, with the MDM Bridge WMI Provider
To learn how to configure the Assigned Access XML file, see [Create an Assigned Access configuration file](configuration-file.md).
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
You can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
- **Setting:** `./Vendor/MSFT/AssignedAccess/ShellLauncher`
- **Value:** content of the XML configuration file
Assign the policy to a group that contains as members the devices that you want to configure.
#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
- **Path:** `AssignedAccess/MultiAppAssignedAccessSettings`
- **Value:** content of the XML configuration file
[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
```PowerShell
$assignedAccessConfiguration = @"
# content of the XML configuration file
"@
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
Write-Error -ErrorRecord $cimSetError[0]
$timeout = New-TimeSpan -Seconds 30
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
do{
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
if($events.Count) {
$events | ForEach-Object {
Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
}
} else {
Write-Warning "Timed-out attempting to retrieve event logs..."
}
Exit 1
}
Write-Output "Successfully applied Assigned Access configuration"
```
[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
#### [:::image type="icon" source="../images/icons/settings-app.svg"::: **Settings**](#tab/settings)
This option isn't available using Settings.
---
> [!TIP]
> For practical examples, see the [Quickstart: Configure a restricted user experience with Assigned Access](quickstart-restricted-user-experience.md)
## User experience
To validate the kiosk or restricted user experience, sign in with the user account you specified in the configuration file.
The Assigned Access configuration takes effect the next time the targeted user signs in. If that user account is signed in when you apply the configuration, sign out and sign back in to validate the experience.
> [!NOTE]
> Starting in Windows 11, a restricted user experience supports the use of multiple monitors.
### Autotrigger touch keyboard
The touch keyboard is automatically triggered when there's an input needed and no physical keyboard is attached on touch-enabled devices. You don't need to configure any other setting to enforce this behavior.
> [!TIP]
> The touch keyboard is triggered only when tapping a textbox. Mouse clicks don't trigger the touch keyboard. If you're testing this feature, use a physical device instead of a virtual machine (VM), as the touch keyboard is not triggered on VMs.
### Sign out of assigned access
By default, to exit the kiosk experience, press <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Del</kbd>. The kiosk app exits automatically. If you sign in again as the Assigned Access account, or wait for the sign in screen timeout, the kiosk app relaunches. The default timeout is 30 seconds, but you can change the timeout with the registry key:
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
To change the default time for Assigned Access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
> [!NOTE]
> `IdleTimeOut` doesn't apply to the Microsoft Edge kiosk mode.
The Breakout Sequence of <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Del</kbd> is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence is <kbd>CTRL</kbd> + <kbd>ALT</kbd> + <kbd>A</kbd>, where <kbd>CTRL</kbd> + <kbd>ALT</kbd> are the modifiers, and <kbd>A</kbd> is the key value. To learn more, see [Create an Assigned Access configuration XML file](configuration-file.md).
## Remove Assigned Access
Deleting the restricted user experience removes the policy settings associated with the users, but it can't revert all the configurations. For example, the Start menu configuration is maintained.
## Next steps
> [!div class="nextstepaction"]
> Review the recommendations before you deploy Assigned Access:
>
> [Assigned Access recommendations](recommendations.md)
<!--links-->
[!INCLUDE [user-experience](includes/user-experience.md)]
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp


@ -1,7 +1,7 @@
---
title: Assigned Access examples
title: Assigned Access Examples
description: Practical examples of XML files to configure Assigned Access.
ms.date: 10/31/2024
ms.date: 3/7/2025
ms.topic: reference
zone_pivot_groups: windows-versions-11-10
appliesto:

Binary file not shown.


Binary file not shown.


Binary file not shown.



@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---


@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---


@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---


@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---


@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---


@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---


@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---


@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---


@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---


@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---


@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---


@ -0,0 +1,78 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 3/7/2025
ms.topic: include
---
## User experience
To validate the kiosk configuration, sign in with the user account you specified in the configuration file.
The Assigned Access configuration takes effect the next time the targeted user signs in. If that user account is signed in when you apply the configuration, sign out and sign back in to validate the experience.
### Autotrigger touch keyboard
The touch keyboard is automatically triggered when there's an input needed and no physical keyboard is attached on touch-enabled devices. You don't need to configure any other setting to enforce this behavior.
> [!TIP]
> The touch keyboard is triggered only when tapping a textbox. Mouse clicks don't trigger the touch keyboard. If you're testing this feature, use a physical device instead of a virtual machine (VM), as the touch keyboard isn't triggered on VMs.
### Sign out of assigned access
By default, to exit the kiosk experience, press <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Del</kbd>. The kiosk app exits automatically. If you sign in again as the Assigned Access account, or wait for the sign in screen time-out, the kiosk app relaunches. The default time-out is 30 seconds, but you can change the time-out with the registry key:
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
To change the default time for Assigned Access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
> [!NOTE]
> `IdleTimeOut` doesn't apply to the Microsoft Edge kiosk mode.
The Breakout Sequence of <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Del</kbd> is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence is <kbd>CTRL</kbd> + <kbd>ALT</kbd> + <kbd>A</kbd>, where <kbd>CTRL</kbd> + <kbd>ALT</kbd> are the modifiers, and <kbd>A</kbd> is the key value. To learn more, see [Create an Assigned Access configuration XML file](../configuration-file.md).
## Remove Assigned Access
Deleting the Assigned Access configuration removes the policy settings associated with the users, but it can't revert all the changes. For example, in a multi-app kiosk scenario the Start menu configuration is maintained.
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
To remove the Assigned Access configuration, unassign or delete the policy that contains the configuration.
#### [:::image type="icon" source="../../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To remove the Assigned Access configuration, uninstall the provisioning package that contains the configuration.
#### [:::image type="icon" source="../../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
```PowerShell
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = $null
Set-CimInstance -CimInstance $obj
```
#### [:::image type="icon" source="../../images/icons/settings-app.svg"::: **Settings**](#tab/settings)
1. Go to **Settings > Accounts > Other Users**, or use the following shortcut:
> [!div class="nextstepaction"]
>
> [Other Users](ms-settings:otherusers)
1. Select **Kiosk**
1. Under **Kiosk info**, expand the application used for the kiosk experience
1. Select **Remove kiosk**
> [!NOTE]
> This option isn't available using Settings if you configured a restricted user experience.
---
## Next steps
> [!div class="nextstepaction"]
> Review the recommendations before you deploy Assigned Access:
>
> [Assigned Access recommendations](../recommendations.md)


@ -1,74 +1,47 @@
---
title: Windows kiosks and restricted user experiences
description: Learn about the options available in Windows to configure kiosks and restricted user experiences.
title: Assigned Access Overview
description: Learn how to configure a Windows kiosk for single-app and multi-app scenarios with Assigned Access.
ms.date: 3/7/2025
ms.topic: overview
ms.date: 10/31/2024
---
# Windows kiosks and restricted user experiences
# Assigned Access overview
Organizations are constantly seeking ways to streamline operations, improve customer service, and enhance productivity. One effective solution is the deployment of kiosk devices. These specialized devices offer a range of benefits that can significantly impact an organization's efficiency and success. For example:
Assigned Access is a Windows feature that you can use to configure a device as a kiosk or with a restricted user experience.
- Cost-effective customer service: kiosks allow organizations to provide essential services without the need for dedicated staff. Whether it's checking in at a hotel, ordering food at a restaurant, or printing boarding passes at an airport, kiosks reduce labor costs while maintaining service quality. Customers appreciate the convenience of self-service options, leading to higher satisfaction levels
- Reduced wait times: long queues and wait times frustrate customers and staff members. Kiosks expedite processes by allowing users to complete tasks independently. Whether it's paying bills, renewing memberships, or accessing information, kiosks empower users to get things done swiftly
- Consistent brand experience: kiosks ensure a uniform brand experience across different locations. Whether in retail stores, schools, airports, or healthcare facilities, the interface remains consistent. Brand consistency builds trust and reinforces the organization's image
- Customization and flexibility: kiosks can be tailored to specific needs. From touchscreens to barcode scanners, organizations choose features that align with their goals. Whether it's self-checkout, wayfinding, or interactive product catalogs, kiosks adapt to diverse requirements
When you configure a **kiosk experience**, a single Universal Windows Platform (UWP) application or Microsoft Edge is executed in full screen, above the lock screen. Users can only use that application. If the kiosk app is closed, it automatically restarts. Practical examples include:
Windows offers two different options for public or specialized use:
- Public browsing
- Interactive digital signage
:::row:::
:::column span="1":::
:::image type="content" source="images/kiosk.png" alt-text="Icon representing a kiosk." border="false":::
:::column-end:::
:::column span="3":::
#### Kiosk experience
:::column-end:::
:::row-end:::
When you configure a **restricted user experience**, users can only execute a defined list of applications, with a tailored Start menu and Taskbar. Different policy settings and AppLocker rules are enforced, creating a locked down experience. The users can access a familiar Windows desktop, while limiting their access, reducing distractions, and potential for inadvertent uses. Ideal for shared devices, you can create different configurations for different users. Practical examples include:
This option runs a single application in full screen, and people using the device can only use that app. When the designated kiosk account signs in, the kiosk app launches automatically. This option is sometimes referred to as *single-app kiosk*.
- Frontline worker devices
- Student devices
- Lab devices
Windows offers two different features to configure a kiosk experience:
> [!NOTE]
> When you configure a restricted user experience, different policy settings are applied to the device. Some policy settings apply to standard users only, and some to administrator accounts too. For more information, see [Assigned Access policy settings](policy-settings.md).
- **Assigned Access**: used to execute a single Universal Windows Platform (UWP) app or Microsoft Edge in full screen. When the kiosk account signs in, the kiosk app launches automatically. If the UWP app is closed, it automatically restarts
- **Shell Launcher**: used to configure a device to execute a Windows desktop application as the user interface. The specified application replaces the default Windows shell (`Explorer.exe`) that usually runs when a user signs in
## Requirements
:::row:::
:::column span="1":::
:::image type="content" source="images/restricted-user-experience.png" alt-text="Icon representing a restricted user experience." border="false":::
:::column-end:::
:::column span="3":::
#### Restricted user experience
:::column-end:::
:::row-end:::
Here are the requirements for Assigned Access:
This option loads the Windows desktop, but it only allows to run a defined set of applications. When the designated user signs in, the user can only run the apps that are allowed. The Start menu is customized to show only the apps that are allowed to execute. With this approach, you can configure a locked-down experience for different account types. This option is sometimes referred to as *multi-app kiosk*.
- To use a kiosk experience, [User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be enabled
- To use a kiosk experience, you must sign in from the console. The kiosk experience isn't supported over a remote desktop connection
:::image type="content" source="images/restricted-user-experience-example.png" alt-text="Screenshot of a restricted user experience in Windows 11." border="false":::
To configure a restricted user experience, you use the **Assigned Access** feature.
## Choose the right experience
When you're considering a kiosk or restricted user experience, you need to choose the right experience for your needs. A good approach is to ask yourself the following set of questions:
| | Question |
|--|--|
| **🔲** | *How many apps?* <br>The number of apps determines the experience to build: **kiosk** or **restricted user experience**.|
| **🔲** | *Desktop experience or custom?* <br>If your users require access to the desktop with a custom Start menu, then you can build a **restricted user experience** with **Assigned Access**. If your users require access to multiple applications but with a custom user interface, then you should use **Shell Launcher**.|
| **🔲** | *In single-app scenario, which type of app will your kiosk run?* <br>If the kiosk requires a Universal Windows Platform (UWP) app or Microsoft Edge, you can build a **kiosk experience** with **Assigned Access**. If the kiosk requires a desktop app, you can build a **kiosk experience** with **Shell Launcher**.|
| **🔲** | *Which edition of Windows client will the kiosk run?"* <br>**Assigned Access** is supported on Windows Pro and Enterprise/Education. **Shell Launcher** is only supported on Windows Enterprise and Education editions.|
[!INCLUDE [assigned-access](../../../includes/licensing/assigned-access.md)]
## Next steps
In the next sections, you can learn more about the options available to configure kiosks and restricted user experiences:
Learn how to configure Assigned Access:
- [Assigned Access](overview.md)
- [Shell Launcher](shell-launcher/index.md)
- [Configure a single-app kiosk experience with Assigned Access](configure-single-app-kiosk.md)
- [Configure a restricted user experience (multi-app kiosk) with Assigned Access](configure-multi-app-kiosk.md)
### :::image type="icon" source="../images/icons/rocket.svg" border="false"::: Quickstarts
If you're ready to try out the options available to configure kiosks and restricted user experiences, check out the following quickstarts:
If you want to quickly test Assigned Access, check out the following quickstarts:
- [Quickstart: configure a kiosk with Assigned Access](quickstart-kiosk.md)
- [Quickstart: configure a kiosk experience with Shell Launcher](shell-launcher/quickstart-kiosk.md)
- [Quickstart: configure a restricted user experience with Assigned Access](quickstart-restricted-user-experience.md)
- [Quickstart: configure a single-app kiosk with Assigned Access](quickstart-kiosk.md)
- [Quickstart: configure a restricted user experience with Assigned Access](quickstart-restricted-user-experience.md)


@ -1,5 +1,5 @@
---
title: Assigned Access policy settings
title: Assigned Access Policy Settings
description: Learn about the policy settings enforced on a device configured with Assigned Access.
ms.topic: reference
ms.date: 02/25/2025


@ -1,13 +1,13 @@
---
title: "Quickstart: configure a kiosk experience with Assigned Access"
description: Learn how to configure a kiosk experience with Assigned Access using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
title: "Quickstart: Configure a Single-App Kiosk With Assigned Access"
description: Learn how to configure a single-app kiosk with Assigned Access using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
ms.date: 10/31/2024
ms.date: 3/7/2025
---
# Quickstart: configure a kiosk with Assigned Access
# Quickstart: configure a single-app kiosk with Assigned Access
This quickstart provides practical examples of how to configure a *kiosk experience* on Windows with Assigned Access. The examples describe the steps using the Settings app, a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
This quickstart provides practical examples of how to configure a single-app kiosk on Windows with Assigned Access. The examples describe the steps using the Settings app, a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
The examples can be modified to fit your specific requirements. For example, you can change the app used, the URL specified when opening Microsoft Edge, or change the name of the user that automatically signs in to Windows.
@ -62,8 +62,6 @@ Assign the policy to a group that contains as members the devices that you want
[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
#### [:::image type="icon" source="../images/icons/settings-app.svg"::: **Settings**](#tab/settings)
Here are the steps to configure a kiosk using the Settings app:
@ -93,12 +91,28 @@ Here are the steps to configure a kiosk using the Settings app:
After the settings are applied, reboot the device. A local user account is automatically signed in, opening Microsoft Edge.
## Remove Assigned Access
Once you no longer need the kiosk configuration, you can remove it.
Here's a PowerShell example to remove the Assigned Access configuration:
```powershell
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = $null
Set-CimInstance -CimInstance $obj
```
Reboot the device to apply the changes.
## Next steps
> [!div class="nextstepaction"]
> Learn more about Assigned Access and how to configure it:
>
> [Assigned Access overview](overview.md)
> [Assigned Access overview](index.md)
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10


@ -1,15 +1,15 @@
---
title: "Quickstart: configure a restricted user experience with Assigned Access"
title: "Quickstart: Configure a Restricted User Experience With Assigned Access"
description: Learn how to configure a restricted user experience with Assigned Access using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
ms.date: 10/31/2024
ms.date: 3/7/2025
appliesto:
zone_pivot_groups: windows-versions-11-10
---
# Quickstart: configure a restricted user experience with Assigned Access
This quickstart provides practical examples of how to configure a *restricted user experience* on Windows. The examples describe the steps using a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
This quickstart provides practical examples of how to configure a restricted user experience on Windows. The examples describe the steps using a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
The examples can be modified to fit your specific requirements. For example, you can add or remove applications from the list of allowed apps, or change the name of the user that automatically signs in to Windows.
@ -80,12 +80,28 @@ After the settings are applied, reboot the device. A local user account is autom
::: zone-end
## Remove Assigned Access
Once you no longer need the restricted user experience, you can remove it. Deleting the Assigned Access configuration removes the policy settings associated with the users, but it can't revert all the changes. For example, the Start menu configuration is maintained.
Here's a PowerShell example to remove the configuration:
```powershell
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = $null
Set-CimInstance -CimInstance $obj
```
Reboot the device to apply the changes.
## Next steps
> [!div class="nextstepaction"]
> Learn more about Assigned Access and how to configure it:
>
> [Assigned Access overview](overview.md)
> [Assigned Access overview](index.md)
<!--links-->


@ -1,8 +1,8 @@
---
title: Assigned Access recommendations
title: Assigned Access Recommendations
description: Learn about the recommended kiosk and restricted user experience configuration options.
ms.topic: best-practice
ms.date: 10/31/2024
ms.date: 3/7/2025
---
# Assigned Access recommendations
@ -20,7 +20,7 @@ Consider enabling *automatic sign-in* for your kiosk device. When the device res
You can configure the Assigned Access and Shell Launcher XML files with an account to sign-in automatically. For more information, review the articles:
- [Create an Assigned Access configuration XML file](configuration-file.md)
- [Create a Shell Launcher configuration file](shell-launcher/configuration-file.md)
- [Create a Shell Launcher configuration file](../shell-launcher/configuration-file.md)
Alternatively, you can edit the Registry to have an account sign in automatically:


@ -1,291 +0,0 @@
---
title: Create a Shell Launcher configuration file
description: Learn how to create an XML file to configure a device with Shell Launcher.
ms.date: 10/31/2024
ms.topic: how-to
---
# Create a Shell Launcher configuration file
To configure Shell Launcher, you must create and apply a configuration XML file to your devices. The configuration file must conform to a *schema*, as defined in [Shell Launcher XML Schema Definition (XSD)](xsd.md).
This article describes how to configure a Shell Launcher configuration file, including practical examples.
Let's start by looking at the basic structure of the XML file. A Shell Launcher configuration file contains:
- One or multiple `profiles`. Each `profile` defines:
- the application that replaces the standard Windows shell (`Explorer.exe`), which is executed when a user signs in
- the default action to take when the application exits, and actions when the application exits with a specific return code
- One or multiple `configs`. Each `config` associates a user account to a `profile`
> [!NOTE]
> A profile has no effect if it's not associated to a user account.
Here's a basic example of a Shell Launcher configuration file, with one profile and one config:
```xml
<?xml version="1.0" encoding="utf-8" ?>
<ShellLauncherConfiguration
xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Profiles>
<Profile Id="{GUID}">
<!-- Add configuration here as needed -->
</Profile>
</Profiles>
<Configs>
<Config>
<!-- Add configuration here as needed -->
</Config>
</Configs>
</ShellLauncherConfiguration>
```
## Versioning
The Shell Launcher configuration XML is versioned. The version is defined in the XML root element, and it's used to determine which schema to use to validate the XML file. The version is also used to determine which features are available for the configuration. Here's a table of the versions, aliases used in the documentation examples, and namespaces:
| Version | Alias | Namespace |
|-|-|-|
|Windows 10|`V2`|http://schemas.microsoft.com/ShellLauncher/2019/Configuration|
|Windows 10|default|http://schemas.microsoft.com/ShellLauncher/2018/Configuration|
To authorize a compatible configuration XML that includes version-specific elements and attributes, always include the namespace of the add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the kiosk application to execute in full screen, use the below example. Note the alias `V2` associated to `http://schemas.microsoft.com/ShellLauncher/2019/Configuration` namespace, and the alias is tagged on the `AppType` and `AllAppsFullScreen` properties inline.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<ShellLauncherConfiguration
xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Profiles>
<Profile Id="{GUID}">
<!-- Add configuration here as needed -->
<Shell Shell="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" V2:AppType="Desktop" V2:AllAppsFullScreen="true">
</Profile>
</Profiles>
<Configs>
<Config>
<!-- Add configuration here as needed -->
</Config>
</Configs>
</ShellLauncherConfiguration>
```
Here you can find the [Shell Launcher XML Schema Definitions (XSDs)](xsd.md).
## Profiles
A configuration file can contain one or more profiles. Each profile has a unique identifier `Profile Id` and, optionally, a `Name`. For example:
```xml
<Profiles>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" Name="Microsoft Learn example">
<!-- Add configuration here as needed -->
</Profile>
</Profiles>
```
> [!TIP]
> The `Profile Id` must be unique within the XML file. You can generate a GUID with the PowerShell cmdlet `New-Guid`.
You can define a `Defaultprofile` that is used when no other profile is associated to a user account. This ensures that every user using the device uses the same application. Example:
```xml
<Profiles>
<DefaultProfile>
<!-- Add configuration here as needed -->
</DefaultProfile>
</Profiles>
```
### Shell
Each profile defines a `Shell` element, which contains details about the application to execute. The `Shell` element has the following properties:
| Property| Description | Details |
|-|-|-|
|`Shell`| Application that is used as a Windows shell. |- For Universal Windows Platform (UWP) apps, you must provide the App User Model ID (AUMID). Learn how to [Find the Application User Model ID of an installed app](../../store/find-aumid.md).<br>- For desktop apps, specify the full path of the executable, which can contain system environment variables in the form of `%variableName%`. You can also specify any parameters that the app might require. |
|`V2:AppType`| Defines the type of application. |Allowed values are `Desktop` and `UWP`.|
|`V2:AllAppsFullScreen` | Boolean value that defines if all applications are executed in full screen. |- When set to `true`, Shell Launcher runs every app in full screen, or maximized for desktop apps.<br>- When set to `false` or not set, only the custom shell app runs in full screen; other apps launched by the user run in windowed mode.|
Example:
```xml
<Profile Id="{GUID}">
<Shell Shell="" V2:AppType="" V2:AllAppsFullScreen="">
<!-- Add configuration here as needed -->
</Shell>
</Profile>
```
In the next example, the Weather app is executed in full screen.
```xml
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Profiles>
<DefaultProfile>
<Shell Shell="Microsoft.BingWeather_8wekyb3d8bbwe!App" V2:AppType="UWP">
<DefaultAction Action="RestartShell"/>
</Shell>
</DefaultProfile>
</Profiles>
<Configs/>
</ShellLauncherConfiguration>
```
In the next example, Microsoft Edge is executed in full screen, opening a website. The website is reloaded after 2 minutes of inactivity.
```xml
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}">
<Shell Shell="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe --kiosk https://www.contoso.com --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2" V2:AppType="Desktop" V2:AllAppsFullScreen="true">
<DefaultAction Action="RestartShell"/>
</Shell>
</Profile>
```
#### ReturnCodeActions
Shell Launcher defines four actions to handle app exits. You can customize Shell Launcher and use the actions based on different exit code. Here are the `ReturnCodeActions` enums:
- `RestartShell`
- `RestartDevice`
- `ShutdownDevice`
- `DoNothing`
The actions can be used as default action, or mapped to a specific exit code. Refer to [Shell Launcher](/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to learn how to use exit codes with Shell Launcher WMI.
You can specify at most four custom actions mapping to four exit codes, and one default action for all other exit codes. When an app exits, and if the exit code isn't found in the custom action mapping, or there's no default action defined, nothing happens. For this reason, you should at least define `DefaultAction`.
Example:
```xml
<Profile Id="{GUID}">
<Shell Shell="" V2:AppType="" V2:AllAppsFullScreen="">
<ReturnCodeActions>
<ReturnCodeAction ReturnCode="0" Action="RestartShell"/>
<ReturnCodeAction ReturnCode="-1" Action="RestartDevice"/>
<ReturnCodeAction ReturnCode="255" Action="ShutdownDevice"/>
<ReturnCodeAction ReturnCode="1" Action="DoNothing"/>
</ReturnCodeActions>
<DefaultAction Action="RestartDevice"/>
</Shell>
</Profile>
```
## Configs
Under `Configs`, define one or more user accounts and their association with a profile.
Individual accounts are specified using `<Account Name=""/>`.
> [!IMPORTANT]
> Before applying the Shell Launcher configuration, make sure the specified user account is available on the device, otherwise it fails.
>
> For both domain and Microsoft Entra accounts, as long as the device is Active Directory joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for Shell Launcher.
### Local user
Local account can be entered as `devicename\user`, `.\user`, or just `user`.
```xml
<Config>
<Account Name="Learn Example"/>
<Profile Id="{GUID}"/>
</Config>
```
### Active Directory user
Domain accounts must be entered using the format `domain\samAccountName`.
```xml
<Config>
<Account Name="contoso\user"/>
<Profile Id="{GUID}"/>
</Config>
```
### Microsoft Entra user
Microsoft Entra accounts must be specified with the format: `AzureAD\{UPN}`. `AzureAD` must be provided *as is*, then follow with the Microsoft Entra user principal name (UPN).
```xml
<Config>
<Account Name="azuread\user@contoso.onmicrosoft.com"/>
<Profile Id="{GUID}"/>
</Config>
```
When the user account signs in, the associated Shell Launcher profile is applied, loading the application specified in the profile.
### Autologon account
With `<AutoLogonAccount>`, Shell Launcher creates and manages a user account to automatically sign in after a device restarts. The account is a local standard user named `Kiosk`.
Example:
```xml
<Configs>
<Config>
<!--account managed by Shell Launcher-->
<AutoLogonAccount/>
<Profile Id="{GUID}"/>
</Config>
<Configs>
<!--local account-->
<Account Name="Learn Example"/>
<Profile ID="{GUID}"/>
</Configs>
<Configs>
<!--Microsoft Entra account-->
<Account Name="azuread\kiosk@contoso.com"/>
<Profile ID="{GUID}"/>
</Configs>
</Configs>
```
## Example
Here's a complete example of a Shell Launcher configuration file, with two profiles and three configs:
```xml
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration" xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Profiles>
<DefaultProfile>
<Shell Shell="%SystemRoot%\explorer.exe" />
</DefaultProfile>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F79}" Name="Weather">
<Shell Shell="Microsoft.BingWeather_8wekyb3d8bbwe!App" V2:AppType="UWP">
<DefaultAction Action="RestartShell" />
</Shell>
</Profile>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" Name="Edge">
<Shell Shell="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe --kiosk https://www.contoso.com --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2" V2:AppType="Desktop" V2:AllAppsFullScreen="true">
<ReturnCodeActions>
<ReturnCodeAction ReturnCode="0" Action="RestartShell" />
<ReturnCodeAction ReturnCode="-1" Action="RestartDevice" />
<ReturnCodeAction ReturnCode="255" Action="ShutdownDevice" />
</ReturnCodeActions>
<DefaultAction Action="RestartShell" />
</Shell>
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount />
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" />
</Config>
<Config>
<Account Name="azuread\kiosk1@contoso.onmicrosoft.com" />
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F79}" />
</Config>
<Config>
<Account Name="azuread\kiosk2@contoso.onmicrosoft.com" />
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" />
</Config>
</Configs>
</ShellLauncherConfiguration>
```


@ -1,13 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 10/31/2024
ms.topic: include
---
```msgraph-interactive
POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
Content-Type: application/json
{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Kiosk - Shell Launcher", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "ShellLauncher", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/ShellLauncher", "secretReferenceValueId": null, "isEncrypted": true, "value": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<ShellLauncherConfiguration\nxmlns=\"http://schemas.microsoft.com/ShellLauncher/2018/Configuration\"\nxmlns:V2=\"http://schemas.microsoft.com/ShellLauncher/2019/Configuration\">\n <Profiles>\n <DefaultProfile>\n <Shell Shell=\"%SystemRoot%\\explorer.exe\"/>\n </DefaultProfile>\n <Profile Id=\"{EDB3036B-780D-487D-A375-69369D8A8F78}\">\n <Shell Shell=\"%ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe --kiosk https://www.contoso.com --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2\" V2:AppType=\"Desktop\" V2:AllAppsFullScreen=\"true\">\n <ReturnCodeActions>\n <ReturnCodeAction ReturnCode=\"0\" Action=\"RestartShell\"/>\n <ReturnCodeAction ReturnCode=\"-1\" Action=\"RestartDevice\"/>\n <ReturnCodeAction ReturnCode=\"255\" Action=\"ShutdownDevice\"/>\n </ReturnCodeActions>\n <DefaultAction Action=\"RestartShell\"/>\n </Shell>\n </Profile>\n </Profiles>\n <Configs>\n <Config>\n <AutoLogonAccount/>\n <Profile Id=\"{EDB3036B-780D-487D-A375-69369D8A8F78}\"/>\n </Config>\n </Configs>\n</ShellLauncherConfiguration>" } ], }
```


@ -1,43 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 10/31/2024
ms.topic: include
---
```PowerShell
$shellLauncherConfiguration = @"
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration
xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Profiles>
<DefaultProfile>
<Shell Shell="%SystemRoot%\explorer.exe"/>
</DefaultProfile>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}">
<Shell Shell="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe --kiosk https://www.contoso.com --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2" V2:AppType="Desktop" V2:AllAppsFullScreen="true">
<ReturnCodeActions>
<ReturnCodeAction ReturnCode="0" Action="RestartShell"/>
<ReturnCodeAction ReturnCode="-1" Action="RestartDevice"/>
<ReturnCodeAction ReturnCode="255" Action="ShutdownDevice"/>
</ReturnCodeActions>
<DefaultAction Action="RestartShell"/>
</Shell>
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount/>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}"/>
</Config>
</Configs>
</ShellLauncherConfiguration>
"@
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)
$obj = Set-CimInstance -CimInstance $obj
```


@ -1,35 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 10/31/2024
ms.topic: include
---
```xml
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration
xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Profiles>
<DefaultProfile>
<Shell Shell="%SystemRoot%\explorer.exe"/>
</DefaultProfile>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}">
<Shell Shell="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe --kiosk https://www.contoso.com --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2" V2:AppType="Desktop" V2:AllAppsFullScreen="true">
<ReturnCodeActions>
<ReturnCodeAction ReturnCode="0" Action="RestartShell"/>
<ReturnCodeAction ReturnCode="-1" Action="RestartDevice"/>
<ReturnCodeAction ReturnCode="255" Action="ShutdownDevice"/>
</ReturnCodeActions>
<DefaultAction Action="RestartShell"/>
</Shell>
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount/>
<Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}"/>
</Config>
</Configs>
</ShellLauncherConfiguration>
```


@ -1,131 +0,0 @@
---
title: What is Shell Launcher?
description: Learn how to configure devices with Shell Launcher.
ms.date: 10/31/2024
ms.topic: overview
---
# What is Shell Launcher?
Shell Launcher is a Windows feature that you can use to replace the default Windows Explorer shell (`Explorer.exe`) with a Windows desktop application or a Universal Windows Platform (UWP) app.
Practical examples include:
- Public browsing
- Interactive digital signage
- ATMs
Shell Launcher controls which application the user sees as the shell after sign-in. It doesn't prevent the user from accessing other desktop applications and system components. From a custom shell, you can launch secondary views displayed on multiple monitors, or launch other apps in full screen on user's demand.
With Shell Launcher, you can use features and methods to control access to other applications or system components. These methods include, but aren't limited to:
- Configuration Service Provider (CSP): you can use a Mobile Device Management (MDM) solution like Microsoft Intune
- Group policy (GPO)
- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)
Shell Launcher is part of the [Assigned Access](../overview.md) feature, which allows you to configure kiosks or restricted user experiences. To learn about the differences between Shell Launcher and the other options offered by Assigned Access, see [Windows kiosks and restricted user experiences](../index.md).
[!INCLUDE [shell-launcher](../../../../includes/licensing/shell-launcher.md)]
## Limitations
Here are some limitations to consider when using Shell Launcher:
- Windows doesn't support setting a custom shell before the out-of-box experience (OOBE). If you do, you can't deploy the resulting image
- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you can't specify `write.exe` in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. `Write.exe` creates a 32-bit `wordpad.exe` process and exits. Since Shell Launcher isn't aware of the newly created `wordpad.exe` process, Shell Launcher takes action based on the exit code of `Write.exe`, such as restarting the custom shell
## Configure a device with Shell Launcher
The configuration of Shell Launcher is done using an XML file. The XML file is applied to the device via the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp#shelllauncher), using one of the following options:
- A Mobile Device Management (MDM) solution, like Microsoft Intune
- Provisioning packages
- The MDM Bridge WMI Provider
To learn how to configure the Shell Launcher XML file, see [Create a Shell Launcher configuration file](configuration-file.md).
[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
You can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
- **Setting:** `./Vendor/MSFT/AssignedAccess/ShellLauncher`
- **Value:** content of the XML configuration file
Assign the policy to a group that contains as members the devices that you want to configure.
#### [:::image type="icon" source="../../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
[!INCLUDE [provisioning-package-1](../../../../includes/configure/provisioning-package-1.md)]
- **Path:** `SMISettings/ShellLauncher`
- **Value:** depends on specific settings
[!INCLUDE [provisioning-package-2](../../../../includes/configure/provisioning-package-2.md)]
#### [:::image type="icon" source="../../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
[!INCLUDE [powershell-wmi-bridge-1](../../../../includes/configure/powershell-wmi-bridge-1.md)]
```PowerShell
$shellLauncherConfiguration = @"
# content of the XML configuration file
"@
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
Write-Error -ErrorRecord $cimSetError[0]
$timeout = New-TimeSpan -Seconds 30
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
$eventLogFilterHashTable = @{ LogName='Microsoft-Windows-AssignedAccess/Admin' }
do{
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
if($events.Count) {
$events | ForEach-Object {
Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
}
} else {
Write-Warning "Timed-out attempting to retrieve event logs..."
}
Exit 1
}
Write-Output "Successfully applied Shell Launcher configuration"
```
[!INCLUDE [powershell-wmi-bridge-2](../../../../includes/configure/powershell-wmi-bridge-2.md)]
---
> [!TIP]
> For practical examples, see the [Quickstart: configure a kiosk experience with Shell Launcher](quickstart-kiosk.md).
## User experience
After the settings are applied, the users that are configured to use Shell Launcher will execute the custom shell after sign-in.
Depending on your configuration, you can have a user to automatically sign in to the device.
## Next steps
> [!div class="nextstepaction"]
> Learn how to configure the Shell Launcher XML file:
>
> [Create a Shell Launcher configuration file](configuration-file.md)
<!--links-->
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp


@ -1,69 +0,0 @@
---
title: "Quickstart: configure a kiosk experience with Shell Launcher"
description: Learn how to configure a kiosk experience with Shell Launcher, using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
ms.date: 10/31/2024
---
# Quickstart: configure a kiosk experience with Shell Launcher
This quickstart provides practical examples of how to configure a *kiosk experience* on Windows with Shell Launcher. The examples describe the steps using a mobile device management solution (MDM) like Microsoft Intune, and PowerShell. While different solutions are used, the configuration settings and results are the same.
The examples can be modified to fit your specific requirements. For example, you can change the app used, the URL specified when opening Microsoft Edge, or change the name of the user that automatically signs in to Windows.
## Prerequisites
>[!div class="checklist"]
>Here's a list of requirements to complete this quickstart:
>
>- A Windows Enterprise or Education device
>- Microsoft Intune, or a non-Microsoft MDM solution, if you want to configure the settings using MDM
>- Access to the [psexec tool](/sysinternals/downloads/psexec), if you want to test the configuration using Windows PowerShell
## Configure a kiosk device
[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
> [!TIP]
> Use the following Graph call to automatically create a custom policy in your Microsoft Intune tenant without assignments nor scope tags.
>
> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
[!INCLUDE [quickstart-intune](includes/quickstart-intune.md)]
Assign the policy to a group that contains as members the devices that you want to configure.
Alternatively, you can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
- **Setting:** `./Vendor/MSFT/AssignedAccess/ShellLauncher`
- **Value:**
[!INCLUDE [quickstart-xml](includes/quickstart-xml.md)]
#### [:::image type="icon" source="../../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
[!INCLUDE [powershell-wmi-bridge-1](../../../../includes/configure/powershell-wmi-bridge-1.md)]
[!INCLUDE [quickstart-ps](includes/quickstart-ps.md)]
[!INCLUDE [powershell-wmi-bridge-2](../../../../includes/configure/powershell-wmi-bridge-2.md)]
---
## User experience
After the settings are applied, reboot the device. A local user account is automatically signed in, opening Microsoft Edge.
## Next steps
> [!div class="nextstepaction"]
> Learn more how to create a Shell Launcher configuration file:
>
> [Create a Shell Launcher configuration file](configuration-file.md)
<!--links-->
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10


@ -1,9 +0,0 @@
items:
- name: What is Shell Launcher?
href: index.md
- name: "Quickstart: Configure a kiosk with Shell Launcher"
href: quickstart-kiosk.md
- name: Create a Shell Launcher configuration file
href: configuration-file.md
- name: Shell Launcher XSD
href: xsd.md


@ -1,193 +0,0 @@
---
title: Shell Launcher XML Schema Definition (XSD)
description: Shell Launcher XSD reference article.
ms.topic: reference
ms.date: 10/31/2024
---
# Shell Launcher XML Schema Definition (XSD)
This reference article contains the latest Shell Launcher XML schema definition (XSD) and the XSD additions for each version of Windows.
## Shell Launcher XSD
Here's the latest Shell Launcher XSD, introduced in Windows 11:
```xml
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:default="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration" targetNamespace="http://schemas.microsoft.com/ShellLauncher/2018/Configuration">
<xs:import namespace="http://schemas.microsoft.com/ShellLauncher/2019/Configuration"/>
<xs:complexType name="profile_list_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:choice minOccurs="1" maxOccurs="1">
<xs:element name="DefaultProfile" type="default_profile_t"/>
<xs:element name="Profile" type="profile_t"/>
</xs:choice>
<xs:element name="Profile" type="profile_t" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="default_profile_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Shell" type="default_shell_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="default_shell_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="DefaultAction" type="default_action_t" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
<xs:attribute name="Shell" type="xs:string" use="required"/>
<xs:attribute ref="V2:AppType"/>
<xs:attribute ref="V2:AllAppsFullScreen"/>
</xs:complexType>
<xs:complexType name="custom_shell_t">
<xs:all minOccurs="1" maxOccurs="1">
<xs:element name="ReturnCodeActions" type="return_code_action_list_t" minOccurs="0" maxOccurs="1">
<xs:unique name="ForbidDuplicatedReturnCodes">
<xs:selector xpath="default:ReturnCodeAction"/>
<xs:field xpath="@ReturnCode"/>
</xs:unique>
</xs:element>
<xs:element name="DefaultAction" type="default_action_t" minOccurs="0" maxOccurs="1"/>
</xs:all>
<xs:attribute name="Shell" type="xs:string" />
<xs:attribute ref="V2:AppType"/>
<xs:attribute ref="V2:AllAppsFullScreen"/>
</xs:complexType>
<xs:complexType name="default_action_t">
<xs:attribute name="Action" type="system_action_t" use="required"/>
</xs:complexType>
<xs:simpleType name="system_action_t">
<xs:restriction base="xs:string">
<xs:enumeration value="RestartShell" />
<xs:enumeration value="RestartDevice" />
<xs:enumeration value="ShutdownDevice" />
<xs:enumeration value="DoNothing" />
</xs:restriction>
</xs:simpleType>
<xs:complexType name="profile_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Shell" type="custom_shell_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
<xs:attribute name="Id" type="guid_t" use="required"/>
<xs:attribute name="Name" type="xs:string" use="optional"/>
</xs:complexType>
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="return_code_action_list_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="ReturnCodeAction" type="return_code_action_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="return_code_action_t">
<xs:attribute name="ReturnCode" type="xs:integer" use="required"/>
<xs:attribute name="Action" type="system_action_t" use="required"/>
</xs:complexType>
<xs:complexType name="config_list_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Config" type="config_t" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="config_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:choice minOccurs="1" maxOccurs="1">
<xs:element name="Account" type="account_t" minOccurs="1" maxOccurs="1">
<xs:key name="mutexNameOrSID">
<xs:selector xpath="."/>
<xs:field xpath="@Name|@Sid"/>
</xs:key>
</xs:element>
<xs:element name="AutoLogonAccount" type="autologon_account_t" minOccurs="1" maxOccurs="1"/>
</xs:choice>
<xs:element name="Profile" type="profile_id_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="account_t">
<xs:attribute name="Name" type="xs:string" use="optional"/>
<xs:attribute name="Sid" type="xs:string" use="optional"/>
</xs:complexType>
<xs:complexType name="autologon_account_t">
<xs:attribute name="HiddenId" type="guid_t" fixed="{50021E57-1CE4-49DF-99A9-8DB659E2C2DD}"/>
</xs:complexType>
<xs:complexType name="profile_id_t">
<xs:attribute name="Id" type="guid_t" use="required"/>
</xs:complexType>
<!--below is the definition of the config xml content-->
<xs:element name="ShellLauncherConfiguration">
<xs:complexType>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Profiles" type="profile_list_t" minOccurs="1" maxOccurs="1">
<xs:unique name="ForbidDuplicatedProfiles">
<xs:selector xpath="default:Profile"/>
<xs:field xpath="@Id"/>
</xs:unique>
</xs:element>
<xs:element name="Configs" type="config_list_t" minOccurs="0" maxOccurs="1">
<xs:unique name="ForbidDuplicatedConfigs_Name">
<xs:selector xpath="default:Config/default:Account"/>
<xs:field xpath="@Name"/>
</xs:unique>
<xs:unique name="ForbidDuplicatedConfigs_Sid">
<xs:selector xpath="default:Config/default:Account"/>
<xs:field xpath="@Sid"/>
</xs:unique>
<xs:unique name="ForbidDuplicatedAutoLogonAccount">
<xs:selector xpath="default:Config/default:AutoLogonAccount"/>
<xs:field xpath="@HiddenId"/>
</xs:unique>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
```
## Windows 10, version 1903 additions
In Windows 10, version 1903, Shell Launcher introduced the support of both UWP and desktop apps as the custom shell.
Here's the Shell Launcher XSD for the features added in Windows 10, version 1903:
```xml
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/ShellLauncher/2019/Configuration"
xmlns:default="http://schemas.microsoft.com/ShellLauncher/2019/Configuration" targetNamespace="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<xs:attribute name="AppType">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="UWP"/>
<xs:enumeration value="Desktop"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="AllAppsFullScreen" type="xs:boolean"/>
</xs:schema>
```


@ -1,33 +1,32 @@
items:
- name: Overview
href: index.md
- name: Assigned Access
items:
- name: What is Assigned Access?
href: overview.md
- name: Quickstarts
items:
- name: Configure a kiosk with Assigned Access
href: quickstart-kiosk.md
- name: Configure a restricted user experience with Assigned Access
href: quickstart-restricted-user-experience.md
- name: Create an Assigned Access configuration file
href: configuration-file.md
- name: Reference
items:
- name: Assigned Access XSD
href: xsd.md
- name: Assigned Access XML examples
href: examples.md
- name: Assigned Access policy settings
href: policy-settings.md
- name: Shell Launcher
href: shell-launcher/toc.yml
- name: Configure a single-app kiosk
href: configure-single-app-kiosk.md
- name: Configure a multi-app kiosk
href: configure-multi-app-kiosk.md
displayName: Configure a restricted user experience
- name: Recommendations
href: recommendations.md
- name: Assigned Access CSP 🔗
href: /windows/client-management/mdm/assignedaccess-csp
- name: Troubleshoot 🔗
href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting
- name: Configure Microsoft Edge kiosk mode 🔗
href: /deployedge/microsoft-edge-configure-kiosk-mode
- name: Create a configuration file
href: configuration-file.md
- name: Quickstarts
items:
- name: Configure a single-app kiosk
href: quickstart-kiosk.md
displayName: Configure a single-app kiosk quickstart
- name: Configure a multi-app kiosk
href: quickstart-restricted-user-experience.md
displayName: Configure a restricted user experience quickstart
- name: Reference
items:
- name: Assigned Access XSD
href: xsd.md
- name: Assigned Access XML examples
href: examples.md
- name: Assigned Access policy settings
href: policy-settings.md
- name: WMI Class WEDL_AssignedAccess
href: wedl-assignedaccess.md
- name: Assigned Access CSP 🔗
href: /windows/client-management/mdm/assignedaccess-csp


@ -0,0 +1,133 @@
---
title: WEDL_AssignedAccess
description: WEDL_AssignedAccess
ms.date: 02/25/2025
ms.topic: reference
---
# WEDL_AssignedAccess
This Windows Management Instrumentation (WMI) provider class configures settings for assigned access.
[!INCLUDE [assigned-access](../../../includes/licensing/assigned-access.md)]
## Syntax
```mof
class WEDL_AssignedAccess {
[Key] string UserSID;
[Read, Write] string AppUserModelId;
[Read] sint32 Status;
};
```
## Members
The following tables list any methods and properties that belong to this class.
### Methods
This class contains no methods.
### Properties
| Property | Data&nbsp;type | Qualifiers | Description |
|----------|----------------|------------|-------------|
| **UserSID** | string | [key] | The security identifier (SID) for the user account that you want to use as the assigned access account. |
| **AppUserModelId** | string | [read, write] | The Application User Model ID (AUMID) of the Windows app to launch for the assigned access account. |
| **Status** | Boolean | none | Indicates the current status of the assigned access configuration |
| Value | Description |
|:-----:|-------------|
| 0 | A valid account is configured, but no Windows app is specified. Assigned access is not enabled. |
| 1 | Assigned access is enabled. |
| 0x100 | UserSID error: cannot find the account. |
| 0x103 | UserSID error: the account profile does not exist. |
| 0x200 | AppUserModelID error: cannot find the Windows app. |
| 0x201 | Task Scheduler error: Could not schedule task. Make sure that the Task Scheduler service is running. |
| 0xffffffff | Unspecified error.|
### Remarks
Changes to assigned access do not affect any sessions that are currently signed in; you must sign out and sign back in.
## Example
The following Windows PowerShell script demonstrates how to use this class to set up an assigned access account.
```powershell
#
#---Define variables---
#
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Define the assigned access account.
# To use a different account, change $AssignedAccessAccount to a user account that is present on your device.
$AssignedAccessAccount = "KioskAccount"
# Define the Windows app to launch, in this example, use the Application Model User ID (AUMID) for Windows Calculator.
# To use a different Windows app, change $AppAUMID to the AUMID of the Windows app to launch.
# The Windows app must be installed for the account.
$AppAUMID = "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"
#
#---Define helper functions---
#
function Get-UsernameSID($AccountName) {
# This function retrieves the SID for a user account on a machine.
# This function does not check to verify that the user account actually exists.
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
return $NTUserSID.Value
}
#
#---Set up the new assigned access account---
#
# Get the SID for the assigned access account.
$AssignedAccessUserSID = Get-UsernameSID($AssignedAccessAccount)
# Check to see if an assigned access account is already set up, and if so, clear it.
$AssignedAccessConfig = get-WMIObject -namespace $NAMESPACE -computer $COMPUTER -class WEDL_AssignedAccess
if ($AssignedAccessConfig) {
# Configuration already exists. Delete it so that we can create a new one, since only one assigned access account can be set up at a time.
$AssignedAccessConfig.delete();
}
# Configure assigned access to launch the specified Windows app for the specified account.
Set-WmiInstance -class WEDL_AssignedAccess -ComputerName $COMPUTER -Namespace $NAMESPACE -Arguments @{
UserSID = $AssignedAccessUserSID;
AppUserModelId = $AppAUMID
} | Out-Null;
# Confirm that the settings were created properly.
$AssignedAccessConfig = get-WMIObject -namespace $NAMESPACE -computer $COMPUTER -class WEDL_AssignedAccess
if ($AssignedAccessConfig) {
"Set up assigned access for the " + $AssignedAccessAccount + " account."
" UserSID = " + $AssignedAccessConfig.UserSid
" AppModelId = " + $AssignedAccessConfig.AppUserModelId
} else {
"Could not set up assigned access account."
}
```
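Review bot: The final check in the PowerShell example reports success whenever a WEDL_AssignedAccess instance exists, without reading `Status`, so a kiosk whose configuration failed (for example `0x200`, Windows app not found) is still announced as set up. Per the value table on this page only `1` means assigned access is enabled, so the check should read `if ($AssignedAccessConfig -and $AssignedAccessConfig.Status -eq 1) {`, with the `else` branch printing the Status value. The existing configuration is also deleted before the new one is known to be valid, so a failed `Set-WmiInstance` may leave the device with no assigned access at all; a comment above the `delete()` call should say so. Separately, the Properties table lists **Status** as `Boolean` with qualifiers `none`, while the Syntax block declares `[Read] sint32 Status` and the value table uses integer codes.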


@ -2,7 +2,7 @@
title: Assigned Access XML Schema Definition (XSD)
description: Assigned Access XSD reference article.
ms.topic: reference
ms.date: 10/31/2024
ms.date: 3/7/2025
---
# Assigned Access XML Schema Definition (XSD)