4.5 KiB
title, description, ms.topic, ms.date, appliesto, zone_pivot_groups
| title | description | ms.topic | ms.date | appliesto | zone_pivot_groups |
|---|---|---|---|---|---|
| Quickstart: Configure a restricted user experience with Assigned Access | Learn how to configure a restricted user experience using Windows Configuration Designer, Microsoft Intune, PowerShell or GPO. | quickstart | 02/05/2024 | windows-versions-11-10 |
Quickstart: Configure a restricted user experience with Assigned Access
With a restricted user experience, you can configure Windows to run a limited set of applications in a locked down desktop. This is useful for scenarios where you want to provide a limited set of apps to a user, such as a library catalog, a school device, or a museum guide.
This quickstart provides practical examples of how to configure a restricted user experience on Windows. The examples describe the steps using a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
The examples can be modified to fit your specific requirements. For example, you can add or remove applications from the list of allowed apps, or change the name of the user that automatically signs in to Windows.
Prerequisites
[!div class="checklist"] Here's a list of requirements to complete this quickstart:
- A Windows device
- Microsoft Intune, or a non-Microsoft MDM solution, if you want to configure the settings using MDM
- Windows Configuration Designer, if you want to configure the settings using a provisioning package
- Access to the psexec tool, if you want to test the configuration using Windows PowerShell
Configure a restricted user experience
[!INCLUDE tab-intro]
:::image type="icon" source="../images/icons/intune.svg"::: Intune/CSP
Tip
Use the following Graph call to automatically create a custom policy in your Microsoft Intune tenant without assignments nor scope tags.
When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires DeviceManagementConfiguration.ReadWrite.All permissions.
[!INCLUDE quickstart-restricted-experience-intune.md]
[!INCLUDE intune-custom-settings-2]
Alternatively, you can configure devices using a custom policy with the AssignedAccess CSP.
- Setting:
./Vendor/MSFT/AssignedAccess/Configuration - Value:
[!INCLUDE quickstart-restricted-experience-xml.md]
:::image type="icon" source="../images/icons/provisioning-package.svg"::: PPKG
[!INCLUDE provisioning-package-1]
- Path:
AssignedAccess/MultiAppAssignedAccessSettings - Value:
[!INCLUDE quickstart-restricted-experience-xml.md]
[!INCLUDE provisioning-package-2]
:::image type="icon" source="../images/icons/powershell.svg"::: PowerShell
[!INCLUDE powershell-wmi-bridge-1]
[!INCLUDE quickstart-restricted-experience-ps.md]
[!INCLUDE powershell-wmi-bridge-2]
User experience
After the settings are applied, reboot the device. A local user account is automatically signed in, with access to a limited set of applications, which are pinned to the Start menu.
::: zone pivot="windows-11" :::image type="content" source="images/restricted-user-experience-windows-11.png" alt-text="Screenshot of the Windows 11 desktop used for the quickstart." border="false":::
::: zone-end
::: zone pivot="windows-10" :::image type="content" source="images/restricted-user-experience-windows-10.png" alt-text="Screenshot of the Windows 10 desktop used for the quickstart." border="false":::
::: zone-end
Next steps
[!div class="nextstepaction"] Learn more about Assigned Access and how to configure it: