AssignedAccess CSP
The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
- For a step-by-step guide for setting up devices to run in kiosk mode, see Set up a single-app kiosk on Windows 10/11.
- For a step-by-step guide for configuring multi-app kiosks, see Create a Windows 10 kiosk that runs multiple apps.
Important
The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709, it is supported in Windows 10 Pro and Windows 10 S. Starting from Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.
Warning
You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
Note
If the application calls KeyCredentialManager.IsSupportedAsync when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select an appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again.
The following list shows the AssignedAccess configuration service provider nodes:
- ./Vendor/MSFT/AssignedAccess
Configuration
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Vendor/MSFT/AssignedAccess/Configuration
This node accepts an AssignedAccessConfiguration xml as input.
The input XML specifies the settings that you can configure in the kiosk or device.
In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
In Windows 10, version 1909, Microsoft Edge kiosk mode support was added. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see Configure a Windows 10 kiosk that runs Microsoft Edge. Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. An example breakout sequence would look something like shift+alt+a, where shift and alt are the modifiers and a is the key.
In Windows 11, version 22H2 with KB5026446, AssignedAccessConfiguration schema was updated to add StartPins and TaskbarLayout nodes to support pinning apps to the Start Menu and Taskbar respectively.
- For more information about setting up a multi-app kiosk, see Create a Windows 10 kiosk that runs multiple apps.
- For more information on the schema, see AssignedAccessConfiguration XSD.
- For examples, see AssignedAccessConfiguration examples.
Note
Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, Start Layout).
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Examples:
For more examples, see AssignedAccessConfiguration examples.
Get Configuration
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncBody> <Get> <CmdID>2</CmdID> <Item> <Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/Configuration</LocURI> </Target> </Item> </Get> <Final /> </SyncBody> </SyncML>Delete Configuration
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncBody> <Delete> <CmdID>2</CmdID> <Item> <Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/Configuration</LocURI> </Target> </Item> </Delete> <Final /> </SyncBody> </SyncML>
KioskModeApp
Note
This policy is deprecated and may be removed in a future release.
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Vendor/MSFT/AssignedAccess/KioskModeApp
This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app.
Example: {"User":"domain\\user", "AUMID":"Microsoft. WindowsCalculator_8wekyb3d8bbwe!App"}.
When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.
This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same.
Tip
In the above example the double \\ is required because it's in JSON and JSON escapes \\ into \. If an MDM server uses JSON parser\composer, they should ask customers to type only one \, which will be \\ in the JSON. If user types \\, it'll become \\\\ in JSON, which will cause erroneous results. For the same reason, domain\user used in Configuration xml does not need \\ but only one \, because xml does not (need to) escape \.
This applies to both domain\user, AzureAD\someone@contoso.onmicrosoft.com, as long as a \ is used in JSON string.
- For more information about how to get the AUMID, see Find the Application User Model ID of an installed app.
- For more information about single-app kiosk, see Set up a single-app kiosk on Windows 10/11.
Important
- In Windows 10, version 1803, the Configuration node introduced single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in configuration xml for Configuration node to configure public-facing single app Kiosk.
- Additionally, starting in Windows 10, version 1803, the KioskModeApp node becomes No-Op if Configuration node is configured on the device. Add/Replace/Delete commands on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it's not effective.
- You can't set both KioskModeApp and ShellLauncher at the same time on the device.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Examples:
Add KioskModeApp
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncBody> <Add> <CmdID>2</CmdID> <Item> <Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI> </Target> <Meta> <Format xmlns="syncml:metinf">chr</Format> </Meta> <Data>{"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}</Data> </Item> </Add> <Final /> </SyncBody> </SyncML>Delete KioskModeApp
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncBody> <Delete> <CmdID>2</CmdID> <Item> <Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI> </Target> </Item> </Delete> <Final /> </SyncBody> </SyncML>Get KioskModeApp
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncBody> <Get> <CmdID>2</CmdID> <Item> <Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI> </Target> </Item> </Get> <Final /> </SyncBody> </SyncML>Replace KioskModeApp
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncBody> <Replace> <CmdID>2</CmdID> <Item> <Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI> </Target> <Meta> <Format xmlns="syncml:metinf">chr</Format> </Meta> <Data>{"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsAlarms_8wekyb3d8bbwe!App"}</Data> </Item> </Replace> <Final /> </SyncBody> </SyncML>
ShellLauncher
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1803 [10.0.17134] and later |
./Vendor/MSFT/AssignedAccess/ShellLauncher
This node accepts a ShellLauncherConfiguration xml as input.
In Windows 10, version 1903, Shell Launcher V2 was introduced to support both UWP and Win32 apps as the custom shell.
For more information, see Shell Launcher.
Important
You can't set both ShellLauncher and KioskModeApp at the same time on the device.
Note
Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature, if it is available within the SKU.
Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function. The ShellLauncher node is not supported in Windows 10 Pro.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
ShellLauncherConfiguration XSD:
Note
Shell Launcher V2 uses a separate XSD and namespace for backward compatibility. The original V1 XSD has a reference to the V2 XSD.
Shell Launcher V1 XSD
<?xml version="1.0" encoding="utf-8"?> <xs:schema elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration" xmlns:default="http://schemas.microsoft.com/ShellLauncher/2018/Configuration" xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration" targetNamespace="http://schemas.microsoft.com/ShellLauncher/2018/Configuration" > <xs:import namespace="http://schemas.microsoft.com/ShellLauncher/2019/Configuration"/> <xs:complexType name="profile_list_t"> <xs:sequence minOccurs="1" maxOccurs="1"> <xs:choice minOccurs="1" maxOccurs="1"> <xs:element name="DefaultProfile" type="default_profile_t"/> <xs:element name="Profile" type="profile_t"/> </xs:choice> <xs:element name="Profile" type="profile_t" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <xs:complexType name="default_profile_t"> <xs:sequence minOccurs="1" maxOccurs="1"> <xs:element name="Shell" type="default_shell_t" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType> <xs:complexType name="default_shell_t"> <xs:sequence minOccurs="1" maxOccurs="1"> <xs:element name="DefaultAction" type="default_action_t" minOccurs="0" maxOccurs="1"/> </xs:sequence> <xs:attribute name="Shell" type="xs:string" use="required"/> <xs:attribute ref="V2:AppType"/> <xs:attribute ref="V2:AllAppsFullScreen"/> </xs:complexType> <xs:complexType name="custom_shell_t"> <xs:all minOccurs="1" maxOccurs="1"> <xs:element name="ReturnCodeActions" type="return_code_action_list_t" minOccurs="0" maxOccurs="1"> <xs:unique name="ForbidDuplicatedReturnCodes"> <xs:selector xpath="default:ReturnCodeAction"/> <xs:field xpath="@ReturnCode"/> </xs:unique> </xs:element> <xs:element name="DefaultAction" type="default_action_t" minOccurs="0" maxOccurs="1"/> </xs:all> <xs:attribute name="Shell" type="xs:string" /> <xs:attribute ref="V2:AppType"/> <xs:attribute ref="V2:AllAppsFullScreen"/> </xs:complexType> <xs:complexType name="default_action_t"> <xs:attribute name="Action" type="system_action_t" use="required"/> </xs:complexType> <xs:simpleType name="system_action_t"> <xs:restriction base="xs:string"> <xs:enumeration value="RestartShell" /> <xs:enumeration value="RestartDevice" /> <xs:enumeration value="ShutdownDevice" /> <xs:enumeration value="DoNothing" /> </xs:restriction> </xs:simpleType> <xs:complexType name="profile_t"> <xs:sequence minOccurs="1" maxOccurs="1"> <xs:element name="Shell" type="custom_shell_t" minOccurs="1" maxOccurs="1"/> </xs:sequence> <xs:attribute name="Id" type="guid_t" use="required"/> <xs:attribute name="Name" type="xs:string" use="optional"/> </xs:complexType> <xs:simpleType name="guid_t"> <xs:restriction base="xs:string"> <xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/> </xs:restriction> </xs:simpleType> <xs:complexType name="return_code_action_list_t"> <xs:sequence minOccurs="1" maxOccurs="1"> <xs:element name="ReturnCodeAction" type="return_code_action_t" minOccurs="1" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <xs:complexType name="return_code_action_t"> <xs:attribute name="ReturnCode" type="xs:integer" use="required"/> <xs:attribute name="Action" type="system_action_t" use="required"/> </xs:complexType> <xs:complexType name="config_list_t"> <xs:sequence minOccurs="1" maxOccurs="1"> <xs:element name="Config" type="config_t" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <xs:complexType name="config_t"> <xs:sequence minOccurs="1" maxOccurs="1"> <xs:choice minOccurs="1" maxOccurs="1"> <xs:element name="Account" type="account_t" minOccurs="1" maxOccurs="1"> <xs:key name="mutexNameOrSID"> <xs:selector xpath="."/> <xs:field xpath="@Name|@Sid"/> </xs:key> </xs:element> <xs:element name="AutoLogonAccount" type="autologon_account_t" minOccurs="1" maxOccurs="1"/> </xs:choice> <xs:element name="Profile" type="profile_id_t" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType> <xs:complexType name="account_t"> <xs:attribute name="Name" type="xs:string" use="optional"/> <xs:attribute name="Sid" type="xs:string" use="optional"/> </xs:complexType> <xs:complexType name="autologon_account_t"> <xs:attribute name="HiddenId" type="guid_t" fixed="{50021E57-1CE4-49DF-99A9-8DB659E2C2DD}"/> </xs:complexType> <xs:complexType name="profile_id_t"> <xs:attribute name="Id" type="guid_t" use="required"/> </xs:complexType> <!--below is the definition of the config xml content--> <xs:element name="ShellLauncherConfiguration"> <xs:complexType> <xs:sequence minOccurs="1" maxOccurs="1"> <xs:element name="Profiles" type="profile_list_t" minOccurs="1" maxOccurs="1"> <xs:unique name="ForbidDuplicatedProfiles"> <xs:selector xpath="default:Profile"/> <xs:field xpath="@Id"/> </xs:unique> </xs:element> <xs:element name="Configs" type="config_list_t" minOccurs="0" maxOccurs="1"> <xs:unique name="ForbidDuplicatedConfigs_Name"> <xs:selector xpath="default:Config/default:Account"/> <xs:field xpath="@Name"/> </xs:unique> <xs:unique name="ForbidDuplicatedConfigs_Sid"> <xs:selector xpath="default:Config/default:Account"/> <xs:field xpath="@Sid"/> </xs:unique> <xs:unique name="ForbidDuplicatedAutoLogonAccount"> <xs:selector xpath="default:Config/default:AutoLogonAccount"/> <xs:field xpath="@HiddenId"/> </xs:unique> </xs:element> </xs:sequence> </xs:complexType> </xs:element> </xs:schema>Shell Launcher V2 XSD
<?xml version="1.0" encoding="utf-8"?> <xs:schema elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/ShellLauncher/2019/Configuration" xmlns:default="http://schemas.microsoft.com/ShellLauncher/2019/Configuration" targetNamespace="http://schemas.microsoft.com/ShellLauncher/2019/Configuration" > <xs:attribute name="AppType"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="UWP"/> <xs:enumeration value="Desktop"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="AllAppsFullScreen" type="xs:boolean"/> </xs:schema>
Examples:
Add
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncBody> <Add> <CmdID>2</CmdID> <Item> <Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/ShellLauncher</LocURI> </Target> <Meta> <Format xmlns="syncml:metinf">chr</Format> </Meta> <Data> <![CDATA[ <?xml version="1.0" encoding="utf-8"?> <ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"> <Profiles> <!--default profile defines default shell and action for general purposes, should NOT be bound to any account--> <DefaultProfile> <Shell Shell="%SystemRoot%\explorer.exe"> <!--DefaultAction is optional; if not defined, the pre-defined default action is "restart shell"--> <DefaultAction Action="RestartShell"/> </Shell> </DefaultProfile> <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}"> <Shell Shell="%ProgramFiles%\Internet Explorer\iexplore.exe -k www.bing.com"> <!--ReturnCodeActions is optional, when none is provided, will always execute default action--> <ReturnCodeActions> <ReturnCodeAction ReturnCode="0" Action="RestartShell"/> <ReturnCodeAction ReturnCode="-1" Action="RestartDevice"/> <ReturnCodeAction ReturnCode="255" Action="ShutdownDevice"/> </ReturnCodeActions> <!--restart device after shell exits, if its return code does not match any of the above--> <DefaultAction Action="RestartDevice"/> </Shell> </Profile> <Profile Id="{24A73092-4F3F-44CC-8375-53F13FE213F7}"> <Shell Shell="%SystemRoot%\System32\cmd.exe"/> <!--DefaultAction is optional, if none is supplied, will use DefaultAction defined in DefaultProfile--> </Profile> </Profiles> <Configs> <Config> <!--AutoLogon account--> <AutoLogonAccount/> <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}"/> </Config> <Config> <!--BUILTIN\Administrators SID--> <Account Sid="S-1-5-32-544"/> <Profile Id="{24A73092-4F3F-44CC-8375-53F13FE213F7}"/> </Config> <Config> <!--local account--> <Account Name="sluser1"/> <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}"/> </Config> </Configs> </ShellLauncherConfiguration> ]]> </Data> </Item> </Add> <Final /> </SyncBody> </SyncML>Add AutoLogon
This function creates an auto-logon account on your behalf. It's a standard user with no password. The auto-logon account is managed by AssignedAccessCSP, so the account name isn't exposed.
Note
The auto-logon function is designed to be used after OOBE with provisioning packages.
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncBody> <Add> <CmdID>2</CmdID> <Item> <Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/ShellLauncher</LocURI> </Target> <Meta> <Format xmlns="syncml:metinf">chr</Format> </Meta> <Data> <![CDATA[ <?xml version="1.0" encoding="utf-8"?> <ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"> <Profiles> <DefaultProfile> <Shell Shell="%SystemRoot%\explorer.exe"/> </DefaultProfile> <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}"> <Shell Shell="%ProgramFiles%\Internet Explorer\iexplore.exe -k www.bing.com"> <ReturnCodeActions> <ReturnCodeAction ReturnCode="0" Action="RestartShell"/> <ReturnCodeAction ReturnCode="-1" Action="RestartDevice"/> <ReturnCodeAction ReturnCode="255" Action="ShutdownDevice"/> </ReturnCodeActions> <DefaultAction Action="RestartDevice"/> </Shell> </Profile> </Profiles> <Configs> <Config> <AutoLogonAccount/> <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}"/> </Config> </Configs> </ShellLauncherConfiguration> ]]> </Data> </Item> </Add> <Final /> </SyncBody> </SyncML>V2 Add
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncBody> <Add> <CmdID>2</CmdID> <Item> <Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/ShellLauncher</LocURI> </Target> <Meta> <Format xmlns="syncml:metinf">chr</Format> </Meta> <Data> <![CDATA[ <?xml version="1.0" encoding="utf-8"?> <!--Using the http://schemas.microsoft.com/ShellLauncher/2019/Configuration namespace will opt-in to customshellhost.exe experience which can run win32 and UWP apps--> <ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration" xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration"> <Profiles> <DefaultProfile> <Shell Shell="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" V2:AppType="UWP" V2:AllAppsFullScreen="true"> <!--DefaultAction is optional; if not defined, the pre-defined default action is "restart shell"--> <DefaultAction Action="RestartShell"/> </Shell> </DefaultProfile> <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}"> <Shell Shell="%SystemRoot%\System32\notepad.exe" V2:AllAppsFullScreen="true"> <ReturnCodeActions> <ReturnCodeAction ReturnCode="0" Action="RestartShell"/> <ReturnCodeAction ReturnCode="-1" Action="RestartDevice"/> <ReturnCodeAction ReturnCode="255" Action="ShutdownDevice"/> <ReturnCodeAction ReturnCode="1" Action="DoNothing"/> </ReturnCodeActions> <DefaultAction Action="RestartShell"/> </Shell> </Profile> </Profiles> <Configs> <Config> <Account Name="sluser1"/> <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}"/> </Config> </Configs> </ShellLauncherConfiguration> ]]> </Data> </Item> </Add> <Final /> </SyncBody> </SyncML>Get
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncBody> <Get> <CmdID>2</CmdID> <Item> <Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/ShellLauncher</LocURI> </Target> </Item> </Get> <Final /> </SyncBody> </SyncML>
Status
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1803 [10.0.17134] and later |
./Vendor/MSFT/AssignedAccess/Status
This read only node contains kiosk health event xml.
This allows MDM server to query the current KioskModeAppRuntimeStatus as long as the StatusConfiguration node is set to "On" or "OnWithAlerts". If the StatusConfiguration is "Off", a "node not found" error will be reported to the MDM server.
Starting in Windows 10, version 1809, Assigned Access runtime status supports monitoring single-app kiosk and multi-app modes. Here are the possible status codes:
| Status Code | Status | Description |
|---|---|---|
| 0 | Unknown | Unknown status. |
| 1 | Running | The AssignedAccess account (kiosk or multi-app) is running normally. |
| 2 | AppNotFound | The kiosk app isn't deployed to the machine. |
| 3 | ActivationFailed | The AssignedAccess account (kiosk or multi-app) failed to sign in. |
| 4 | AppNoResponse | The kiosk app launched successfully but is now unresponsive. |
Additionally, the Status payload includes the following fields:
- profileId: It can be used by the MDM server to correlate which account caused the error.
- OperationList: It gives the list of failed operations that occurred while applying the assigned access CSP, if any exist.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Get |
AssignedAccessAlert XSD:
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/2018/AssignedAccessAlert"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2018/AssignedAccessAlert"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2018/AssignedAccessAlert"
>
<xs:simpleType name="status_t">
<xs:restriction base="xs:int">
<xs:enumeration value="0"/> <!-- Unknown -->
<xs:enumeration value="1"/> <!-- Running -->
<xs:enumeration value="2"/> <!-- AppNotFound -->
<xs:enumeration value="3"/> <!-- ActivationFailed -->
<xs:enumeration value="4"/> <!-- AppNoResponse -->
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="operation_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="errorCode" type="xs:int" minOccurs="1" maxOccurs="1"/>
<xs:element name="data" type="xs:string" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="operationlist_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Operation" type="operation_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="event_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="status" type="status_t" minOccurs="1" maxOccurs="1"/>
<xs:element name="profileId" type="guid_t" minOccurs="1" maxOccurs="1"/>
<xs:element name="errorCode" type="xs:int" minOccurs="0" maxOccurs="1"/>
<xs:element name="OperationList" type="operationlist_t" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
<xs:attribute name="Name" type="xs:string" use="required"/>
</xs:complexType>
<xs:element name="Events">
<xs:complexType>
<xs:choice minOccurs="1" maxOccurs="1">
<xs:element name="Event" type="event_t" minOccurs="1" maxOccurs="1"/>
</xs:choice>
</xs:complexType>
</xs:element>
</xs:schema>
Example:
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/Status</LocURI>
</Target>
</Item>
</Get>
<Final />
</SyncBody>
</SyncML>
StatusConfiguration
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1803 [10.0.17134] and later |
./Vendor/MSFT/AssignedAccess/StatusConfiguration
This node accepts a StatusConfiguration xml as input.
There are three possible values for StatusEnabled node inside StatusConfiguration xml:
- On
- OnWithAlerts
- Off
By default, the StatusConfiguration node doesn't exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node. Optionally, the MDM server can opt in to the MDM alert so that an MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node. This MDM alert header is defined as follows:
- MDMAlertMark:
Critical - MDMAlertType:
com.microsoft.mdm.assignedaccess.status - MDMAlertDataType:
string - Source:
./Vendor/MSFT/AssignedAccess - Target:
N/A
Note
MDM alert are only sent for errors.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
StatusConfiguration XSD:
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/2018/StatusConfiguration"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2018/StatusConfiguration"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2018/StatusConfiguration"
>
<xs:simpleType name="status_enabled_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Off"/>
<xs:enumeration value="On"/>
<xs:enumeration value="OnWithAlerts"/>
</xs:restriction>
</xs:simpleType>
<!--below is the definition of the config xml content-->
<xs:element name="StatusConfiguration">
<xs:complexType>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="StatusEnabled" type="status_enabled_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Examples:
Add StatusConfiguration with StatusEnabled set to OnWithAlerts
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncBody> <Add> <CmdID>2</CmdID> <Item> <Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration</LocURI> </Target> <Meta> <Format xmlns="syncml:metinf">chr</Format> </Meta> <Data> <![CDATA[ <?xml version="1.0" encoding="utf-8" ?> <StatusConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2018/StatusConfiguration"> <StatusEnabled>OnWithAlerts</StatusEnabled> </StatusConfiguration> ]]> </Data> </Item> </Add> <Final /> </SyncBody> </SyncML>Delete StatusConfiguration
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncBody> <Delete> <CmdID>2</CmdID> <Item> <Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration</LocURI> </Target> </Item> </Delete> <Final /> </SyncBody> </SyncML>Get StatusConfiguration
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncBody> <Get> <CmdID>2</CmdID> <Item> <Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration</LocURI> </Target> </Item> </Get> <Final /> </SyncBody> </SyncML>Replace StatusEnabled value with On
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncBody> <Replace> <CmdID>2</CmdID> <Item> <Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration</LocURI> </Target> <Meta> <Format xmlns="syncml:metinf">chr</Format> </Meta> <Data> <![CDATA[ <?xml version="1.0" encoding="utf-8" ?> <StatusConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2018/StatusConfiguration"> <StatusEnabled>On</StatusEnabled> </StatusConfiguration> ]]> </Data> </Item> </Replace> <Final /> </SyncBody> </SyncML>
AssignedAccessConfiguration XSD
Schema for AssignedAccessConfiguration.
<?xml version="1.0" encoding="utf-8"?> <xs:schema elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config" xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config" targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config" > <xs:import namespace="http://schemas.microsoft.com/AssignedAccess/201810/config"/> <xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2020/config"/> <xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2021/config"/> <xs:complexType name="profile_list_t"> <xs:sequence minOccurs="1" > <xs:element name="Profile" type="profile_t" minOccurs="1" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <xs:complexType name="kioskmodeapp_t"> <xs:attribute name="AppUserModelId" type="xs:string"/> <xs:attributeGroup ref="ClassicApp_attributeGroup"/> </xs:complexType> <xs:attributeGroup name="ClassicApp_attributeGroup"> <xs:attribute ref="v4:ClassicAppPath"/> <xs:attribute ref="v4:ClassicAppArguments" use="optional"/> </xs:attributeGroup> <xs:complexType name="profile_t"> <xs:choice> <xs:sequence minOccurs="1" maxOccurs="1"> <xs:element name="AllAppsList" type="allappslist_t" minOccurs="1" maxOccurs="1"/> <xs:element ref="rs5:FileExplorerNamespaceRestrictions" minOccurs="0" maxOccurs="1"/> <xs:element name="StartLayout" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element ref="v5:StartPins" minOccurs="0" maxOccurs="1"/> <xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/> <xs:element ref="v5:TaskbarLayout" minOccurs="0" maxOccurs="1"/> </xs:sequence> <xs:sequence minOccurs="1" maxOccurs="1"> <xs:element name="KioskModeApp" type="kioskmodeapp_t" minOccurs="1" maxOccurs="1"> <xs:key name="mutualExclusionAumidOrClassicAppPath"> <xs:selector xpath="."/> <xs:field xpath="@AppUserModelId|@v4:ClassicAppPath"/> </xs:key> <xs:unique name="mutualExclusionAumidOrClassicAppArgumentsOptional"> <xs:selector xpath="."/> <xs:field xpath="@AppUserModelId|@v4:ClassicAppArguments"/> </xs:unique> </xs:element> <xs:element ref="v4:BreakoutSequence" minOccurs="0" maxOccurs="1"/> </xs:sequence> </xs:choice> <xs:attribute name="Id" type="guid_t" use="required"/> <xs:attribute name="Name" type="xs:string" use="optional"/> </xs:complexType> <xs:complexType name="allappslist_t"> <xs:sequence minOccurs="1" > <xs:element name="AllowedApps" type="allowedapps_t" minOccurs="1" maxOccurs="1"> <xs:unique name="ForbidDupApps"> <xs:selector xpath="default:App"/> <xs:field xpath="@AppUserModelId|@DesktopAppPath"/> </xs:unique> <xs:unique name="OnlyOneAppCanHaveAutoLaunch"> <xs:selector xpath="default:App"/> <xs:field xpath="@rs5:AutoLaunch"/> </xs:unique> </xs:element> </xs:sequence> </xs:complexType> <xs:complexType name="allowedapps_t"> <xs:sequence minOccurs="1" maxOccurs="1"> <xs:element name="App" type="app_t" minOccurs="1" maxOccurs="unbounded"> <xs:key name="mutexAumidOrDesktopApp"> <xs:selector xpath="."/> <xs:field xpath="@AppUserModelId|@DesktopAppPath"/> </xs:key> </xs:element> </xs:sequence> </xs:complexType> <xs:complexType name="app_t"> <xs:attribute name="AppUserModelId" type="xs:string"/> <xs:attribute name="DesktopAppPath" type="xs:string"/> <xs:attributeGroup ref="autoLaunch_attributeGroup"/> </xs:complexType> <xs:attributeGroup name="autoLaunch_attributeGroup"> <xs:attribute ref="rs5:AutoLaunch"/> <xs:attribute ref="rs5:AutoLaunchArguments" use="optional"/> </xs:attributeGroup> <xs:complexType name="taskbar_t"> <xs:attribute name="ShowTaskbar" type="xs:boolean" use="required"/> </xs:complexType> <xs:complexType name="profileId_t"> <xs:attribute name="Id" type="guid_t" use="required"/> </xs:complexType> <xs:simpleType name="guid_t"> <xs:restriction base="xs:string"> <xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/> </xs:restriction> </xs:simpleType> <xs:complexType name="config_list_t"> <xs:sequence minOccurs="1" > <xs:element ref="v3:GlobalProfile" minOccurs="0" maxOccurs="1"/> <xs:element name="Config" type="config_t" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <xs:complexType name="config_t"> <xs:sequence minOccurs="1" maxOccurs="1"> <xs:choice> <xs:element name="Account" type="xs:string" minOccurs="1" maxOccurs="1"/> <xs:element name="AutoLogonAccount" type="autologon_account_t" minOccurs="1" maxOccurs="1"/> <xs:element name="UserGroup" type="group_t" minOccurs="1" maxOccurs="1"/> <xs:element name="SpecialGroup" type="specialGroup_t" minOccurs="1" maxOccurs="1" /> </xs:choice> <xs:element name="DefaultProfile" type="profileId_t" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType> <xs:complexType name="autologon_account_t"> <xs:attribute name="HiddenId" type="guid_t" fixed="{74331115-F68A-4DF9-8D2C-52BA2CE2ADB1}"/> <xs:attribute ref="rs5:DisplayName" use="optional" /> </xs:complexType> <xs:complexType name="group_t"> <xs:attribute name="Name" type="xs:string" use="required"/> <xs:attribute name="Type" type="groupType_t" use="required"/> </xs:complexType> <xs:complexType name="specialGroup_t"> <xs:attribute name="Name" type="specialGroupType_t" use="required"/> </xs:complexType> <xs:simpleType name="groupType_t"> <xs:restriction base="xs:string"> <xs:enumeration value="LocalGroup"/> <xs:enumeration value="ActiveDirectoryGroup"/> <xs:enumeration value="AzureActiveDirectoryGroup"/> </xs:restriction> </xs:simpleType> <xs:simpleType name="specialGroupType_t"> <xs:restriction base="xs:string"> <xs:enumeration value="Visitor"/> <xs:enumeration value="DeviceOwner"/> </xs:restriction> </xs:simpleType> <xs:complexType name="fileExplorerNamespaceRestrictions_t"> <xs:sequence minOccurs="1"> <xs:element name="AllowedNamespace" type="allowedFileExplorerNamespace_t"/> </xs:sequence> </xs:complexType> <xs:complexType name="allowedFileExplorerNamespace_t"> <xs:attribute name="Name" type="allowedFileExplorerNamespaceValues_t"/> </xs:complexType> <xs:simpleType name="allowedFileExplorerNamespaceValues_t"> <xs:restriction base="xs:string"> <xs:enumeration value="Downloads"/> </xs:restriction> </xs:simpleType> <!--below is the definition of the config xml content--> <xs:element name="AssignedAccessConfiguration"> <xs:complexType> <xs:all minOccurs="1"> <xs:element name="Profiles" type="profile_list_t"> <xs:unique name="duplicateRolesForbidden"> <xs:selector xpath="default:Profile"/> <xs:field xpath="@Id"/> </xs:unique> </xs:element> <xs:element name="Configs" type="config_list_t"> <xs:unique name="duplicateAutoLogonAccountForbidden"> <xs:selector xpath=".//default:AutoLogonAccount"/> <xs:field xpath="@HiddenId"/> </xs:unique> </xs:element> </xs:all> </xs:complexType> </xs:element> </xs:schema>);Schema for features introduced in Windows 10, version 1809 which added support for Microsoft Edge kiosk mode and breakout key sequence customization.
<?xml version="1.0" encoding="utf-8"?> <xs:schema elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning" vc:minVersion="1.1" xmlns="http://schemas.microsoft.com/AssignedAccess/2021/config" xmlns:default="http://schemas.microsoft.com/AssignedAccess/2021/config" targetNamespace="http://schemas.microsoft.com/AssignedAccess/2021/config" > <xs:attribute name="ClassicAppPath" type="xs:string"/> <xs:attribute name="ClassicAppArguments" type="xs:string"/> <xs:element name="BreakoutSequence" type="BreakoutSequence_t" /> <xs:complexType name="BreakoutSequence_t"> <xs:attribute name="Key" type="xs:string" use="required"/> </xs:complexType> </xs:schema>Schema for new features introduced in Windows 10 1809 release.
<?xml version="1.0" encoding="utf-8"?> <xs:schema elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:default="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" targetNamespace="http://schemas.microsoft.com/AssignedAccess/201810/config" > <xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2020/config"/> <xs:complexType name="fileExplorerNamespaceRestrictions_t"> <xs:choice> <xs:sequence minOccurs="0"> <xs:element name="AllowedNamespace" type="allowedFileExplorerNamespace_t" minOccurs="0"/> <xs:element ref="v3:AllowRemovableDrives" minOccurs="0" maxOccurs="1"/> </xs:sequence> <xs:element ref="v3:NoRestriction" minOccurs="0" maxOccurs="1" /> </xs:choice> </xs:complexType> <xs:complexType name="allowedFileExplorerNamespace_t"> <xs:attribute name="Name" type="allowedFileExplorerNamespaceValues_t" use="required"/> </xs:complexType> <xs:simpleType name="allowedFileExplorerNamespaceValues_t"> <xs:restriction base="xs:string"> <xs:enumeration value="Downloads"/> </xs:restriction> </xs:simpleType> <xs:element name="FileExplorerNamespaceRestrictions" type="fileExplorerNamespaceRestrictions_t" /> <xs:attribute name="AutoLaunch" type="xs:boolean"/> <xs:attribute name="AutoLaunchArguments" type="xs:string"/> <xs:attribute name="DisplayName" type="xs:string"/> </xs:schema>Schema for Windows 10 prerelease.
<?xml version="1.0" encoding="utf-8"?> <xs:schema elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/AssignedAccess/2020/config" xmlns:default="http://schemas.microsoft.com/AssignedAccess/2020/config" xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning" vc:minVersion="1.1" targetNamespace="http://schemas.microsoft.com/AssignedAccess/2020/config" > <xs:simpleType name="guid_t"> <xs:restriction base="xs:string"> <xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/> </xs:restriction> </xs:simpleType> <xs:complexType name="globalProfile_t"> <xs:attribute name="Id" type="guid_t" /> </xs:complexType> <xs:element name="AllowRemovableDrives"/> <xs:element name="NoRestriction" /> <xs:element name="GlobalProfile" type="globalProfile_t" /> </xs:schema>
AssignedAccessConfiguration examples
Note
To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature that was added in the 1809 release, use the below sample. Notice an alias r1809 is given to the 201810 namespace for the 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:r1809="http://schemas.microsoft.com/AssignedAccess/201810/config"
>
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App DesktopAppPath="%SystemRoot%\system32\notepad.exe" r1809:AutoLaunch="true" r1809:AutoLaunchArguments="1.txt"/>
...
</AssignedAccessConfiguration>
Example XML configuration for a multi-app kiosk for Windows 11, version 22H2 with KB5026446.
Note
This example demonstrates the use of StartPins and TaskbarLayout elements. For more information, see Set up a multi-app kiosk on Windows 11 devices.
- StartPins element is used to pin apps to the Start menu and uses the pinnedList JSON format.
- TaskbarLayout element is used to pin apps to the taskbar and uses the TaskbarLayoutModification XML format.
<?xml version="1.0" encoding="utf-8" ?> <AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:v2="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config"> <Profiles> <Profile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}"> <AllAppsList> <AllowedApps> <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!BCHost" /> <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!ContentProcess" /> <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!F12" /> <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" /> <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!PdfReader" /> <App DesktopAppPath="%SystemRoot%\system32\notepad.exe" /> <App DesktopAppPath="%SystemRoot%\system32\control.exe" /> <App DesktopAppPath="%SystemRoot%\system32\cmd.exe" /> <App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" /> <App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge_proxy.exe" /> <App AppUserModelId="Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App" /> <App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\103.0.1264.62\identity_helper.exe" /> </AllowedApps> </AllAppsList> <v2:FileExplorerNamespaceRestrictions> <v3:NoRestriction /> </v2:FileExplorerNamespaceRestrictions> <StartLayout> <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> <LayoutOptions StartTileGroupCellWidth="6" /> <DefaultLayoutOverride> <StartLayoutCollection> <defaultlayout:StartLayout GroupCellWidth="6"> <start:Group Name="Life at a glance"> <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" /> <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AppData%\Microsoft\Windows\Start Menu\Programs\Accessories\notepad.lnk" /> <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%SystemRoot%\system32\cmd.exe" /> <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%SystemRoot%\system32\control.exe" /> </start:Group> </defaultlayout:StartLayout> </StartLayoutCollection> </DefaultLayoutOverride> </LayoutModificationTemplate>]]> </StartLayout> <v5:StartPins> <![CDATA[{ "pinnedList": [ { "desktopAppId": "MSEdge" }, { "desktopAppId": "Microsoft.Office.WINWORD.EXE.15" }, { "packagedAppId": "Microsoft.WindowsStore_8wekyb3d8bbwe!App" }, { "packagedAppId": "Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" }, { "desktopAppLink": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk" }, { "desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk" } ] }]]> </v5:StartPins> <Taskbar ShowTaskbar="true"/> <v5:TaskbarLayout> <![CDATA[<LayoutModificationTemplate xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout" Version="1"> <CustomTaskbarLayoutCollection PinListPlacement="Replace"> <defaultlayout:TaskbarLayout> <taskbar:TaskbarPinList> <taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer" /> <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk" /> </taskbar:TaskbarPinList> </defaultlayout:TaskbarLayout> </CustomTaskbarLayoutCollection> </LayoutModificationTemplate>]]> </v5:TaskbarLayout> </Profile> </Profiles> <Configs> <Config> <Account>MultiAppKioskUser</Account> <DefaultProfile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}"/> </Config> </Configs> </AssignedAccessConfiguration>Example XML configuration for a multi-app kiosk for Windows 10.
<?xml version="1.0" encoding="utf-8" ?> <AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"> <Profiles> <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"> <AllAppsList> <AllowedApps> <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> <App DesktopAppPath="%windir%\system32\mspaint.exe" /> <App DesktopAppPath="C:\Windows\System32\notepad.exe" /> </AllowedApps> </AllAppsList> <StartLayout> <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> <LayoutOptions StartTileGroupCellWidth="6" /> <DefaultLayoutOverride> <StartLayoutCollection> <defaultlayout:StartLayout GroupCellWidth="6"> <start:Group Name="Group1"> <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> </start:Group> <start:Group Name="Group2"> <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" /> <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" /> </start:Group> </defaultlayout:StartLayout> </StartLayoutCollection> </DefaultLayoutOverride> </LayoutModificationTemplate> ]]> </StartLayout> <Taskbar ShowTaskbar="true"/> </Profile> </Profiles> <Configs> <Config> <Account>MultiAppKioskUser</Account> <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> </Config> </Configs> </AssignedAccessConfiguration>Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode.
<?xml version="1.0" encoding="utf-8" ?> <AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config" > <Profiles> <Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"> <KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" v4:ClassicAppArguments="--no-first-run --kiosk-idle-timeout-minutes=5 --kiosk www.bing.com"/> </Profile> </Profiles> <Configs> <Config> <Account>EdgeKioskUser</Account> <DefaultProfile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"/> </Config> </Configs> </AssignedAccessConfiguration>Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk.
Note
BreakoutSequence can be applied to any kiosk type, not just an Edge kiosk.
<?xml version="1.0" encoding="utf-8" ?> <AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config" > <Profiles> <Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"> <KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" v4:ClassicAppArguments="--no-first-run --kiosk-idle-timeout-minutes=5 --kiosk www.bing.com"/> <v4:BreakoutSequence Key="Ctrl+A"/> </Profile> </Profiles> <Configs> <Config> <Account>EdgeKioskUser</Account> <DefaultProfile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"/> </Config> </Configs> </AssignedAccessConfiguration>
Windows Holographic for Business edition example
This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see Configure HoloLens using a provisioning package.
<?xml version="1.0" encoding="utf-8" ?>
<!--
This is a sample Assigned Access XML file. The Profile specifies which apps are allowed
and their app IDs. An Assigned Access Config specifies the accounts or groups to which
a Profile is applicable.
!!! NOTE: Change the Account below to a user in the tenant being tested !!!
-->
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<!-- Learning app -->
<App AppUserModelId="GGVLearning_cw5n1h2txyewy!GGVLearning" />
<!-- Calibration app -->
<App AppUserModelId="ViewCalibrationApp_cw5n1h2txyewy!ViewCalibrationApp" />
<!-- Feedback Hub -->
<App AppUserModelId="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe!App" />
<!-- HoloSkype -->
<App AppUserModelId="Microsoft.SkypeApp_kzf8qxf38zg5c!App" />
</AllowedApps>
</AllAppsList>
<!-- This section is required for parity with Desktop Assigned Access. It is not currently used on HoloLens -->
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Life at a glance">
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.SkypeApp_kzf8qxf38zg5c!App" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]>
</StartLayout>
<!-- This section is required for parity with Desktop Assigned Access. It is not currently used on HoloLens -->
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<!-- IMPORTANT: Replace the account name here with an email address of the user you want to
be enabled for assigned access. The value in the Account node must begin with
AzureAD\ for AAD accounts. -->
<Config>
<Account>AzureAD\multiusertest@analogfre.onmicrosoft.com</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
Handling XML in Configuration
XML encoding (escaped) and CDATA of the XML in the Data node will both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle.
Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, you'll have nested CDATA, so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA.
Escape and CDATA are mechanisms used when handling xml in xml. Consider that it's a transportation channel to send the configuration xml as payload from server to client. It's transparent to both, the end user who configures the CSP and to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML.
This example shows escaped XML of the Data node.
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncBody> <Add> <CmdID>2</CmdID> <Item> <Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/Configuration</LocURI> </Target> <Meta> <Format xmlns="syncml:metinf">chr</Format> </Meta> <Data> <?xml version="1.0" encoding="utf-8" ?> <AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"> <Profiles> <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"> <AllAppsList> <AllowedApps> <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> <App DesktopAppPath="%windir%\system32\mspaint.exe" /> <App DesktopAppPath="C:\Windows\System32\notepad.exe" /> </AllowedApps> </AllAppsList> <StartLayout> <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> <LayoutOptions StartTileGroupCellWidth="6" /> <DefaultLayoutOverride> <StartLayoutCollection> <defaultlayout:StartLayout GroupCellWidth="6"> <start:Group Name="Group1"> <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> </start:Group> <start:Group Name="Group2"> <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" /> <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" /> </start:Group> </defaultlayout:StartLayout> </StartLayoutCollection> </DefaultLayoutOverride> </LayoutModificationTemplate> ]]> </StartLayout> <Taskbar ShowTaskbar="true"/> </Profile> </Profiles> <Configs> <Config> <Account>MultiAppKioskUser</Account> <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> </Config> </Configs> </AssignedAccessConfiguration> </Data> </Item> </Add> <Final /> </SyncBody> </SyncML>
This example shows CData for the XML.
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncBody> <Add> <CmdID>2</CmdID> <Item> <Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/Configuration</LocURI> </Target> <Meta> <Format xmlns="syncml:metinf">chr</Format> </Meta> <Data> <![CDATA[<?xml version="1.0" encoding="utf-8" ?> <AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"> <Profiles> <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"> <AllAppsList> <AllowedApps> <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> <App DesktopAppPath="%windir%\system32\mspaint.exe" /> <App DesktopAppPath="C:\Windows\System32\notepad.exe" /> </AllowedApps> </AllAppsList> <StartLayout> <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> <LayoutOptions StartTileGroupCellWidth="6" /> <DefaultLayoutOverride> <StartLayoutCollection> <defaultlayout:StartLayout GroupCellWidth="6"> <start:Group Name="Group1"> <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> </start:Group> <start:Group Name="Group2"> <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" /> <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" /> </start:Group> </defaultlayout:StartLayout> </StartLayoutCollection> </DefaultLayoutOverride> </LayoutModificationTemplate> ]]]]><![CDATA[> </StartLayout> <Taskbar ShowTaskbar="true"/> </Profile> </Profiles> <Configs> <Config> <Account>MultiAppKioskUser</Account> <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> </Config> </Configs> </AssignedAccessConfiguration> ]]> </Data> </Item> </Add> <Final /> </SyncBody> </SyncML>
Related articles
Feedback
Submit and view feedback for