From fd2b58090a77e64c76e3ad794d337aa3dd43f9f3 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Tue, 5 Mar 2024 17:00:16 -0500
Subject: [PATCH] Update kiosk experience configuration
---
.../configuration/assigned-access/index.md | 9 +++---
.../configuration/assigned-access/overview.md | 20 +------------
.../assigned-access/policy-settings.md | 28 +++++++++++++++++--
3 files changed, 31 insertions(+), 26 deletions(-)
diff --git a/windows/configuration/assigned-access/index.md b/windows/configuration/assigned-access/index.md
index 179ca7e1b6..4dacb660a5 100644
--- a/windows/configuration/assigned-access/index.md
+++ b/windows/configuration/assigned-access/index.md
@@ -25,15 +25,15 @@ Windows offers two different experiences for public or specialized use:
:::column-end:::
:::row-end:::
-This experience runs a single application in full screen, and people using the device can only use that app. When the designated kiosk account signs in, the kiosk app launches automatically. If the kiosk app is closed, it will automatically restart. This experience is sometimes referred to as *single-app kiosk*.
+This experience runs a single application in full screen, and people using the device can only use that app. When the designated kiosk account signs in, the kiosk app launches automatically. This experience is sometimes referred to as *single-app kiosk*.
Windows offers two different features to configure a kiosk experience:
-- **Assigned Access**: used to execute a single Universal Windows Platform (UWP) app or Microsoft Edge in full screen above the lock screen. When the kiosk account signs in, the kiosk app launches automatically. If the UWP app is closed, it will automatically restart
-- **Shell Launcher**: used to configure a device to execure a Windows desktop application as the user interface. The application that you specify replaces the default Windows shell (`Explorer.exe`) that usually runs when a user signs in. This type of single-app kiosk doesn't run above the lock screen.
+- **Assigned Access**: used to execute a single Universal Windows Platform (UWP) app or Microsoft Edge in full screen above the lock screen. When the kiosk account signs in, the kiosk app launches automatically. If the UWP app is closed, it automatically restarts
+- **Shell Launcher**: used to configure a device to execute a Windows desktop application as the user interface. The application that you specify replaces the default Windows shell (`Explorer.exe`) that usually runs when a user signs in. This type of single-app kiosk doesn't run above the lock screen
>[!IMPORTANT]
->Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
+>The kiosk experience isn't supported over a remote desktop connection. The kiosk users must sign in on the console that is set up as a kiosk.
:::row:::
:::column span="1":::
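Review bot: the rewritten note at `+>The kiosk experience isn't supported over a remote desktop connection. The kiosk users must sign in on the console that is set up as a kiosk.` trades the concrete "physical device" for "console", which readers can confuse with a terminal or console session; suggest "Kiosk users must sign in locally, on the physical device that is set up as a kiosk" so the restriction being described (no RDP session) stays unambiguous. The two rewritten bullets are otherwise consistent with each other, and the restart sentence removed from the intro paragraph is preserved in the Assigned Access bullet where it applies.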
@@ -58,7 +58,6 @@ When you're considering a kiosk or restricted user experience, you need to choos
| **🔲** | *Desktop experience or custom?*
If your users require access to the desktop with a custom Start menu, then you can build a **restricted user experience** with **Assigned Access**. If your users require access to multiple applications but with a custom UI, then you can build a **restricted user experience** with **Shell Launcher**.|
| **🔲** | *In single-app scenario, which type of app will your kiosk run?*
If the kiosk requires a Universal Windows Platform (UWP) app or Microsoft Edge, you can build a **kiosk experience** with **Assigned Access**. If the kiosk requires a desktop app, you can build a **kiosk experience** with **Shell Launcher**.|
| **🔲** | *Which edition of Windows client will the kiosk run?"*
**Assigned Access** is supported on Windows Pro and Enterprise/Education. **Shell Launcher** is only supported on Windows Enterprise and Education editions.|
-| **🔲** | *Which type of user account will be the kiosk account?*
The kiosk account can be a local standard user account, a domain account, or a Microsoft Entra account. Use a local account when the apps offered by the kiosk don't require the users to authenticate, and when you require the designated kiosk user to automatically sign in. |
## Next steps
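Review bot: removing only `-| **🔲** | *Which type of user account will be the kiosk account?*` orphans its continuation line `The kiosk account can be a local standard user account, ... | ` which now follows the previous row's closing `|` with no row marker, so the table renders with a dangling cell fragment; either delete both lines of that row or keep both. While here, the unchanged row above has a stray `"` in `*Which edition of Windows client will the kiosk run?"*`.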
diff --git a/windows/configuration/assigned-access/overview.md b/windows/configuration/assigned-access/overview.md
index 8a7d2d8036..4c77ca8c24 100644
--- a/windows/configuration/assigned-access/overview.md
+++ b/windows/configuration/assigned-access/overview.md
@@ -18,13 +18,11 @@ Assigned Access is a Windows feature that you can use to configure a device as a
:::column-end:::
:::row-end:::
-When you configure a kiosk experience, a single UWP application or Microsoft Edge is executed in full screen, above the lock screen. Users can only use that application. If the kiosk app is closed, it will automatically restart. Practical examples include:
+When you configure a kiosk experience, a single UWP application or Microsoft Edge is executed in full screen, above the lock screen. Users can only use that application. If the kiosk app is closed, it automatically restarts. Practical examples include:
- Public browsing
- Interactive digital signage
-This experience is sometimes referred to as *single-app kiosk*.
-
:::row:::
:::column span="1":::
:::image type="content" source="images/restricted-user-experience.png" alt-text="Icon representing a restricted user experience." border="false":::
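Review bot: dropping `-This experience is sometimes referred to as *single-app kiosk*.` here while the index.md hunk in this same patch keeps the identical sentence leaves the two pages inconsistent about the alias; if the intent is to retire the "single-app kiosk" term, remove it from index.md as well, otherwise keep it here so a reader who arrives via search for the older name still finds the mapping.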
@@ -40,29 +38,13 @@ When you configure a restricted user experience, users can execute a defined lis
- Student devices
- Lab devices
-This experience is sometimes referred to as *multi-app kiosk*.
-
[!INCLUDE [assigned-access](../../../includes/licensing/assigned-access.md)]
## Locked-down experience
When applying an Assigned Access configuration to a device, different policy settings and AppLocker rules are enforced, creating a locked down experience to the users.
-When the multi-app kiosk configuration is applied to a device, AppLocker rules are generated to allow the apps that are listed in the configuration. Here are the predefined Assigned Access AppLocker rules.
-For UWP apps,
-
-1. Default rule is to allow all users to launch the signed package apps
-1. The package app deny list is generated at runtime when the Assigned Access user signs in. Based on the installed/provisioned package apps available for the user account, Assigned Access generates the deny list. This list excludes the default allowed inbox package apps, which are critical for the system to function, and then exclude the allowed packages that enterprises
-1. defined in the Assigned Access configuration. If there are multiple apps within the same package, all these apps are excluded. This deny list is used to prevent the user from accessing the apps, which are currently available for the user but not in the allowed list
-
-> [!NOTE]
-> Assigned access multi-app mode doesn't block the enterprises or the users from installing UWP apps. When a new UWP app is installed during the current Assigned Access user session, this app won't be in the deny list. When the user signs out and signs in back next time, it will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the Assigned Access configuration to include it in the allowed app list.
-
-For desktop apps,
-
-1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs. 2. There's a predefined inbox desktop app deny list for the Assigned Access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration.
-1. Enterprise-defined allowed desktop apps are added in the AppLocker allow list.
## Guidelines for choosing an app for a kiosk experience
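Review bot: after removing the AppLocker rule description, the "Locked-down experience" section reduces to the single context sentence `When applying an Assigned Access configuration to a device, different policy settings and AppLocker rules are enforced, creating a locked down experience to the users.` with no pointer to where the rules now live; suggest adding a link to the policy settings reference (policy-settings.md) so the moved content remains discoverable, and hyphenating "locked down experience" to match the section heading. Moving the content out is an improvement, since the removed desktop-app list had a fused `2.` inside the first item.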
diff --git a/windows/configuration/assigned-access/policy-settings.md b/windows/configuration/assigned-access/policy-settings.md
index 385b302cea..04094dc2af 100644
--- a/windows/configuration/assigned-access/policy-settings.md
+++ b/windows/configuration/assigned-access/policy-settings.md
@@ -7,9 +7,9 @@ ms.date: 03/04/2024
# Assigned Access policy settings
-When the Assigned Access configuration is applied on a device, certain policy settings are enforced, impacting other users using the device. The policy settings are appllied using a combination of configuration service provider (CSP) and group policy (GPO) settings.
+When the Assigned Access configuration is applied on a device, certain policy settings and AppLocker rules are enforced, impacting the users accessing the device. The policy settings are appllied using a combination of configuration service provider (CSP) and group policy (GPO) settings.
-This reference article lists the policy settings applied by Assigned Access.
+This reference article lists the policy settings and AppLocker rules applied by Assigned Access.
>[!NOTE]
>It's not recommended to configure policy settings enforced by Assigned Access to different values using other channels. Assigned Access is optimized to provide a locked-down experience.
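Review bot: the typo "appllied" survives in the rewritten line `+When the Assigned Access configuration is applied on a device, ... The policy settings are appllied using a combination ...`; fix to "applied" while the line is being touched. The rewording from "impacting other users using the device" to "impacting the users accessing the device" also loses the point that the settings affect accounts beyond the kiosk account; the table below this hunk scopes them to "any nonadministrator account accessing the device", so consider matching that phrasing here.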
@@ -78,3 +78,27 @@ The following policy settings are applied to any nonadministrator account access
| **GPO** | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Task Manager |
| **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove *Map network drive* and *Disconnect Network Drive* |
| **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove File Explorer's default context menu |
+
+## AppLocker rules
+
+When you deploy an Assigned Access restricted user experience, AppLocker rules are generated to allow the apps that are listed in the configuration. Here are the predefined Assigned Access AppLocker rules:
+
+### UWP app rules
+
+1. The default rule is to allow all users to launch the signed *packaged apps*
+1. The packaged app *deny list* is generated at runtime when the Assigned Access user signs in:
+ 1. Based on the installed apps available for the user account, Assigned Access generates the deny list. The list excludes the default allowed inbox packaged apps, which are critical for the system to function, and then exclude the allowed packages that are defined in the Assigned Access configuration
+ 1. If there are multiple apps within the same package, all the apps are excluded
+
+The deny list is used to prevent the user from accessing the apps, which are currently available for the user but not in the allowed list
+
+> [!NOTE]
+> You can't manage AppLocker rules that are generated by the restricted user experience in MMC snap-ins. Avoid creating AppLocker rules that conflict with AppLocker rules generated by Assigned Access.
+>
+> Assigned access doesn't prevent the organization or users from installing UWP apps. When a new UWP app is installed during an Assigned Access session, the app isn't in the deny list. When the user signs out and signs in again, the installed app is included in the deny list. For apps deployed centrally that you want to allow, like line-of-biness apps, update the Assigned Access configuration and include the apps in the *allow app list*.
+
+### Desktop app rules
+
+1. The default rule is to allow all users to launch the desktop programs signed with *Microsoft Certificate* for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
+1. There's a predefined inbox desktop app deny list for the Assigned Access user account, which is updated based on the *desktop app allow list* that you defined in the Assigned Access configuration
+1. Enterprise-defined allowed desktop apps are added in the AppLocker allow list
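Review bot: several wording defects in the added AppLocker section: "line-of-biness apps" should be "line-of-business apps"; "and then exclude the allowed packages" should be "and then excludes the allowed packages" to agree with "excludes" earlier in the sentence; "Assigned access doesn't prevent" should use the product capitalization "Assigned Access" used everywhere else; and "prevent the user from accessing the apps, which are currently available for the user but not in the allowed list" needs a restrictive clause ("the apps that are available to the user but not in the allow list"), since the comma reads as if all apps are denied. In the desktop rules, "signed with *Microsoft Certificate*" reads better as "signed with a Microsoft certificate". The note that a UWP app installed during a session is not in the deny list until the next sign-in is the security-relevant behaviour of this section; consider stating directly that the deny list is regenerated only at sign-in, so admins understand why the configuration's allow list, not installation, is the control.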