Chris J. Lin ef1c69b439
Release mcc ent (#1)
* smb adds

* smb adds

* formatting

* private preview and support content

* edit removed and dep

* Fix blocking issues

* Acro-fix

* 24H2 CSP Updates

* Fix link

* fix link in dep page

* edit

* edit index file

* syntax-fix-24h2

* ltsc-edits

* ltsc-edits

* lichris-docs-1

* Acrolinx improvements

* refresh for maxado-8631996

* update link for maxado-8631993

* additional edits, acrolinx

* ltsc-tw

* contentsource-8914508

* contentsource-8914508

* Updates for 1 October release

* Set stale debug to false

* update gp link for 24h2

* additional changes

* Changes to updates, acrolinx changes

* fixes broken links

* Fixed alignment issues

* updates from Rafal

* fixed acrolinx

* so many link fixes

* added release notes and troubleshoot content

* updates

* Update security-compliance-toolkit-10.md

Added Windows 11 24H2

* Update get-support-for-security-baselines.md

Updated for Windows 11 24H2

* bump date

* bump date

* fix pde comment

* fixing broken link

* Fix broken redirections

* fix to rel link

* reset head, fix link

* add cli to deploy, add script to cli

* removing "mcce"

* edits to create page

* Update default and global release policies OS version and dates to latest release values

* Removed e from mcce and other changes

* updated example script

* added important notice to update page

* more update page changes

* clarified how proxy configuration is used

* anonymizing variables in example script

* revise example script

* acrolinx fixes to update page

* changes to other pages and content in overview page

* Update broken link

Update broken link

* Update windows-sandbox-configure-using-wsb-file.md

Update `HostFolder` value description in `MappedFolder`, specifying that the path could be absolute or relative, not only absolute as, instead, is for the `SandboxFolder` value.

* Remove bad link

Removed bad link. There is already a second link referring to content so no need to replace the link.

* docfx update for security book

* Correct TOC entry changing Windows 10 to Windows

* Update whats-new-do.md

- Vpn to VPN
- Minor improvements

* Updated date for freshness reporting

* Add EOS callout

Fix some obvious Acrolinx issues

* Fixed typo added clarity

* Update mcc-ent-deploy-to-windows.md

* Update .openpublishing.redirection.windows-deployment.json

* Update .openpublishing.redirection.windows-deployment.json

* Update policy-csp-localpoliciessecurityoptions.md

* Correct indentation and spacing

* Acrolinx: "Enteprise"

* Update mcc-ent-edu-overview.md

* refresh

* Remove redirection and final bits of store-for-business

store-for-business, AKA /microsoft-store/, is retired, and the content is archived in officearchive-pr. This archival was for ADO task 9268422.

* added support content and other changes

* fixed tabs

* fixed tabs

* Updated device reg policy and group information

* Update delivery-optimization-endpoints.md

Added a line item in MCC table for Outlook *res.cdn.office.net requirement

* freshness review

* Fix broken links

* Minor change

* content for faq

* changes to landing page

* more content to faqs

* pencil edit

* add copilot exps link

* edits and ren cli file temporarily

* ren file back and edit toc to lowercase

* edit

* edit

* edit

* Update windows-autopatch-configure-network.md

Adding a new network endpoint required for the service 'device.autopatch.microsoft.com' @tiaraquan

* Clarify some points and remove data that is confusing to customers.

* fix syntax

* Sentence correction

* Update windows/deployment/do/waas-delivery-optimization-faq.yml

Co-authored-by: Meghan Stewart <33289333+mestew@users.noreply.github.com>

* Update windows/deployment/do/waas-delivery-optimization-faq.yml

Co-authored-by: Meghan Stewart <33289333+mestew@users.noreply.github.com>

* moved shortcuts under policy settings article

---------

Co-authored-by: Alma Jenks <v-alje@microsoft.com>
Co-authored-by: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Co-authored-by: Stacyrch140 <102548089+Stacyrch140@users.noreply.github.com>
Co-authored-by: Nidhi Doshi <77081571+doshnid@users.noreply.github.com>
Co-authored-by: Gary Moore <5432776+garycentric@users.noreply.github.com>
Co-authored-by: Vinay Pamnani (from Dev Box) <vinpa@microsoft.com>
Co-authored-by: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Co-authored-by: Aaron Czechowski <aczechowski@users.noreply.github.com>
Co-authored-by: Aditi Srivastava <133841950+aditisrivastava07@users.noreply.github.com>
Co-authored-by: Daniel H. Brown <32883970+DHB-MSFT@users.noreply.github.com>
Co-authored-by: David Strome <21028455+dstrome@users.noreply.github.com>
Co-authored-by: Padma Jayaraman <v-padmaj@microsoft.com>
Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Co-authored-by: Rebecca Agiewich <16087112+rjagiewich@users.noreply.github.com>
Co-authored-by: Rick Munck <33725928+jmunck@users.noreply.github.com>
Co-authored-by: Tanaka <Huios@users.noreply.github.com>
Co-authored-by: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Co-authored-by: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Co-authored-by: Davide Piccinini <davide.piccinini.95@gmail.com>
Co-authored-by: Phil Garcia <phil@thinkedge.com>
Co-authored-by: Learn Build Service GitHub App <Learn Build Service LearnBuild@microsoft.com>
Co-authored-by: tiaraquan <tiaraquan@microsoft.com>
Co-authored-by: Caitlin Hart <caithart@microsoft.com>
Co-authored-by: Harman Thind <63820404+hathin@users.noreply.github.com>
Co-authored-by: [cmknox] <[cmknox@gmail.com]>
Co-authored-by: Carmen Forsmann <cmforsmann@live.com>
2024-10-17 11:34:07 -07:00


---
title: Assigned Access policy settings
description: Learn about the policy settings enforced on a device configured with Assigned Access.
ms.topic: reference
ms.date: 03/04/2024
---

# Assigned Access policy settings

When the Assigned Access configuration is applied on a device, certain policy settings and AppLocker rules are enforced, which affects every user who accesses the device. The policy settings use a combination of configuration service provider (CSP) and group policy object (GPO) settings.

This reference article lists the policy settings and AppLocker rules applied by Assigned Access.

> [!NOTE]
> Don't use other channels (MDM, group policy, or scripts) to set the policy settings enforced by Assigned Access to different values. Assigned Access is optimized to provide a locked-down experience, and conflicting values weaken that lockdown.

## Device policy settings

The following policy settings are applied at the device level when you deploy a restricted user experience. Any user accessing the device is subject to the policy settings, including administrator accounts:

| Type | Path | Name/Description |
|--|--|--|
| CSP | `./Vendor/MSFT/Policy/Config/Experience/AllowCortana` | Disable Cortana |
| CSP | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderDocuments` | Disable Start documents icon |
| CSP | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderDownloads` | Disable Start downloads icon |
| CSP | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderFileExplorer` | Disable Start file explorer icon |
| CSP | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderHomeGroup` | Disable Start home group icon |
| CSP | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderMusic` | Disable Start music icon |
| CSP | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderNetwork` | Disable Start network icon |
| CSP | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderPersonalFolder` | Disable Start personal folder icon |
| CSP | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderPictures` | Disable Start pictures icon |
| CSP | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderSettings` | Disable Start settings icon |
| CSP | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderVideos` | Disable Start videos icon |
| CSP | `./Vendor/MSFT/Policy/Config/Start/HideChangeAccountSettings` | Hide **Change account settings** from appearing in the user tile |
| CSP | `./Vendor/MSFT/Policy/Config/Update/SetAutoRestartNotificationDisable` | Disable auto restart notifications for updates |
| CSP | `./Vendor/MSFT/Policy/Config/Update/UpdateNotificationLevel` | Hide all update notifications |
| CSP | `./Vendor/MSFT/Policy/Config/WindowsInkWorkspace/AllowWindowsInkWorkspace` | Disable access to the Windows Ink Workspace |
| CSP | `./Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI` | Hide the networks UI on the logon screen and on the **Security options** screen |

## User policy settings

The following policy settings are applied to any nonadministrator account when you deploy a restricted user experience:

| Type | Path | Name/Description |
|--|--|--|
| CSP | `./User/Vendor/MSFT/Policy/Config/Start/DisableContextMenus` | Disable context menus for Start menu apps |
| CSP | `./User/Vendor/MSFT/Policy/Config/Start/HidePeopleBar` | Hide the People Bar from appearing on the taskbar |
| CSP | `./User/Vendor/MSFT/Policy/Config/Start/HideRecentlyAddedApps` | Hide recently added apps from appearing on the Start menu |
| CSP | `./User/Vendor/MSFT/Policy/Config/Start/HideRecentJumplists` | Hide recent jump lists from appearing on the Start menu and taskbar |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Clear history of recently opened documents on exit |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Disable showing balloon notifications as toast |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not allow pinning items in Jump Lists |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not allow pinning programs to the Taskbar |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not display or track items in Jump Lists from remote locations |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Hide and disable all items on the desktop |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Hide the Task View button |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Lock all taskbar settings |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Lock the Taskbar |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from adding or removing toolbars |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from customizing their Start Screen |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from moving taskbar to another screen dock location |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from rearranging toolbars |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from resizing the taskbar |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from uninstalling applications from Start |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove access to the context menus for the task bar |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove All Programs list from the Start menu |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Control Center |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove frequent programs list from the Start Menu |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Notification and Action Center |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Quick Settings |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Run menu from Start Menu |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove the Security and Maintenance icon |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Turn off all balloon notifications |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Turn off feature advertisement balloon notifications |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications | Turn off toast notifications |
| GPO | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Change Password |
| GPO | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Logoff |
| GPO | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Task Manager |
| GPO | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove Map network drive and Disconnect Network Drive |
| GPO | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove File Explorer's default context menu |
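The two tables above describe what Assigned Access is supposed to enforce, but a practitioner deploying a kiosk usually wants to read the values back from the device before exposing it. The following script is an added example and isn't part of the Assigned Access documentation or the Windows implementation. It assumes that CSP policies are mirrored in the registry under `HKLM\SOFTWARE\Microsoft\PolicyManager\current` (`device\<Area>\<Setting>` for device scope and `<UserSid>\<Area>\<Setting>` for user scope), that the expected values follow the CSP definitions (`0` = not allowed, `1` = hide or disable, `UpdateNotificationLevel` `2` = hide all notifications), and that the GPO rows are backed by the ADMX registry values listed in `$userGpo` in the signed-in kiosk user's hive under `HKEY_USERS\<UserSid>`. Only a subset of the GPO rows is mapped; the mapping is an assumption, not something the page states.

```powershell
# Added example (not from the Assigned Access docs): read back the registry
# values behind the device and user policy settings listed above.
# Run from an elevated PowerShell session on the kiosk device while the kiosk
# user is signed in (their hive must be loaded under HKEY_USERS).

# Assumed CSP semantics: 0 = not allowed, 1 = hide/disable, 2 = hide all.
$deviceCsp = @{
    'Experience\AllowCortana'                      = 0
    'Start\AllowPinnedFolderDocuments'             = 0
    'Start\AllowPinnedFolderDownloads'             = 0
    'Start\AllowPinnedFolderFileExplorer'          = 0
    'Start\AllowPinnedFolderHomeGroup'             = 0
    'Start\AllowPinnedFolderMusic'                 = 0
    'Start\AllowPinnedFolderNetwork'               = 0
    'Start\AllowPinnedFolderPersonalFolder'        = 0
    'Start\AllowPinnedFolderPictures'              = 0
    'Start\AllowPinnedFolderSettings'              = 0
    'Start\AllowPinnedFolderVideos'                = 0
    'Start\HideChangeAccountSettings'              = 1
    'Update\SetAutoRestartNotificationDisable'     = 1
    'Update\UpdateNotificationLevel'               = 2
    'WindowsInkWorkspace\AllowWindowsInkWorkspace' = 0
    'WindowsLogon\DontDisplayNetworkSelectionUI'   = 1
}
$userCsp = @{
    'Start\DisableContextMenus'   = 1
    'Start\HidePeopleBar'         = 1
    'Start\HideRecentlyAddedApps' = 1
    'Start\HideRecentJumplists'   = 1
}

# Assumed ADMX registry backing for a subset of the GPO rows (relative to the
# user hive). All of these are REG_DWORD policies whose enabled value is 1.
$explorer = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$toasts   = 'Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'
$userGpo = @(
    @{ Gpo = 'Remove Run menu from Start Menu';                      Key = $explorer; Name = 'NoRun' }
    @{ Gpo = 'Hide and disable all items on the desktop';             Key = $explorer; Name = 'NoDesktop' }
    @{ Gpo = 'Lock the Taskbar';                                      Key = $explorer; Name = 'LockTaskbar' }
    @{ Gpo = 'Lock all taskbar settings';                             Key = $explorer; Name = 'TaskbarLockAll' }
    @{ Gpo = 'Remove access to the context menus for the task bar';   Key = $explorer; Name = 'NoTrayContextMenu' }
    @{ Gpo = 'Do not allow pinning programs to the Taskbar';          Key = $explorer; Name = 'NoPinningToTaskbar' }
    @{ Gpo = 'Do not allow pinning items in Jump Lists';              Key = $explorer; Name = 'NoPinningToDestinations' }
    @{ Gpo = 'Clear history of recently opened documents on exit';    Key = $explorer; Name = 'ClearRecentDocsOnExit' }
    @{ Gpo = 'Remove Map network drive and Disconnect Network Drive'; Key = $explorer; Name = 'NoNetConnectDisconnect' }
    @{ Gpo = "Remove File Explorer's default context menu";           Key = $explorer; Name = 'NoViewContextMenu' }
    @{ Gpo = 'Remove Logoff';                                         Key = $explorer; Name = 'NoLogoff' }
    @{ Gpo = 'Remove Task Manager';                                   Key = $system;   Name = 'DisableTaskMgr' }
    @{ Gpo = 'Remove Change Password';                                Key = $system;   Name = 'DisableChangePassword' }
    @{ Gpo = 'Turn off toast notifications';                          Key = $toasts;   Name = 'NoToastApplicationNotification' }
)

function Get-PolicyValue([string] $Path, [string] $Name) {
    # Returns $null when the key or the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Check($Scope, $Setting, $Expected, $Actual) {
    # $null (value missing) never equals the expected number, so it reports as not enforced.
    [pscustomobject]@{ Scope = $Scope; Setting = $Setting; Expected = $Expected
                       Actual = $Actual; Enforced = ($Actual -eq $Expected) }
}

function Test-AssignedAccessPolicies {
    param([Parameter(Mandatory)] [string] $UserSid)

    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $pm = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current'

    foreach ($e in $deviceCsp.GetEnumerator()) {
        $area, $name = $e.Key -split '\\', 2
        New-Check 'Device CSP' $e.Key $e.Value (Get-PolicyValue "$pm\device\$area" $name)
    }
    foreach ($e in $userCsp.GetEnumerator()) {
        $area, $name = $e.Key -split '\\', 2
        New-Check 'User CSP' $e.Key $e.Value (Get-PolicyValue "$pm\$UserSid\$area" $name)
    }
    foreach ($g in $userGpo) {
        New-Check 'User GPO' $g.Gpo 1 (Get-PolicyValue "HKU:\$UserSid\$($g.Key)" $g.Name)
    }
}

# Usage: resolve the kiosk account to its SID, then list anything not enforced.
$sid = (New-Object System.Security.Principal.NTAccount('KioskUser')).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
Test-AssignedAccessPolicies -UserSid $sid |
    Where-Object { -not $_.Enforced } |
    Format-Table Scope, Setting, Expected, Actual -AutoSize
```

`KioskUser` is a placeholder account name. A row that reports `Actual` as empty means the value isn't present at the assumed location, which is the signal to check either that the Assigned Access configuration applied (the user signed in at least once) or that the assumed registry mapping doesn't hold on your build; it isn't proof that the setting is unenforced.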

The following policy settings are applied to the kiosk account when you configure a kiosk experience with Microsoft Edge:

| Type | Path | Name/Description |
|--|--|--|
| GPO | User Configuration\Administrative Templates\System | Run only specified Windows applications > `msedge.exe` |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications | Turn off toast notifications |
| GPO | User Configuration\Administrative Templates\Windows Components\Attachment Manager | Default risk level for file attachments > High risk |
| GPO | User Configuration\Administrative Templates\Windows Components\Attachment Manager | Inclusion list for low file types > `.pdf;.epub` |
| GPO | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove File Explorer's default context menu |

## AppLocker rules

When you deploy an Assigned Access restricted user experience, AppLocker rules are generated to allow the apps that are listed in the configuration. Here are the predefined Assigned Access AppLocker rules:

### Universal Windows Platform (UWP) app rules

1. The default rule allows all users to launch signed packaged apps.
1. The packaged app deny list is generated at runtime when the Assigned Access user signs in:
    1. Starting from the apps installed and available for that user account, Assigned Access excludes the default allowed inbox packaged apps, which are critical for the system to function, and then excludes the allowed packages defined in the Assigned Access configuration. Every remaining package goes on the deny list.
    1. The rules are evaluated per package: if an allowed package contains multiple apps, all of them are excluded from the deny list.

The deny list prevents the user from launching apps that are available to the user account but aren't in the allowed list.

> [!NOTE]
> You can't manage AppLocker rules that are generated by the restricted user experience in MMC snap-ins. Avoid creating AppLocker rules that conflict with the AppLocker rules generated by Assigned Access.
>
> Assigned Access doesn't prevent the organization or users from installing UWP apps. When a new UWP app is installed during an Assigned Access session, it isn't in the deny list yet, because the list was generated at sign-in. When the user signs out and signs in again, the newly installed app is included in the deny list. For apps deployed centrally that you want to allow, like line-of-business apps, update the Assigned Access configuration and include them in the allowed app list.
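The deny list generation described above is easy to get wrong when planning an allow list (for example, forgetting that an AppUserModelId identifies one app but the rule covers the whole package). The script below is an added example, not code from the Assigned Access documentation or from Windows: it reproduces the described subtraction so you can preview which of a user's installed packages will be denied before deploying the configuration, and re-running it after an app is installed shows what the deny list will contain at the next sign-in. It assumes that allowed apps are identified by package family name (PFN), that an AppUserModelId of the form `<PFN>!<AppId>` reduces to its PFN, and that `$inboxAllowed` stands in for the undocumented inbox allow list; the inventory and package names are constructed sample data.

```powershell
# Added example (not from the Assigned Access docs or the Windows implementation):
# simulate the packaged-app deny list that Assigned Access builds at sign-in.

function Get-AssignedAccessDenyList {
    param(
        # Objects with PackageFamilyName and Name, e.g. from Get-AppxPackage -User <sid>.
        [Parameter(Mandatory)] [object[]] $InstalledPackages,
        # AppUserModelIds or PFNs from <AllowedApps> in the Assigned Access configuration.
        [Parameter(Mandatory)] [string[]] $AllowedApps,
        # Placeholder for the inbox packages Assigned Access always allows (assumption).
        [string[]] $InboxAllowed = @()
    )

    # Reduce every allowed entry to a package family name. The rule is evaluated
    # per package, so allowing one AUMID allows every app in that package.
    $allowedPfn = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($entry in ($AllowedApps + $InboxAllowed)) {
        $pfn = ($entry -split '!', 2)[0]
        [void]$allowedPfn.Add($pfn)
    }

    # Everything installed for this user that isn't allowed is denied.
    $InstalledPackages |
        Where-Object { -not $allowedPfn.Contains($_.PackageFamilyName) } |
        Sort-Object PackageFamilyName -Unique |
        Select-Object PackageFamilyName, Name
}

# Constructed sample inventory standing in for Get-AppxPackage output.
$sampleInstalled = @(
    [pscustomobject]@{ Name = 'Microsoft.WindowsCalculator'; PackageFamilyName = 'Microsoft.WindowsCalculator_8wekyb3d8bbwe' }
    [pscustomobject]@{ Name = 'Microsoft.WindowsStore';      PackageFamilyName = 'Microsoft.WindowsStore_8wekyb3d8bbwe' }
    [pscustomobject]@{ Name = 'Microsoft.Windows.Photos';    PackageFamilyName = 'Microsoft.Windows.Photos_8wekyb3d8bbwe' }
    [pscustomobject]@{ Name = 'Contoso.LobApp';              PackageFamilyName = 'Contoso.LobApp_abcdef123456' }
)

# Placeholder inbox allow list (assumption; the real list isn't published on this page).
$inboxAllowed = @('Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy')

# Allowing a single Calculator AUMID allows the whole Calculator package;
# Store, Photos and the Contoso app end up on the deny list.
Get-AssignedAccessDenyList -InstalledPackages $sampleInstalled `
    -AllowedApps @('Microsoft.WindowsCalculator_8wekyb3d8bbwe!App') `
    -InboxAllowed $inboxAllowed |
    Format-Table -AutoSize

# Against a live device, run elevated and pass the kiosk user's SID so the
# inventory matches what that account actually has installed:
# $sid = (New-Object System.Security.Principal.NTAccount('KioskUser')).Translate(
#            [System.Security.Principal.SecurityIdentifier]).Value
# Get-AssignedAccessDenyList -InstalledPackages (Get-AppxPackage -User $sid) `
#     -AllowedApps $allowedFromConfig -InboxAllowed $inboxAllowed
```

`KioskUser` and `$allowedFromConfig` are placeholders for your kiosk account and for the allowed app list taken from your configuration. Because the real list is computed at sign-in, a package that appears in this preview after a mid-session install is still launchable until the user signs out and back in, which is the behaviour the note above describes.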

### Desktop app rules

1. The default rule allows all users to launch desktop programs signed with a Microsoft certificate, so that the system can boot and function. The rule also allows members of the Administrators group to launch all desktop programs.
1. A predefined inbox desktop app deny list applies to the Assigned Access user account. The list is updated based on the desktop app allow list that you define in the Assigned Access configuration.
1. Enterprise-defined allowed desktop apps are added to the AppLocker allow list.

## Keyboard shortcuts

The following keyboard shortcuts are blocked for the user accounts with Assigned Access:

| Keyboard shortcut | Action |
|--|--|
| Ctrl + Shift + Esc | Open Task Manager |
| WIN + , (comma) | Temporarily peek at the desktop |
| WIN + A | Open Action center |
| WIN + Alt + D | Display and hide the date and time on the desktop |
| WIN + Ctrl + F | Find computer objects in Active Directory |
| WIN + D | Display and hide the desktop |
| WIN + E | Open File Explorer |
| WIN + F | Open Feedback Hub |
| WIN + G | Open Game bar when a game is open |
| WIN + I | Open Settings |
| WIN + J | Set focus to a Windows tip when one is available |
| WIN + O | Lock device orientation |
| WIN + Q | Open search |
| WIN + R | Open the Run dialog box |
| WIN + S | Open search |
| WIN + Shift + C | Open Cortana in listening mode |
| WIN + X | Open the Quick Link menu |
| LaunchApp1 | Open the app that is assigned to this key |
| LaunchApp2 | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator |
| LaunchMail | Open the default mail client |

For information on how to customize keyboard shortcuts, see Assigned Access recommendations.