deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-07 18:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into commdeadline-9091858

Browse Source
This commit is contained in:
Meghan Stewart 2025-03-10 14:42:06 -07:00
commit f973f940f8
91 changed files with 1668 additions and 1379 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
.openpublishing.redirection.windows-configuration.json
View File

@ -1034,6 +1034,56 @@
"source_path": "windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md",
"redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-working-with-custom-templates-and-the-uev-generator",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/assigned-access/overview.md",
"redirect_url": "/windows/configuration/assigned-access/index",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/assigned-access/shell-launcher/configuration-file.md",
"redirect_url": "/windows/configuration/shell-launcher/configuration-file",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/assigned-access/shell-launcher/index.md",
"redirect_url": "/windows/configuration/shell-launcher/index",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md",
"redirect_url": "/windows/configuration/shell-launcher/quickstart-kiosk",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/assigned-access/shell-launcher/xsd.md",
"redirect_url": "/windows/configuration/shell-launcher/xsd",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/shell-launcher/browser-support.md",
"redirect_url": "/windows/configuration/kiosk/index",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/shell-launcher/kiosk-mode.md",
"redirect_url": "/windows/configuration/kiosk/index",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/shell-launcher/multi-app-kiosk.md",
"redirect_url": "/windows/configuration/kiosk/index",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/shell-launcher/single-app-kiosk.md",
"redirect_url": "/windows/configuration/kiosk/index",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/shell-launcher/wedl-assignedaccess.md",
"redirect_url": "/windows/configuration/assigned-access/wedl-assignedaccess",
"redirect_document_id": false
}
]
}

19
includes/licensing/assigned-access.md
View File

@ -5,18 +5,11 @@ ms.date: 09/18/2023
ms.topic: include
---
<!--## Windows edition and licensing requirements-->
### Windows edition requirements
## Windows edition requirements
The following list contains the Windows editions that support Assigned Access:
The following table lists the Windows editions that support Assigned Access:
|Edition|Assigned Access support|
|:---|:---:|
|Education|✅|
|Enterprise |✅|
|Enterprise LTSC|✅|
|IoT Enterprise | ✅|
|IoT Enterprise LTSC|✅|
|Pro Education|✅|
|Pro|✅|
✅ Pro\
✅ Enterprise / Enterprise LTSC\
✅ Education\
✅ IoT Enterprise / IoT Enterprise LTSC

19
includes/licensing/shell-launcher.md
View File

@ -5,19 +5,10 @@ ms.date: 09/18/2023
ms.topic: include
---
<!--## Windows edition and licensing requirements-->
### Windows edition requirements
## Windows edition requirements
The following list contains the Windows editions that support Shell Launcher:
The following table lists the Windows editions that support Shell Launcher:
|Edition|Shell Launcher support|
|:---|:---:|
|Education|✅|
|Enterprise |✅|
|Enterprise LTSC|✅|
|IoT Enterprise | ✅|
|IoT Enterprise LTSC|✅|
|Pro Education|❌|
|Pro|❌|
|Home|❌|
✅ Enterprise / Enterprise LTSC\
✅ Education\
✅ IoT Enterprise / IoT Enterprise LTSC

21
windows/configuration/assigned-access/configuration-file.md
View File

@ -3,7 +3,7 @@ title: Create an Assigned Access configuration file
description: Learn how to create an XML file to configure Assigned Access.
ms.topic: how-to
zone_pivot_groups: windows-versions-11-10
ms.date: 10/31/2024
ms.date: 3/7/2025
appliesto:
---
@ -90,7 +90,7 @@ A configuration file can contain one or more profiles. Each profile is identifie
A profile can be one of two types:
- `KioskModeApp`: is used to configure a kiosk experience. Users assigned this profile don't access the desktop, but only the Universal Windows Platform (UWP) application or Microsoft Edge running in full-screen above the Lock screen
- `KioskModeApp`: is used to configure a kiosk experience. Users assigned this profile execute a Universal Windows Platform (UWP) application or Microsoft Edge running in full-screen
- `AllAppList` is used to configure a restricted user experience. Users assigned this profile, access the desktop with the specific apps on the Start menu
> [!IMPORTANT]
@ -150,16 +150,24 @@ Example:
<App DesktopAppPath="C:\Windows\system32\cmd.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge_proxy.exe" />
<App AppUserModelId="Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App"/>
<App DesktopAppPath="C:\Windows\System32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="%windir%\setuperr.log" />
</AllowedApps>
</AllAppsList>
```
> [!IMPORTANT]
> If you pins elements to the Start menu with Microsoft Edge secondary tiles, include the following apps in the allowed apps list:
>
> - `<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge_proxy.exe" />`
> - `<App AppUserModelId="Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App"/>`
::: zone pivot="windows-10"
### File Explorer restrictions
In a restricted user experience (`AllAppList`), folder browsing is locked down by default. You can explicitly allow access to known folders by including the `FileExplorerNamespaceRestrictions` node.
In a restricted user experience, folder browsing is locked down by default. You can explicitly allow access to known folders by including the `FileExplorerNamespaceRestrictions` node.
You can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time.
@ -288,19 +296,22 @@ With the exported Start menu configuration, use the `v5:StartPins` element and a
</v5:StartPins>
```
Example with some apps pinned:
Example with some apps and a Microsoft Edge pinned site:
``` xml
<v5:StartPins>
<![CDATA[
{
"pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"}
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"},
{"secondaryTile": { "tileId": "MSEdge._pin_mjalfbhoimpkfjlpajnjkpknoe", "arguments": " --pin-url=https://www.contoso.com --profile-directory=Default --launch-tile", "displayName": "Contoso intranet", "packagedAppId": "Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App", "smallIconPath": "ms-appdata:///local/Pins/MSEdge._pin_mjalfbhoimpkfjlpajnjkpknoe/ContosoLogo.png", "smallIcon": "iVBORw0KGgoAAAANSUhEUgAAADQAAAA0CAYAAADFeBvrAAAACXBIWXMAAAInAAACJwG+ElQIAAABaWlDQ1BEaXNwbGF5IFAzAAB4nHWQvUvDUBTFT6tS0DqIDh0cMolD1NIKdnFoKxRFMFQFq1OafgltfCQpUnETVyn4H1jBWXCwiFRwcXAQRAcR3Zw6KbhoeN6XVNoi3sfl/Ticc7lcwBtQGSv2AijplpFMxKS11Lrke4OHnlOqZrKooiwK/v276/PR9d5PiFlNu3YQ2U9cl84ul3aeAlN//V3Vn8maGv3f1EGNGRbgkYmVbYsJ3iUeMWgp4qrgvMvHgtMunzuelWSc+JZY0gpqhrhJLKc79HwHl4plrbWD2N6f1VeXxRzqUcxhEyYYilBRgQQF4X/8044/ji1yV2BQLo8CLMpESRETssTz0KFhEjJxCEHqkLhz634PrfvJbW3vFZhtcM4v2tpCAzidoZPV29p4BBgaAG7qTDVUR+qh9uZywPsJMJgChu8os2HmwiF3e38M6Hvh/GMM8B0CdpXzryPO7RqFn4Er/QcXKWq8MSlPPgAABFZJREFUeAHdWu1RajEQ3ev4X61AXgX6KhA68FWgrwLpAK0AO0ArUCsQKxArECsAK8jLuTNh9i3J5uMGBc9MhivmY0/2ZEk2l8jCGDOyZWF2FxNbeuDS2Iex/RzS7mPaNM0AhBb2j0P6Gfi1Txsms1wu6fPzs/1E6fV6dHBwQIeHGxm2t0+V8fLyQrPZjKbTafs5n8+99UDo9PSUzs/Pqd/v08nJCVWBqYDFYmGur6+NNdCgy5KCtnd3d6Yj+lhDhjrg5uaGbm9vWzlJwAuQGDzBAa/Be742qG8nhy4uLqgAg2IPvb6+Gjt4dNaHw6Gx8vP28f7+biaTibGSW2uLvvH/XA8VEbIeyZYUDISkQkbi+8vLy7V2kPJGCWGAkMGYaRiFz9B6Qj3NSBCTHoOXN0JIkrFrxIxGo+CsI1g8PDx4Zx7Enp+fg2OhX14ffVQlJMlg1mBwChwx35rTvIU2mLQM+aURQsfcCMxeCgkYEAscLniEJgfBh9eNhPY4IciJGxUj44jwmU0NGiHpjsfj/2SuRL84Ia7/mI4leWcAFjkkiugIsnj2BQ20DXmKBwolSOiEYGDKDAKQBveKCxjaOvOFahgugd8x3jc8VkSID6ZpV3oGRqUGDADRjrfnHsC4nLDdQWhdhQlJ76i9MDlEBjTaeNwLCEQysiYEozAhbElSvMPraWsgBTKa5kZWoxHis66tHS6Vgr3XGiC3QjKt2V5CmGVtkTpgsabUywHG5tKDAjLQ3yMP3t7eVs9y68/x+Pi4erYBhGoARw5Loj342WCR3a/3xGqls3rWCOFM41DtxGkBMigl8Hro4+Nj9Xx8fBxszAlpxL8SXkL8JKklM1w9nDK3BVFCR0dH3oah5Md3Yy9WwUYd7/cbSkN1hpcQl5AvkQGAkCO1Td7yEuKBgAcICR4IeID4TngJpRrK6yHBWAv39/c0GAzaZGU2Qr/WlLADwC6ZKu8U5M49M/mYtpfTNpy8npb0SEXHVFaYEM+9aR1yL2m5gRTwnbs8wieSChPisss5DyWmm9Ygz0OQmkxldc762P1U0YkV7XKOEvKIzU+s3GsJE6YT4nLCgLH8ACflUr9aG/xPnn8gW4mM/Fw/mvXhA5ZkfVwEhBFYlyjoMzdBz4NFcdYHkAeumI5RX2o/pWhkeICKZJ/ihAAuvdSIg0FD+TefB78sc+rgS56nLnwYi8Xtk6N2syCDRaesjw+SFAyEQdrtA4zi0ZK31X6I5R1UYnosj5CPFDfQ3Q+BQEhqsYzql94PxUhpJUYklORX0r71CAGhEO2TZEhaIAFphUJ4wd6w+y04bqyx3fcd8ty7CDLngENj6B0GtLm6umr7LUD5LTiHu81OudwiJXTDW102t1U8JIGZf3p6Wr1Joh3h8QYJytnZWa002KA6IQn3jg/k5fIQPB9RGT/ubazfyClsR3ajO+ZN08xA6C/+oN3G3JY/eGjcN1Z6WJW7KL0lPOP++AdqljW+tM7PvwAAAABJRU5ErkJggg==", "largeIconPath": "ms-appdata:///local/Pins/MSEdge._pin_mjalfbhoimpkfjlpajnjkpknoe/ContosoLogo.png" }}
]
}
]]>
</v5:StartPins>
```
::: zone-end

96
windows/configuration/assigned-access/configure-multi-app-kiosk.md Normal file
View File

@ -0,0 +1,96 @@
---
title: Configure a Multi-App Kiosk With Assigned Access
description: Learn how to configure a multi-app kiosk with Assigned Access.
ms.date: 3/7/2025
ms.topic: overview
---
# Configure a restricted user experience (multi-app kiosk) with Assigned Access
An Assigned Access restricted user experience runs one or more apps from the desktop. People using the kiosk have a customized Start menu that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for shared devices.
To configure a restricted user experience with Assigned Access, you must create an XML configuration file with the settings for the desired experience. The XML file is applied to the device via the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp#shelllauncher), using one of the following options:
- A Mobile Device Management (MDM) solution, like Microsoft Intune
- Provisioning packages
- PowerShell, with the MDM Bridge WMI Provider
To learn how to configure the Assigned Access XML file, see [Create an Assigned Access configuration file](configuration-file.md).
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
You can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
- **Setting:** `./Vendor/MSFT/AssignedAccess/Configuration`
- **Value:** content of the XML configuration file
Assign the policy to a group that contains as members the devices that you want to configure.
#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
- **Path:** `AssignedAccess/MultiAppAssignedAccessSettings`
- **Value:** content of the XML configuration file
[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
```PowerShell
$assignedAccessConfiguration = @"
# content of the XML configuration file
"@
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
Write-Error -ErrorRecord $cimSetError[0]
$timeout = New-TimeSpan -Seconds 30
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
do{
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
if($events.Count) {
$events | ForEach-Object {
Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
}
} else {
Write-Warning "Timed-out attempting to retrieve event logs..."
}
Exit 1
}
Write-Output "Successfully applied Assigned Access configuration"
```
[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
#### [:::image type="icon" source="../images/icons/settings-app.svg"::: **Settings**](#tab/settings)
This option isn't available using Settings.
---
> [!TIP]
> For practical examples, see the [Quickstart: Configure a restricted user experience with Assigned Access](quickstart-restricted-user-experience.md)
[!INCLUDE [user-experience](includes/user-experience.md)]
<!--links-->
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp

135
windows/configuration/assigned-access/overview.md → windows/configuration/assigned-access/configure-single-app-kiosk.md
View File

@ -1,15 +1,15 @@
---
title: What is Assigned Access?
description: Learn how to configure a Windows kiosk for single-app and multi-app scenarios with Assigned Access.
ms.date: 10/31/2024
title: Configure a Single-App Kiosk With Assigned Access
description: Learn how to configure a single-app kiosk with Assigned Access.
ms.date: 3/7/2025
ms.topic: overview
---
# What is Assigned Access?
# Configure a single-app kiosk with Assigned Access
Assigned Access is a Windows feature that you can use to configure a device as a kiosk or with a restricted user experience.
When you configure a **kiosk experience**, a single Universal Windows Platform (UWP) application or Microsoft Edge is executed in full screen, above the lock screen. Users can only use that application. If the kiosk app is closed, it automatically restarts. Practical examples include:
When you configure a **kiosk experience**, a single Universal Windows Platform (UWP) application or Microsoft Edge is executed in full screen. Users can only use that application and once the kiosk app is closed, it automatically restarts. Practical examples include:
- Public browsing
- Interactive digital signage
@ -170,7 +170,7 @@ Here are the steps to configure a kiosk using the Settings app:
>[!NOTE]
>If there are any local standard user accounts already, the **Create an account** dialog offers the option to **Choose an existing account**
1. Choose the application to run when the kiosk account signs in. Only apps that can run above the lock screen are available in the list of apps to choose from. If you select **Microsoft Edge** as the kiosk app, you configure the following options:
1. Choose the application to run when the kiosk account signs in. If you select **Microsoft Edge** as the kiosk app, you configure the following options:
- Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser)
- Which URL should be open when the kiosk accounts signs in
@ -188,128 +188,7 @@ When the device isn't joined to an Active Directory domain or Microsoft Entra ID
> [!TIP]
> For practical examples, see the [Quickstart: Configure a kiosk with Assigned Access](quickstart-kiosk.md).
## Configure a restricted user experience
To configure a restricted user experience with Assigned Access, you must create an XML configuration file with the settings for the desired experience. The XML file is applied to the device via the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp#shelllauncher), using one of the following options:
- A Mobile Device Management (MDM) solution, like Microsoft Intune
- Provisioning packages
- PowerShell, with the MDM Bridge WMI Provider
To learn how to configure the Assigned Access XML file, see [Create an Assigned Access configuration file](configuration-file.md).
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
You can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
- **Setting:** `./Vendor/MSFT/AssignedAccess/ShellLauncher`
- **Value:** content of the XML configuration file
Assign the policy to a group that contains as members the devices that you want to configure.
#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
- **Path:** `AssignedAccess/MultiAppAssignedAccessSettings`
- **Value:** content of the XML configuration file
[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
```PowerShell
$assignedAccessConfiguration = @"
# content of the XML configuration file
"@
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
Write-Error -ErrorRecord $cimSetError[0]
$timeout = New-TimeSpan -Seconds 30
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
do{
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
if($events.Count) {
$events | ForEach-Object {
Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
}
} else {
Write-Warning "Timed-out attempting to retrieve event logs..."
}
Exit 1
}
Write-Output "Successfully applied Assigned Access configuration"
```
[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
#### [:::image type="icon" source="../images/icons/settings-app.svg"::: **Settings**](#tab/settings)
This option isn't available using Settings.
---
> [!TIP]
> For practical examples, see the [Quickstart: Configure a restricted user experience with Assigned Access](quickstart-restricted-user-experience.md)
## User experience
To validate the kiosk or restricted user experience, sign in with the user account you specified in the configuration file.
The Assigned Access configuration takes effect the next time the targeted user signs in. If that user account is signed in when you apply the configuration, sign out and sign back in to validate the experience.
> [!NOTE]
> Starting in Windows 11, a restricted user experience supports the use of multiple monitors.
### Autotrigger touch keyboard
The touch keyboard is automatically triggered when there's an input needed and no physical keyboard is attached on touch-enabled devices. You don't need to configure any other setting to enforce this behavior.
> [!TIP]
> The touch keyboard is triggered only when tapping a textbox. Mouse clicks don't trigger the touch keyboard. If you're testing this feature, use a physical device instead of a virtual machine (VM), as the touch keyboard is not triggered on VMs.
### Sign out of assigned access
By default, to exit the kiosk experience, press <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Del</kbd>. The kiosk app exits automatically. If you sign in again as the Assigned Access account, or wait for the sign in screen timeout, the kiosk app relaunches. The default timeout is 30 seconds, but you can change the timeout with the registry key:
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
To change the default time for Assigned Access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
> [!NOTE]
> `IdleTimeOut` doesn't apply to the Microsoft Edge kiosk mode.
The Breakout Sequence of <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Del</kbd> is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence is <kbd>CTRL</kbd> + <kbd>ALT</kbd> + <kbd>A</kbd>, where <kbd>CTRL</kbd> + <kbd>ALT</kbd> are the modifiers, and <kbd>A</kbd> is the key value. To learn more, see [Create an Assigned Access configuration XML file](configuration-file.md).
## Remove Assigned Access
Deleting the restricted user experience removes the policy settings associated with the users, but it can't revert all the configurations. For example, the Start menu configuration is maintained.
## Next steps
> [!div class="nextstepaction"]
> Review the recommendations before you deploy Assigned Access:
>
> [Assigned Access recommendations](recommendations.md)
<!--links-->
[!INCLUDE [user-experience](includes/user-experience.md)]
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp

4
windows/configuration/assigned-access/examples.md
View File

@ -1,7 +1,7 @@
---
title: Assigned Access examples
title: Assigned Access Examples
description: Practical examples of XML files to configure Assigned Access.
ms.date: 10/31/2024
ms.date: 3/7/2025
ms.topic: reference
zone_pivot_groups: windows-versions-11-10
appliesto:

BIN
windows/configuration/assigned-access/images/restricted-user-experience-example.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 763 KiB

2
windows/configuration/assigned-access/includes/example-global-profile.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---

2
windows/configuration/assigned-access/includes/example-kiosk-uwp.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---

2
windows/configuration/assigned-access/includes/example-restricted-experience.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---

2
windows/configuration/assigned-access/includes/example-two-profiles.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---

2
windows/configuration/assigned-access/includes/example-usergroup.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---

2
windows/configuration/assigned-access/includes/quickstart-kiosk-intune.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---

2
windows/configuration/assigned-access/includes/quickstart-kiosk-ps.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---

2
windows/configuration/assigned-access/includes/quickstart-kiosk-xml.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---

2
windows/configuration/assigned-access/includes/quickstart-restricted-experience-intune.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---

2
windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---

2
windows/configuration/assigned-access/includes/quickstart-restricted-experience-xml.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.date: 3/7/2025
ms.topic: include
---

78
windows/configuration/assigned-access/includes/user-experience.md Normal file
View File

@ -0,0 +1,78 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 3/7/2025
ms.topic: include
---
## User experience
To validate the kiosk configuration, sign in with the user account you specified in the configuration file.
The Assigned Access configuration takes effect the next time the targeted user signs in. If that user account is signed in when you apply the configuration, sign out and sign back in to validate the experience.
### Autotrigger touch keyboard
The touch keyboard is automatically triggered when there's an input needed and no physical keyboard is attached on touch-enabled devices. You don't need to configure any other setting to enforce this behavior.
> [!TIP]
> The touch keyboard is triggered only when tapping a textbox. Mouse clicks don't trigger the touch keyboard. If you're testing this feature, use a physical device instead of a virtual machine (VM), as the touch keyboard isn't triggered on VMs.
### Sign out of assigned access
By default, to exit the kiosk experience, press <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Del</kbd>. The kiosk app exits automatically. If you sign in again as the Assigned Access account, or wait for the sign in screen time-out, the kiosk app relaunches. The default time-out is 30 seconds, but you can change the time-out with the registry key:
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
To change the default time for Assigned Access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
> [!NOTE]
> `IdleTimeOut` doesn't apply to the Microsoft Edge kiosk mode.
The Breakout Sequence of <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Del</kbd> is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence is <kbd>CTRL</kbd> + <kbd>ALT</kbd> + <kbd>A</kbd>, where <kbd>CTRL</kbd> + <kbd>ALT</kbd> are the modifiers, and <kbd>A</kbd> is the key value. To learn more, see [Create an Assigned Access configuration XML file](../configuration-file.md).
## Remove Assigned Access
Deleting the Assigned Access configuration removes the policy settings associated with the users, but it can't revert all the changes. For example, in a multi-app kiosk scenario the Start menu configuration is maintained.
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
To remove the Assigned Access configuration, unassign or delete the policy that contains the configuration.
#### [:::image type="icon" source="../../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To remove the Assigned Access configuration, uninstall the provisioning package that contains the configuration.
#### [:::image type="icon" source="../../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
```PowerShell
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = $null
Set-CimInstance -CimInstance $obj
```
#### [:::image type="icon" source="../../images/icons/settings-app.svg"::: **Settings**](#tab/settings)
1. Go to **Settings > Accounts > Other Users**, or use the following shortcut:
> [!div class="nextstepaction"]
>
> [Other Users](ms-settings:otherusers)
1. Select **Kiosk**
1. Under **Kiosk info**, expand the application used for the kiosk experience
1. Select **Remove kiosk**
> [!NOTE]
> This option isn't available using Settings if you configured a restricted user experience.
---
## Next steps
> [!div class="nextstepaction"]
> Review the recommendations before you deploy Assigned Access:
>
> [Assigned Access recommendations](../recommendations.md)

77
windows/configuration/assigned-access/index.md
View File

@ -1,74 +1,47 @@
---
title: Windows kiosks and restricted user experiences
description: Learn about the options available in Windows to configure kiosks and restricted user experiences.
title: Assigned Access Overview
description: Learn how to configure a Windows kiosk for single-app and multi-app scenarios with Assigned Access.
ms.date: 3/7/2025
ms.topic: overview
ms.date: 10/31/2024
---
# Windows kiosks and restricted user experiences
# Assigned Access overview
Organizations are constantly seeking ways to streamline operations, improve customer service, and enhance productivity. One effective solution is the deployment of kiosk devices. These specialized devices offer a range of benefits that can significantly impact an organization's efficiency and success. For example:
Assigned Access is a Windows feature that you can use to configure a device as a kiosk or with a restricted user experience.
- Cost-effective customer service: kiosks allow organizations to provide essential services without the need for dedicated staff. Whether it's checking in at a hotel, ordering food at a restaurant, or printing boarding passes at an airport, kiosks reduce labor costs while maintaining service quality. Customers appreciate the convenience of self-service options, leading to higher satisfaction levels
- Reduced wait times: long queues and wait times frustrate customers and staff members. Kiosks expedite processes by allowing users to complete tasks independently. Whether it's paying bills, renewing memberships, or accessing information, kiosks empower users to get things done swiftly
- Consistent brand experience: kiosks ensure a uniform brand experience across different locations. Whether in retail stores, schools, airports, or healthcare facilities, the interface remains consistent. Brand consistency builds trust and reinforces the organization's image
- Customization and flexibility: kiosks can be tailored to specific needs. From touchscreens to barcode scanners, organizations choose features that align with their goals. Whether it's self-checkout, wayfinding, or interactive product catalogs, kiosks adapt to diverse requirements
When you configure a **kiosk experience**, a single Universal Windows Platform (UWP) application or Microsoft Edge is executed in full screen, above the lock screen. Users can only use that application. If the kiosk app is closed, it automatically restarts. Practical examples include:
Windows offers two different options for public or specialized use:
- Public browsing
- Interactive digital signage
:::row:::
:::column span="1":::
:::image type="content" source="images/kiosk.png" alt-text="Icon representing a kiosk." border="false":::
:::column-end:::
:::column span="3":::
#### Kiosk experience
:::column-end:::
:::row-end:::
When you configure a **restricted user experience**, users can only execute a defined list of applications, with a tailored Start menu and Taskbar. Different policy settings and AppLocker rules are enforced, creating a locked down experience. The users can access a familiar Windows desktop, while limiting their access, reducing distractions, and potential for inadvertent uses. Ideal for shared devices, you can create different configurations for different users. Practical examples include:
This option runs a single application in full screen, and people using the device can only use that app. When the designated kiosk account signs in, the kiosk app launches automatically. This option is sometimes referred to as *single-app kiosk*.
- Frontline worker devices
- Student devices
- Lab devices
Windows offers two different features to configure a kiosk experience:
> [!NOTE]
> When you configure a restricted user experience, different policy settings are applied to the device. Some policy settings apply to standard users only, and some to administrator accounts too. For more information, see [Assigned Access policy settings](policy-settings.md).
- **Assigned Access**: used to execute a single Universal Windows Platform (UWP) app or Microsoft Edge in full screen above the lock screen. When the kiosk account signs in, the kiosk app launches automatically. If the UWP app is closed, it automatically restarts
- **Shell Launcher**: used to configure a device to execute a Windows desktop application as the user interface. The application that you specify replaces the default Windows shell (`Explorer.exe`) that usually runs when a user signs in. This type of single-app kiosk doesn't run above the lock screen
## Requirements
:::row:::
:::column span="1":::
:::image type="content" source="images/restricted-user-experience.png" alt-text="Icon representing a restricted user experience." border="false":::
:::column-end:::
:::column span="3":::
#### Restricted user experience
:::column-end:::
:::row-end:::
Here are the requirements for Assigned Access:
This option loads the Windows desktop, but it only allows to run a defined set of applications. When the designated user signs in, the user can only run the apps that are allowed. The Start menu is customized to show only the apps that are allowed to execute. With this approach, you can configure a locked-down experience for different account types. This option is sometimes referred to as *multi-app kiosk*.
- To use a kiosk experience, [User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be enabled
- To use a kiosk experience, you must sign in from the console. The kiosk experience isn't supported over a remote desktop connection
:::image type="content" source="images/restricted-user-experience-example.png" alt-text="Screenshot of a restricted user experience in Windows 11." border="false":::
To configure a restricted user experience, you use the **Assigned Access** feature.
## Choose the right experience
When you're considering a kiosk or restricted user experience, you need to choose the right experience for your needs. A good approach is to ask yourself the following set of questions:
| | Question |
|--|--|
| **🔲** | *How many apps?* <br>The number of apps determines the experience to build: **kiosk** or **restricted user experience**.|
| **🔲** | *Desktop experience or custom?* <br>If your users require access to the desktop with a custom Start menu, then you can build a **restricted user experience** with **Assigned Access**. If your users require access to multiple applications but with a custom user interface, then you should use **Shell Launcher**.|
| **🔲** | *In single-app scenario, which type of app will your kiosk run?* <br>If the kiosk requires a Universal Windows Platform (UWP) app or Microsoft Edge, you can build a **kiosk experience** with **Assigned Access**. If the kiosk requires a desktop app, you can build a **kiosk experience** with **Shell Launcher**.|
| **🔲** | *Which edition of Windows client will the kiosk run?"* <br>**Assigned Access** is supported on Windows Pro and Enterprise/Education. **Shell Launcher** is only supported on Windows Enterprise and Education editions.|
[!INCLUDE [assigned-access](../../../includes/licensing/assigned-access.md)]
## Next steps
In the next sections, you can learn more about the options available to configure kiosks and restricted user experiences:
Learn how to configure Assigned Access:
- [Assigned Access](overview.md)
- [Shell Launcher](shell-launcher/index.md)
- [Configure a single-app kiosk experience with Assigned Access](configure-single-app-kiosk.md)
- [Configure a restricted user experience (multi-app kiosk) with Assigned Access](configure-multi-app-kiosk.md)
### :::image type="icon" source="../images/icons/rocket.svg" border="false"::: Quickstarts
If you're ready to try out the options available to configure kiosks and restricted user experiences, check out the following quickstarts:
If you want to quickly test Assigned Access, check out the following quickstarts:
- [Quickstart: configure a kiosk with Assigned Access](quickstart-kiosk.md)
- [Quickstart: configure a kiosk experience with Shell Launcher](shell-launcher/quickstart-kiosk.md)
- [Quickstart: configure a restricted user experience with Assigned Access](quickstart-restricted-user-experience.md)
- [Quickstart: configure a single-app kiosk with Assigned Access](quickstart-kiosk.md)
- [Quickstart: configure a restricted user experience with Assigned Access](quickstart-restricted-user-experience.md)

2
windows/configuration/assigned-access/policy-settings.md
View File

@ -1,5 +1,5 @@
---
title: Assigned Access policy settings
title: Assigned Access Policy Settings
description: Learn about the policy settings enforced on a device configured with Assigned Access.
ms.topic: reference
ms.date: 02/25/2025

32
windows/configuration/assigned-access/quickstart-kiosk.md
View File

@ -1,13 +1,13 @@
---
title: "Quickstart: configure a kiosk experience with Assigned Access"
description: Learn how to configure a kiosk experience with Assigned Access using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
title: "Quickstart: Configure a Single-App Kiosk With Assigned Access"
description: Learn how to configure a single-app kiosk with Assigned Access using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
ms.date: 10/31/2024
ms.date: 3/7/2025
---
# Quickstart: configure a kiosk with Assigned Access
# Quickstart: configure a single-app kiosk with Assigned Access
This quickstart provides practical examples of how to configure a *kiosk experience* on Windows with Assigned Access. The examples describe the steps using the Settings app, a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
This quickstart provides practical examples of how to configure a single-app kiosk on Windows with Assigned Access. The examples describe the steps using the Settings app, a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
The examples can be modified to fit your specific requirements. For example, you can change the app used, the URL specified when opening Microsoft Edge, or change the name of the user that automatically signs in to Windows.
@ -62,8 +62,6 @@ Assign the policy to a group that contains as members the devices that you want
[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
#### [:::image type="icon" source="../images/icons/settings-app.svg"::: **Settings**](#tab/settings)
Here are the steps to configure a kiosk using the Settings app:
@ -79,7 +77,7 @@ Here are the steps to configure a kiosk using the Settings app:
>[!NOTE]
>If there are any local standard user accounts already, the **Create an account** dialog offers the option to **Choose an existing account**
1. Choose the application to run when the kiosk account signs in. Only apps that can run above the lock screen are available in the list of apps to choose from. If you select **Microsoft Edge** as the kiosk app, you configure the following options:
1. Choose the application to run when the kiosk account signs in. If you select **Microsoft Edge** as the kiosk app, you configure the following options:
- Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser)
- Which URL should be open when the kiosk accounts signs in
@ -93,12 +91,28 @@ Here are the steps to configure a kiosk using the Settings app:
After the settings are applied, reboot the device. A local user account is automatically signed in, opening Microsoft Edge.
## Remove Assigned Access
Once you no longer need the kiosk configuration, you can remove it.
Here's a PowerShell example to remove the Assigned Access configuration:
```powershell
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = $null
Set-CimInstance -CimInstance $obj
```
Reboot the device to apply the changes.
## Next steps
> [!div class="nextstepaction"]
> Learn more about Assigned Access and how to configure it:
>
> [Assigned Access overview](overview.md)
> [Assigned Access overview](index.md)
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10

24
windows/configuration/assigned-access/quickstart-restricted-user-experience.md
View File

@ -1,15 +1,15 @@
---
title: "Quickstart: configure a restricted user experience with Assigned Access"
title: "Quickstart: Configure a Restricted User Experience With Assigned Access"
description: Learn how to configure a restricted user experience with Assigned Access using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
ms.date: 10/31/2024
ms.date: 3/7/2025
appliesto:
zone_pivot_groups: windows-versions-11-10
---
# Quickstart: configure a restricted user experience with Assigned Access
This quickstart provides practical examples of how to configure a *restricted user experience* on Windows. The examples describe the steps using a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
This quickstart provides practical examples of how to configure a restricted user experience on Windows. The examples describe the steps using a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
The examples can be modified to fit your specific requirements. For example, you can add or remove applications from the list of allowed apps, or change the name of the user that automatically signs in to Windows.
@ -80,12 +80,28 @@ After the settings are applied, reboot the device. A local user account is autom
::: zone-end
## Remove Assigned Access
Once you no longer need the restricted user experience, you can remove it. Deleting the Assigned Access configuration removes the policy settings associated with the users, but it can't revert all the changes. For example, the Start menu configuration is maintained.
Here's a PowerShell example to remove the configuration:
```powershell
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = $null
Set-CimInstance -CimInstance $obj
```
Reboot the device to apply the changes.
## Next steps
> [!div class="nextstepaction"]
> Learn more about Assigned Access and how to configure it:
>
> [Assigned Access overview](overview.md)
> [Assigned Access overview](index.md)
<!--links-->

8
windows/configuration/assigned-access/recommendations.md
View File

@ -1,8 +1,8 @@
---
title: Assigned Access recommendations
title: Assigned Access Recommendations
description: Learn about the recommended kiosk and restricted user experience configuration options.
ms.topic: best-practice
ms.date: 10/31/2024
ms.date: 3/7/2025
---
# Assigned Access recommendations
@ -20,7 +20,7 @@ Consider enabling *automatic sign-in* for your kiosk device. When the device res
You can configure the Assigned Access and Shell Launcher XML files with an account to sign-in automatically. For more information, review the articles:
- [Create an Assigned Access configuration XML file](configuration-file.md)
- [Create a Shell Launcher configuration file](shell-launcher/configuration-file.md)
- [Create a Shell Launcher configuration file](../shell-launcher/configuration-file.md)
Alternatively, you can edit the Registry to have an account sign in automatically:
@ -116,7 +116,7 @@ The following guidelines help you choose an appropriate Windows app for a kiosk
- Windows apps must be provisioned or installed for the Assigned Access account before they can be selected as the Assigned Access app. [Learn how to provision and install apps](/windows/client-management/mdm/enterprise-app-management#install_your_apps)
- UWP app updates can sometimes change the Application User Model ID (AUMID) of the app. In such scenario, you must update the Assigned Access settings to execute the updated app, because Assigned Access uses the AUMID to determine the app to launch
- The app must be able to run above the lock screen. If the app can't run above the lock screen, it can't be used as a kiosk app
- The app must be able to run *above* the lock screen. If the app can't run above the lock screen, it can't be used as a kiosk app
- Some apps can launch other apps. Assigned Access in kiosk mode prevents Windows apps from launching other apps. Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality
- Microsoft Edge includes support for kiosk mode. To learn more, see [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy)
- Don't select Windows apps that might expose information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access

131
windows/configuration/assigned-access/shell-launcher/index.md
View File

@ -1,131 +0,0 @@
---
title: What is Shell Launcher?
description: Learn how to configure devices with Shell Launcher.
ms.date: 10/31/2024
ms.topic: overview
---
# What is Shell Launcher?
Shell Launcher is a Windows feature that you can use to replace the default Windows Explorer shell (`Explorer.exe`) with a Windows desktop application or a Universal Windows Platform (UWP) app.
Practical examples include:
- Public browsing
- Interactive digital signage
- ATMs
Shell Launcher controls which application the user sees as the shell after sign-in. It doesn't prevent the user from accessing other desktop applications and system components. From a custom shell, you can launch secondary views displayed on multiple monitors, or launch other apps in full screen on user's demand.
With Shell Launcher, you can use features and methods to control access to other applications or system components. These methods include, but aren't limited to:
- Configuration Service Provider (CSP): you can use a Mobile Device Management (MDM) solution like Microsoft Intune
- Group policy (GPO)
- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)
Shell Launcher is part of the [Assigned Access](../overview.md) feature, which allows you to configure kiosks or restricted user experiences. To learn about the differences between Shell Launcher and the other options offered by Assigned Access, see [Windows kiosks and restricted user experiences](../index.md).
[!INCLUDE [shell-launcher](../../../../includes/licensing/shell-launcher.md)]
## Limitations
Here are some limitations to consider when using Shell Launcher:
- Windows doesn't support setting a custom shell before the out-of-box experience (OOBE). If you do, you can't deploy the resulting image
- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you can't specify `write.exe` in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. `Write.exe` creates a 32-bit `wordpad.exe` process and exits. Since Shell Launcher isn't aware of the newly created `wordpad.exe` process, Shell Launcher takes action based on the exit code of `Write.exe`, such as restarting the custom shell
## Configure a device with Shell Launcher
The configuration of Shell Launcher is done using an XML file. The XML file is applied to the device via the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp#shelllauncher), using one of the following options:
- A Mobile Device Management (MDM) solution, like Microsoft Intune
- Provisioning packages
- The MDM Bridge WMI Provider
To learn how to configure the Shell Launcher XML file, see [Create a Shell Launcher configuration file](configuration-file.md).
[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
You can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
- **Setting:** `./Vendor/MSFT/AssignedAccess/ShellLauncher`
- **Value:** content of the XML configuration file
Assign the policy to a group that contains as members the devices that you want to configure.
#### [:::image type="icon" source="../../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
[!INCLUDE [provisioning-package-1](../../../../includes/configure/provisioning-package-1.md)]
- **Path:** `SMISettings/ShellLauncher`
- **Value:** depends on specific settings
[!INCLUDE [provisioning-package-2](../../../../includes/configure/provisioning-package-2.md)]
#### [:::image type="icon" source="../../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
[!INCLUDE [powershell-wmi-bridge-1](../../../../includes/configure/powershell-wmi-bridge-1.md)]
```PowerShell
$shellLauncherConfiguration = @"
# content of the XML configuration file
"@
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
Write-Error -ErrorRecord $cimSetError[0]
$timeout = New-TimeSpan -Seconds 30
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
$eventLogFilterHashTable = @{ LogName='Microsoft-Windows-AssignedAccess/Admin' }
do{
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
if($events.Count) {
$events | ForEach-Object {
Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
}
} else {
Write-Warning "Timed-out attempting to retrieve event logs..."
}
Exit 1
}
Write-Output "Successfully applied Shell Launcher configuration"
```
[!INCLUDE [powershell-wmi-bridge-2](../../../../includes/configure/powershell-wmi-bridge-2.md)]
---
> [!TIP]
> For practical examples, see the [Quickstart: configure a kiosk experience with Shell Launcher](quickstart-kiosk.md).
## User experience
After the settings are applied, the users that are configured to use Shell Launcher will execute the custom shell after sign-in.
Depending on your configuration, you can have a user to automatically sign in to the device.
## Next steps
> [!div class="nextstepaction"]
> Learn how to configure the Shell Launcher XML file:
>
> [Create a Shell Launcher configuration file](configuration-file.md)
<!--links-->
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp

9
windows/configuration/assigned-access/shell-launcher/toc.yml
View File

@ -1,9 +0,0 @@
items:
- name: What is Shell Launcher?
href: index.md
- name: "Quickstart: Configure a kiosk with Shell Launcher"
href: quickstart-kiosk.md
- name: Create a Shell Launcher configuration file
href: configuration-file.md
- name: Shell Launcher XSD
href: xsd.md

55
windows/configuration/assigned-access/toc.yml
View File

@ -1,33 +1,32 @@
items:
- name: Overview
href: index.md
- name: Assigned Access
items:
- name: What is Assigned Access?
href: overview.md
- name: Quickstarts
items:
- name: Configure a kiosk with Assigned Access
href: quickstart-kiosk.md
- name: Configure a restricted user experience with Assigned Access
href: quickstart-restricted-user-experience.md
- name: Create an Assigned Access configuration file
href: configuration-file.md
- name: Reference
items:
- name: Assigned Access XSD
href: xsd.md
- name: Assigned Access XML examples
href: examples.md
- name: Assigned Access policy settings
href: policy-settings.md
- name: Shell Launcher
href: shell-launcher/toc.yml
- name: Configure a single-app kiosk
href: configure-single-app-kiosk.md
- name: Configure a multi-app kiosk
href: configure-multi-app-kiosk.md
displayName: Configure a restricted user experience
- name: Recommendations
href: recommendations.md
- name: Assigned Access CSP 🔗
href: /windows/client-management/mdm/assignedaccess-csp
- name: Troubleshoot 🔗
href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting
- name: Configure Microsoft Edge kiosk mode 🔗
href: /deployedge/microsoft-edge-configure-kiosk-mode
- name: Create a configuration file
href: configuration-file.md
- name: Quickstarts
items:
- name: Configure a single-app kiosk
href: quickstart-kiosk.md
displayName: Configure a single-app kiosk quickstart
- name: Configure a multi-app kiosk
href: quickstart-restricted-user-experience.md
displayName: Configure a restricted user experience quickstart
- name: Reference
items:
- name: Assigned Access XSD
href: xsd.md
- name: Assigned Access XML examples
href: examples.md
- name: Assigned Access policy settings
href: policy-settings.md
- name: WMI Class WEDL_AssignedAccess
href: wedl-assignedaccess.md
- name: Assigned Access CSP 🔗
href: /windows/client-management/mdm/assignedaccess-csp

2
windows/configuration/shell-launcher/wedl-assignedaccess.md → windows/configuration/assigned-access/wedl-assignedaccess.md
View File

@ -9,7 +9,7 @@ ms.topic: reference
This Windows Management Instrumentation (WMI) provider class configures settings for assigned access.
[!INCLUDE [shell-launcher](../../../includes/licensing/assigned-access.md)]
[!INCLUDE [assigned-access](../../../includes/licensing/assigned-access.md)]
## Syntax

2
windows/configuration/assigned-access/xsd.md
View File

@ -2,7 +2,7 @@
title: Assigned Access XML Schema Definition (XSD)
description: Assigned Access XSD reference article.
ms.topic: reference
ms.date: 10/31/2024
ms.date: 3/7/2025
---
# Assigned Access XML Schema Definition (XSD)

BIN
windows/configuration/background/images/contoso-lockscreen-10.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 114 KiB

BIN
windows/configuration/background/images/contoso-lockscreen-11.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 116 KiB

135
windows/configuration/background/index.md Normal file
View File

@ -0,0 +1,135 @@
---
title: Configure the Desktop and Lock Screen Backgrounds in Windows
description: Learn how to configure the desktop and lock screen background in Windows using policy settings, including Intune, CSP, and GPO.
ms.topic: how-to
ms.date: 03/03/2025
author: paolomatarazzo
ms.author: paoloma
appliesto:
zone_pivot_groups: windows-versions-11-10
---
# Configure the desktop and lock screen backgrounds
Configuring desktop and lock screen backgrounds in Windows offers a simple yet effective way to enhance productivity, enforce consistency, and strengthen organizational branding.
Predefined backgrounds can display company logos, mission statements, or school emblems, reinforcing identity across devices. Examples where predefined backgrounds are especially valuable include kiosks, where lock screens can provide clear instructions, or student devices, where consistent branding fosters a sense of belonging and professionalism.
::: zone pivot="windows-11"
:::image type="content" source="images/contoso-lockscreen-11.png" alt-text="Screenshot of the Windows 11 lock screen with Windows spotlight enabled over an organization wallpaper." border="false":::
::: zone-end
::: zone pivot="windows-10"
:::image type="content" source="images/contoso-lockscreen-10.png" alt-text="Screenshot of the Windows 10 lock screen with Windows spotlight enabled over an organization wallpaper." border="false":::
::: zone-end
This article explains how to configure the desktop and lock screen backgrounds in Windows using policy settings. It includes examples of how to implement these configurations using Microsoft Intune, Configuration Service Provider (CSP), and Group Policy Object (GPO).
## Image ratios and scaling
A key consideration when using custom images is how they appear on devices with varying screen sizes and resolutions. For example, a custom image created in a 16:9 aspect ratio (such as 1600x900) scales properly on devices with 16:9 resolutions, like 1280x720 or 1920x1080. On devices with other aspect ratios, such as 4:3 (1024x768) or 16:10 (1280x800), the image's height scales correctly, but the width is cropped to match the aspect ratio. The image remains centered on the screen.
Images created in nonstandard aspect ratios might scale and center unpredictably when displayed on devices with different resolutions. To ensure consistent results, especially for images containing text (for example, legal statements), design the image in a 16:9 resolution and keep critical text within the 4:3 region. This approach ensures that the text remains visible across all aspect ratios.
## Configure the desktop background
**Windows edition requirements**. The following table summarizes the Windows editions and licensing requirements for configuring the desktop background:
| Windows edition | Intune/CSP | GPO |
|:-|:-:|:-:|
|Pro / Pro Education|✅|✅|
|Enterprise / Education|✅|✅|
|IoT Enterprise|✅|✅|
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)]
| Category | Setting name | Value |
|--|--|--|
| **Personalization** | Desktop Image Url | An http or https URL to a jpg, jpeg, or png image file. |
[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
Alternatively, you can configure devices using a [custom policy][INT-1] with the [Personalization CSP][CSP-1].
| Setting |
|--------|
| - **OMA-URI:** `./Vendor/MSFT/Personalization/DesktopImageUrl`<br>- **Data type:** string <br>- **Value:** An http or https URL to a jpg, jpeg, or png image file. |
#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)]
| Group policy path | Group policy setting | Value |
| - | - | - |
| **User Configuration\Administrative Templates\Desktop\Desktop** |Desktop Wallpaper | Fully qualified path and name of the image file. You can use a local path or a UNC path. |
[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
---
## Configure the lock screen background
**Windows edition requirements**. The following table summarizes the Windows editions and licensing requirements for configuring the lock screen background:
| Windows edition | Intune/CSP | GPO |
|:-|:-:|:-:|
|Pro / Pro Education|✅|❌|
|Enterprise / Education|✅|✅|
|IoT Enterprise|✅|✅|
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)]
| Category | Setting name | Value |
|--|--|--|
| **Personalization** | Lock Screen Image Url| An http or https URL to a jpg, jpeg, or png image file. |
[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
Alternatively, you can configure devices using a [custom policy][INT-1] with the [Personalization CSP][CSP-1].
| Setting |
|--------|
| - **OMA-URI:** `./Vendor/MSFT/Personalization/LockScreenImageUrl`<br>- **Data type:** string <br>- **Value:** An http or https URL to a jpg, jpeg, or png image file.|
#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)]
| Group policy path | Group policy setting | Value |
| - | - | - |
| **Computer Configuration\Administrative Templates\Control Panel\Personalization** | Force a specific default lock screen and logon image | Fully qualified path and name of the image file. You can use a local path or a UNC path.|
[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
---
> [!TIP]
> You can also configure a custom lock screen image using [organizational messages in the Microsoft 365 admin center][M365-1].
## User experience
When the policy is applied, the lock screen and desktop background images are set to the specified URL or path. The images are downloaded and cached locally on the device. The images are displayed in the background when the user signs in, and on the lock screen when the user locks the device.
## Windows spotlight
Windows spotlight is a feature that can display a different image on the lock screen and desktop background every day. Windows spotlight can also provide personalized content, such as tips and tricks for using Windows. You can configure a custom background image or lock screen image and still use Windows spotlight. When you do so, users can still receive suggestions, fun facts, tips, or organizational messages, but the background image is replaced with the custom image.
To learn more, see [Configure Windows spotlight](../windows-spotlight/index.md).
<!--links-->
[CSP-1]: /windows/client-management/mdm/personalization-csp
[M365-1]: /microsoft-365/admin/misc/organizational-messages-microsoft-365?view=o365-worldwide
[INT-1]: /mem/intune/configuration/settings-catalog

12
windows/configuration/docfx.json
View File

@ -84,14 +84,16 @@
"custom-logon//**/*.yml": "terrywarwick",
"keyboard-filter//**/*.md": "terrywarwick",
"keyboard-filter//**/*.yml": "terrywarwick",
"kiosk//**/*.md": "paolomatarazzo",
"kiosk//**/*.yml": "paolomatarazzo",
"lock-screen//**/*.md": "paolomatarazzo",
"lock-screen//**/*.yml": "paolomatarazzo",
"provisioning-packages//**/*.md": "vinaypamnani-msft",
"provisioning-packages//**/*.yml": "vinaypamnani-msft",
"shared-pc//**/*.md": "paolomatarazzo",
"shared-pc//**/*.yml": "paolomatarazzo",
"shell-launcher//**/*.md": "terrywarwick",
"shell-launcher//**/*.yml": "terrywarwick",
"shell-launcher//**/*.md": "paolomatarazzo",
"shell-launcher//**/*.yml": "paolomatarazzo",
"start//**/*.md": "paolomatarazzo",
"start//**/*.yml": "paolomatarazzo",
"store//**/*.md": "paolomatarazzo",
@ -119,13 +121,15 @@
"lock-screen//**/*.md": "paoloma",
"keyboard-filter//**/*.md": "twarwick",
"keyboard-filter//**/*.yml": "twarwick",
"kiosk//**/*.md": "paoloma",
"kiosk//**/*.yml": "paoloma",
"lock-screen//**/*.yml": "paoloma",
"provisioning-packages//**/*.md": "vinpa",
"provisioning-packages//**/*.yml": "vinpa",
"shared-pc//**/*.md": "paoloma",
"shared-pc//**/*.yml": "paoloma",
"shell-launcher//**/*.md": "twarwick",
"shell-launcher//**/*.yml": "twarwick",
"shell-launcher//**/*.md": "paoloma",
"shell-launcher//**/*.yml": "paoloma",
"start//**/*.md": "paoloma",
"start//**/*.yml": "paoloma",
"store//**/*.md": "paoloma",

10
windows/configuration/images/icons/dev.svg Normal file
View File

@ -0,0 +1,10 @@
<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
<g clip-path="url(#clip0_443_483)">
<path d="M2.925 0C1.30956 0 0 1.30956 0 2.925V13.275C0 14.8904 1.30956 16.2 2.925 16.2H7.23987C7.32204 15.7666 7.53075 15.3526 7.86618 15.0171L8.03331 14.85H2.925C2.05515 14.85 1.35 14.1448 1.35 13.275V4.95H14.85V7.22898C15.0045 7.24644 15.1583 7.27182 15.3106 7.30503C15.7342 7.39746 16.0432 7.67574 16.2 8.01756V2.925C16.2 1.30956 14.8904 0 13.275 0H2.925ZM11.6942 8.03961L10.1523 6.49773C9.88866 6.2341 9.46134 6.2341 9.19773 6.49773C8.93412 6.76134 8.93412 7.18866 9.19773 7.45227L10.7202 8.97471C10.8378 8.82279 10.9663 8.67654 11.1058 8.53704C11.2909 8.352 11.4879 8.18622 11.6942 8.03961ZM7.00227 7.45227C7.26588 7.18866 7.26588 6.76134 7.00227 6.49773C6.73866 6.2341 6.31134 6.2341 6.0477 6.49773L3.3477 9.19773C3.0841 9.46134 3.0841 9.88866 3.3477 10.1523L6.0477 12.8523C6.31134 13.1159 6.73866 13.1159 7.00227 12.8523C7.26588 12.5887 7.26588 12.1613 7.00227 11.8977L4.77959 9.675L7.00227 7.45227ZM15.1189 8.18451C15.4364 8.25372 15.515 8.6409 15.2852 8.87067L13.5716 10.5842C13.0347 11.1209 13.0347 11.9913 13.5716 12.5282C14.1083 13.0649 14.9786 13.0649 15.5154 12.5282L17.2292 10.8145C17.459 10.5847 17.8463 10.6633 17.9155 10.9808C18.1726 12.1595 17.8429 13.4406 16.9263 14.3571C15.8386 15.4447 14.2375 15.7059 12.903 15.1408L10.4467 17.5974C9.90981 18.1342 9.03942 18.1342 8.50266 17.5974C7.96581 17.0607 7.96581 16.1904 8.50266 15.6536L10.9588 13.1971C10.3932 11.8628 10.6543 10.2613 11.7422 9.17352C12.6588 8.25705 13.94 7.92738 15.1189 8.18451Z" fill="#0883D9"/>
</g>
<defs>
<clipPath id="clip0_443_483">
<rect width="18" height="18" fill="white"/>
</clipPath>
</defs>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.7 KiB

14
windows/configuration/index.yml
View File

@ -38,20 +38,18 @@ landingContent:
linkLists:
- linkListType: concept
links:
- text: Kiosk options in Windows
url: kiosk/index.md
- text: What is Assigned Access?
url: assigned-access/overview.md
- text: What is Shell Launcher?
url: assigned-access/shell-launcher/index.md
- linkListType: how-to-guide
links:
- text: Configure kiosks and restricted user experiences
url: assigned-access/index.md
- text: What is Shell Launcher?
url: shell-launcher/index.md
- linkListType: quickstart
links:
- text: Configure a kiosk with Assigned Access
url: assigned-access/quickstart-kiosk.md
- text: Configure a kiosk with Shell Launcher
url: assigned-access/shell-launcher/quickstart-kiosk.md
url: shell-launcher/quickstart-kiosk.md
- text: Configure a restricted user experience with Assigned Access
url: assigned-access/quickstart-restricted-user-experience.md
- linkListType: reference
@ -59,7 +57,7 @@ landingContent:
- text: Assigned Access XML Schema Definition (XSD)
url: assigned-access/xsd.md
- text: Shell Launcher XML Schema Definition (XSD)
url: assigned-access/shell-launcher/xsd.md
url: shell-launcher/xsd.md
- title: Configure shared devices
linkLists:

98
windows/configuration/keyboard-filter/toc.yml
View File

@ -1,53 +1,51 @@
items:
- name: Keyboard Filter
- name: About keyboard filter
href: index.md
- name: Key Names
href: keyboardfilter-key-names.md
- name: Predefined Key Combinations
href: predefined-key-combinations.md
- name: WMI Provider Reference
items:
- name: About keyboard filter
href: index.md
- name: Key Names
href: keyboardfilter-key-names.md
- name: Predefined Key Combinations
- name: Overview
href: keyboardfilter-wmi-provider-reference.md
- name: Class WEKF_CustomKey
items:
- name: Overview
href: wekf-customkey.md
- name: Add
href: wekf-customkeyadd.md
- name: Remove
href: wekf-customkeyremove.md
- name: Class WEKF_PredefinedKey
items:
- name: Overview
href: wekf-predefinedkey.md
- name: Disable
href: wekf-predefinedkeydisable.md
- name: Enable
href: wekf-predefinedkeyenable.md
- name: Class WEKF_Scancode
items:
- name: Overview
href: wekf-scancode.md
- name: Add
href: wekf-scancodeadd.md
- name: Remove
href: wekf-scancoderemove.md
- name: Class WEKF-Settings
href: wekf-settings.md
- name: PowerShell script samples
items:
- name: Overview
href: keyboardfilter-powershell-script-samples.md
- name: Add blocked key Combinations
href: keyboardfilter-add-blocked-key-combinations.md
- name: Disable all blocked key Combinations
href: disable-all-blocked-key-combinations.md
- name: List all configured key combinations
href: keyboardfilter-list-all-configured-key-combinations.md
- name: WMI Provider Reference
items:
- name: Overview
href: keyboardfilter-wmi-provider-reference.md
- name: Class WEKF_CustomKey
items:
- name: Overview
href: wekf-customkey.md
- name: Add
href: wekf-customkeyadd.md
- name: Remove
href: wekf-customkeyremove.md
- name: Class WEKF_PredefinedKey
items:
- name: Overview
href: wekf-predefinedkey.md
- name: Disable
href: wekf-predefinedkeydisable.md
- name: Enable
href: wekf-predefinedkeyenable.md
- name: Class WEKF_Scancode
items:
- name: Overview
href: wekf-scancode.md
- name: Add
href: wekf-scancodeadd.md
- name: Remove
href: wekf-scancoderemove.md
- name: Class WEKF-Settings
href: wekf-settings.md
- name: PowerShell script samples
items:
- name: Overview
href: keyboardfilter-powershell-script-samples.md
- name: Add blocked key Combinations
href: keyboardfilter-add-blocked-key-combinations.md
- name: Disable all blocked key Combinations
href: disable-all-blocked-key-combinations.md
- name: List all configured key combinations
href: keyboardfilter-list-all-configured-key-combinations.md
- name: Modify global settings
href: modify-global-settings.md
- name: Remove key combination configurations
href: remove-key-combination-configurations.md
- name: Modify global settings
href: modify-global-settings.md
- name: Remove key combination configurations
href: remove-key-combination-configurations.md

0
windows/configuration/assigned-access/images/kiosk.png → windows/configuration/kiosk/images/kiosk.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 4.6 KiB

After

Width:  |  Height:  |  Size: 4.6 KiB

BIN
windows/configuration/kiosk/images/restricted-user-experience-example.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 270 KiB

0
windows/configuration/assigned-access/images/restricted-user-experience.png → windows/configuration/kiosk/images/restricted-user-experience.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 5.4 KiB

After

Width:  |  Height:  |  Size: 5.4 KiB

95
windows/configuration/kiosk/index.md Normal file
View File

@ -0,0 +1,95 @@
---
title: Windows Single-App and Multi-App Kiosk Configuration Options Overview
description: Learn how to configure Windows kiosks with single-app and multi-app options for a secure and enhanced user experience.
ms.topic: overview
ms.date: 3/7/2025
---
# Windows kiosks configuration options overview
Organizations are constantly seeking ways to streamline operations, improve customer service, and enhance productivity. One effective solution is the deployment of kiosk devices. These specialized devices offer a range of benefits that can significantly impact an organization's efficiency and success. For example:
- **Cost-effective customer service**: kiosks allow organizations to provide essential services without the need for dedicated staff. Whether it's checking in at a hotel, ordering food at a restaurant, or printing boarding passes at an airport, kiosks reduce labor costs while maintaining service quality. Customers appreciate the convenience of self-service options, leading to higher satisfaction levels
- **Reduced wait times**: long queues and wait times frustrate customers and staff members. Kiosks expedite processes by allowing users to complete tasks independently. Whether it's paying bills, renewing memberships, or accessing information, kiosks empower users to get things done swiftly
- **Consistent brand experience**: kiosks ensure a uniform brand experience across different locations. Whether in retail stores, schools, airports, or healthcare facilities, the interface remains consistent. Brand consistency builds trust and reinforces the organization's image
- **Customization and flexibility**: kiosks can be tailored to specific needs. From touchscreens to barcode scanners, organizations choose features that align with their goals. Whether it's self-checkout, wayfinding, or interactive product catalogs, kiosks adapt to diverse requirements
Windows offers two kiosk modes for public or specialized use:
:::row:::
:::column span="1":::
:::image type="content" source="images/kiosk.png" alt-text="Icon representing a kiosk." border="false":::
:::column-end:::
:::column span="3":::
#### Single-app kiosk
:::column-end:::
:::row-end:::
This option runs a single application in full screen, and people using the device can only use that app. When the designated kiosk account signs in, the kiosk app launches automatically. This option is sometimes referred to as *single-app kiosk*.
Windows has two features to configure a single-app kiosk:
- **Assigned Access**: used to execute a single Universal Windows Platform (UWP) app or Microsoft Edge in full screen above the lock screen. When the kiosk account signs in, the kiosk app launches automatically. If the UWP app is closed, it automatically restarts
- **Shell Launcher**: used to configure a device to execute a Windows desktop application as the user interface. The application that you specify replaces the default Windows shell (`Explorer.exe`) that usually runs when a user signs in. This type of single-app kiosk doesn't run above the lock screen
:::row:::
:::column span="1":::
:::image type="content" source="images/restricted-user-experience.png" alt-text="Icon representing a restricted user experience." border="false":::
:::column-end:::
:::column span="3":::
#### Restricted user experience
:::column-end:::
:::row-end:::
This option loads the Windows desktop, but it only allows to run a defined set of applications. When the designated user signs in, the user can only run the apps that are allowed. The Start menu is customized to show only the apps that are allowed to execute. With this approach, you can configure a locked-down experience for different account types. This option is sometimes referred to as *multi-app kiosk*.
:::image type="content" source="images/restricted-user-experience-example.png" alt-text="Screenshot of a restricted user experience in Windows 11." border="false":::
To configure a restricted user experience, you use the **Assigned Access** feature.
> [!NOTE]
> You can't configure both Shell Launcher and Assigned Access on the same system.
## Choose the right experience
When you're considering a kiosk or restricted user experience, you need to choose the right experience for your needs. A good approach is to ask yourself the following set of questions:
| | Question |
|--|--|
| **🔲** | *How many apps?* <br>The number of apps determines the experience to build: **kiosk** or **restricted user experience**.|
| **🔲** | *Desktop experience or custom?* <br>If your users require access to the desktop with a custom Start menu, then you can build a **restricted user experience** with **Assigned Access**. If your users require access to multiple applications but with a custom user interface, then you should use **Shell Launcher**.|
| **🔲** | *In single-app scenario, which type of app will your kiosk run?* <br>If the kiosk requires a Universal Windows Platform (UWP) app or Microsoft Edge, you can build a **kiosk experience** with **Assigned Access**. If the kiosk requires a desktop app, you can build a **kiosk experience** with **Shell Launcher**.|
| **🔲** | *Which edition of Windows client will the kiosk run?* <br>**Assigned Access** is supported on Windows Pro and Enterprise/Education. **Shell Launcher** is only supported on Windows Enterprise and Education editions.|
| **🔲** | *Which type of user account will be the kiosk account?* <br>The kiosk account can be a local standard user account, a domain account, or a Microsoft Entra ID account, depending on the method that you use to configure the kiosk. If you require users to sign in and authenticate on the kiosk, you should use an Assigned Access multi-app kiosk configuration. The Assigned Access single-app kiosk configuration doesn't require users to sign in to the kiosk, although they can sign in to the kiosk app if you select an app that has a sign-in method.|
> [!TIP]
>
> A benefit of using an Assigned Access kiosk mode is that a [set of policy settings](../assigned-access/policy-settings.md) are automatically applied to the device to optimize the lock-down experience. Shell Launcher doesn't have any default lockdown policies.
## Microsoft Edge Kiosk Mode
You can use Microsoft Edge kiosk mode to create an Assigned Access single-app or multi-app kiosk experience.
[Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode) offers two lockdown experiences of the browser to create, manage, and provide the best experience for your customers. The following lockdown experiences are available:
- Digital/Interactive Signage experience: Displays a specific site in full-screen mode
- Public-Browsing experience: Runs a limited multi-tab version of Microsoft Edge
Both experiences run a Microsoft Edge InPrivate session, which protects user data.
To learn more, see [Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode).
## Next steps
Learn more about the Windows features to configure kiosk devices:
- [Assigned Access](../assigned-access/index.md)
- [Shell Launcher](../shell-launcher/index.md)
### :::image type="icon" source="../images/icons/rocket.svg" border="false"::: Quickstarts
If you're ready to configure kiosk devices, check out the following quickstarts:
- [Quickstart: configure a single-app kiosk with Assigned Access](../assigned-access/quickstart-kiosk.md)
- [Quickstart: configure a restricted user experience with Assigned Access](../assigned-access/quickstart-restricted-user-experience.md)
- [Quickstart: configure a kiosk with Shell Launcher](../shell-launcher/quickstart-kiosk.md)

11
windows/configuration/kiosk/toc.yml Normal file
View File

@ -0,0 +1,11 @@
items:
- name: Overview
href: index.md
- name: Assigned Access
href: ../assigned-access/toc.yml
- name: Shell Launcher
href: ../shell-launcher/toc.yml
- name: Troubleshoot 🔗
href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting
- name: Configure Microsoft Edge kiosk mode 🔗
href: /deployedge/microsoft-edge-configure-kiosk-mode

4
windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
View File

@ -12,7 +12,7 @@ This article explains how to create and apply a provisioning package that contai
The following wizard options provide a simple interface for configuring common settings for desktop and kiosk devices:
- [Instructions for the desktop wizard](#start-a-new-project)
- [Instructions for the kiosk wizard](../assigned-access/overview.md)
- [Instructions for the kiosk wizard](../assigned-access/index.md)
- [Instructions for the HoloLens wizard](/hololens/hololens-provisioning#provisioning-package-hololens-wizard)
- [Instructions for the Surface Hub wizard](/surface-hub/provisioning-packages-for-surface-hub)
@ -27,7 +27,7 @@ In this example, we use the **Provision desktop devices** option which helps you
- Create local administrator account
- Add applications and certificates
> [IMPORTANT]
> [!IMPORTANT]
> You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
## Start a new project

2
windows/configuration/provisioning-packages/provisioning-packages.md
View File

@ -59,7 +59,7 @@ WCD supports the following scenarios for IT administrators:
Windows Configuration Designer provides the following simple provisioning scenarios:
- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
- [Instructions for the kiosk wizard](../assigned-access/overview.md)
- [Instructions for the kiosk wizard](../assigned-access/index.md)
- [Instructions for the HoloLens wizard](/hololens/hololens-provisioning#provisioning-package-hololens-wizard)
- [Instructions for the Surface Hub wizard](/surface-hub/provisioning-packages-for-surface-hub)

BIN
windows/configuration/settings/images/settings-page-visibility.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

84
windows/configuration/settings/page-visibility.md Normal file
View File

@ -0,0 +1,84 @@
---
title: Configure the Settings Page Visibility in Windows
description: Learn how to configure the pages listed in the Windows Settings app.
ms.topic: how-to
ms.date: 03/03/2025
author: paolomatarazzo
ms.author: paoloma
---
# Configure the Settings page visibility
*Settings* is a Windows application that offers a unified interface to manage the system settings. In certain scenarios, you might want to restrict access to specific Settings pages to ensure a more controlled and secure environment. This is especially beneficial for devices used in specific environments, such as kiosks or student devices, where limiting access to certain options can prevent unauthorized changes and maintain a consistent user experience.
:::image type="content" source="images/settings-page-visibility.png" alt-text="Screenshot of the Settings app configured with a policy setting to limit the categories displayed." border="false":::
This article explains how to configure the Settings app and how to implement the configurations using Microsoft Intune, Configuration Service Provider (CSP), and Group Policy Object (GPO).
## Page visibility list policy setting
You can configure the visibility of Settings pages using the *page visibility list* policy setting. This policy allows you to block a given set of pages from the Settings app. Blocked pages aren't visible in the app and can't be accessed through direct navigation via Uniform Resource Identifier (URI), context menu in Explorer, or other means. Direct navigation to a blocked page results in the first page of Settings displayed instead.
The page visibility list policy has two modes:
- **Show Specific Pages**
- Start the policy string with `showonly:`
- Follow it with a list of Settings page identifiers, separated by semicolons
- **Hide Specific Pages**
- Start the policy string with `hide:`
- Follow it with a list of Settings page identifiers, separated by semicolons
> [!NOTE]
> The identifier for any Settings page is the published URI for that page, minus the `ms-settings:` protocol part. For the list of categories and page identifiers, see [ms-settings: URI scheme reference](https://go.microsoft.com/fwlink/?linkid=2102995#ms-settings-uri-scheme-reference).
## Examples
Show only the **About** and **Bluetooth** pages. Their respective URIs are `ms-settings:about` and `ms-settings:bluetooth`:
`showonly:about;bluetooth`
Hide only the Bluetooth page, which has the URI `ms-settings:bluetooth`:
`hide:bluetooth`
## Configuration
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)]
| Category | Setting name | Value |
|--|--|--|
| **Settings** | - Page Visibility List<br>- Page Visibility List (User)| List of URIs to show or hide, separated by semicolons.|
[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-1].
| Setting |
|--|
|- **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList`<br>- **Data type:** string<br>- **Value:** List of URIs to show or hide, separated by semicolons.<br><br>Or<br><br>- **OMA-URI:** `./User/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList`<br>- **Data type:** string<br>- **Value:** List of URIs to show or hide, separated by semicolons.|
#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)]
| Group policy path | Group policy setting | Value |
| - | - | - |
| **Computer Configuration\Administrative Templates\Control Panel**<br><br>Or<br><br>**User Configuration\Administrative Templates\Control Panel** | Settings Page Visibility | List of URIs to show or hide, separated by semicolons.|
[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
---
## User Experience
By controlling the visibility of Settings pages, you can create a customized user experience tailored to your organization's specific needs. Once the policy is applied, users have access only to the Settings pages you explicitly allow, ensuring a focused and streamlined interface.
<!--links-->
[CSP-1]: /windows/client-management/mdm/policy-csp-settings#pagevisibilitylist
[M365-1]: /microsoft-365/admin/misc/organizational-messages-microsoft-365?view=o365-worldwide
[INT-1]: /mem/intune/configuration/settings-catalog

47
windows/configuration/shell-launcher/browser-support.md
View File

@ -1,47 +0,0 @@
---
title: Browser Support
ms.date: 03/30/2023
ms.topic: concept-article
description: Learn about browser support in Kiosk Mode
---
# Browser Support
Today, you can use two browsers, Internet Explorer 11 and [Microsoft Edge](/deployedge/microsoft-edge-configure-kiosk-mode) to create an assigned access single-app or multi-app kiosk experience.
## Microsoft Edge Kiosk Mode
> Available for LTSC starting in [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/iot-enterprise/whats-new/Windows-10-IoT-Enterprise-LTSC-2021)
[Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode) offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available:
* Digital/Interactive Signage experience - Displays a specific site in full-screen mode.
* Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge.
Both experiences are running a Microsoft Edge InPrivate session, which protects user data.
## Internet Explorer 11
[Internet Explorer 11](/internet-explorer/internet-explorer) is considered a legacy browser, in subsequent releases.
In anticipation of that, you can use [Internet Explorer (IE) mode](/deployedge/edge-ie-mode) on Microsoft Edge. IE mode allows you to run legacy web apps and modern web apps in a single browser.
> [!NOTE]
> For in-support Windows 10 IoT Enterprise [Semi-Annual Channel (SAC) releases](/lifecycle/products/windows-10-iot-enterprise), Internet Explorer 11 will reach end of support on June 15, 2022.
>
> Internet Explorer 11 follows the Long-Term-Servicing-Channel (LTSC) Lifecycle for [Windows 10 IoT Enterprise LTSC](/lifecycle/products/?terms=Windows%2010%20IoT%20Enterprise%20LTSC) products.
## Supported Versions
| Browser | Internet Explorer 11 | Microsoft Edge Legacy | Microsoft Edge |
|--|--|--|--|
| OS Release | [IE11 App](/internet-explorer/internet-explorer) | [Edge Browser - Legacy](/deployedge/microsoft-edge-kiosk-mode-transition-plan) | [New Edge Browser](/deployedge/microsoft-edge-configure-kiosk-mode) |
| Windows 10 IoT Enterprise LTSC 2019 | [Follows OS Release Support Lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2019) | No browser security updates after March, 9, 2021 (removed where applicable). In-box engine supported until OS end of service | Microsoft Edge and WebView2 Runtime not in-box (requires app migration from EdgeHTML) |
| Windows 10 IoT Enterprise, version 21H2 | End of support June 15, 2022 | Removed & replaced with New Microsoft Edge Browser in May 2021 Update | Included in-box or installed with May 2021 Update |
| Windows 10 IoT Enterprise LTSC 2021 | [Follows OS Release Support Lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2021) | Not included | Microsoft Edge included in-box and follows [Modern Lifecycle Policy](/lifecycle/policies/modern) |
| Windows 11 IoT Enterprise | N/A | N/A | Microsoft Edge included in-box and follows [Modern Lifecycle Policy](/lifecycle/policies/modern) |
## Additional Resources
* [Configure Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode)
* [Plan your kiosk mode transition](/deployedge/microsoft-edge-kiosk-mode-transition-plan)

4
windows/configuration/assigned-access/shell-launcher/configuration-file.md → windows/configuration/shell-launcher/configuration-file.md
View File

@ -1,7 +1,7 @@
---
title: Create a Shell Launcher configuration file
description: Learn how to create an XML file to configure a device with Shell Launcher.
ms.date: 10/31/2024
ms.date: 3/7/2025
ms.topic: how-to
---
@ -104,7 +104,7 @@ Each profile defines a `Shell` element, which contains details about the applica
| Property| Description | Details |
|-|-|-|
|`Shell`| Application that is used as a Windows shell. |- For Universal Windows Platform (UWP) apps, you must provide the App User Model ID (AUMID). Learn how to [Find the Application User Model ID of an installed app](../../store/find-aumid.md).<br>- For desktop apps, specify the full path of the executable, which can contain system environment variables in the form of `%variableName%`. You can also specify any parameters that the app might require. |
|`Shell`| Application that is used as a Windows shell. |- For Universal Windows Platform (UWP) apps, you must provide the App User Model ID (AUMID). Learn how to [Find the Application User Model ID of an installed app](../store/find-aumid.md).<br>- For desktop apps, specify the full path of the executable, which can contain system environment variables in the form of `%variableName%`. You can also specify any parameters that the app might require. |
|`V2:AppType`| Defines the type of application. |Allowed values are `Desktop` and `UWP`.|
|`V2:AllAppsFullScreen` | Boolean value that defines if all applications are executed in full screen. |- When set to `true`, Shell Launcher runs every app in full screen, or maximized for desktop apps.<br>- When set to `false` or not set, only the custom shell app runs in full screen; other apps launched by the user run in windowed mode.|

143
windows/configuration/shell-launcher/configure-wmi.md Normal file
View File

@ -0,0 +1,143 @@
---
title: Configure Shell Launcher with the WMI provider
description: Learn how to configure a Windows kiosk using the WMI provider for Shell Launcher.
ms.date: 3/7/2025
ms.topic: reference
---
# Configure Shell Launcher with the WMI provider
This article provides a guide on configuring Shell Launcher using the WMI provider, which consists of a set of classes for managing Shell Launcher settings.
Included in this article is a PowerShell script that demonstrates how to utilize the WMI provider for configuring Shell Launcher. The script offers examples on setting the default shell, assigning a custom shell to a user, and removing a custom shell. Additionally, the WMI provider can be used to enable or disable Shell Launcher.
> [!IMPORTANT]
> The script is not intended to be run as-is. You must modify the script to match your environment and requirements. For example, you must change the user name in the script to match an existing user on your system. The script is provided as a reference only.
```PowerShell
# Verify Shell Launcher license
function Check-ShellLauncherLicenseEnabled
{
[string]$source = @"
using System;
using System.Runtime.InteropServices;
static class CheckShellLauncherLicense
{
const int S_OK = 0;
public static bool IsShellLauncherLicenseEnabled()
{
int enabled = 0;
if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
enabled = 0;
}
return (enabled != 0);
}
static class NativeMethods
{
[DllImport("Slc.dll")]
internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
}
}
"@
$type = Add-Type -TypeDefinition $source -PassThru
return $type[0]::IsShellLauncherLicenseEnabled()
}
[bool]$result = $false
$result = Check-ShellLauncherLicenseEnabled
"`nShell Launcher license enabled is set to " + $result
if (-not($result))
{
"`nThis device doesn't have required license to use Shell Launcher"
exit
}
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods.
try {
$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
} catch [Exception] {
write-host $_.Exception.Message;
write-host "Make sure Shell Launcher feature is enabled"
exit
}
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
$Admins_SID = "S-1-5-32-544"
# Create a function to retrieve the SID for a user account on a machine.
function Get-UsernameSID($AccountName) {
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
return $NTUserSID.Value
}
# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
$Cashier_SID = Get-UsernameSID("Cashier")
# Define actions to take when the shell program exits.
$restart_shell = 0
$restart_device = 1
$shutdown_device = 2
$do_nothing = 3
# Examples. You can change these examples to use the program that you want to use as the shell.
# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
# Display the default shell to verify that it was added correctly.
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
# Set Explorer as the shell for administrators.
$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
# View all the custom shells defined.
"`nCurrent settings for custom shells:"
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
# Enable Shell Launcher
$ShellLauncherClass.SetEnabled($TRUE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
# Remove the new custom shells.
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
# Disable Shell Launcher
$ShellLauncherClass.SetEnabled($FALSE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
```

266
windows/configuration/shell-launcher/configure.md Normal file
View File

@ -0,0 +1,266 @@
---
title: Configure Shell Launcher
description: Learn how to configure Shell Launcher.
ms.date: 3/7/2025
ms.topic: how-to
---
# Configure Shell Launcher
There are two ways you can configure Shell Launcher:
1. Using the `ShellLauncher` node of the [Assigned Access Configuration Service Provider (CSP)](/windows/client-management/mdm/assignedaccess-csp), which also automatically enables Shell Launcher on the device, if the device supports it
1. Using the **Shell Launcher WMI providers** directly in an application. When using this method, you must [enable Shell Launcher](#enable-shell-launcher) first
You can configure the following options for Shell Launcher:
- Add/remove a shell configuration for a specific user or group
- Change the default shell configuration
- Get information on a shell configuration for a specific user or group
> [!NOTE]
> Any changes don't take effect until a user signs in.
## Enable Shell Launcher
Shell Launcher is an optional component in Windows that is not enabled by default. To configure it, you must first enable it. You can enable and configure Shell Launcher in a customized Windows image, or you can enable it before applying a provisioning package to configure it.
> [!NOTE]
> When you configure Shell Launcher with the Assigned Access Configuration Service Provider (CSP), Shell Launcher is automatically enabled, if the device supports it. There's no need to enable Shell Launcher separately when you configure it using Assigned Access CSP.
There are multiple ways to enable Shell Launcher, select the method that best fits your needs to learn more.
#### [:::image type="icon" source="../images/icons/control-panel.svg"::: **Control Panel**](#tab/control-panel1)
To enable Shell Launcher using Control Panel, follow these steps:
1. Open **Control Panel** > **Programs** > **Turn Windows features on or off** or use the command `optionalfeatures.exe`
1. Expand **Device Lockdown** and select **Shell Launcher**
1. Select **OK** to enable Shell Launcher
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/powershell1)
To enable Shell Launcher using PowerShell, follow these steps:
1. Open a PowerShell window with administrator privileges
1. Run the following command:
```powershell
Enable-WindowsOptionalFeature -FeatureName Client-DeviceLockdown,Client-EmbeddedShellLauncher -Online
```
#### [:::image type="icon" source="../images/icons/settings.svg"::: **DISM**](#tab/dism1)
The following example uses a Windows image called `install.wim`, but you can use the same procedure to apply a provisioning package.
1. Open a command prompt with administrator privileges.
1. Copy install.wim to a temporary folder on hard drive (in the following steps, we assume it's called `C:\wim`)
1. Modify the following script to match your environment:
```cmd
@echo off
REM Create a new directory
md c:\wim
REM Mount the image
dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim
REM Enable the feature
dism /image:c:\wim /enable-feature /all /featureName:Client-EmbeddedShellLauncher
REM Commit the change
dism /unmount-wim /MountDir:c:\wim /Commit
```
For more information on DISM, see [What Is Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/what-is-dism).
#### [:::image type="icon" source="../images/icons/dev.svg"::: **WMI**](#tab/wmi)
You can enable or disable Shell Launcher by calling the `SetEnabled` function in the Windows Management Instrumentation (WMI) class `WESL_UserSetting`.
For more information, see [WESL_UserSetting](wesl-usersetting.md).
---
## Launch different shells for different user accounts
By default, Shell Launcher runs the default shell, which is specified when you create the OS image at design time. The default shell is set to the Windows Command Processor (`Cmd.exe`), but you can specify any executable file to be the default shell.
You can also configure Shell Launcher to launch a different shell for specific users or groups if you don't want to run the default shell. For example, you might configure a device to launch a custom application shell for guest accounts, but run the standard Windows Explorer shell for administrator accounts for servicing the device.
When the current signed in account belongs to two or more groups that have different configurations defined for each group, Shell Launcher uses the first configuration it finds. The search order isn't defined, so we recommend that you avoid assigning a user to multiple groups with different Shell Launcher configurations.
> [!NOTE]
> If you use the WMI provider to configure Shell Launcher for a user or group at run time, you must use the security identifier (SID) for that security principal. You can't use the user name or group name.
>
> For more information about common security identifiers, see [Well-known SIDs](/windows/win32/secauthz/well-known-sids).
## Shell Launcher startup and exit behavior
Shell Launcher processes the `Run` and `RunOnce` registry keys before starting the custom shell, so your custom shell doesn't need to handle the automatic startup of other applications and services.
Shell Launcher also handles the behavior of the system when your custom shell exits. You can configure the shell exit behavior if the default behavior doesn't meet your needs. When a custom shell exits, Shell Launcher can perform one of four actions:
- `0`: Restart the shell
- `1`: Restart the device
- `2`: Shut down the device
- `3`: Do nothing
> [!IMPORTANT]
> Make sure that your shell application does not automatically exit and is not automatically closed by any features such as Dialog Filter, as this can lead to an infinite cycle of exiting and restarting, unless the return code action is set to do nothing.
### Default return code action
You can define a default return code action for Shell Launcher with the DefaultReturnCodeAction setting. If you don't change the initial value, the default return code action is set to 0 (zero), which indicates that Shell Launcher restarts the shell when the shell exits.
### Map the exit code to a Shell Launcher action
Shell Launcher can take a specific action based on the exit code returned by the shell. For any given exit code returned by the shell, you can configure the action that Shell Launcher takes by mapping that exit code to one of the shell exit actions.
If the exit code doesn't match a defined value, Shell Launcher performs the default return code action.
For example, your shell might return exit code values of `-1`, `0`, `1`, or `255` depending on how the shell exits. You can configure Shell Launcher to:
- restart the device (`1`) when the shell returns an exit code of value `-1`
- restart the shell (`0`) when the shell returns an exit code of value `0`
- do nothing (`3`) when the shell returns an exit code of value 1
- shut down the device (`2`) when the shell returns an exit code of value `255`
Your custom return code action mapping would look like this:
|Exit code|Action|
|:----:|----|
|`-1`|`1` (restart the device)|
|`0`|`0` (restart the shell)|
|`1`|`3` (do nothing)|
|`255`|`2` (shut down the device)|
## Set your custom shell with the Assigned Access CSP
The configuration of Shell Launcher is done using an XML file. The XML file is applied to the device via the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp#shelllauncher), using one of the following options:
- A Mobile Device Management (MDM) solution, like Microsoft Intune
- Provisioning packages
- The MDM Bridge WMI Provider
> [!NOTE]
> Configuring Shell Launcher using Assigned Access CSP, automatically enables Shell Launcher on the device, if the device supports it.
To learn how to configure the Shell Launcher XML file, see [Create a Shell Launcher configuration file](configuration-file.md).
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
You can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
- **Setting:** `./Vendor/MSFT/AssignedAccess/ShellLauncher`
- **Value:** content of the XML configuration file
Assign the policy to a group that contains as members the devices that you want to configure.
#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
You can configure Shell Launcher by creating a provisioning package and then applying the provisioning package during image deployment time or at runtime:
- If you're creating an installation media with settings for Shell Launcher included in the image, or you're applying a provisioning package during setup, you must enable Shell Launcher on the installation media with DISM for a provisioning package to successfully apply
- If exectuing the provisioning package at runtime, ensure to [enable Shell Launcher](#enable-shell-launcher) before applying the provisioning package
[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
| Path | Setting name | Value |
|--|--|--|
| `SMISettings/ShellLauncher/` | `Enable` | ENABLE |
| `SMISettings/ShellLauncher/` | * | It depends on specific settings. |
[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
```PowerShell
$shellLauncherConfiguration = @"
# content of the XML configuration file
"@
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
Write-Error -ErrorRecord $cimSetError[0]
$timeout = New-TimeSpan -Seconds 30
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
$eventLogFilterHashTable = @{ LogName='Microsoft-Windows-AssignedAccess/Admin' }
do{
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
if($events.Count) {
$events | ForEach-Object {
Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
}
} else {
Write-Warning "Timed-out attempting to retrieve event logs..."
}
Exit 1
}
Write-Output "Successfully applied Shell Launcher configuration"
```
[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
---
> [!TIP]
> For practical examples, see the [Quickstart: configure a kiosk experience with Shell Launcher](quickstart-kiosk.md).
## User experience
After the settings are applied, the users that are configured to use Shell Launcher will execute the custom shell after sign-in.
Depending on your configuration, you can have a user to automatically sign in to the device.
## Remove Shell Launcher
Here are the options to remove Shell Launcher, select the method that best fits your needs:
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
Unassign or delete the policy that contains the configuration.
#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
Uninstall the provisioning package that contains the configuration.
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
```PowerShell
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = $null
Set-CimInstance -CimInstance $obj
```
---
## Next steps
> [!div class="nextstepaction"]
> Learn how to configure the Shell Launcher XML file:
>
> [Create a Shell Launcher configuration file](configuration-file.md)
<!--links-->
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp

2
windows/configuration/assigned-access/shell-launcher/includes/quickstart-intune.md → windows/configuration/shell-launcher/includes/quickstart-intune.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 10/31/2024
ms.date: 3/7/2025
ms.topic: include
---

2
windows/configuration/assigned-access/shell-launcher/includes/quickstart-ps.md → windows/configuration/shell-launcher/includes/quickstart-ps.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 10/31/2024
ms.date: 3/7/2025
ms.topic: include
---

2
windows/configuration/assigned-access/shell-launcher/includes/quickstart-xml.md → windows/configuration/shell-launcher/includes/quickstart-xml.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 10/31/2024
ms.date: 3/7/2025
ms.topic: include
---

357
windows/configuration/shell-launcher/index.md
View File

@ -1,344 +1,65 @@
---
title: Shell Launcher
description: Shell Launcher
ms.date: 06/07/2018
title: Shell Launcher Overview
description: Learn how to configure devices with Shell Launcher.
ms.date: 3/7/2025
ms.topic: overview
---
# Shell Launcher
# Shell Launcher overview
Using Shell Launcher, you can configure a kiosk device to use almost any application or executable as your custom shell. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
Shell Launcher is a Windows feature that you can use to replace the default Windows Explorer shell (`Explorer.exe`) with a Windows desktop application or a Universal Windows Platform (UWP) app. This feature is useful for creating a custom user experience on devices that are used for a specific purpose, including kiosks, ATMs, and digital signage.
You can also configure Shell Launcher to launch different shell applications for different users or user groups.
Shell Launcher controls which application a user gets as the shell after sign-in. It doesn't prevent a user from accessing other desktop applications and system components. From a custom shell, you can launch secondary views displayed on multiple monitors, or launch other apps in full screen on user's demand. You can also configure Shell Launcher to launch different shell applications for different users or user groups.
There are a few exceptions to the applications and executables you can use as a custom shell:
With Shell Launcher, you can use features and methods to control access to other applications or system components. These methods include, but aren't limited to:
- You can't use the following executable as a custom shell: `C:\\Windows\\System32\\Eshell.exe`. Using Eshell.exe as the default shell will result in a blank screen after user signs in.
- You can't use a Universal Windows app as a custom shell.
- You can't use a custom shell to launch Universal Windows apps, for example, the Settings app.
- You can't use an application that launches a different process and exits as a custom shell. For example, you can't specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher isn't aware of the newly created wordpad.exe process, Shell Launcher takes action based on the exit code of **Write.exe**, and restart the custom shell.
- You can't prevent the system from shutting down. For Shell Launcher V1 and V2, you can't block the session ending by returning FALSE upon receiving the [WM_QUERYENDSESSION](/windows/win32/shutdown/wm-queryendsession) message in a graphical application or returning FALSE in the [handler routine](/windows/console/handlerroutine) that is added through the [SetConsoleCtrlHandler](/windows/console/setconsolectrlhandler) function in a console application.
- Configuration Service Provider (CSP)
- Group policy (GPO)
- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)
> [!NOTE]
> You cannot configure both Shell Launcher and assigned access on the same system.
>
> Use **Shell Launcher V2**, you can specify a Universal Windows app as a custom shell. Check [Use Shell Launcher to create a Windows 10 kiosk](/windows/configuration/kiosk-shelllauncher) for the differences between Shell Launcher v1 and Shell Launcher V2.
[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
Shell Launcher processes the **Run** and **RunOnce** registry keys before starting the custom shell, so your custom shell doesn't need to handle the automatic startup of other applications and services.
## Shell Launcher version history
Shell Launcher also handles the behavior of the system when your custom shell exits. You can configure the shell exit behavior if the default behavior doesn't meet your needs.
Shell Launcher has undergone several iterations since its introduction, with the most notable being Shell Launcher v1 and Shell Launcher v2. Each version has brought improvements and new features to enhance the user experience and functionality of custom shells in Windows environments:
Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher such as, [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250), [AppLocker](/windows/iot/iot-enterprise/customize/application-control#applocker), and [Mobile Device Management](/windows/client-management/mdm/)
- Shell Launcher v1 was the original implementation, introduced to provide basic functionality for replacing the default shell. However, it had limitations, such as only supporting Win32 applications as custom shells and lacking flexibility for handling modern app scenarios
- Shell Launcher v2, introduced with Windows 10, version 1809, added support for Universal Windows Platform (UWP) apps as custom shells, making it more versatile for modern environments
> [!NOTE]
>
> In Shell Launcher v1, available in Windows 10, you can only specify a Windows desktop application as the replacement shell. In Shell Launcher v2, available in Windows 10, version 1809 and above, you can also specify a UWP app as the replacement shell.
>
> To use Shell Launcher v2 in version 1809, you need to install the [KB4551853 update](https://support.microsoft.com/topic/may-12-2020-kb4551853-os-build-17763-1217-c2ea33f7-4506-dd13-2739-d9c7bb80b26d).
### Differences between Shell Launcher v1 and Shell Launcher v2
## Differences between Shell Launcher v1 and Shell Launcher v2
- Shell Launcher v1 replaces `Explorer.exe` with `Eshell.exe`, which can only launch a Windows desktop application
- Shell Launcher v2 replaces `Explorer.exe` with `CustomShellHost.exe`, which can launch a Windows desktop application or a UWP app
- In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers more enhancements:
- You can use a custom Windows desktop application that can then launch UWP apps, such as Settings and Touch Keyboard
- From a custom UWP shell, you can launch secondary views and run on multiple monitors
- The custom shell app runs in full screen, and can run other apps in full screen on user's demand
Shell Launcher v1 replaces ```explorer.exe```, the default shell, with ```eshell.exe```, which can launch a Windows desktop application.
Shell Launcher v2 replaces ```explorer.exe``` with ```customshellhost.exe```. This new executable file can launch a Windows desktop application or a UWP app.
In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers more enhancements:
- You can use a custom Windows desktop application that can then launch UWP apps, such as Settings and Touch Keyboard.
- From a custom UWP shell, you can launch secondary views and run on multiple monitors.
- The custom shell app runs in full screen, and can run other apps in full screen on user's demand.
For sample XML configurations for the different app combinations, see [Samples for Shell Launcher v2](https://github.com/microsoft/Windows-IoT-Samples/tree/master/samples/ShellLauncher/ShellLauncherV2).
## Requirements
## Limitations
Windows 10 Enterprise or Windows 10 Education.
Here are some limitations to consider when using Shell Launcher:
## Terminology
- **Turn on, enable:** To make the setting available to the device and optionally apply the settings to the device.
- **Configure:** To customize the setting or subsettings.
- **Embedded Shell Launcher:** This feature is called Embedded Shell Launcher in Windows 10, version 1511.
- **Custom Shell Launcher:** This feature is called Shell Launcher in Windows 10, version 1607 and later.
## Turn on Shell Launcher
Shell Launcher is an optional component and isn't turned on by default in Windows 10. It must be turned on prior to configuring. You can turn on and configure Shell Launcher in a customized Windows 10 image (.wim) if Microsoft Windows hasn't been installed. If Windows has already been installed, you must turn on Shell Launcher before applying a provisioning package to configure Shell Launcher.
### Enable Shell Launcher using Control Panel
1. In the **Search the web and Windows** field, type **Programs and Features** and either press **Enter** or tap or select **Programs and Features** to open it.
1. In the **Programs and Features** window, select **Turn Windows features on or off**.
1. In the **Windows Features** window, expand the **Device Lockdown** node, select or clear the checkbox for **Shell Launcher**, and then select **OK.**
1. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
1. Select **Close** to close the **Windows Features** window.
> [!NOTE]
> Turning on Shell Launcher does not require a device restart.
### Enable Shell Launcher by calling WESL_UserSetting
1. Enable or disable Shell Launcher by calling the WESL_UserSetting.SetEnabled function in the Windows Management Instrumentation (WMI) class WESL_UserSetting.
1. If you enable or disable Shell Launcher using WESL_UserSetting, the changes don't affect any sessions that are currently signed in; you must sign out and sign back in.
This example uses a Windows image called install.wim, but you can use the same procedure to apply a provisioning package (for more information on DISM, see [What Is Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/what-is-dism).
### Enable Shell Launcher using DISM
1. Open a command prompt with administrator privileges.
1. Copy install.wim to a temporary folder on hard drive (in the following steps, we assume it's called C:\\wim).
1. Create a new directory.
```CMD
md c:\wim
```
1. Mount the image.
```CMD
dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim
```
1. Enable the feature.
```CMD
dism /image:c:\wim /enable-feature /all /featureName:Client-EmbeddedShellLauncher
```
1. Commit the change.
```CMD
dism /unmount-wim /MountDir:c:\wim /Commit
```
### Enable Shell Launcher using Windows Configuration Designer
The Shell Launcher settings are also available as Windows provisioning settings so you can configure these settings to be applied during the image runtime. You can set one or all Shell Launcher settings by creating a provisioning package using Windows Configuration Designer and then applying the provisioning package during image deployment time or runtime. If Windows hasn't been installed and you're using Windows Configuration Designer to create installation media with settings for Shell Launcher included in the image or you're applying a provisioning package during setup, you must enable Shell Launcher on the installation media with DISM in order for a provisioning package to successfully apply.
Use the following steps to create a provisioning package that contains the ShellLauncher settings.
1. Build a provisioning package in Windows Configuration Designer by following the instructions in [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package).
1. In the **Available customizations** page, select **Runtime settings** > **SMISettings** > **ShellLauncher**.
1. Set the value of **Enable** to **ENABLE**. More options to configure Shell Launcher appears, and you can set the values as desired.
1. Once you have finished configuring the settings and creating the provisioning package, you can apply the package to the image deployment time or runtime. See the [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) for more information. The process for applying the package to a Windows 10 Enterprise image is the same.
## Configure Shell Launcher
There are two ways you can configure Shell Launcher:
1. In Windows 10, version 1803, you can configure Shell Launcher using the **ShellLauncher** node of the Assigned Access Configuration Service Provider (CSP). See [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp) for details. Configuring Shell Launcher using this method also automatically enables Shell Launcher on the device, if the device supports it.
1. Use the Shell Launcher WMI providers directly in a PowerShell script or application.
You can configure the following options for Shell Launcher:
- Enable or disable Shell Launcher.
- Specify a shell configuration for a specific user or group.
- Remove a shell configuration for a specific user or group.
- Change the default shell configuration.
- Get information on a shell configuration for a specific user or group.
Any changes don't take effect until a user signs in.
## Launch different shells for different user accounts
By default, Shell Launcher runs the default shell, which is specified when you create the OS image at design time. The default shell is set to Cmd.exe, but you can specify any executable file to be the default shell.
You can configure Shell Launcher to launch a different shell for specific users or groups if you don't want to run the default shell. For example, you might configure a device to run a custom application shell for guest accounts, but run the standard Windows Explorer shell for administrator accounts in order to service the device.
If you use the WMI providers to configure Shell Launcher for a user or group at run time, you must use the security identifier (SID) for that user or group; you can't use the user name or group name.
For more information about common security identifiers, see [Well-known SIDs](/windows/win32/secauthz/well-known-sids).
When the current signed in account belongs to two or more groups that have different configurations defined for each group, Shell Launcher uses the first configuration it finds. The search order isn't defined, so we recommend that you avoid assigning a user to multiple groups with different Shell Launcher configurations.
## Perform an action when the shell exits
When a custom shell exits, Shell Launcher can perform one of four actions:
|Action|Description|
|:---:|:---|
|0|Restart the shell.|
|1|Restart the device.|
|2|Shut down the device.|
|3|Do nothing.|
> [!IMPORTANT]
> Make sure that your shell application does not automatically exit and is not automatically closed by any features such as Dialog Filter, as this can lead to an infinite cycle of exiting and restarting, unless the return code action is set to do nothing.
### Default return code action
You can define a default return code action for Shell Launcher with the DefaultReturnCodeAction setting. If you don't change the initial value, the default return code action is set to 0 (zero), which indicates that Shell Launcher restarts the shell when the shell exits.
### Map the exit code to a Shell Launcher action
Shell Launcher can take a specific action based on the exit code returned by the shell. For any given exit code returned by the shell, you can configure the action that Shell Launcher takes by mapping that exit code to one of the shell exit actions.
If the exit code doesn't match a defined value, Shell Launcher performs the default return code action.
For example, your shell might return exit code values of -1, 0, 1, or 255 depending on how the shell exits. You can configure Shell Launcher to:
- restart the device (1) when the shell returns an exit code of value -1
- restart the shell (0) when the shell returns an exit code of value 0
- do nothing (3) when the shell returns an exit code of value 1
- shut down the device (2) when the shell returns an exit code of value 255
Your custom return code action mapping would look like this:
|Exit code|Action|
|:----:|----|
|-1|1 (restart the device)|
|0|0 (restart the shell)|
|1|3 (do nothing)|
|255|2 (shut down the device)|
## Set your custom shell
Modify the following PowerShell script as appropriate and run the script on the device.
```PowerShell
# Check if shell launcher license is enabled
function Check-ShellLauncherLicenseEnabled
{
[string]$source = @"
using System;
using System.Runtime.InteropServices;
static class CheckShellLauncherLicense
{
const int S_OK = 0;
public static bool IsShellLauncherLicenseEnabled()
{
int enabled = 0;
if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
enabled = 0;
}
return (enabled != 0);
}
static class NativeMethods
{
[DllImport("Slc.dll")]
internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
}
}
"@
$type = Add-Type -TypeDefinition $source -PassThru
return $type[0]::IsShellLauncherLicenseEnabled()
}
[bool]$result = $false
$result = Check-ShellLauncherLicenseEnabled
"`nShell Launcher license enabled is set to " + $result
if (-not($result))
{
"`nThis device doesn&#39;t have required license to use Shell Launcher"
exit
}
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods.
try {
$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
} catch [Exception] {
write-host $_.Exception.Message;
write-host "Make sure Shell Launcher feature is enabled"
exit
}
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
$Admins_SID = "S-1-5-32-544"
# Create a function to retrieve the SID for a user account on a machine.
function Get-UsernameSID($AccountName) {
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
return $NTUserSID.Value
}
# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
$Cashier_SID = Get-UsernameSID("Cashier")
# Define actions to take when the shell program exits.
$restart_shell = 0
$restart_device = 1
$shutdown_device = 2
$do_nothing = 3
# Examples. You can change these examples to use the program that you want to use as the shell.
# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
# Display the default shell to verify that it was added correctly.
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
# Set Explorer as the shell for administrators.
$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
# View all the custom shells defined.
"`nCurrent settings for custom shells:"
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
# Enable Shell Launcher
$ShellLauncherClass.SetEnabled($TRUE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
# Remove the new custom shells.
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
# Disable Shell Launcher
$ShellLauncherClass.SetEnabled($FALSE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
```
> [!NOTE]
> The previous script includes examples of multiple configuration options, including removing a custom shell and disabling Shell Launcher. It is not intended to be run as-is.
- Windows doesn't support setting a custom shell before the out-of-box experience (OOBE). If you do, you can't deploy the resulting image
- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you can't specify `write.exe` in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. `Write.exe` creates a 32-bit `wordpad.exe` process and exits. Since Shell Launcher isn't aware of the newly created `wordpad.exe` process, Shell Launcher takes action based on the exit code of `Write.exe`, such as restarting the custom shell
## Shell Launcher user rights
A custom shell is launched with the same level of user rights as the account that is signed in. This means that a user with administrator rights can perform any system action that requires administrator rights, including launching other applications with administrator rights, while a user without administrator rights can't.
A custom shell is launched with the same level of user rights as the account that is signed in. This means that a user with administrative rights can perform any system action that requires administrative rights, including launching other applications with administrative rights.
> [!WARNING]
> If your shell application requires administrator rights and needs to be elevated, and User Account Control (UAC) is present on your device, you must disable UAC in order for Shell Launcher to launch the shell application.
> If your shell application requires administrative rights and needs to be elevated, and User Account Control (UAC) is enabled, you must disable UAC for Shell Launcher to launch the shell application.
## Related articles
## Next steps
- [Unbranded Boot](../unbranded-boot/index.md)
- [Custom Logon](../custom-logon/index.md)
- [Use Shell Launcher to create a Windows 10 Kiosk](/windows/configuration/kiosk-shelllauncher)
- [Launch different shells for different user accounts](/windows-hardware/customize/enterprise/shell-launcher#launch-different-shells-for-different-user-accounts)
- [Perform an action when the shell exits](/windows-hardware/customize/enterprise/shell-launcher#perform-an-action-when-the-shell-exits)
- [Shell Launcher user rights](/windows-hardware/customize/enterprise/shell-launcher#shell-launcher-user-rights)
> [!div class="nextstepaction"]
> Learn how to configure Shell Launcher:
>
> [Configure Shell Launcher](configure.md)
### :::image type="icon" source="../images/icons/rocket.svg" border="false"::: Quickstarts
If you want to quickly test Shell Launcher, check out the following quickstart:
- [Quickstart: configure a kiosk with Shell Launcher](quickstart-kiosk.md)

61
windows/configuration/shell-launcher/kiosk-mode.md
View File

@ -1,61 +0,0 @@
---
title: Kiosk Mode
ms.date: 01/18/2024
ms.topic: overview
description: Learn about Kiosk Mode in Windows IoT Enterprise.
---
# Kiosk mode
Windows IoT Enterprise allows you to build fixed purpose devices such as ATM machines, point-of-sale terminals, medical devices, digital signs, or kiosks. Kiosk mode helps you create a dedicated and locked down user experience on these fixed purpose devices. Windows IoT Enterprise offers a set of different locked-down experiences for public or specialized use: [assigned access single-app kiosks](single-app-kiosk.md), [assigned access multi-app kiosks](multi-app-kiosk.md), or [shell launcher](index.md).
Kiosk configurations are based upon either [assigned access](../assigned-access/overview.md) or [shell launcher](index.md). There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions.
> [!NOTE]
>
> A benefit of using an assigned access kiosk mode is [these policies](/windows/configuration/kiosk-policies) are automatically applied to the device to optimize the lock-down experience.
## Which type of app will your kiosk run?
Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](/windows/configuration/setup-digital-signage), select a digital sign player as your kiosk app. Check out the [Guidelines for Kiosk Apps](/windows/configuration/guidelines-for-assigned-access-app).
## Which type of kiosk do you need?
If you want your kiosk to run a single app for anyone to see or use, consider an [assigned-access single-app kiosk](/windows/configuration/shell-launcher/single-app-kiosk) that runs either a [Universal Windows Platform (UWP) app](/windows/configuration/kiosk-methods#uwp) or a [Windows desktop application](/windows/configuration/kiosk-methods#classic).
For a kiosk that people can sign in to with their accounts or that runs more than one app, consider an [assigned access multi-app kiosk](/windows/configuration/kiosk-methods#desktop).
## Which type of user account will be the kiosk account?
The kiosk account can be a local standard user account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use an assigned access multi-app kiosk configuration. The assigned access single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
## Kiosk capabilities for Windows 10 IoT Enterprise
| Mode | Features | Description | Customer Usage |
|------|----------|------------ |-----------------|
| Assigned access | Single-app kiosk (UWP) | Auto launches a UWP app in full screen and prevents access to other system functions, while monitoring the lifecycle of the kiosk app. Only supports one single-app kiosk profile under one account per device. | Digital signs & single function devices
| Assigned access | Single-app kiosk (Microsoft Edge) | Auto launches Microsoft Edge and prevents access to other system functions, while monitoring the lifecycle of browser. Only supports one single-app kiosk profile under one account per device. | Public browsing kiosks & digital signs |
| Assigned access | Multi-app kiosk (Restricted User Experience) | Windows 10: Always auto launches a restricted Start menu in full screen with the list of allowed app tiles. <br/> Windows 11: Presents the familiar Windows desktop experience with a restricted set of apps. | Frontline Worker shared devices |
| Shell launcher | Shell launcher | Auto launches an app that the customer specifies and monitors the lifecycle of this app. App can be used as a "shell" if desired. No default lockdown policies like hotkey blocking are enforced in Shell Launcher. | Fixed purpose devices with a custom shell experience |
## How to configure your device for kiosk mode?
Visit the following documentation to set up a kiosk according to your scenario:
* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods)
* [Set up a single-app kiosk](/windows/configuration/kiosk-single-app)
* [Set up a multi-app kiosk](/windows/configuration/lock-down-windows-10-to-specific-apps)
* [Configure Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode)
## Additional Resources
* [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app)
* [Validate your kiosk configuration](/windows/configuration/kiosk-validate)
* [Guidelines for choosing an app for assigned access (kiosk mode)](/windows/configuration/guidelines-for-assigned-access-app)
* [Policies enforced on kiosk devices](/windows/configuration/kiosk-policies)
* [Assigned access XML reference](/windows/configuration/kiosk-xml)
* [Use AppLocker to create a Windows 10 kiosk](/windows/configuration/lock-down-windows-10-applocker)
* [Use Shell Launcher to create a Windows 10 kiosk](/windows/configuration/kiosk-shelllauncher)
* [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](/windows/configuration/kiosk-mdm-bridge)
* [Troubleshoot kiosk mode issues](/windows/configuration/kiosk-troubleshoot)
* [Plan your kiosk mode transition to Microsoft Edge](/deployedge/microsoft-edge-kiosk-mode-transition-plan)

39
windows/configuration/shell-launcher/multi-app-kiosk.md
View File

@ -1,39 +0,0 @@
---
title: Multi-App Kiosk
ms.date: 08/16/2023
ms.topic: concept-article
description: Learn about the Multi-App Kiosk in Windows IoT Enterprise.
---
# Assigned access multi-app kiosk
An assigned access multi-app kiosk runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. Here's a [guide](/windows/configuration/lock-down-windows-10-to-specific-apps) on how to set up a multi-app kiosk.
> [!NOTE]
> Multi-app kiosk mode isn't available for Windows 11 IoT Enterprise, version 21H2, or 22H2. Refer to [What's new for subsequent releases](/windows/iot/iot-enterprise/whats-new/release-history#windows-11-iot-enterprise) for information about its return.
>
> **Update** - [Multi-app kiosk mode is now available in Windows 11](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/multi-app-kiosk-mode-now-available-in-windows-11/ba-p/3845558)., version 22H2 as part of the Windows continuous innovation releases. To learn how you can take advantage of features introduced via Windows continuous innovation, see more about how you can access this feature in Windows 11 IoT Enterprise, version 22H2, see [Delivering continuous innovation in Windows 11](https://support.microsoft.com/windows/delivering-continuous-innovation-in-windows-11-b0aa0a27-ea9a-4365-9224-cb155e517f12).
## Benefits of using a multi-app kiosk
The benefit of a kiosk that runs multiple specified apps is to provide an easy-to-understand experience for individuals by showing them only the things they need to use, and removing the things they don't need to access.
A multi-app kiosk is appropriate for devices that are shared by multiple people. Each user can authenticate with the device and receive a customized lockdown experience based on the configuration.
## Configuring your multi-app kiosk
* [Configure a kiosk in Microsoft Intune](/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-in-microsoft-intune)
* [Configure a kiosk using a provisioning package](/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-using-a-provisioning-package)
> [!NOTE]
>
> When you configure a multi-app kiosk, [specific policies](/windows/configuration/kiosk-policies) are enforced that affects all nonadministrator users on the device.
## More Resources
* [New features and improvements](/windows/configuration/lock-down-windows-10-to-specific-apps)
* [Set up a multi-app kiosk](/windows/configuration/lock-down-windows-10-to-specific-apps)
* [Kiosk apps for assigned access: Best practices](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access)
* [Guidelines for choosing an app for assigned access](/windows/configuration/guidelines-for-assigned-access-app)
* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods)
* [More kiosk methods and reference information](/windows/configuration/kiosk-additional-reference)

32
windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md → windows/configuration/shell-launcher/quickstart-kiosk.md
View File

@ -1,11 +1,11 @@
---
title: "Quickstart: configure a kiosk experience with Shell Launcher"
description: Learn how to configure a kiosk experience with Shell Launcher, using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
title: "Quickstart: configure a single-app kiosk with Shell Launcher"
description: Learn how to configure a signle-app kiosk experience with Shell Launcher, using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
ms.date: 10/31/2024
ms.date: 3/7/2025
---
# Quickstart: configure a kiosk experience with Shell Launcher
# Quickstart: configure a kiosk with Shell Launcher
This quickstart provides practical examples of how to configure a *kiosk experience* on Windows with Shell Launcher. The examples describe the steps using a mobile device management solution (MDM) like Microsoft Intune, and PowerShell. While different solutions are used, the configuration settings and results are the same.
@ -22,9 +22,9 @@ The examples can be modified to fit your specific requirements. For example, you
## Configure a kiosk device
[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
> [!TIP]
> Use the following Graph call to automatically create a custom policy in your Microsoft Intune tenant without assignments nor scope tags.
@ -42,13 +42,13 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
[!INCLUDE [quickstart-xml](includes/quickstart-xml.md)]
#### [:::image type="icon" source="../../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
[!INCLUDE [powershell-wmi-bridge-1](../../../../includes/configure/powershell-wmi-bridge-1.md)]
[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
[!INCLUDE [quickstart-ps](includes/quickstart-ps.md)]
[!INCLUDE [powershell-wmi-bridge-2](../../../../includes/configure/powershell-wmi-bridge-2.md)]
[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
---
@ -56,6 +56,20 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
After the settings are applied, reboot the device. A local user account is automatically signed in, opening Microsoft Edge.
## Remove Shell Launcher
Once you no longer need the kiosk configuration, you can remove it.
Here's a PowerShell example to remove the Shell Launcher configuration:
```powershell
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.ShellLauncher = $null
Set-CimInstance -CimInstance $obj
```
## Next steps
> [!div class="nextstepaction"]

38
windows/configuration/shell-launcher/single-app-kiosk.md
View File

@ -1,38 +0,0 @@
---
title: Assigned access Single-App Kiosk
ms.date: 03/30/2023
ms.topic: concept-article
description: Learn about the Single-App Kiosk in Windows IoT Enterprise.
---
# Assigned access single-app kiosk
A single-app kiosk uses the assigned access feature to run a single app above the lock screen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk can't do anything on the device outside of the kiosk app.
> [!NOTE]
>
> Assigned access single-app kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
## Benefits of using a single-app kiosk
A single-app kiosk is ideal for public use. Using [shell launcher](./index.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk runs above the lock screen, and users have access to only this app and nothing else on the system. This experience is often used for public-facing kiosk machines. Check out [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions) for more information.
## Configuring your single-app kiosks
You have several options for configuring your single-app kiosk.
* [Settings App](/windows/configuration/kiosk-single-app#local)
* [PowerShell](/windows/configuration/kiosk-single-app#powershell)
* [Kiosk Wizard in Windows Configuration Designer](/windows/configuration/kiosk-single-app#wizard)
* [Microsoft Intune or other MDM providers](/windows/configuration/kiosk-single-app#mdm)
> [!TIP]
> You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](/windows/configuration/lock-down-windows-10-to-specific-apps) by using a [kiosk profile](/windows/configuration/lock-down-windows-10-to-specific-apps#profile).
## Additional Resources
* [Set up a single-app kiosk](/windows/configuration/kiosk-single-app)
* [Guidelines for choosing an app for assigned access](/windows/configuration/guidelines-for-assigned-access-app)
* [Kiosk apps for assigned access: Best practices](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access)
* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods)
* [More kiosk methods and reference information](/windows/configuration/kiosk-additional-reference)

54
windows/configuration/shell-launcher/toc.yml
View File

@ -1,25 +1,33 @@
items:
- name: Shell Launcher
- name: Overview
href: index.md
- name: Configure Shell Launcher
href: configure.md
- name: "Quickstart: Configure a kiosk"
href: quickstart-kiosk.md
- name: Create a configuration file
href: configuration-file.md
- name: Reference
items:
- name: Overview
href: index.md
- name: WMI Provider Reference
items:
- name: Class WESL_UserSetting
href: wesl-usersetting.md
- name: GetCustomShell
href: wesl-usersettinggetcustomshell.md
- name: GetDefaultShell
href: wesl-usersettinggetdefaultshell.md
- name: IsEnabled
href: wesl-usersettingisenabled.md
- name: RemoveCustomShell
href: wesl-usersettingremovecustomshell.md
- name: SetCustomShell
href: wesl-usersettingsetcustomshell.md
- name: SetDefaultShell
href: wesl-usersettingsetdefaultshell.md
- name: SetEnabled
href: wesl-usersettingsetenabled.md
- name: Shell Launcher XSD
href: xsd.md
- name: WMI Provider
items:
- name: Class WESL_UserSetting
href: wesl-usersetting.md
- name: GetCustomShell
href: wesl-usersettinggetcustomshell.md
- name: GetDefaultShell
href: wesl-usersettinggetdefaultshell.md
- name: IsEnabled
href: wesl-usersettingisenabled.md
- name: RemoveCustomShell
href: wesl-usersettingremovecustomshell.md
- name: SetCustomShell
href: wesl-usersettingsetcustomshell.md
- name: SetDefaultShell
href: wesl-usersettingsetdefaultshell.md
- name: SetEnabled
href: wesl-usersettingsetenabled.md
- name: Configure Shell Launcher with WMI
href: configure-wmi.md

2
windows/configuration/shell-launcher/wesl-usersetting.md
View File

@ -1,7 +1,7 @@
---
title: WESL_UserSetting
description: WESL_UserSetting
ms.date: 02/25/2025
ms.date: 3/7/2025
ms.topic: reference
---

2
windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md
View File

@ -1,7 +1,7 @@
---
title: WESL_UserSetting.GetCustomShell
description: WESL_UserSetting.GetCustomShell
ms.date: 02/25/2025
ms.date: 3/7/2025
ms.topic: reference
---

2
windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md
View File

@ -1,7 +1,7 @@
---
title: WESL_UserSetting.GetDefaultShell
description: WESL_UserSetting.GetDefaultShell
ms.date: 02/25/2025
ms.date: 3/7/2025
ms.topic: reference
---

2
windows/configuration/shell-launcher/wesl-usersettingisenabled.md
View File

@ -1,7 +1,7 @@
---
title: WESL_UserSetting.IsEnabled
description: WESL_UserSetting.IsEnabled
ms.date: 02/25/2025
ms.date: 3/7/2025
ms.topic: reference
---

2
windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md
View File

@ -1,7 +1,7 @@
---
title: WESL_UserSetting.RemoveCustomShell
description: WESL_UserSetting.RemoveCustomShell
ms.date: 02/25/2025
ms.date: 3/7/2025
ms.topic: reference
---

2
windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md
View File

@ -1,7 +1,7 @@
---
title: WESL_UserSetting.SetCustomShell
description: WESL_UserSetting.SetCustomShell
ms.date: 02/25/2025
ms.date: 3/7/2025
ms.topic: reference
---

2
windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md
View File

@ -1,7 +1,7 @@
---
title: WESL_UserSetting.SetDefaultShell
description: WESL_UserSetting.SetDefaultShell
ms.date: 02/25/2025
ms.date: 3/7/2025
ms.topic: reference
---

2
windows/configuration/shell-launcher/wesl-usersettingsetenabled.md
View File

@ -1,7 +1,7 @@
---
title: WESL_UserSetting.SetEnabled
description: WESL_UserSetting.SetEnabled
ms.date: 02/25/2025
ms.date: 3/7/2025
ms.topic: reference
---

2
windows/configuration/assigned-access/shell-launcher/xsd.md → windows/configuration/shell-launcher/xsd.md
View File

@ -2,7 +2,7 @@
title: Shell Launcher XML Schema Definition (XSD)
description: Shell Launcher XSD reference article.
ms.topic: reference
ms.date: 10/31/2024
ms.date: 3/7/2025
---
# Shell Launcher XML Schema Definition (XSD)

BIN
windows/configuration/start/images/windows-11-settings.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 325 KiB

After

Width:  |  Height:  |  Size: 328 KiB

BIN
windows/configuration/start/images/windows-11.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 167 KiB

After

Width:  |  Height:  |  Size: 169 KiB

23
windows/configuration/start/includes/example-secondary-tiles.md
View File

@ -7,6 +7,8 @@ ms.topic: include
Example of secondary tiles in XML generated by the PowerShell cmdlet `Export-StartLayout`:
::: zone pivot="windows-10"
```xml
<start:SecondaryTile
AppUserModelID="Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App"
@ -22,3 +24,24 @@ Example of secondary tiles in XML generated by the PowerShell cmdlet `Export-Sta
ShowNameOnWide310x150Logo="false" BackgroundColor="#efefef" ForegroundText="light"
/>
```
::: zone-end
::: zone pivot="windows-11"
```json
{
"secondaryTile": {
"tileId": "MSEdge._pin_obflpecijelbcglkjpdhljkfbe",
"arguments": " --pin-url=https://intranet.contoso.com/ --profile-directory=Default --launch-tile",
"displayName": "Contoso Intranet",
"packagedAppId": "Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App",
"smallIconPath": "ms-appdata:///local/Pins/MSEdge._pin_obflpecijelbcglkjpdhljkfbe/SmallLogo.png",
"smallIcon": "Base64 encoded value of the logo",
"largeIconPath": "ms-appdata:///local/Pins/MSEdge._pin_obflpecijelbcglkjpdhljkfbe/Logo.png",
"largeIcon": "Base64 encoded value of the logo",
}
}
```
::: zone-end

5
windows/configuration/start/includes/example-start-layout.md
View File

@ -39,7 +39,7 @@ ms.topic: include
```json
{
"pinnedList": [
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk" },
{ "desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk" },
{ "packagedAppId": "windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" },
{ "desktopAppLink": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk" },
{ "desktopAppLink": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk" },
@ -49,7 +49,8 @@ ms.topic: include
{ "packagedAppId": "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!App" },
{ "packagedAppId": "Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe!App" },
{ "packagedAppId": "Microsoft.SecHealthUI_8wekyb3d8bbwe!SecHealthUI" },
{ "packagedAppId": "Microsoft.OutlookForWindows_8wekyb3d8bbwe!Microsoft.OutlookforWindows"}
{ "packagedAppId": "Microsoft.OutlookForWindows_8wekyb3d8bbwe!Microsoft.OutlookforWindows"},
{"secondaryTile": { "tileId": "MSEdge._pin_mjalfbhoimpkfjlpajnjkpknoe", "arguments": " --pin-url=https://www.contoso.com --profile-directory=Default --launch-tile", "displayName": "Contoso intranet", "packagedAppId": "Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App", "smallIconPath": "ms-appdata:///local/Pins/MSEdge._pin_mjalfbhoimpkfjlpajnjkpknoe/ContosoLogo.png", "smallIcon": "iVBORw0KGgoAAAANSUhEUgAAADQAAAA0CAYAAADFeBvrAAAACXBIWXMAAAInAAACJwG+ElQIAAABaWlDQ1BEaXNwbGF5IFAzAAB4nHWQvUvDUBTFT6tS0DqIDh0cMolD1NIKdnFoKxRFMFQFq1OafgltfCQpUnETVyn4H1jBWXCwiFRwcXAQRAcR3Zw6KbhoeN6XVNoi3sfl/Ticc7lcwBtQGSv2AijplpFMxKS11Lrke4OHnlOqZrKooiwK/v276/PR9d5PiFlNu3YQ2U9cl84ul3aeAlN//V3Vn8maGv3f1EGNGRbgkYmVbYsJ3iUeMWgp4qrgvMvHgtMunzuelWSc+JZY0gpqhrhJLKc79HwHl4plrbWD2N6f1VeXxRzqUcxhEyYYilBRgQQF4X/8044/ji1yV2BQLo8CLMpESRETssTz0KFhEjJxCEHqkLhz634PrfvJbW3vFZhtcM4v2tpCAzidoZPV29p4BBgaAG7qTDVUR+qh9uZywPsJMJgChu8os2HmwiF3e38M6Hvh/GMM8B0CdpXzryPO7RqFn4Er/QcXKWq8MSlPPgAABFZJREFUeAHdWu1RajEQ3ev4X61AXgX6KhA68FWgrwLpAK0AO0ArUCsQKxArECsAK8jLuTNh9i3J5uMGBc9MhivmY0/2ZEk2l8jCGDOyZWF2FxNbeuDS2Iex/RzS7mPaNM0AhBb2j0P6Gfi1Txsms1wu6fPzs/1E6fV6dHBwQIeHGxm2t0+V8fLyQrPZjKbTafs5n8+99UDo9PSUzs/Pqd/v08nJCVWBqYDFYmGur6+NNdCgy5KCtnd3d6Yj+lhDhjrg5uaGbm9vWzlJwAuQGDzBAa/Be742qG8nhy4uLqgAg2IPvb6+Gjt4dNaHw6Gx8vP28f7+biaTibGSW2uLvvH/XA8VEbIeyZYUDISkQkbi+8vLy7V2kPJGCWGAkMGYaRiFz9B6Qj3NSBCTHoOXN0JIkrFrxIxGo+CsI1g8PDx4Zx7Enp+fg2OhX14ffVQlJMlg1mBwChwx35rTvIU2mLQM+aURQsfcCMxeCgkYEAscLniEJgfBh9eNhPY4IciJGxUj44jwmU0NGiHpjsfj/2SuRL84Ia7/mI4leWcAFjkkiugIsnj2BQ20DXmKBwolSOiEYGDKDAKQBveKCxjaOvOFahgugd8x3jc8VkSID6ZpV3oGRqUGDADRjrfnHsC4nLDdQWhdhQlJ76i9MDlEBjTaeNwLCEQysiYEozAhbElSvMPraWsgBTKa5kZWoxHis66tHS6Vgr3XGiC3QjKt2V5CmGVtkTpgsabUywHG5tKDAjLQ3yMP3t7eVs9y68/x+Pi4erYBhGoARw5Loj342WCR3a/3xGqls3rWCOFM41DtxGkBMigl8Hro4+Nj9Xx8fBxszAlpxL8SXkL8JKklM1w9nDK3BVFCR0dH3oah5Md3Yy9WwUYd7/cbSkN1hpcQl5AvkQGAkCO1Td7yEuKBgAcICR4IeID4TngJpRrK6yHBWAv39/c0GAzaZGU2Qr/WlLADwC6ZKu8U5M49M/mYtpfTNpy8npb0SEXHVFaYEM+9aR1yL2m5gRTwnbs8wieSChPisss5DyWmm9Ygz0OQmkxldc762P1U0YkV7XKOEvKIzU+s3GsJE6YT4nLCgLH8ACflUr9aG/xPnn8gW4mM/Fw/mvXhA5ZkfVwEhBFYlyjoMzdBz4NFcdYHkAeumI5RX2o/pWhkeICKZJ/ihAAuvdSIg0FD+TefB78sc+rgS56nLnwYi8Xtk6N2syCDRaesjw+SFAyEQdrtA4zi0ZK31X6I5R1UYnosj5CPFDfQ3Q+BQEhqsYzql94PxUhpJUYklORX0r71CAGhEO2TZEhaIAFphUJ4wd6w+y04bqyx3fcd8ty7CDLngENj6B0GtLm6umr7LUD5LTiHu81OudwiJXTDW102t1U8JIGZf3p6Wr1Joh3h8QYJytnZWa002KA6IQn3jg/k5fIQPB9RGT/ubazfyClsR3ajO+ZN08xA6C/+oN3G3JY/eGjcN1Z6WJW7KL0lPOP++AdqljW+tM7PvwAAAABJRU5ErkJggg==", "largeIconPath": "ms-appdata:///local/Pins/MSEdge._pin_mjalfbhoimpkfjlpajnjkpknoe/ContosoLogo.png" }}
]
}
```

7
windows/configuration/start/layout.md
View File

@ -431,9 +431,10 @@ You can edit the JSON file to make any modifications to the **Pinned** section o
| Key | Description |
|--|--|
| `packagedAppID` | Used for Universal Windows Platform (UWP) apps. To pin a UWP app, use the app's AUMID. |
| `desktopAppID` | Used for desktop apps. To pin a desktop app, use the app's AUMID. If the app doesn't have an AUMID, use the `desktopAppLink` instead. |
| `desktopAppLink` | Used for desktop apps that don't have an associated AUMID. To pin this type of app, use the path to the `.lnk` shortcut that points to the app. |
|`packagedAppID`| Used for Universal Windows Platform (UWP) apps. To pin a UWP app, use the app's AUMID. |
|`desktopAppID`| Used for desktop apps. To pin a desktop app, use the app's AUMID. If the app doesn't have an AUMID, use the `desktopAppLink` instead. |
|`desktopAppLink`| Used for desktop apps that don't have an associated AUMID. To pin this type of app, use the path to the `.lnk` shortcut that points to the app. |
|`secondaryTile`| Used for Microsoft Edge pinned sites. |
::: zone-end

21
windows/configuration/toc.yml
View File

@ -7,17 +7,34 @@ items:
href: start/toc.yml
- name: Taskbar
href: taskbar/toc.yml
- name: Desktop and lock screen backgrounds
href: background/index.md
- name: Windows spotlight
href: windows-spotlight/index.md
- name: Settings page visibility
href: settings/page-visibility.md
- name: Microsoft Store
href: store/toc.yml
- name: Cellular settings
href: cellular/provisioning-apn.md
- name: Kiosks and restricted user experiences
href: assigned-access/toc.yml
- name: Windows kiosk options
href: kiosk/toc.yml
- name: Multi-user and guest devices
href: shared-pc/toc.yml
- name: Provisioning packages
href: provisioning-packages/toc.yml
- name: Windows Configuration Designer
href: wcd/toc.yml
- name: Unbranded boot
href: unbranded-boot/index.md
- name: Unified write filter
href: unified-write-filter/toc.yml
- name: Keyboard Filter
href: keyboard-filter/toc.yml
- name: Custom Logon
items:
- name: Configure Custom Logon
href: custom-logon/index.md
- name: Troubleshoot
href: custom-logon/troubleshoot.md

239
windows/configuration/unified-write-filter/toc.yml
View File

@ -1,126 +1,123 @@
items:
- name: Unified Write Filter
- name: Overview
href: index.md
- name: Hibernate Once/Resume Many (HORM)
href: hibernate-once-resume-many-horm.md
- name: Exclusions
href: uwfexclusions.md
- name: Overlay
href: uwfoverlay.md
- name: Enable
href: uwf-turnonuwf.md
- name: Command Line Utility (uwfmgr.exe)
href: uwfmgrexe.md
- name: Servicing
items:
- name: Servicing protected devices
href: service-uwf-protected-devices.md
- name: Antimalware support
href: uwf-antimalware-support.md
- name: Windows Updates
href: uwf-apply-windows-updates.md
- name: OEM Updates
href: uwf-apply-oem-updates.md
- name: Servicing master script
href: uwf-master-servicing-script.md
- name: Servicing screen saver
href: uwf-servicing-screen-saver.md
- name: Troubleshooting
href: uwftroubleshooting.md
- name: WMI Provider Reference
items:
- name: Overview
href: index.md
- name: Hibernate Once/Resume Many (HORM)
href: hibernate-once-resume-many-horm.md
- name: Exclusions
href: uwfexclusions.md
- name: Overlay
href: uwfoverlay.md
- name: Enable
href: uwf-turnonuwf.md
- name: Command Line Utility (uwfmgr.exe)
href: uwfmgrexe.md
- name: Servicing
items:
- name: Servicing protected devices
href: service-uwf-protected-devices.md
- name: Antimalware support
href: uwf-antimalware-support.md
- name: Windows Updates
href: uwf-apply-windows-updates.md
- name: OEM Updates
href: uwf-apply-oem-updates.md
- name: Servicing master script
href: uwf-master-servicing-script.md
- name: Servicing screen saver
href: uwf-servicing-screen-saver.md
- name: Troubleshooting
href: uwftroubleshooting.md
- name: WMI Provider Reference
href: uwf-wmi-provider-reference.md
- name: Class UWF_ExcludedFile
href: uwf-excludedfile.md
- name: Class UWF_ExcludedRegistryKey
href: uwf-excludedregistrykey.md
- name: Class UWF_Filter
items:
- name: Overview
href: uwf-wmi-provider-reference.md
- name: Class UWF_ExcludedFile
href: uwf-excludedfile.md
- name: Class UWF_ExcludedRegistryKey
href: uwf-excludedregistrykey.md
- name: Class UWF_Filter
items:
- name: Overview
href: uwf-filter.md
- name: Disable
href: uwf-filterdisable.md
- name: Enable
href: uwf-filterdisable.md
- name: ResetSettings
href: uwf-filterresetsettings.md
- name: RestartSystem
href: uwf-filterrestartsystem.md
- name: ShutdownSystem
href: uwf-filtershutdownsystem.md
- name: Class UWF_Overlay
items:
- name: Overview
href: uwf-overlay.md
- name: GetOverlayFiles
href: uwf-overlaygetoverlayfiles.md
- name: OverlayFile
href: uwf-overlayfile.md
- name: SetCriticalThreshold
href: uwf-overlaysetcriticalthreshold.md
- name: SetWarningThreshold
href: uwf-overlaysetwarningthreshold.md
- name: Class UWF_OverlayConfig
items:
- name: Overview
href: uwf-overlayconfig.md
- name: SetMaximumSize
href: uwf-overlayconfigsetmaximumsize.md
- name: SetType
href: uwf-overlayconfigsettype.md
- name: Class UWF_RegistryFilter
items:
- name: Overview
href: uwf-registryfilter.md
- name: AddExclusion
href: uwf-registryfilteraddexclusion.md
- name: CommitRegistry
href: uwf-registryfiltercommitregistry.md
- name: CommitRegistryDeletion
href: uwf-registryfiltercommitregistrydeletion.md
- name: FindExclusion
href: uwf-registryfilterfindexclusion.md
- name: GetExclusions
href: uwf-registryfiltergetexclusions.md
- name: RemoveExclusion
href: uwf-registryfilterremoveexclusion.md
- name: Class UWF_Servicing
items:
- name: Overview
href: uwf-servicing.md
- name: Disable
href: uwf-servicingdisable.md
- name: Enable
href: uwf-servicingenable.md
- name: UpdateWindows
href: uwf-servicingupdatewindows.md
- name: Class UWF_Volume
items:
- name: Overview
href: uwf-volume.md
- name: AddExclusion
href: uwf-volumeaddexclusion.md
- name: CommitFile
href: uwf-volumecommitfile.md
- name: CommitFileDeletion
href: uwf-volumecommitfiledeletion.md
- name: FindExclusion
href: uwf-volumefindexclusion.md
- name: GetExclusions
href: uwf-volumegetexclusions.md
- name: protect
href: uwf-volumeprotect.md
- name: RemoveAllExclusions
href: uwf-volumeremoveallexclusions.md
- name: RemoveExclusion
href: uwf-volumeremoveexclusion.md
- name: SetBindByDriveLetter
href: uwf-volumesetbindbydriveletter.md
- name: Unprotect
href: uwf-volumeunprotect.md
- name: Migration from Enhanced Write Filter
href: uwf-wes7-ewf-to-win10-uwf.md
href: uwf-filter.md
- name: Disable
href: uwf-filterdisable.md
- name: Enable
href: uwf-filterdisable.md
- name: ResetSettings
href: uwf-filterresetsettings.md
- name: RestartSystem
href: uwf-filterrestartsystem.md
- name: ShutdownSystem
href: uwf-filtershutdownsystem.md
- name: Class UWF_Overlay
items:
- name: Overview
href: uwf-overlay.md
- name: GetOverlayFiles
href: uwf-overlaygetoverlayfiles.md
- name: OverlayFile
href: uwf-overlayfile.md
- name: SetCriticalThreshold
href: uwf-overlaysetcriticalthreshold.md
- name: SetWarningThreshold
href: uwf-overlaysetwarningthreshold.md
- name: Class UWF_OverlayConfig
items:
- name: Overview
href: uwf-overlayconfig.md
- name: SetMaximumSize
href: uwf-overlayconfigsetmaximumsize.md
- name: SetType
href: uwf-overlayconfigsettype.md
- name: Class UWF_RegistryFilter
items:
- name: Overview
href: uwf-registryfilter.md
- name: AddExclusion
href: uwf-registryfilteraddexclusion.md
- name: CommitRegistry
href: uwf-registryfiltercommitregistry.md
- name: CommitRegistryDeletion
href: uwf-registryfiltercommitregistrydeletion.md
- name: FindExclusion
href: uwf-registryfilterfindexclusion.md
- name: GetExclusions
href: uwf-registryfiltergetexclusions.md
- name: RemoveExclusion
href: uwf-registryfilterremoveexclusion.md
- name: Class UWF_Servicing
items:
- name: Overview
href: uwf-servicing.md
- name: Disable
href: uwf-servicingdisable.md
- name: Enable
href: uwf-servicingenable.md
- name: UpdateWindows
href: uwf-servicingupdatewindows.md
- name: Class UWF_Volume
items:
- name: Overview
href: uwf-volume.md
- name: AddExclusion
href: uwf-volumeaddexclusion.md
- name: CommitFile
href: uwf-volumecommitfile.md
- name: CommitFileDeletion
href: uwf-volumecommitfiledeletion.md
- name: FindExclusion
href: uwf-volumefindexclusion.md
- name: GetExclusions
href: uwf-volumegetexclusions.md
- name: protect
href: uwf-volumeprotect.md
- name: RemoveAllExclusions
href: uwf-volumeremoveallexclusions.md
- name: RemoveExclusion
href: uwf-volumeremoveexclusion.md
- name: SetBindByDriveLetter
href: uwf-volumesetbindbydriveletter.md
- name: Unprotect
href: uwf-volumeunprotect.md
- name: Migration from Enhanced Write Filter
href: uwf-wes7-ewf-to-win10-uwf.md

BIN
windows/configuration/windows-spotlight/images/contoso-lockscreen-10.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 48 KiB

After

Width:  |  Height:  |  Size: 120 KiB

BIN
windows/configuration/windows-spotlight/images/contoso-lockscreen-11.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 62 KiB

After

Width:  |  Height:  |  Size: 127 KiB

18
windows/configuration/windows-spotlight/index.md
View File

@ -94,22 +94,9 @@ Here's a sorted list of the policy settings to configure Windows spotlight:
## Custom lock screen and background images
You can replace the Windows spotlight lock screen and background images with a custom image. When you do so, users can still see suggestions, fun facts, tips, or organizational messages on the lock screen, but the background image is replaced with the custom image.
You can replace the Windows spotlight lock screen and background images with a custom image. When you do so, users can still receive suggestions, fun facts, tips, or organizational messages, but the background image is replaced with the custom image.
To configure the lock screen and background images, use the [Personalization CSP][CSP-2].
|Policy name| CSP | GPO |
|-|-|-|
|[DesktopImageUrl](/windows/client-management/mdm/personalization-csp#desktopimageurl)|✅|✅|
|[LockScreenImageUrl](/windows/client-management/mdm/personalization-csp#lockscreenimageurl)|✅|✅|
>[!NOTE]
> A concern with custom images is how they'll appear on different screen sizes and resolutions. A custom image created in `16:9` aspect ratio (for example, `1600x900`) scales properly on devices using a `16:9` resolution, such as `1280x720` or `1920x1080`. On devices using other aspect ratios, such as `4:3` (`1024x768`) or `16:10` (`1280x800`), height scales correctly and width is cropped to a size equal to the aspect ratio. The image remains centered on the screen.
>
> Lock screen images created at other aspect ratios might scale and center unpredictably on your device when changing aspect ratios. The recommendation for custom images that include text (such as a legal statement), is to create the lock screen image in `16:9` resolution with text contained in the `4:3` region, allowing the text to remain visible at any aspect ratio.
> [!TIP]
> You also have the option to configure a custom lock screen image using [organizational messages in the Microsoft 365 admin center][M365-1].
To learn more, see [Configure the desktop and lock screen background](../background/index.md).
## User experience
@ -137,6 +124,5 @@ To learn more about organizational messages, see:
<!--links-->
[CSP-1]: /windows/client-management/mdm/policy-csp-experience
[CSP-2]: /windows/client-management/mdm/personalization-csp
[INT-1]: /mem/intune/remote-actions/organizational-messages-overview
[M365-1]: /microsoft-365/admin/misc/organizational-messages-microsoft-365?view=o365-worldwide

25
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -1866,20 +1866,37 @@ You can turn off Windows Update by setting the following registry entries:
-OR-
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations** to **Enabled**
This is applicable to Windows 10.
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations** to **Enabled**.
-and-
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features** to **Enabled**
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features** to **Enabled**.
-and-
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** to **Enabled** and ensure all Option settings (Intranet Update Service, Intranet Statistics Server, Alternate Download Server) are set to **" "**
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** to **Enabled** and ensure the settings under **Options** (intranet update service, intranet statistics server, and alternate download server) are set to **" "**.
-and-
- Set the Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Remove access to use all Windows Update features** to **Enabled** and then set **Computer Configurations** to **0 (zero)**.
- Set the Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Remove access to use all Windows Update features** to **Enabled** and then set **Configure notifications** to **0 - Do not show any notifications**.
This is applicable to Windows 11.
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Manage updates offered from Windows Server Update Service** > **Do not connect to any Windows Update Internet locations** to **Enabled**.
-and-
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Manage updates offered from Windows Server Update Service** > **Specify intranet Microsoft update service location** to **Enabled** and ensure the settings under **Options** (intranet update service, intranet statistics server, and alternate download server) are set to **" "**.
-and-
- Set the Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Manage updates offered from Windows Server Update Service** > **Remove access to use all Windows Update features** to **Enabled** and then set **Configure notifications** to **0 - Do not show any notifications**.
-and-
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication settings** > **Turn off access to all Windows Update features** to **Enabled**.
You can turn off automatic updates by doing the following. This isn't recommended.

21
windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md
View File

@ -2,7 +2,7 @@
title: App Control and AppLocker Overview
description: Compare Windows application control technologies.
ms.localizationpriority: medium
ms.date: 09/11/2024
ms.date: 03/09/2025
ms.topic: concept-article
---
@ -18,21 +18,21 @@ App Control was introduced with Windows 10 and allows organizations to control w
App Control policies apply to the managed computer as a whole and affects all users of the device. App Control rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries
- Attributes of the codesigning certificate used to sign an app and its binaries
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
- The reputation of the app as determined by Microsoft's [Intelligent Security Graph](design/use-appcontrol-with-intelligent-security-graph.md)
- The identity of the process that initiated the installation of the app and its binaries ([managed installer](design/configure-authorized-apps-deployed-with-a-managed-installer.md))
- The [path from which the app or file is launched](design/select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903)
- The [path where the app or file exists on disk](design/select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903)
- The process that launched the app or binary
> [!NOTE]
> App Control was originally released as part of Device Guard and called configurable code integrity. Device Guard and configurable code integrity are no longer used except to find where to deploy App Control policy via Group Policy.
> App Control for Business was originally released as part of Device Guard and called configurable code integrity. The terms "Device Guard" and "configurable code integrity" are no longer used with App Control except when deploying policies through Group Policy.
### App Control System Requirements
App Control policies can be created and applied on any client edition of Windows 10 or Windows 11, or on Windows Server 2016 and higher. App Control policies can be deployed via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy App Control policies, but is limited to single-policy format policies that work on Windows Server 2016 and 2019.
For more information on which individual App Control features are available on specific App Control builds, see [App Control feature availability](feature-availability.md).
For more information on which individual App Control features are available on your version of Windows, see [App Control feature availability](feature-availability.md).
## AppLocker
@ -40,9 +40,9 @@ AppLocker was introduced with Windows 7, and allows organizations to control whi
AppLocker policies can apply to all users on a computer, or to individual users and groups. AppLocker rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries.
- Attributes of the codesigning certificate used to sign an app and its binaries.
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file.
- The path from which the app or file is launched.
- The path where the app or file exists on disk.
AppLocker is also used by some features of App Control, including [managed installer](design/configure-authorized-apps-deployed-with-a-managed-installer.md) and the [Intelligent Security Graph](design/use-appcontrol-with-intelligent-security-graph.md).
@ -59,6 +59,11 @@ However, in some cases, AppLocker might be the more appropriate technology for y
- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
- You need to apply different policies for different users or groups on shared computers.
- You don't want to enforce application control on application files such as DLLs or drivers.
AppLocker can also be deployed as a complement to App Control to add user or group-specific rules for shared device scenarios, where it's important to prevent some users from running specific apps. As a best practice, you should enforce App Control at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions.
## What you should read next
- If you want to use App control, one of the most powerful security features in Windows, you must plan and prepare if you want to succeed. Start that by exploring the [App Control for Business Design Guide](design/appcontrol-design-guide.md).
- If you're ready to jump in and start creating policies, revisit Smart App Control and [Use the Smart App Control policy to build your own starter policy](design/create-appcontrol-policy-for-lightly-managed-devices.md).

35
windows/security/application-security/application-control/app-control-for-business/appcontrol.md
View File

@ -4,7 +4,7 @@ description: Application Control restricts which applications users are allowed
ms.localizationpriority: medium
ms.collection:
- tier3
ms.date: 10/25/2024
ms.date: 03/09/2025
ms.topic: overview
---
@ -12,27 +12,27 @@ ms.topic: overview
[!INCLUDE [Feature availability note](includes/feature-availability-note.md)]
With thousands of new malicious files created every day, using traditional methods like antivirus solutions-signature-based detection to fight against malware-provides an inadequate defense against new attacks.
Your organization's data is one of its most valuable assets... and adversaries want it. No matter what security controls you apply over your data, there are no controls to fully protect your most vulnerable target: the trusted user sitting at the keyboard. When a user runs a process, that process shares the same access to your data that the user has. So your sensitive information is easily transmitted, modified, deleted, or encrypted when a user, intentionally or not, runs malicious software. And with thousands of new malicious files created every day, relying solely on traditional methods like antivirus (AV) solutions gives you an inadequate defense against new attacks.
In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software.
Application control changes Windows from a place where all code runs unless your AV solution confidently predicts it's bad, to one where code runs only if your policy says so. The cyber threats you face change rapidly, and your defenses need to change too. Government and security organizations, like the Australian Signals Directorate, frequently cite application control as one of the most effective ways to address the threat of executable file-based malware (.exe, .dll, etc.). It works alongside your AV solution to help mitigate security threats by restricting the apps that users can run and even what code runs in the System Core (kernel).
Application control can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). Application control policies can also block unsigned scripts and MSIs, and restrict Windows PowerShell to run in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes).
> [!IMPORTANT]
> Although application control can significantly harden your computers against malicious code, it's not a replacement for antivirus. You should continue to maintain an active antivirus solution alongside App Control for a well-rounded enterprise security portfolio.
Application control is a crucial line of defense for protecting enterprises given today's threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand the significance of application control and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.).
Although we call it application control, the code running on your system isn't always an app. Application control extends beyond apps to also cover scripts and Microsoft installers (MSI), command-line batch files, and even interactive sessions of Windows PowerShell, which run in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes).
> [!NOTE]
> Although application control can significantly harden your computers against malicious code, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
Windows includes two application control technologies you can use depending on your organization's specific scenarios and requirements:
Windows 10 and Windows 11 include two technologies that can be used for application control depending on your organization's specific scenarios and requirements:
- **App Control for Business**; and
- **App Control for Business (app control)**; and
- **AppLocker**
## App Control and Smart App Control
Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on App Control. App control enables enterprise customers to create a policy that offers the same security and compatibility as Smart App Control with the capability to customize policies to run line-of-business (LOB) apps. To make it easier to implement policy, an [example policy](design/example-appcontrol-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for App Control enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy).
Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) brings robust application control to consumers and to some small businesses with simpler app portfolios. Smart App Control ensures only signed code runs or code predicted to be safe by our intelligent cloud-powered security service. When code is unsigned and the service is unable to predict with confidence that it's safe to run, then we block it. Over time, the code's reputation might change as the service processes new signals it receives. Meanwhile, code determined to be unsafe is always blocked.
Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must use [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect.
While Smart App Control is designed for consumers, we believe it's the ideal starting point for most organizations. And since we built it entirely upon App Control for Business, you can create a policy with the same security and compatibility as Smart App Control that also trusts the line-of-business (LOB) apps your organization needs. The service Smart App Control uses to predict what code is safe to run is also available in App Control for Business and called the Intelligent Security Graph (ISG).
Smart App Control starts in evaluation mode and switches off within 48 hours for enterprise managed devices unless the user turns it on first. If you want to proactively turn off Smart App Control across your organization's endpoints, set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must run [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect.
| Value | Description |
|-------|-------------|
@ -43,11 +43,12 @@ Smart App Control is only available on clean installation of Windows 11 version
> [!IMPORTANT]
> Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
The App Control policy used for Smart App Control comes bundled with the [App Control Wizard](design/appcontrol-wizard.md) policy authoring tool and is also found as an [example policy](design/example-appcontrol-base-policies.md) at *%windir%/schemas/CodeIntegrity/ExamplePolicies/SmartAppControl.xml*. To use this example policy as a starting point for your own policy, see [Use the Smart App Control Policy to build your own base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#use-the-smart-app-control-policy-to-build-your-starter-policy). When using the Smart App Control example policy as the basis for your own custom policy, you must remove the option **Enabled:Conditional Windows Lockdown Policy** so it's ready for use as an App Control for Business policy.
[!INCLUDE [windows-defender-application-control-wdac](../../../../../includes/licensing/windows-defender-application-control-wdac.md)]
## Related articles
## What you should read next
- [App Control design guide](design/appcontrol-design-guide.md)
- [App Control deployment guide](deployment/appcontrol-deployment-guide.md)
- [App Control operational guide](operations/appcontrol-operational-guide.md)
- [AppLocker overview](applocker/applocker-overview.md)
- To learn more about the two application control technologies available in Windows, read [App Control for Business and AppLocker Overview](./appcontrol-and-applocker-overview.md).
- To jump right in and get started creating policies, go revisit Smart App Control and [Use the Smart App Control policy to build your own starter policy](design/create-appcontrol-policy-for-lightly-managed-devices.md).

13
windows/security/application-security/application-control/app-control-for-business/design/allow-com-object-registration-in-appcontrol-policy.md
View File

@ -2,7 +2,7 @@
title: Allow COM object registration in an App Control policy
description: You can allow COM object registration in an App Control for Business policy.
ms.localizationpriority: medium
ms.date: 09/11/2024
ms.date: 02/01/2025
ms.topic: how-to
---
@ -14,13 +14,10 @@ The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component-
## COM object configurability in App Control policy
App Control for Business enforces a built-in allowlist for COM object registration. While this list works for most common application usage scenarios, you may need to allow more COM objects to support the apps used in your organization. You can specify allowed COM objects via their GUID in your App Control policy as described in this article.
App Control for Business enforces a built-in allowlist for COM object registration. While this list works for most common application usage scenarios, you might need to allow more COM objects to support the apps used in your organization. You can specify allowed COM objects via their GUID in your App Control policy as described in this article.
> [!NOTE]
> To add this functionality to other versions of Windows 10, you can install the following or later updates.
- [Windows 10, 1809 June 18, 2019-KB4501371 (OS Build 17763.592)](https://support.microsoft.com/help/4501371/windows-10-update-kb4501371)
- [Windows 10, 1607 June 18, 2019-KB4503294 (OS Build 14393.3053)](https://support.microsoft.com/help/4503294/windows-10-update-kb4503294)
> [!WARNING]
> When App Control is enforced, .NET doesn't load certain COM objects if their registration GUID doesn't match the one calculated by the system at runtime. When that happens, the user sees a general COM load error dialog, but no events or other information is logged to the system. The COM allowlist mechanism described in this article **doesn't affect .NET's GUID validation check for COM objects** leaving those .NET apps incompatible with App Control at this time. For more information, see [App Control Admin Tips & Known Issues: .NET doesn't load COM objects with mismatched GUIDs](../operations/known-issues.md#net-doesnt-load-component-object-model-com-objects-with-mismatched-guids).
### Get COM object GUID
@ -131,7 +128,7 @@ To add this CLSID to the existing policy, follow these steps:
PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath <path to policy xml>\AppControl_policy.xml -Key "{f8d253d9-89a4-4daa-87b6-1168369f0b21}" -Provider WSH -Value true -ValueName EnterpriseDefinedClsId -ValueType Boolean
```
Once the command has run, find the following section added to the policy XML.
Once the command runs, find the following section added to the policy XML.
```XML
<Settings>

31
windows/security/application-security/application-control/app-control-for-business/design/appcontrol-and-dotnet.md
View File

@ -2,43 +2,46 @@
title: App Control for Business and .NET
description: Understand how App Control and .NET work together and use Dynamic Code Security to verify code loaded by .NET at runtime.
ms.localizationpriority: medium
ms.date: 09/11/2024
ms.date: 02/13/2025
ms.topic: article
---
# App Control for Business and .NET
> [!WARNING]
> When App Control is enforced, .NET doesn't load certain Component Object Model (COM) objects if their registration GUID doesn't match the one calculated by the system at runtime. When that happens, the user sees a general COM load error dialog, but no events or other information is logged to the system. For more information, see [App Control Admin Tips & Known Issues: .NET doesn't load COM objects with mismatched GUIDs](../operations/known-issues.md#net-doesnt-load-component-object-model-com-objects-with-mismatched-guids).
.NET apps (as written in a high-level language like C#) are compiled to an Intermediate Language (IL). IL is a compact code format that can be supported on any operating system or architecture. Most .NET apps use APIs that are supported in multiple environments, requiring only the .NET runtime to run. IL needs to be compiled to native code in order to execute on a CPU, for example Arm64 or x64. When .NET compiles IL to native image (NI) on a device with an App Control user mode policy, it first checks whether the original IL file passes the current App Control policies. If so, .NET sets an NTFS extended attribute (EA) on the generated NI file so that App Control knows to trust it as well. When the .NET app runs, App Control sees the EA on the NI file and allows it.
The EA set on the NI file only applies to the currently active App Control policies. If one of the active App Control policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, App Control will block the NI file. .NET handles the block gracefully and falls back to the original IL code. If the IL still passes the latest App Control policies, then the app runs without any functional impact. Since the IL is now being compiled at runtime, you might notice a slight impact to performance of the app. When .NET must fall back to IL, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the App Control EA for all code that passes the latest App Control policies.
The EA set on the NI file only applies to the currently active App Control policies. If one of the active App Control policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, App Control will block the NI file. .NET handles the block gracefully and falls back to the original IL code. If the IL still passes the latest App Control policies, then the app runs without any functional issue. Since the IL is now being compiled at runtime, you might notice a slight reduction in performance of the app. When .NET must fall back to IL, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the App Control EA for all code that passes the latest App Control policies.
In some cases, if an NI file is blocked, you might see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [App Control Admin Tips & Known Issues](../operations/known-issues.md#net-native-images-may-generate-false-positive-block-events).
To mitigate any performance impact caused when the App Control EA isn't valid or missing:
To mitigate any performance reduction caused when the App Control EA isn't valid or is missing:
- Avoid updating the App Control policies often.
- Run `ngen update` (on all machine architectures) to force .NET to regenerate all NI files immediately after applying changes to your App Control policies.
- Migrate applications to .NET Core (.NET 6 or greater).
## App Control and .NET hardening
## App Control and .NET Dynamic Code Security hardening
Security researchers found that some .NET capabilities that allow apps to load libraries from external sources or generate new code at runtime can be used to circumvent App Control controls.
To address this potential vulnerability, App Control includes an option called *Dynamic Code Security* that works with .NET to verify code loaded at runtime.
Security researchers found that some .NET capabilities that allow apps to load libraries from external sources or generate new code at runtime can be used to circumvent App Control. To address this potential vulnerability, App Control includes an option called *Dynamic Code Security* that works with .NET to verify code loaded at runtime.
When the Dynamic Code Security option is enabled, the App Control policy is applied to libraries that .NET loads from external sources. For example, any remote sources, such as the internet or a network share.
When Dynamic Code Security is enabled, your App Control policy is applied to libraries that .NET loads from external or remote sources, like the internet or a network share. It also detects tampering in code generated to disk by .NET and blocks loading code that is tampered. Additionally, some .NET loading features not supported with Dynamic Code Security, including loading unsigned assemblies built with System.Reflection.Emit, are always blocked.
Usually, when dynamic code is blocked, its parent process is stopped or crashes. To prevent this using ASP.NET, you can precompile the dynamic code for deployment only. See ["Precompiling for Deployment Only" in the ASP.NET Precompilation Overview](/previous-versions/aspnet/bb398860(v=vs.100)#precompiling-for-deployment-only).
> [!IMPORTANT]
> .Net dynamic code security hardening is *turned on and enforced* if any App Control policy with UMCI enabled has set option **19 Enabled:Dynamic Code Security**. There is no audit mode for this feature. You should test your apps with this option set before turning it on across large numbers of devices.
> .NET Dynamic Code Security works in audit mode only on Windows 11 24H2 and later, and Windows Server 2025 and later. There's no audit mode for Dynamic Code Security on Windows 10, or on earlier versions of Windows 11 and Windows Server. If any App Control policy sets option **19 Enabled:Dynamic Code Security** on those earlier versions, then dynamic code security hardening is *turned on and enforced* even if the policy is in audit mode. Always test your apps thoroughly and use safe deployment practices when deploying app control policies to production.
Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that was tampered with.
Dynamic Code Security mitigates potential attack techniques often referred to as "second order" attacks. That means that the attacker has access to the system and is able to run code. The second order attacks might be attempts to gain persistence or further obscure the attackers activities. Although Dynamic Code Security is important and recommended, Microsoft also recommends testing the policy in audit mode on systems running Windows 11 24H2 and later, or Windows Server 2025 and later before you enforce it.
Dynamic Code Security isn't enabled by default because existing policies might not account for externally loaded libraries.
Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled.
Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy.
Code blocked by Dynamic Code Security is logged using event ID 3114 in the **CodeIntegrity - Operational** event log. Except for code loaded using one of the unsupported .NET features like System.Reflection.Emit, you can create rules to allow blocked dynamic code using information from the events. See [Use the App Control Wizard to create rules from the App Control Event Logs](./appcontrol-wizard-parsing-event-logs.md).
Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](/previous-versions/aspnet/bb398860(v=vs.100)) document for how to fix that.
> [!NOTE]
> .NET attempts two different methods to run dynamically generated code. If your App Control policy blocks the first method, .NET tries the second one. Each of the two attempts raises a distinct 3114 event. When a 3114 event occurs in isolation, it's safe to ignore as a "false positive" because it only covers the first attempt by .NET to run the code. Only when you see two 3114 events back-to-back within milliseconds for the same code does it indicate an actual issue to review.
To enable Dynamic Code Security, add the following option to the `<Rules>` section of your App Control policy:
To enable Dynamic Code Security, add option **19 - Enabled:Dynamic Code Security** to your App Control policy using the App Control Wizard, the set-ruleoption PowerShell cmdlet, or by adding the following to the `<Rules>` section of your App Control policy XML:
```xml
<Rule>

7
windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md
View File

@ -2,7 +2,7 @@
title: Applications that can bypass App Control and how to block them
description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community.
ms.localizationpriority: medium
ms.date: 09/11/2024
ms.date: 02/23/2025
ms.topic: reference
---
@ -36,7 +36,6 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- lxssmanager.dll
- lxrun.exe
- Microsoft.Build.dll
- Microsoft.Build.Framework.dll
- Microsoft.Workflow.Compiler.exe
- msbuild.exe<sup>2</sup>
- msbuild.dll
@ -101,7 +100,7 @@ If you wish to use this blocklist policy on Windows Server 2016, locate the deny
- msxml6.dll
- jscript9.dll
The blocklist policy that follows includes "Allow all" rules for both kernel and user mode that make it safe to deploy as a standalone App Control policy. On Windows versions 1903 and above, Microsoft recommends converting this policy to multiple policy format using the *Set-CiPolicyIdInfo* cmdlet with the *-ResetPolicyId* switch. Then, you can deploy it as a Base policy side-by-side with any other policies in your environment. To instead add these rules to an existing Base policy, you can merge the policy that follows using the *Merge-CIPolicy* cmdlet. If merging into an existing policy that includes an explicit allowlist, you should first remove the two "Allow all" rules and their corresponding FileRuleRefs from the blocklist policy.
The blocklist policy that follows includes "Allow all" rules for both kernel and user mode that make it safe to deploy as a standalone App Control policy. On Windows versions 1903 and above, Microsoft recommends converting this policy to multiple policy formats using the *Set-CiPolicyIdInfo* cmdlet with the *-ResetPolicyId* switch. Then, you can deploy it as a Base policy side-by-side with any other policies in your environment. To instead add these rules to an existing Base policy, you can merge the policy that follows using the *Merge-CIPolicy* cmdlet. If merging into an existing policy that includes an explicit allowlist, you should first remove the two "Allow all" rules and their corresponding FileRuleRefs from the blocklist policy.
**App Control policy XML**:
@ -168,7 +167,6 @@ The blocklist policy that follows includes "Allow all" rules for both kernel and
<Deny ID="ID_DENY_INTUNE_AGENT" FriendlyName="IntuneWindowsAgent.exe" FileName="Microsoft.Management.Services.IntuneWindowsAgent.exe" MinimumFileVersion="1.46.204.0" />
<Deny ID="ID_DENY_MFC40" FriendlyName="mfc40.dll" FileName="mfc40.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_MS_BUILD" FriendlyName="Microsoft.Build.dll" FileName="Microsoft.Build.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_MS_BUILD_FMWK" FriendlyName="Microsoft.Build.Framework.dll" FileName="Microsoft.Build.Framework.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_MSBUILD" FriendlyName="MSBuild.exe" FileName="MSBuild.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_MSBUILD_DLL" FriendlyName="MSBuild.dll" FileName="MSBuild.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
@ -871,7 +869,6 @@ The blocklist policy that follows includes "Allow all" rules for both kernel and
<FileRuleRef RuleID="ID_DENY_INTUNE_AGENT" />
<FileRuleRef RuleID="ID_DENY_MFC40" />
<FileRuleRef RuleID="ID_DENY_MS_BUILD" />
<FileRuleRef RuleID="ID_DENY_MS_BUILD_FMWK" />
<FileRuleRef RuleID="ID_DENY_MWFC" />
<FileRuleRef RuleID="ID_DENY_MSBUILD" />
<FileRuleRef RuleID="ID_DENY_MSBUILD_DLL" />

24
windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md
View File

@ -2,7 +2,7 @@
title: Policy creation for common App Control usage scenarios
description: Develop a plan for deploying App Control for Business in your organization based on these common scenarios.
ms.localizationpriority: medium
ms.date: 09/11/2024
ms.date: 01/31/2025
ms.topic: install-set-up-deploy
---
@ -10,20 +10,24 @@ ms.topic: install-set-up-deploy
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
Whenever possible, App Control for Business (app control) should be enabled when setting up a device for the first time and before installing any apps. This ensures the system is in a "clean" state when App Control starts, and is especially important for apps allowed because they were installed by a managed installer or because the Intelligent Security Graph (ISG) determined that the app was safe to run.
Typically, deployment of App Control for Business happens best in phases, rather than being a feature that you simply "turn on." The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying App Control in your organization. It's common for organizations to have device use cases across each of the categories described.
## Types of devices
## Common use cases
| Type of device | How App Control relates to this type of device |
| Use case | How App Control relates to this use case |
|------------------------------------|------------------------------------------------------|
| **Lightly managed devices**: Company-owned, but users are free to install software.<br>Devices are required to run organization's antivirus solution and client management tools. | App Control for Business can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. |
| **Fully managed devices**: Allowed software is restricted by IT department.<br>Users can request for more software, or install from a list of applications provided by IT department.<br>Examples: locked-down, company-owned desktops and laptops. | An initial baseline App Control for Business policy can be established and enforced. Whenever the IT department approves more applications, it updates the App Control policy and (for unsigned LOB applications) the catalog. |
| **Block undesirable apps**: Few companies manage all apps centrally, needing a long discovery period before they can even begin to decide what to allow. <BR> Instead, the IT department's focus shifts to block a set of apps they consider problems, while they build their inventory of apps. | Using App Control, deploy a blocklist-only policy alongside an audit allowlist policy to gather information about the apps and processes running on your devices. |
| **Lightly managed devices**: Company-owned, but users are free to install software.<br>Devices are required to run specific apps, like the organization's antivirus solution or its helpdesk client management tools. | App Control for Business can be used to help protect the kernel, and to let users run apps that are signed, are installed by the company's app deployment solution like Intune, were installed to locations where only an admin can write files, and any app with good reputation. |
| **Fully managed devices**: Allowed software is restricted by your IT department.<br>Users can request for more software, or install from a list of applications provided by the IT department.<br>Examples: locked-down, company-owned desktops and laptops. | An initial baseline App Control for Business policy can be established and enforced. Whenever the IT department approves more applications, they may update the App Control policy as part of their app packaging and deployment processes. Alternatively, they may create and sign app catalog files that are then distributed as a dependency of the app. |
| **Fixed-workload devices**: Perform same tasks every day.<br>Lists of approved applications rarely change.<br>Examples: kiosks, point-of-sale systems, call center computers. | App Control for Business can be deployed fully, and deployment and ongoing administration are relatively straightforward.<br>After App Control for Business deployment, only approved applications can run. This rule is because of protections offered by App Control. |
| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, App Control for Business doesn't apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a blocklist only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. |
| **"Dirty" systems**: Introducing an app control solution on systems that are already in use is much more challenging than when you apply it to a new device that hasn't installed any apps yet. Sometimes, trade-offs must be made to maintain productivity even if some apps might be unwanted by the organization. | Using a script to apply App Control policies, organizations can create a policy by scanning each device and creating rules for every binary or script file observed. This set of rules is used to supplement the more restrictive Base policy applied to fresh devices, newly configured. This way, any previously installed app keeps working, but all future installs must pass the organizations newly enforced app control rules. |
## An introduction to Lamna Healthcare Company
In the next set of articles, we'll explore each of the above scenarios using a fictional organization called Lamna Healthcare Company.
In the next set of articles, we'll explore policies to handle scenarios like the ones in the table using a fictional company called Lamna Healthcare Company.
Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff.
@ -33,4 +37,10 @@ Recently, Lamna experienced a ransomware event that required an expensive recove
## Up next
- [Create an App Control for Business policy for lightly managed devices](create-appcontrol-policy-for-lightly-managed-devices.md)
Now, let's create our initial policy using the [Smart App Control](../appcontrol.md#app-control-and-smart-app-control) "circle of trust" as our starting point.
- [Use the Smart App Control policy to build your starter base policy](./create-appcontrol-policy-for-lightly-managed-devices.md).
Or, if you prefer:
- [Use an App Control policy to block specific apps](./create-appcontrol-deny-policy.md).

209
windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md
View File

@ -1,146 +1,106 @@
---
title: Create an App Control policy for lightly managed devices
title: Use the Smart App Control policy to build your starter base policy
description: App Control for Business restricts which applications users are allowed to run and the code that runs in the system core.
ms.topic: how-to
ms.localizationpriority: medium
ms.date: 09/11/2024
ms.date: 03/09/2025
---
# Create an App Control policy for lightly managed devices
# Use the Smart App Control policy to build your starter policy
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
This section outlines the process to create an App Control for Business policy for **lightly managed devices** within an organization. Typically, organizations that are new to App Control will be most successful if they start with a permissive policy like the one described in this article. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their App Control-managed devices as described in later articles.
This article describes how to create an App Control for Business policy using the Smart App Control policy as a template. [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) is an app control-based security solution designed for consumer users. It uses the same technology as App Control for Business so it's easy to use as the basis for an equally robust but flexible enterprise policy.
> [!NOTE]
> Some of the App Control for Business options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's App Control policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
> [!TIP]
> Microsoft recommends the policy created in this article as the ideal starter policy for most App Control deployments to end users' devices. Typically, organizations new to App Control are most successful if they start with a permissive policy like the one described in this article. You can harden the policy over time to achieve a stronger overall security posture on your App Control-managed devices as described in later articles.
As in [App Control for Business deployment in different scenarios: types of devices](common-appcontrol-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices.
As we did in [App Control for Business deployment in different scenarios](common-appcontrol-use-cases.md), let's use the fictional example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna intends to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices.
**Alice Pena** is the IT team lead tasked with the rollout of App Control. Lamna currently has loose application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to App Control and use different policies for different workloads.
**Alice Pena (she/her)** is the IT team lead tasked with the rollout of App Control. Lamna currently has relaxed application usage policies and a culture of maximum app flexibility for users. So, Alice knows they need to take an incremental approach to App Control and likely use different policies for different user segments. But for now, Alice wants a policy that can cover most users without any modifications, Smart App Control's "Signed & Reputable" policy adapted for Lamna.
For most users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value.
## Analyze how Smart App Control's "circle-of-trust" fits for you
Alice follows the guidance from the article [Plan for app control policy lifecycle management](./plan-appcontrol-management.md#policy-xml-lifecycle-management), and starts by analyzing the "circle-of-trust" for Smart App Control's policy. Alice reads Microsoft's online help articles about Smart App Control to understand it well. From that reading, Alice learns that Smart App Control allows only publicly trusted signed code or unsigned code that the [Intelligent Security Graph (ISG)](./use-appcontrol-with-intelligent-security-graph.md) predicts to be safe. Publicly trusted signed code means the signing certificate's issuer is one of the certificate authorities (CA) in Microsoft's Trusted Root Program. Unsigned code is blocked from running if the ISG can't predict that the code is safe to run. And code determined to be unsafe is always blocked.
Now Alice considers how to adapt the policy for Lamna's use. Alice wants to create an initial policy that is as relaxed as possible, but still provides durable security value. Some within Lamna advocate a more aggressive approach than Alice plans. They want to immediately lockdown end users' devices and hope for limited fallout. But the leadership team agrees with Alice that Lamna's app culture, formed slowly over time, won't just go away overnight and so the initial policy needs much flexibility.
### Consider the key factors about your organization
Alice next identifies the key factors about Lamna's environment that affect the company's "circle-of-trust." The policy must be flexible to meet the needs of the business in the short- and medium-term. That gives Lamna time to introduce new app management processes and policies to make it practical for a more restrictive app control policy in the future. The key factors also help Alice choose which systems to include in the first deployment. Alice writes down these factors in the planning document:
- **User privileges:** Most users are standard user, but nearly a quarter have local admin rights on their devices and the option to run any app they choose is a major contributing factor.
- **Operating Systems:** Windows 11 runs most user devices, but Lamna expects ~10% of clients to remain on Windows 10 through the next fiscal year, particularly in smaller satellite offices. Lamna's servers and specialized equipment are out of scope at this time.
- **Client management:** Lamna uses Microsoft Intune for all Windows 11 devices, deployed as Microsoft Entra cloud-native. They continue to use Microsoft Endpoint Configuration Manager (MEMCM) for most Windows 10 devices, deployed as Microsoft Entra hybrid join.
- **App management:** Lamna has hundreds of line-of-business (LOB) apps across its business units. Alice's team deploys most, but not all, of these apps using Intune. And there's a long tail of apps used by smaller teams, including many "Shadow IT" apps, that have no official charter, but are critical to the employees who use them.
- **App development and code signing:** Lamna business units aren't standardized on development platforms and frameworks, so significant variability and complexity is likely. Almost all of the apps use unsigned, or mostly unsigned, code. Although the company now requires codesigning, Lamna's codesigning certificates come from its corporate Public Key Infrastructure (PKI), and require custom rules in the policy.
## Define the "circle-of-trust" for lightly managed devices
Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly managed devices, which currently include most end-user devices:
Based on these factors, Alice writes the pseudo-rules for the Lamna version of Microsoft's Signed & Reputable policy:
- All clients are running Windows 10 version 1903 and above, or Windows 11;
- All clients are managed by Configuration Manager or with Intune.
- Some, but not all, apps are deployed using Configuration Manager;
- Most users are local administrators on their devices;
- Some teams may need more rules to authorize specific apps that don't apply generally to all other users.
1. **"Windows and Microsoft-certified kernel drivers"** One or more signer rules allowing:
- Windows and its components.
- Kernel drivers signed by the Windows Hardware Quality Labs (WHQL) certificate authority.
Based on the above, Alice defines the pseudo-rules for the policy:
2. **"Publicly-trusted signed code"** One or more signer rules allowing:
- Code signed with certificates issued from any certificate authority participating in the [Microsoft Trusted Root Program ("AuthRoot")](/security/trusted-root/program-requirements) or non-OS code signed by Microsoft.
1. **"Windows works"** rules that authorize:
- Windows
- WHQL (third-party kernel drivers)
- Windows Store signed apps
3. **Lamna signed code** One or more signer rules allowing:
- Code signed by certificates issued from Lamna Codesigning private certificate authority (PCA), the intermediate cert issued from their own internal PKI.
1. **"ConfigMgr works"** rules that include:
- Signer and hash rules for Configuration Manager components to properly function.
- **Allow Managed Installer** rule to authorize Configuration Manager as a managed installer.
4. **Allow apps based on their "reputation"** A policy option allowing:
- Apps predicted to be "safe" by the ISG.
1. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
5. **Allow Managed Installer** A policy option allowing:
- Code written to the system by a process designated by policy as a managed installer. For Lamna's managed installer policy, Alice includes the Intune Management Extension, and also well-known autoupdater processes for widely used apps. Alice also includes a filepath rule, "D:\ Lamna Helpdesk\*" where Lamna's helpdesk admins are trained to copy the app installers and scripts they use to repair user's apps and systems.
1. **Signed apps** using a certificate issued by a Windows Trusted Root Program certificate authority
6. **Admin-only path rules** One or more filepath rules for the following locations:
- "C:\Program Files\*"
- "C:\Program Files (x86)\*"
- "%windir%\*"
- "D:\Lamna Helpdesk\*"
1. **Admin-only path rules** for the following locations:
- C:\Program Files\*
- C:\Program Files (x86)\*
- %windir%\*
## Modify the "Signed & Reputable" policy template for your organization
## Create a custom base policy using an example App Control base policy
Alice downloads the App Control Policy Wizard from https://aka.ms/appcontrolwizard and runs it.
Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use the example `SmartAppControl.xml` to create the initial base policy and then customize it to meet Lamna's needs.
1. On the **Welcome** page, Alice sees three options: **Policy Creator**, **Policy Editor**, and **Policy Merger**. Alice selects **Policy Creator** which takes her to the next page.
Alice follows these steps to complete this task:
2. On **Select a Policy Type**, Alice must choose whether to create a *Multiple Policy Format* or *Single Policy Format* policy. Since all of the end users' devices run Windows 11 or current versions of Windows 10, Alice leaves the default *Multiple Policy Format*. Similarly, the choice between *Base Policy* and *Supplemental Policy* is straightforward and, here too, leaves the default *Base Policy* selected. Alice selects **Next** to continue.
1. On a client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
3. The next page is where Alice will **Select a Base Template for the Policy**. The App Control Wizard offers three template policies to use when creating a new Base Policy. Each template policy applies slightly different rules to alter its circle-of-trust and security model of the policy. The three template policies are:
> [!NOTE]
> If you prefer to use a different [example App Control for Business base policy](example-appcontrol-base-policies.md), substitute the example policy path with your preferred base policy in this step.
[![Screenshot that shows selecting a base template for the policy.](../images/appcontrol-wizard-template-selection.png)](../images/appcontrol-wizard-template-selection.png#lightbox)
```powershell
$PolicyPath = $env:userprofile+"\Desktop\"
$PolicyName= "Lamna_LightlyManagedClients_Audit"
$LamnaPolicy=Join-Path $PolicyPath "$PolicyName.xml"
$ExamplePolicy=$env:windir+"\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml"
```
| Template Base Policy | Description |
|---------------------------------|-------------------------------------------------------------------|
| **Default Windows mode** | Default Windows mode authorizes the following components: </br><ul><li>Windows operating system components - any binary installed by a fresh install of Windows</li><li>MSIX packaged apps signed by the Microsoft Store MarketPlace signer</li><li>Microsoft Office365 apps, OneDrive, and Microsoft Teams</li><li>[WHQL signed drivers](/windows-hardware/drivers/install/whql-release-signature)</li></ul>|
| **Allow Microsoft mode** | Allow Microsoft mode authorizes the following components: </br><ul><li>All code allowed by Default Windows mode, plus...</li><li>*All Microsoft-signed software*</li></ul>|
| **Signed and Reputable mode** | Signed and Reputable mode authorizes the following components: </br><ul><li>All code allowed by Allow Microsoft mode, plus...<</li><li>*Files created or installed by a process configured as a [managed installer](./configure-authorized-apps-deployed-with-a-managed-installer.md)*</li><li>*Files with good reputation per [Microsoft Defender's Intelligent Security Graph technology](use-appcontrol-with-intelligent-security-graph.md)*</li></ul>|
Alice selects the **Signed and Reputable mode** template and then **Next**, accepting the defaults for the policy filename and location.
1. Copy the example policy to the desktop:
4. On **Configure Policy Template - Policy rules**, Alice reviews the set of options enabled for the policy. The template already has most options set as recommended by Microsoft. The only changes Alice makes are to check the options for **Managed Installer** and **Require WHQL**. This way apps installed by Intune or any of the other managed installers are automatically allowed, and only kernel drivers built for Windows 10 or higher can run. Selecting **Next** advances the wizard.
```powershell
Copy-Item $ExamplePolicy $LamnaPolicy
```
> [!div class="mx-imgBorder"]
> [![Screenshot that shows rule options UI for Windows Allowed mode policy.](../images/appcontrol-wizard-rule-options-UI-advanced-collapsed.png)](../images/appcontrol-wizard-rule-options-UI-advanced-collapsed.png#lightbox)
1. Modify the policy to remove unsupported rule:
5. The **File Rules** page shows the rules from the Signed and Reputable mode template policy. Alice adds the Signer rule to trust Lamna-signed code, and the filepath rules to allow code in admin-writable-only locations under the two Program Files directories, the Windows directory, and Lamna's Helpdesk folder.
> [!NOTE]
> `SmartAppControl.xml` is available on Windows 11 version 22H2 and later. This policy includes "Enabled:Conditional Windows Lockdown Policy" rule that is unsupported for enterprise App Control policies and must be removed. For more information, see [App Control and Smart App Control](../appcontrol.md#app-control-and-smart-app-control). If you are using an example policy other than `SmartAppControl.xml`, skip this step.
To create each rule, Alice selects **+ Add Custom** which opens the **Custom Rules** dialog where the conditions for the rule are defined. For the first rule, the default selections for **Rule Scope** and **Rule Action** are correct. For the **Rule Type** dropdown, the **Publisher** option is the correct choice to create a Signer rule. Alice then selects **Browse** and picks a file signed by a cert issued by the Lamna Codesigning PCA. The Wizard shows the signature information and information pulled from the resource header section (RSRC) of the file, like ***product name*** and the ***original file name*** with checkboxes by each element. In this case, since they intend to allow everything signed with Lamna's internal codesigning certs, Alice leaves only ***Issuing CA*** and ***Publisher*** checked. With the rule conditions for the Lamna Codesigning PCA rule set, Alice selects **Create Rule** and sees the rule is included in the list. Alice repeats these steps for the rest of Lamna's custom rules.
```powershell
[xml]$xml = Get-Content $LamnaPolicy
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace("ns", $xml.DocumentElement.NamespaceURI)
$node = $xml.SelectSingleNode("//ns:Rules/ns:Rule[ns:Option[.='Enabled:Conditional Windows Lockdown Policy']]", $ns)
$node.ParentNode.RemoveChild($node)
$xml.Save($LamnaPolicy)
```
[![Screenshot that shows custom filepublisher file rule creation.](../images/appcontrol-wizard-custom-publisher-rule.png)](../images/appcontrol-wizard-custom-publisher-rule.png#lightbox)
1. Give the new policy a unique ID, descriptive name, and initial version number:
6. Now that all of the edits described in the pseudo-rules are done, Alice selects **Next** and the wizard creates the App Control policy files. The output files include an XML form and a compiled binary form of the policy. Alice does a cursory review of the XML policy file to confirm the result looks good and then closes the wizard.
```powershell
Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
```
Alice uploads both files to a GitHub repository created specifically for Lamna's app control policy files.
1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to the client device running Windows 10 version 1903 and above, or Windows 11. Merge the Configuration Manager policy with the example policy.
Alice's starter policy is now ready to deploy in audit mode to Lamna's managed devices.
> [!NOTE]
> If you do not use Configuration Manager, skip this step.
## Security considerations of this policy
```powershell
$ConfigMgrPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy,$ConfigMgrPolicy
Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
```
1. Modify the policy to set additional policy rules:
```powershell
Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
```
1. Add rules to allow the Windows and Program Files directories:
```powershell
$PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
$PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
$PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
```
1. If appropriate, add more signer or file rules to further customize the policy for your organization.
1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the App Control for Business policy to a binary format:
```powershell
[xml]$PolicyXML = Get-Content $LamnaPolicy
$LamnaPolicyBin = Join-Path $PolicyPath "$($PolicyXML.SiPolicy.PolicyID).cip"
ConvertFrom-CIPolicy $LamnaPolicy $LamnaPolicyBin
```
1. Upload your base policy XML and the associated binary to a source control solution, such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
## Security considerations of this lightly managed policy
In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include:
In order to minimize the potential to negatively affect user productivity, Alice defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include:
- **Users with administrative access**
@ -148,18 +108,18 @@ In order to minimize user productivity impact, Alice has defined a policy that m
Possible mitigations:
- Use signed App Control policies and UEFI BIOS access protection to prevent tampering of App Control policies.
- To remove the requirement for managed installer, create and deploy signed catalog files as part of the app deployment process.
- Use device attestation to detect the configuration state of App Control at boot time and use that information to condition access to sensitive corporate resources.
- To prevent tampering of App Control policies, use signed App Control policies on systems running Unified Extensible Firmware Interface (UEFI) firmware.
- To remove the need for trusting managed installer, create and deploy signed catalog files or deploy updated policies as part of your regular app deployment and app updating procedures.
- To control access to other corporate resources and data, use the boot time measurement of App Control configuration state from the Trusted Computing Group (TCG) log with device attestation.
- **Unsigned policies**
Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
Any process running as administrator can replace or remove unsigned policies without consequence. Similarly, unsigned supplemental policies can alter the "circle-of-trust" for an unsigned base policy that includes option **17 Enabled:Allow Supplemental Policies**.
Possible mitigations:
- Use signed App Control policies and UEFI BIOS access protection to prevent tampering of App Control policies.
- Limit who can elevate to administrator on the device.
- To prevent tampering of App Control policies, use signed App Control policies on systems running UEFI firmware.
- To minimize the risk, limit who can elevate to administrator on the device.
- **Managed installer**
@ -167,8 +127,8 @@ In order to minimize user productivity impact, Alice has defined a policy that m
Possible mitigations:
- To remove the requirement for managed installer, create and deploy signed catalog files as part of the app deployment process.
- Limit who can elevate to administrator on the device.
- To remove the need for trusting managed installer, create and deploy signed catalog files or deploy updated policies as part of your regular app deployment and app updating procedures.
- To minimize the risk, limit who can elevate to administrator on the device.
- **Intelligent Security Graph (ISG)**
@ -176,12 +136,12 @@ In order to minimize user productivity impact, Alice has defined a policy that m
Possible mitigations:
- Implement policies that require apps be managed by IT. Audit existing app usage and deploy authorized apps using a software distribution solution, like Microsoft Intune. Move from ISG to managed installer or signature-based rules.
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
- To remove the need for trusting ISG, perform a comprehensive audit of existing app usage and installation. Onboard any apps you find that aren't currently managed to your software distribution solution, like Microsoft Intune. Implement policies to require apps become managed by IT. Then transition from ISG to managed installer, signed catalog files and/or updated policy rules and deploy them as part of your regular app deployment and app updating procedures.
- To collect more data for use in security incident investigations and post-incident reviews, deploy a highly restrictive app control policy in audit mode. The data captured in the App Control event logs contains useful information about all code that runs that isn't Windows signed. To prevent your policy from impacting your device performance and functionality, be sure it minimally allows Windows code that runs as part of the boot process.
- **Supplemental policies**
Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
Supplemental policies are designed to expand the "circle-of-trust" defined by the base policy. If the base policy is also unsigned, then any process running as administrator can place an unsigned supplemental policy and expand the "circle-of-trust" of the base policy without restriction.
Possible mitigations:
@ -195,17 +155,18 @@ In order to minimize user productivity impact, Alice has defined a policy that m
Possible mitigations:
- Limit who can elevate to administrator on the device.
- Migrate from filepath rules to managed installer or signature-based rules.
- Transition from filepath rules to managed installer or signature-based rules.
- **Signed files**
- **Signed malware**
Although files that are code-signed verify the author's identity and ensures that the code hasn't been altered by anyone other than the author, it doesn't guarantee that the signed code is safe.
Code signing alone isn't a security solution, but it does provide two critical building blocks that make security solutions like App Control possible. First, code signing strongly associates code with a real-world identity... and a real world identity can face consequences that a nameless, shadowy figure responsible for unsigned malware doesn't. Second, code signing provides cryptographic proof that the code running remains untampered since the publisher signed it. An app control policy that requires all code is signed, or the policy explicitly allows it, raises the stakes and the costs for an attacker. But there remain ways for a motivated attacker to get their malicious code signed and trusted, at least for a while. And even when software comes from a trustworthy source, it doesn't mean it's safe to run. Any code can expose powerful capabilities that a malicious actor could exploit for their own ill-intent. And vulnerabilities can turn the most benign code into something truly dangerous.
Possible mitigations:
- Use a reputable antimalware or antivirus software with real-time protection, such as Microsoft Defender, to protect your devices from malicious files, adware, and other threats.
- Use a reputable anti-malware or antivirus software with real-time protection, such as Microsoft Defender, to protect your devices from malicious files, adware, and other threats.
## Up next
## What you should read next
- [Create an App Control for Business policy for fully managed devices](create-appcontrol-policy-for-fully-managed-devices.md)
- [Prepare to deploy App Control for Business policies](../deployment/appcontrol-deployment-guide.md)
- Learn more about managed installers: how they work, how to set them up, and what are their limitations in [Automatically allow apps deployed by a managed installer](./configure-authorized-apps-deployed-with-a-managed-installer.md).
- Learn how to deploy your starter policy and see it in action in [Deploying App Control for Business policies](../deployment/appcontrol-deployment-guide.md).

16
windows/security/application-security/application-control/app-control-for-business/design/example-appcontrol-base-policies.md
View File

@ -3,7 +3,7 @@ title: Example App Control for Business base policies
description: When creating an App Control for Business policy for an organization, start from one of the many available example base policies.
ms.topic: reference
ms.localizationpriority: medium
ms.date: 09/11/2024
ms.date: 03/09/2025
---
# App Control for Business example base policies
@ -14,18 +14,18 @@ When you create policies for use with App Control for Business, start from an ex
| Example Base Policy | Description | Where it can be found |
|-------------------------|---------------------------------------------------------------|--------|
| **DefaultWindows_\*.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for the [Microsoft Intune product family](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_\*.xml <br> %ProgramFiles%\WindowsApps\Microsoft.App Control.WDACWizard*\DefaultWindows_Audit.xml |
| **AllowMicrosoft.xml** | This example policy includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml <br> %ProgramFiles%\WindowsApps\Microsoft.App Control.WDACWizard*\AllowMicrosoft.xml |
| **DefaultWindows_\*.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for the [Microsoft Intune product family](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_\*.xml <br> %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\DefaultWindows_\*.xml |
| **AllowMicrosoft.xml** | This example policy includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml <br> %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\AllowMicrosoft.xml |
| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml |
| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using App Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml |
| **DenyAllAudit.xml** | ***Warning: Will cause boot issues on Windows Server 2019 and earlier. Do not use on those operating systems.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DenyAllAudit.xml |
| **Microsoft Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in App Control integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise App Control policies and must be removed. For more information about using this example policy, see [Create a custom base policy using an example base policy](create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml <br>%ProgramFiles%\WindowsApps\Microsoft.App Control.WDACWizard*\SignedReputable.xml |
| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise App Control policies and must be removed. For more information about using this example policy, see [Use the Smart App Control policy to build your starter Base policy](create-appcontrol-policy-for-lightly-managed-devices.md#use-the-smart-app-control-policy-to-build-your-starter-policy). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml <br>%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\SignedReputable.xml |
| **Example supplemental policy** | This example policy shows how to use supplemental policy to expand the DefaultWindows_Audit.xml allow a single Microsoft-signed file. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Supplemental.xml |
| **Microsoft Recommended Block List** | This policy includes a list of Windows and Microsoft-signed code that Microsoft recommends blocking when using App Control, if possible. | [Microsoft recommended block rules](applications-that-can-bypass-appcontrol.md) <br> %ProgramFiles%\WindowsApps\Microsoft.App Control.WDACWizard*\Recommended_UserMode_Blocklist.xml |
| **Microsoft recommended driver blocklist** | This policy includes rules to block known vulnerable or malicious kernel drivers. | [Microsoft recommended driver block rules](microsoft-recommended-driver-block-rules.md) <br> %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\RecommendedDriverBlock_Enforced.xml <br> %ProgramFiles%\WindowsApps\Microsoft.App Control.WDACWizard*\Recommended_Driver_Blocklist.xml |
| **Windows S mode** | This policy includes the rules used to enforce [Windows S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85). | %ProgramFiles%\WindowsApps\Microsoft.App Control.WDACWizard*\WinSiPolicy.xml.xml |
| **Windows 11 SE** | This policy includes the rules used to enforce [Windows 11 SE](/education/windows/windows-11-se-overview), a version of Windows built for use in schools. | %ProgramFiles%\WindowsApps\Microsoft.App Control.WDACWizard*\WinSEPolicy.xml.xml |
| **Microsoft Recommended Block List** | This policy includes a list of Windows and Microsoft-signed code that Microsoft recommends blocking when using App Control, if possible. | [Microsoft recommended block rules](applications-that-can-bypass-appcontrol.md) <br> %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\Recommended_UserMode_Blocklist.xml |
| **Microsoft recommended driver blocklist** | This policy includes rules to block known vulnerable or malicious kernel drivers. | [Microsoft recommended driver block rules](microsoft-recommended-driver-block-rules.md) <br> %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\RecommendedDriverBlock_Enforced.xml <br> %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\Recommended_Driver_Blocklist.xml |
| **Windows S mode** | This policy includes the rules used to enforce [Windows S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85). | %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\WinSiPolicy.xml.xml |
| **Windows 11 SE** | This policy includes the rules used to enforce [Windows 11 SE](/education/windows/windows-11-se-overview), a version of Windows built for use in schools. | %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\WinSEPolicy.xml.xml |
> [!NOTE]
> Not all policies shown available at %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies can be found on all versions of Windows.

30
windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md
View File

@ -2,7 +2,7 @@
title: App Control Admin Tips & Known Issues
description: App Control Known Issues
ms.manager: jsuther
ms.date: 09/11/2024
ms.date: 02/13/2025
ms.topic: troubleshooting
ms.localizationpriority: medium
---
@ -28,21 +28,21 @@ For **single policy format App Control policies**, in addition to the two preced
- &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b
> [!NOTE]
> A multiple policy format App Control policy using the single policy format GUID `{A244370E-44C9-4C06-B551-F6016E563076}` may exist under any of the policy file locations.
> A multiple policy format App Control policy using the single policy format GUID `{A244370E-44C9-4C06-B551-F6016E563076}` might exist under any of the policy file locations.
## File Rule Precedence Order
When the App Control engine evaluates files against the active set of policies on the device, rules are applied in the following order. Once a file encounters a match, App Control stops further processing.
1. Explicit deny rules - a file is blocked if any explicit deny rule exists for it, even if other rules are created to try to allow it. Deny rules can use any [rule level](../design/select-types-of-rules-to-create.md#app-control-for-business-file-rule-levels). Use the most specific rule level practical when creating deny rules to avoid blocking more than you intend.
1. Any file matching an explicit deny rule is blocked, even if you create other rules to try to allow it. Deny rules can use any [rule level](../design/select-types-of-rules-to-create.md#app-control-for-business-file-rule-levels). Use the most specific rule level practical when creating deny rules to avoid blocking more than you intend.
2. Explicit allow rules - if any explicit allow rule exists for the file, the file runs.
2. Any file matching an explicit allow rule runs.
3. App Control then checks for the [Managed Installer extended attribute (EA)](../design/configure-authorized-apps-deployed-with-a-managed-installer.md) or the [Intelligent Security Graph (ISG) EA](../design/use-appcontrol-with-intelligent-security-graph.md) on the file. If either EA exists and the policy enables the corresponding option, then the file is allowed.
3. Any file that has a [Managed Installer](../design/configure-authorized-apps-deployed-with-a-managed-installer.md) or [Intelligent Security Graph (ISG)](../design/use-appcontrol-with-intelligent-security-graph.md) extended attribute (EA) runs if the policy enables the matching option (managed installer or ISG).
4. Lastly, App Control makes a cloud call to the ISG to get reputation about the file, if the policy enables the ISG option.
4. Any file that isn't allowed based on the preceding conditions, is checked for reputation using the ISG when that option is enabled in the policy. The file runs if the ISG decides that it's safe and a new ISG EA is written on the file.
5. Any file not allowed by an explicit rule or based on ISG or MI is blocked implicitly.
5. Any file not allowed by an explicit rule, or based on ISG or managed installer, is blocked implicitly.
## Known issues
@ -51,19 +51,29 @@ When the App Control engine evaluates files against the active set of policies o
Until you apply the Windows security update released on or after April 9, 2024, your device is limited to 32 active policies. If the maximum number of policies is exceeded, the device bluescreens referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your App Control policies. Any [Windows inbox policies](inbox-appcontrol-policies.md) that are active on the device also count towards this limit. To remove the maximum policy limit, install the Windows security update released on, or after, April 9, 2024 and then restart the device. Otherwise, reduce the number of policies on the device to remain below 32 policies.
> [!NOTE]
> The policy limit was not removed on Windows 11 21H2, and will remain limited to 32 policies.
> The policy limit wasn't removed on Windows 11 21H2, and remains limited to 32 policies.
### Audit mode policies can change the behavior for some apps or cause app crashes
Although App Control audit mode is designed to avoid impact to apps, some features are always on/always enforced with any App Control policy that turns on user mode code integrity (UMCI) with the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode:
Although App Control audit mode is designed to avoid any effect on apps, some features are always on/always enforced with any App Control policy that turns on user mode code integrity (UMCI) with the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode:
- Some script hosts might block code or run code with fewer privileges even in audit mode. See [Script enforcement with App Control](../design/script-enforcement.md) for information about individual script host behaviors.
- Option **19 Enabled:Dynamic Code Security** is always enforced if any UMCI policy includes that option. See [App Control and .NET](../design/appcontrol-and-dotnet.md#app-control-and-net-hardening).
- Option **19 Enabled:Dynamic Code Security** is always enforced if any UMCI policy includes that option on some versions of Windows and Windows Server. See [App Control and .NET](../design/appcontrol-and-dotnet.md#app-control-and-net-dynamic-code-security-hardening).
### .NET native images may generate false positive block events
In some cases, the code integrity logs where App Control for Business errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET regenerates the native image at its next scheduled maintenance window. To prevent that, consider compiling your .NET application ahead of time using the [Native AOT](/dotnet/core/deploying/native-aot) feature.
### .NET doesn't load Component Object Model (COM) objects with mismatched GUIDs
COM objects make it easy for different software components to communicate and work together. To be used by another component, COM objects must be registered with the operating system. The registration includes a GUID that is calculated based on the object's code. Loading and activation of the COM object is done using another part of the registration called the type name. Sometimes a mismatch exists between the registered GUID and the actual GUID of the activated COM object's code. Mismatches might come from bugs in the app's COM object registration code or if the COM object's code is changed in a way that affects the GUID. Normally, Windows and .NET are forgiving about this condition and runs the COM objects code regardless. But allowing COM objects to load where there are GUID mismatches leaves the system vulnerable to attackers who can exploit the GUID confusion to run unintended code.
To increase App Control's protective effectiveness on a system vulnerable to this attack technique, .NET applies an extra validation to check that the registered COM object GUID matches the system calculated one. If a mismatch is found, .NET doesn't load the COM object and a general COM load error is raised. Apps using COM objects with this condition might behave in unexpected ways and must be updated to fix issues with the app's COM object registration code.
Since this behavior only occurs when App Control policy is enforced on user mode code, you can't detect it while in audit mode. There's no logging or other events when a COM object fails to load due to the extra validation check. Repairing or reinstalling the app can resolve the issue temporarily, but an app update is needed to fix the COM registration issue and prevent future instances of the problem.
There are no policy control options to manage .NET's GUID verification check, meaning the check is always performed. If you see COM object failures after an App Control policy is deployed, contact the software developer or the Independent Software Vendor (ISV) who produces the app to request a fix for the issue.
### Signatures using elliptical curve cryptography (ECC) aren't supported
App Control signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If App Control blocks a file based on ECC signatures, the corresponding 3089 signature information events show VerificationError = 23. You can authorize the files instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA.

2
windows/security/book/includes/local-security-authority-protection.md
View File

@ -13,7 +13,7 @@ By loading only trusted, signed code, LSA provides significant protection agains
[!INCLUDE [new-24h2](new-24h2.md)]
To help keep these credentials safe, LSA protection is enabled by default on all devices (MSA, Microsoft Entra joined, hybrid, and local). For new installs, it is enabled immediately. For upgrades, it is enabled after rebooting after an evaluation period of 10 days.
To help keep these credentials safe, LSA protection is enabled by default on all devices (MSA, Microsoft Entra joined, hybrid, and local). For new installs, it's enabled immediately. For upgrades, it's enabled after rebooting after an evaluation period of five days.
Users have the ability to manage the LSA protection state in the Windows Security application under **Device Security** > **Core Isolation** > **Local Security Authority protection**.

3
windows/security/index.yml
View File

@ -7,6 +7,7 @@ metadata:
ms.topic: landing-page
ms.collection:
- tier1
- essentials-security
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
@ -173,4 +174,4 @@ landingContent:
- text: Universal Print
url: /universal-print
- text: Remote wipe
url: /windows/client-management/mdm/remotewipe-csp
url: /windows/client-management/mdm/remotewipe-csp

2
windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
View File

@ -9,7 +9,7 @@ ms.topic: how-to
The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list:
- [Microsoft Account](https://account.microsoft.com/account/faq)
- [Microsoft Account](https://support.microsoft.com/account-billing/ace6f3b3-e2d3-aeb1-6b96-d2e9e7e52133)
- [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)