If a Windows 10 Upgrade Fails Should I Try It Again but on a Local Account Vs Signed Into Microsoft

Skip to main content

Set up a multi-app kiosk on Windows 10 devices

• Article
• 03/xvi/2022
• 27 minutes to read

Is this folio helpful?

Feedback volition exist sent to Microsoft: By pressing the submit button, your feedback will be used to improve Microsoft products and services. Privacy policy.

In this article

Applies to

• Windows x Pro, Enterprise, and Pedagogy

Notation

Currently, multi-app kiosk is only supported on Windows ten. It's not supported on Windows 11.

A kiosk device typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows ten, version 1709, the AssignedAccess configuration service provider (CSP) was expanded to make it like shooting fish in a barrel for administrators to create kiosks that run more than 1 app. The do good of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them just the things they demand to use, and removing from their view the things they don't need to admission.

The following table lists changes to multi-app kiosk in recent updates.

New features and improvements	In update
- Configure a single-app kiosk profile in your XML file - Assign group accounts to a config profile - Configure an business relationship to sign in automatically	Windows x, version 1803
- Explicitly allow some known folders when user opens file dialog box - Automatically launch an app when the user signs in - Configure a display proper noun for the autologon business relationship	Windows x, version 1809 Important: To use features released in Windows ten, version 1809, brand sure that your XML file references https://schemas.microsoft.com/AssignedAccess/201810/config.

Warning

The assigned access feature is intended for corporate-owned fixed-purpose devices, similar kiosks. When the multi-app assigned access configuration is applied on the device, sure policies are enforced system-wide, and will touch on other users on the device. Deleting the kiosk configuration volition remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Showtime layout). A manufactory reset is needed to clear all the policies enforced via assigned access.

You lot can configure multi-app kiosks using Microsoft Intune or a provisioning parcel.

Configure a kiosk in Microsoft Intune

To configure a kiosk in Microsoft Intune, run into:

• Windows client and Windows Holographic for Business device settings to run as a defended kiosk using Intune
• Windows client device settings to run as a kiosk in Intune

Configure a kiosk using a provisioning bundle

Process:

1. Create XML file
2. Add XML file to provisioning bundle
3. Apply provisioning package to device

Watch how to utilize a provisioning package to configure a multi-app kiosk.

If you don't desire to use a provisioning parcel, you tin deploy the configuration XML file using mobile device management (MDM), or you can configure assigned access using the MDM Bridge WMI Provider.

Prerequisites

• Windows Configuration Designer (Windows 10, version 1709 or later)
• The kiosk device must be running Windows 10 (Due south, Pro, Enterprise, or Didactics), version 1709 or later

Note

For devices running versions of Windows 10 earlier than version 1709, you lot can create AppLocker rules to configure a multi-app kiosk.

Create XML file

Permit's start past looking at the basic structure of the XML file.

• A configuration xml can ascertain multiple profiles. Each profile has a unique Id and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout.

• A configuration xml can have multiple config sections. Each config section associates a non-admin user business relationship to a default profile Id.

• Multiple config sections can be associated to the same profile.

• A profile has no issue if information technology'southward not associated to a config section.

  

You lot can showtime your file by pasting the following XML (or whatsoever other examples in this topic) into a XML editor, and saving the file equally filename.xml. Each section of this XML is explained in this topic. You tin meet a full sample version in the Assigned access XML reference.

                  <?xml version="1.0" encoding="utf-8" ?> <AssignedAccessConfiguration     xmlns="https://schemas.microsoft.com/AssignedAccess/2017/config"     xmlns:rs5="https://schemas.microsoft.com/AssignedAccess/201810/config"     >     <Profiles>         <Profile Id="">             <AllAppsList>                 <AllowedApps/>             </AllAppsList>             <StartLayout/>             <Taskbar/>         </Profile>     </Profiles>     <Configs>         <Config>             <Account/>             <DefaultProfile Id=""/>         </Config>     </Configs> </AssignedAccessConfiguration>                                  

Profile

There are two types of profiles that you can specify in the XML:

• Lockdown profile: Users assigned a lockdown contour will see the desktop in tablet fashion with the specific apps on the Start screen.
• Kiosk profile: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the AssignedAccess CSP. Users assigned a kiosk profile will not come across the desktop, but only the kiosk app running in full-screen mode.

A lockdown profile department in the XML has the following entries:

• Id

• AllowedApps

• FileExplorerNamespaceRestrictions

• StartLayout

• Taskbar

A kiosk profile in the XML has the post-obit entries:

• Id

• KioskModeApp

Id

The contour Id is a GUID attribute to uniquely identify the profile. Yous tin can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.

                  <Profiles>   <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">…</Contour> </Profiles>                                  

AllowedApps

AllowedApps is a list of applications that are immune to run. Apps can exist Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, y'all can configure a single app in the AllowedApps list to run automatically when the assigned access user account signs in.

• For UWP apps, you lot demand to provide the App User Model ID (AUMID). Learn how to get the AUMID, or get the AUMID from the Start Layout XML.
• For desktop apps, you need to specify the full path of the executable, which can contain ane or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
• If an app has a dependency on some other app, both must be included in the immune apps list. For example, Internet Explorer 64-bit has a dependency on Net Explorer 32-bit, so yous must allow both "C:\Program Files\cyberspace explorer\iexplore.exe" and "C:\Program Files (x86)\Cyberspace Explorer\iexplore.exe".
• To configure a single app to launch automatically when the user signs in, include rs5:AutoLaunch="true" after the AUMID or path. Y'all can also include arguments to exist passed to the app. For an instance, encounter the AllowedApps sample XML.

When the multi-app kiosk configuration is applied to a device, AppLocker rules volition be generated to permit the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for UWP apps:

1. Default rule is to permit all users to launch the signed package apps.

2. The bundle app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny listing. This list will exclude the default allowed inbox parcel apps which are disquisitional for the arrangement to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If at that place are multiple apps within the same parcel, all these apps volition be excluded. This deny list will be used to forbid the user from accessing the apps which are currently bachelor for the user but not in the immune list.

   Notation

   Y'all cannot manage AppLocker rules that are generated past the multi-app kiosk configuration in MMC snap-ins. Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration.

   Multi-app kiosk mode doesn't block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the electric current assigned admission user session, this app will not exist in the deny list. When the user signs out and signs in again, the app will exist included in the deny list. If this is an enterprise-deployed line-of-business concern app and you want to allow it to run, update the assigned access configuration to include information technology in the allowed app list.

Here are the predefined assigned access AppLocker rules for desktop apps:

1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in guild for the system to boot and part. The dominion as well allows the admin user group to launch all desktop programs.
2. There is a predefined inbox desktop app deny list for the assigned admission user account, and this deny list is adjusted based on the desktop app permit list that yous defined in the multi-app configuration.
3. Enterprise-divers allowed desktop apps are added in the AppLocker let listing.

The following instance allows Groove Music, Movies & Telly, Photos, Weather, Figurer, Pigment, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file chosen 123.text when the user signs in.

                    <AllAppsList>         <AllowedApps>           <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />           <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />           <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />           <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />           <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />           <App DesktopAppPath="%windir%\system32\mspaint.exe" />           <App DesktopAppPath="C:\Windows\System32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="123.txt">         </AllowedApps> </AllAppsList>                                      

FileExplorerNamespaceRestrictions

Starting in Windows 10 version 1809, you lot can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including FileExplorerNamespaceRestrictions in your XML file. Currently, Downloads is the only binder supported. This can also be prepare using Microsoft Intune.

The post-obit example shows how to permit user access to the Downloads folder in the common file dialog box.

Tip

To grant access to the Downloads folder through File Explorer, add "Explorer.exe" to the list of allowed apps, and pin a file explorer shortcut to the kiosk beginning bill of fare.

                    <?xml version="1.0" encoding="utf-viii" ?> <AssignedAccessConfiguration     xmlns="https://schemas.microsoft.com/AssignedAccess/2017/config"     xmlns:rs5="https://schemas.microsoft.com/AssignedAccess/201810/config" >     <Profiles>         <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">             <AllAppsList>                 <AllowedApps>                     ...                 </AllowedApps>             </AllAppsList>             <rs5:FileExplorerNamespaceRestrictions>                 <rs5:AllowedNamespace Name="Downloads"/>             </rs5:FileExplorerNamespaceRestrictions>             <StartLayout>                 ...             </StartLayout>             <Taskbar ShowTaskbar="truthful"/>         </Contour>     </Profiles> </AssignedAccessConfiguration>                                      

FileExplorerNamespaceRestriction has been extended in current Windows ten Prerelease for effectively granularity and easier use, see in the Assigned access XML reference. for full samples. The changes volition let IT Admin to configure if user can access Downloads folder, Removable drives, or no restriction at all by using certain new elements. Notation that FileExplorerNamesapceRestrictions and AllowedNamespace:Downloads are available in namespace https://schemas.microsoft.com/AssignedAccess/201810/config, AllowRemovableDrives and NoRestriction are defined in a new namespace https://schemas.microsoft.com/AssignedAccess/2020/config.

• When FileExplorerNamespaceRestrictions node is not used, or used only left empty, user will not be able to access whatsoever folder in common dialog (e.chiliad. Save Equally in Microsoft Border browser).
• When Downloads is mentioned in allowed namespace, user volition exist able to access Downloads folder.
• When AllowRemovableDrives is used, user volition be to admission removable drives.
• When NoRestriction is used, no brake volition be practical to the dialog.
• AllowRemovableDrives and AllowedNamespace:Downloads can be used at the same time.

StartLayout

Later on you define the list of allowed applications, you lot can customize the Start layout for your kiosk experience. You can choose to pin all the immune apps on the Start screen or merely a subset, depending on whether you want the end user to directly access them on the First screen.

The easiest manner to create a customized Starting time layout to apply to other Windows client devices is to fix the Start screen on a exam device and then export the layout. For detailed steps, encounter Customize and export Kickoff layout.

A few things to annotation here:

• The test device on which you customize the Outset layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration.
• Since the multi-app assigned access feel is intended for fixed-purpose devices, to ensure the device experiences are consistent and anticipated, use the full Start layout choice instead of the fractional Start layout.
• There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the <CustomTaskbarLayoutCollection> tag in a layout modification XML as role of the assigned access configuration.
• The post-obit instance uses DesktopApplicationLinkPath to pin the desktop app to start. When the desktop app doesn't have a shortcut link on the target device, learn how to provision .lnk files using Windows Configuration Designer.

This instance pins Groove Music, Movies & TV, Photos, Weather, Calculator, Pigment, and Notepad apps on Start.

                    <StartLayout>         <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="https://schemas.microsoft.com/Kickoff/2014/FullDefaultLayout" xmlns:first="https://schemas.microsoft.com/Starting time/2014/StartLayout" Version="1" xmlns="httsp://schemas.microsoft.com/Showtime/2014/LayoutModification">                       <LayoutOptions StartTileGroupCellWidth="6" />                       <DefaultLayoutOverride>                         <StartLayoutCollection>                           <defaultlayout:StartLayout GroupCellWidth="vi">                             <offset:Group Proper noun="Group1">                               <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />                               <start:Tile Size="2x2" Cavalcade="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />                               <start:Tile Size="2x2" Column="four" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />                               <start:Tile Size="2x2" Cavalcade="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />                               <starting time:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />                             </outset:Group>                             <start:Group Proper noun="Group2">                               <start:DesktopApplicationTile Size="2x2" Cavalcade="two" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />                               <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Beginning Card\Programs\Accessories\Notepad.lnk" />                             </beginning:Group>                           </defaultlayout:StartLayout>                         </StartLayoutCollection>                       </DefaultLayoutOverride>                     </LayoutModificationTemplate>                 ]]> </StartLayout>                                      

Note

If an app isn't installed for the user, simply is included in the Start layout XML, the app isn't shown on the Start screen.

Taskbar

Define whether you lot want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don't adhere a keyboard and mouse, y'all tin hibernate the taskbar equally part of the multi-app experience if you want.

The following example exposes the taskbar to the finish user:

                    <Taskbar ShowTaskbar="true"/>                                      

The following example hides the taskbar:

                    <Taskbar ShowTaskbar="false"/>                                      

Note

This is dissimilar from the Automatically hide the taskbar pick in tablet fashion, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting ShowTaskbar equally false will always proceed the taskbar hidden.

KioskModeApp

KioskModeApp is used for a kiosk profile just. Enter the AUMID for a single app. You can only specify 1 kiosk profile in the XML.

                    <KioskModeApp AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"/>                                      

Important

The kiosk profile is designed for public-facing kiosk devices. We recommend that y'all use a local, non-administrator account. If the device is connected to your visitor network, using a domain or Azure Agile Directory account could potentially compromise confidential data.

Configs

Under Configs, ascertain which user account will exist associated with the profile. When this user account signs in on the device, the associated assigned admission profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device direction (MDM) policies set as part of the multi-app feel.

The total multi-app assigned access experience can only work for non-admin users. It's not supported to associate an admin user with the assigned access contour; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in.

Y'all can assign:

• A local standard user account that signs in automatically (Applies to Windows 10, version 1803 only)
• An private account, which can be local, domain, or Azure Active Directory (Azure AD)
• A grouping account, which can be local, Agile Directory (domain), or Azure AD (Applies to Windows 10, version 1803 just).

Notation

Configs that specify group accounts cannot utilize a kiosk profile, merely a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the asking.

Config for AutoLogon Business relationship

When you use <AutoLogonAccount> and the configuration is practical to a device, the specified account (managed by Assigned Admission) is created on the device as a local standard user account. The specified account is signed in automatically after restart.

The following instance shows how to specify an business relationship to sign in automatically.

                    <Configs>   <Config>     <AutoLogonAccount/>     <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>   </Config> </Configs>                                      

Starting with Windows x version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Business relationship that shows the name "How-do-you-do World".

                    <Configs>   <Config>     <AutoLogonAccount rs5:DisplayName="Howdy World"/>     <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>   </Config> </Configs>                                      

On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To testify the AutoLogonAccount on the sign-in screen, enable the following Group Policy setting: Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers. (The corresponding MDM policy setting is WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP.)

Important

When Commutation Active Sync (EAS) password restrictions are active on the device, the autologon feature does non work. This behavior is by design. For more informations, encounter How to turn on automated logon in Windows.

Config for individual accounts

Individual accounts are specified using <Business relationship>.

• Local account can be entered as machinename\account or .\account or simply account.
• Domain account should be entered equally domain\account.
• Azure Advert account must be specified in this format: AzureAD\{e-mail address}. AzureAD must be provided AS IS (consider it's a stock-still domain proper noun), and then follow with the Azure AD email address, east.yard. AzureAD\someone@contoso.onmicrosoft.com.

Alarm

Assigned admission can exist configured via WMI or CSP to run its applications under a domain user or service business relationship, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access awarding might proceeds access to sensitive domain resource that take been inadvertently left accessible to whatever domain account. We recommend that customers proceed with caution when using domain accounts with assigned admission, and consider the domain resources potentially exposed past the decision to exercise and so.

Before applying the multi-app configuration, make certain the specified user business relationship is bachelor on the device, otherwise it will neglect.

Note

For both domain and Azure AD accounts, it's non required that target account is explicitly added to the device. As long equally the device is Advertizement-joined or Azure AD-joined, the business relationship tin exist discovered in the domain woods or tenant that the device is joined to. For local accounts, it is required that the account exist earlier yous configure the business relationship for assigned access.

                    <Configs>   <Config>     <Account>MultiAppKioskUser</Account>     <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>   </Config> </Configs>                                      

Config for grouping accounts

Group accounts are specified using <UserGroup>. Nested groups are not supported. For instance, if user A is member of Group ane, Grouping 1 is member of Grouping ii, and Group ii is used in <Config/>, user A will not take the kiosk feel.

• Local group: Specify the group type equally LocalGroup and put the group name in Name aspect. Whatever Azure AD accounts that are added to the local grouping will not have the kiosk settings applied.

                          <Config>   <UserGroup Blazon="LocalGroup" Name="mygroup" />   <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> </Config>                                              

• Domain group: Both security and distribution groups are supported. Specify the group type as ActiveDirectoryGroup. Use the domain proper noun equally the prefix in the proper noun attribute.

                          <Config>   <UserGroup Blazon="ActiveDirectoryGroup" Name="mydomain\mygroup" />   <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> </Config>                                              

• Azure Advertisement group: Employ the group object ID from the Azure portal to uniquely place the group in the Name attribute. You lot can find the object ID on the overview page for the group in Users and groups > All groups. Specify the group blazon as AzureActiveDirectoryGroup. The kiosk device must accept cyberspace connectivity when users that vest to the group sign in.

                          <Config>   <UserGroup Type="AzureActiveDirectoryGroup" Name="a8d36e43-4180-4ac5-a627-fb8149bba1ac" />   <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> </Config>                                              

  Note

  If an Azure AD group is configured with a lockdown profile on a device, a user in the Azure AD grouping must change their countersign (subsequently the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user volition exist immediately signed out.

[Preview] Global Contour

Global profile is added in Windows ten. There are times when It Admin wants to everyone who logging into a specific devices are assigned access users, even there is no dedicated profile for that user, or there are times that Assigned Access could not identify a profile for the user and a fallback contour is wished to use. Global Profile is designed for these scenarios.

Usage is demonstrated below, by using the new xml namespace and specify GlobalProfile from that namespace. When GlobalProfile is configured, a non-admin business relationship logs in, if this user does not have designated contour in Assigned Admission, or Assigned Access fails to make up one's mind a profile for electric current user, global profile will exist applied for the user.

Note:

1. GlobalProfile tin can only be multi-app contour
2. Only one GlobalProfile tin can be used in i AssignedAccess Configuration Xml
3. GlobalProfile can be used as the only config, or it tin exist used amidst with regular user or group Config.

                      <?xml version="1.0" encoding="utf-8" ?> <AssignedAccessConfiguration     xmlns="https://schemas.microsoft.com/AssignedAccess/2017/config"     xmlns:v2="https://schemas.microsoft.com/AssignedAccess/201810/config"     xmlns:v3="https://schemas.microsoft.com/AssignedAccess/2020/config" >     <Profiles>         <Contour Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">             <AllAppsList>                 <AllowedApps>                     <App AppUserModelId="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe!Microsoft.Microsoft3DViewer" v2:AutoLaunch="true" v2:AutoLaunchArguments="123"/>                     <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />                     <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />                     <App DesktopAppPath="%SystemRoot%\system32\notepad.exe" />                 </AllowedApps>             </AllAppsList>             <StartLayout>                 <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="https://schemas.microsoft.com/Offset/2014/FullDefaultLayout" xmlns:start="https://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="https://schemas.microsoft.com/Start/2014/LayoutModification">                       <LayoutOptions StartTileGroupCellWidth="6" />                       <DefaultLayoutOverride>                         <StartLayoutCollection>                           <defaultlayout:StartLayout GroupCellWidth="vi">                             <starting time:Group Proper noun="Life at a glance">                               <showtime:Tile Size="2x2" Column="0" Row="0" AppUserModelID="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowsLive.calendar" />                               <start:Tile Size="4x2" Cavalcade="0" Row="iv" AppUserModelID="Microsoft.WindowsStore_8wekyb3d8bbwe!App" />                               <!-- A link file is required for desktop applications to show on offset layout, the link file can be placed nether                                    "%AllUsersProfile%\Microsoft\Windows\Showtime Menu\Programs" if the link file is shared for all users or                                    "%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only                                     see document https://docs.microsoft.com/windows/configuration/starting time-layout-xml-desktop                               -->                               <!-- for inbox desktop applications, a link file might already be and can be used directly -->                               <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Starting time Menu\Programs\Accessories\paint.lnk" />                               <!-- for tertiary party desktop application, identify the link file under appropriate folder -->                               <start:DesktopApplicationTile Size="2x2" Column="four" Row="0" DesktopApplicationLinkPath="%AppData%\Microsoft\Windows\Start Menu\Programs\MyLOB.lnk" />                             </kickoff:Group>                           </defaultlayout:StartLayout>                         </StartLayoutCollection>                       </DefaultLayoutOverride>                     </LayoutModificationTemplate>                 ]]>             </StartLayout>             <Taskbar ShowTaskbar="truthful"/>         </Profile>     </Profiles>     <Configs>         <v3:GlobalProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>     </Configs> </AssignedAccessConfiguration>                                          

Add together XML file to provisioning package

Before yous add together the XML file to a provisioning package, you can validate your configuration XML against the XSD.

Use the Windows Configuration Designer tool to create a provisioning parcel. Learn how to install Windows Configuration Designer.

Important

When you build a provisioning package, you lot may include sensitive information in the project files and in the provisioning packet (.ppkg) file. Although y'all have the option to encrypt the .ppkg file, project files are not encrypted. You should store the projection files in a secure location and delete the project files when they are no longer needed.

1. Open Windows Configuration Designer (by default, %systemdrive%\Program Files (x86)\Windows Kits\ten\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).

2. Cull Advanced provisioning.

3. Name your project, and click Next.

4. Cull All Windows desktop editions and click Next.

5. On New project, click Stop. The workspace for your package opens.

6. Aggrandize Runtime settings > AssignedAccess > MultiAppAssignedAccessSettings.

7. In the eye pane, click Browse to locate and select the assigned access configuration XML file that you created.

   

8. (Optional: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this stride.) Create an admin user account in Runtime settings > Accounts > Users. Provide a UserName and Countersign, and select UserGroup equally Administrators. With this account, you can view the provisioning status and logs if needed.

9. (Optional: If you already accept a non-admin account on the kiosk device, skip this stride.) Create a local standard user business relationship in Runtime settings > Accounts > Users. Make sure the UserName is the same as the account that you specify in the configuration XML. Select UserGroup as Standard Users.

10. On the File menu, select Save.

11. On the Export menu, select Provisioning package.

12. Change Owner to IT Admin, which volition prepare the precedence of this provisioning parcel college than provisioning packages applied to this device from other sources, and and so select Next.

13. Optional. In the Provisioning package security window, you can choose to encrypt the package and enable package signing.

    • Enable parcel encryption - If you select this choice, an auto-generated password volition be shown on the screen.

    • Enable package signing - If you select this option, you must select a valid document to use for signing the package. You can specify the certificate past clicking Browse and choosing the certificate yous desire to utilise to sign the package.

14. Click Adjacent to specify the output location where y'all want the provisioning package to become when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.

    Optionally, you can click Browse to modify the default output location.

15. Click Adjacent.

16. Click Build to start building the package. The provisioning bundle doesn't accept long to build. The project data is displayed in the build page and the progress bar indicates the build condition.

    If you need to cancel the build, click Cancel. This cancels the electric current build process, closes the wizard, and takes you dorsum to the Customizations Folio.

17. If your build fails, an mistake message will show up that includes a link to the project binder. You lot tin can scan the logs to decide what caused the error. Once yous fix the event, effort building the bundle again.

    If your build is successful, the proper noun of the provisioning bundle, output directory, and projection directory will be shown.

    • If you choose, you can build the provisioning packet again and pick a unlike path for the output package. To do this, click Dorsum to change the output packet name and path, and then click Next to start some other build.
    • If you lot are done, click Stop to close the wizard and go dorsum to the Customizations Page.

18. Copy the provisioning package to the root directory of a USB bulldoze.

Apply provisioning parcel to device

Provisioning packages tin can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").

Tip

In improver to the methods below, you lot tin can employ the PowerShell comdlet install-provisioningpackage with -LogsDirectoryPath to become logs for the operation.

During initial setup, from a USB drive

1. Outset with a computer on the get-go-run setup screen. If the PC has gone by this screen, reset the PC to start over. To reset the PC, become to Settings > Update & security > Recovery > Reset this PC.

   

2. Insert the USB drive. Windows Setup volition recognize the drive and enquire if you want to fix up the device. Select Prepare.

   

3. The next screen asks you to select a provisioning source. Select Removable Media and tap Next.

   

4. Select the provisioning package (*.ppkg) that you desire to apply, and tap Next.

   

5. Select Yeah, add information technology.

   

After setup, from a USB drive, network binder, or SharePoint site

1. Sign in with an admin account.
2. Insert the USB bulldoze to a desktop figurer, navigate to Settings > Accounts > Access work or school > Add together or remove a provisioning package > Add a package, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.

Note

if your provisioning parcel doesn't include the assigned admission user account creation, make certain the business relationship you specified in the multi-app configuration XML exists on the device.

Use MDM to deploy the multi-app configuration

Multi-app kiosk mode is enabled by the AssignedAccess configuration service provider (CSP). Your MDM policy can contain the assigned admission configuration XML.

If your device is enrolled with a MDM server which supports applying the assigned access configuration, y'all can use it to apply the setting remotely.

The OMA-URI for multi-app policy is ./Device/Vendor/MSFT/AssignedAccess/Configuration.

Considerations for Windows Mixed Reality immersive headsets

With the appearance of mixed reality devices (video link), you might want to create a kiosk that can run mixed reality apps.

To create a multi-app kiosk that can run mixed reality apps, you must include the following apps in the AllowedApps listing:

                        <App AppUserModelId="MixedRealityLearning_cw5n1h2txyewy!MixedRealityLearning" /> <App AppUserModelId="HoloShell_cw5n1h2txyewy!HoloShell" /> <App AppUserModelId="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy!App" /> <App AppUserModelId="Microsoft.MixedReality.Portal_8wekyb3d8bbwe!App" />                                              

These are in addition to any mixed reality apps that yous let.

Before your kiosk user signs in: An admin user must sign in to the PC, connect a mixed reality device, and complete the guided setup for the Mixed Reality Portal. The first time that the Mixed Reality Portal is set up, some files and content are downloaded. A kiosk user would not have permissions to download and and so their setup of the Mixed Reality Portal would fail.

After the admin has completed setup, the kiosk account tin can sign in and repeat the setup. The admin user may want to consummate the kiosk user setup earlier providing the PC to employees or customers.

There is a deviation between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the Mixed Reality home. The Mixed Reality home is a shell that runs in "silent" fashion when the PC is configured every bit a kiosk. When a kiosk user connects a mixed reality device, they will see only a blank display in the device, and will not take access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Commencement screen.

Policies set by multi-app kiosk configuration

It is not recommended to set up policies enforced in assigned admission multi-app mode to dissimilar values using other channels, equally the multi-app mode has been optimized to provide a locked-downward experience.

When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-broad, and volition touch on other users on the device.

Grouping Policy

The following local policies bear upon all non-ambassador users on the system, regardless whether the user is configured as an assigned access user or non. This includes local users, domain users, and Azure Agile Directory users.

Setting	Value
Remove admission to the context menus for the chore bar	Enabled
Articulate history of recently opened documents on leave	Enabled
Foreclose users from customizing their Start Screen	Enabled
Preclude users from uninstalling applications from Start	Enabled
Remove All Programs listing from the Start menu	Enabled
Remove Run bill of fare from Start Carte	Enabled
Disable showing balloon notifications as toast	Enabled
Practice not allow pinning items in Jump Lists	Enabled
Do not allow pinning programs to the Taskbar	Enabled
Do not display or track items in Spring Lists from remote locations	Enabled
Remove Notifications and Action Heart	Enabled
Lock all taskbar settings	Enabled
Lock the Taskbar	Enabled
Prevent users from adding or removing toolbars	Enabled
Prevent users from resizing the taskbar	Enabled
Remove frequent programs list from the Beginning Bill of fare	Enabled
Remove 'Map Network Drive' and 'Disconnect Network Drive'	Enabled
Remove the Security and Maintenance icon	Enabled
Turn off all balloon notifications	Enabled
Plough off feature advertizing airship notifications	Enabled
Turn off toast notifications	Enabled
Remove Task Managing director	Enabled
Remove Alter Countersign pick in Security Options UI	Enabled
Remove Sign Out option in Security Options UI	Enabled
Remove All Programs listing from the Starting time Menu	Enabled – Remove and disable setting
Prevent access to drives from My Computer	Enabled - Restrict all drivers

Note

When Foreclose access to drives from My Computer is enabled, users can browse the directory structure in File Explorer, simply they cannot open folders and access the contents. Also, they cannot employ the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. The icons representing the specified drives withal appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not preclude users from using programs to admission local and network drives. Information technology does non foreclose users from using the Deejay Management snap-in to view and change drive characteristics.

MDM policy

Some of the MDM policies based on the Policy configuration service provider (CSP) affect all users on the system (i.e. system-broad).

Setting	Value	System-wide
Experience/AllowCortana	0 - Non allowed	Yes
Start/AllowPinnedFolderDocuments	0 - Shortcut is hidden and disables the setting in the Settings app	Yes
Beginning/AllowPinnedFolderDownloads	0 - Shortcut is subconscious and disables the setting in the Settings app	Yes
Start/AllowPinnedFolderFileExplorer	0 - Shortcut is hidden and disables the setting in the Settings app	Aye
Start/AllowPinnedFolderHomeGroup	0 - Shortcut is hidden and disables the setting in the Settings app	Yeah
Offset/AllowPinnedFolderMusic	0 - Shortcut is hidden and disables the setting in the Settings app	Yes
Start/AllowPinnedFolderNetwork	0 - Shortcut is hidden and disables the setting in the Settings app	Yes
Start/AllowPinnedFolderPersonalFolder	0 - Shortcut is subconscious and disables the setting in the Settings app	Aye
Get-go/AllowPinnedFolderPictures	0 - Shortcut is subconscious and disables the setting in the Settings app	Yes
Commencement/AllowPinnedFolderSettings	0 - Shortcut is hidden and disables the setting in the Settings app	Yes
Start/AllowPinnedFolderVideos	0 - Shortcut is subconscious and disables the setting in the Settings app	Aye
Beginning/DisableContextMenus	1 - Context menus are hidden for Start apps	No
Start/HidePeopleBar	ane - True (hibernate)	No
Start/HideChangeAccountSettings	i - True (hide)	Yes
WindowsInkWorkspace/AllowWindowsInkWorkspace	0 - Access to ink workspace is disabled and the feature is turned off	Yeah
Start/StartLayout	Configuration dependent	No
WindowsLogon/DontDisplayNetworkSelectionUI	<Enabled/>	Yes

Provision .lnk files using Windows Configuration Designer

Commencement, create your desktop app's shortcut file past installing the app on a test device, using the default installation location. Right-click the installed application, and choose Send to > Desktop (create shortcut). Rename the shortcut to <appName>.lnk

Side by side, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install.

                          msiexec /I "<appName>.msi" /qn /norestart copy <appName>.lnk "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\<appName>.lnk"                                                  

In Windows Configuration Designer, under ProvisioningCommands > DeviceContext:

• Under CommandFiles, upload your batch file, your .lnk file, and your desktop app installation file.

  Of import

  Paste the total file path to the .lnk file in the CommandFiles field. If you browse to and select the .lnk file, the file path will exist changed to the path of the target of the .lnk.

• Nether CommandLine, enter cmd /c *FileName*.bat.

Other methods

Environments that utilise WMI can utilize the MDM Span WMI Provider to configure a kiosk.

vanleuvenwaallovar.blogspot.com

Source: https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps