빠른 시작: 할당된 액세스를 사용하여 제한된 사용자 환경 구성
이 빠른 시작에서는 Windows에서 제한된 사용자 환경을 구성하는 방법에 대한 실용적인 예제를 제공합니다. 이 예제에서는 Microsoft Intune, PPKG(프로비저닝 패키지) 및 PowerShell과 같은 MDM(모바일 디바이스 관리 솔루션)을 사용하는 단계를 설명합니다. 다른 솔루션이 사용되지만 구성 설정 및 결과는 동일합니다.
예제는 특정 요구 사항에 맞게 수정할 수 있습니다. 예를 들어 허용된 앱 목록에서 애플리케이션을 추가하거나 제거하거나 Windows에 자동으로 로그인하는 사용자의 이름을 변경할 수 있습니다.
필수 구성 요소
이 빠른 시작을 완료하기 위한 요구 사항 목록은 다음과 같습니다.
- Windows 디바이스
- MDM을 사용하여 설정을 구성하려는 경우 Microsoft Intune 또는 비 Microsoft MDM 솔루션
- 프로비저닝 패키지를 사용하여 설정을 구성하려는 경우 Windows 구성 디자이너
- Windows PowerShell을 사용하여 구성을 테스트하려는 경우 psexec 도구에 액세스
제한된 사용자 환경 구성
다음 지침에서는 디바이스를 구성하는 방법에 대한 세부 정보를 제공합니다. 요구 사항에 가장 적합한 옵션을 선택합니다.
Intune/CSP
PPKG
PowerShell팁
다음 Graph 호출을 사용하여 할당이나 범위 태그 없이 Microsoft Intune 테넌트에서 사용자 지정 정책을 자동으로 만듭니다.
이 호출을 사용하는 경우 Graph Explorer 창에서 테넌트 인증을 수행합니다. Graph Explorer를 처음 사용하는 경우 애플리케이션에 테넌트 액세스 권한을 부여하거나 기존 권한을 수정해야 할 수 있습니다. 이 그래프 호출에는 DeviceManagementConfiguration.ReadWrite.All 권한이 필요합니다.
POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
Content-Type: application/json
{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Restricted_User_Experience - Assigned Access - Windows 10", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<AssignedAccessConfiguration\n xmlns:xs=\"http://www.w3.org/2001/XMLSchema\"\n xmlns=\"http://schemas.microsoft.com/AssignedAccess/2017/config\"\n xmlns:default=\"http://schemas.microsoft.com/AssignedAccess/2017/config\"\n xmlns:rs5=\"http://schemas.microsoft.com/AssignedAccess/201810/config\"\n xmlns:v3=\"http://schemas.microsoft.com/AssignedAccess/2020/config\">\n <Profiles>\n <Profile Id=\"{9A2A490F-10F6-4764-974A-43B19E722C23}\">\n <AllAppsList>\n <AllowedApps>\n <App AppUserModelId=\"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\" />\n <App AppUserModelId=\"Microsoft.Windows.Photos_8wekyb3d8bbwe!App\" />\n <App AppUserModelId=\"Microsoft.BingWeather_8wekyb3d8bbwe!App\" />\n <App DesktopAppPath=\"C:\\Windows\\system32\\cmd.exe\" />\n <App DesktopAppPath=\"%windir%\\System32\\WindowsPowerShell\\v1.0\\Powershell.exe\" />\n <App DesktopAppPath=\"%windir%\\explorer.exe\" />\n <App AppUserModelId=\"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel\" />\n <App AppUserModelId=\"%ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe\" />\n </AllowedApps>\n </AllAppsList>\n <rs5:FileExplorerNamespaceRestrictions>\n <rs5:AllowedNamespace Name=\"Downloads\"/>\n <v3:AllowRemovableDrives/>\n </rs5:FileExplorerNamespaceRestrictions>\n <StartLayout>\n <![CDATA[\n <LayoutModificationTemplate xmlns:defaultlayout=\"http://schemas.microsoft.com/Start/2014/FullDefaultLayout\" xmlns:start=\"http://schemas.microsoft.com/Start/2014/StartLayout\" Version=\"1\" xmlns=\"http://schemas.microsoft.com/Start/2014/LayoutModification\">\n <LayoutOptions StartTileGroupCellWidth=\"6\" />\n <DefaultLayoutOverride>\n <StartLayoutCollection>\n <defaultlayout:StartLayout GroupCellWidth=\"6\">\n <start:Group Name=\"\">\n <start:Tile Size=\"2x2\" Column=\"0\" Row=\"4\" AppUserModelID=\"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel\" />\n <start:DesktopApplicationTile Size=\"2x2\" Column=\"2\" Row=\"4\" DesktopApplicationLinkPath=\"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk\" />\n <start:Tile Size=\"2x2\" Column=\"4\" Row=\"0\" AppUserModelID=\"Microsoft.BingWeather_8wekyb3d8bbwe!App\" />\n <start:DesktopApplicationTile Size=\"2x2\" Column=\"4\" Row=\"2\" DesktopApplicationLinkPath=\"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\File Explorer.lnk\" />\n <start:DesktopApplicationTile Size=\"2x2\" Column=\"2\" Row=\"2\" DesktopApplicationLinkPath=\"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk\" />\n <start:Tile Size=\"2x2\" Column=\"2\" Row=\"0\" AppUserModelID=\"Microsoft.Windows.Photos_8wekyb3d8bbwe!App\" />\n <start:Tile Size=\"2x2\" Column=\"0\" Row=\"0\" AppUserModelID=\"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\" />\n <start:DesktopApplicationTile Size=\"2x2\" Column=\"0\" Row=\"2\" DesktopApplicationLinkPath=\"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk\" />\n </start:Group>\n </defaultlayout:StartLayout>\n </StartLayoutCollection>\n </DefaultLayoutOverride>\n </LayoutModificationTemplate>\n ]]>\n </StartLayout>\n <Taskbar ShowTaskbar=\"true\"/>\n </Profile>\n </Profiles>\n <Configs>\n <Config>\n <AutoLogonAccount rs5:DisplayName=\"MS Learn Example\"/>\n <DefaultProfile Id=\"{9A2A490F-10F6-4764-974A-43B19E722C23}\"/>\n </Config>\n </Configs>\n</AssignedAccessConfiguration>" } ] }
POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
Content-Type: application/json
{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Restricted_User_Experience - Assigned Access - Windows 11", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<AssignedAccessConfiguration\n xmlns:xs=\"http://www.w3.org/2001/XMLSchema\"\n xmlns=\"http://schemas.microsoft.com/AssignedAccess/2017/config\"\n xmlns:default=\"http://schemas.microsoft.com/AssignedAccess/2017/config\"\n xmlns:rs5=\"http://schemas.microsoft.com/AssignedAccess/201810/config\"\n xmlns:v3=\"http://schemas.microsoft.com/AssignedAccess/2020/config\"\n xmlns:v5=\"http://schemas.microsoft.com/AssignedAccess/2022/config\">\n <Profiles>\n <Profile Id=\"{9A2A490F-10F6-4764-974A-43B19E722C23}\">\n <AllAppsList>\n <AllowedApps>\n <App AppUserModelId=\"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\" />\n <App AppUserModelId=\"Microsoft.Windows.Photos_8wekyb3d8bbwe!App\" />\n <App AppUserModelId=\"Microsoft.BingWeather_8wekyb3d8bbwe!App\" />\n <App DesktopAppPath=\"C:\\Windows\\system32\\cmd.exe\" />\n <App DesktopAppPath=\"%windir%\\System32\\WindowsPowerShell\\v1.0\\Powershell.exe\" />\n <App DesktopAppPath=\"%windir%\\explorer.exe\" />\n <App AppUserModelId=\"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel\" />\n <App AppUserModelId=\"%ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe\" />\n </AllowedApps>\n </AllAppsList>\n <rs5:FileExplorerNamespaceRestrictions>\n <rs5:AllowedNamespace Name=\"Downloads\"/>\n <v3:AllowRemovableDrives/>\n </rs5:FileExplorerNamespaceRestrictions>\n <v5:StartPins>\n <![CDATA[{\n \"pinnedList\":[\n {\"packagedAppId\":\"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\"},\n {\"packagedAppId\":\"Microsoft.Windows.Photos_8wekyb3d8bbwe!App\"},\n {\"packagedAppId\":\"Microsoft.BingWeather_8wekyb3d8bbwe!App\"},\n {\"desktopAppLink\":\"%APPDATA%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\System Tools\\\\Command Prompt.lnk\"},\n {\"desktopAppLink\":\"%APPDATA%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Windows PowerShell\\\\Windows PowerShell.lnk\"},\n {\"desktopAppLink\":\"%APPDATA%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\File Explorer.lnk\"},\n {\"packagedAppId\": \"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel\"},\n {\"desktopAppLink\": \"%ALLUSERSPROFILE%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Microsoft Edge.lnk\"}\n ]\n }]]>\n </v5:StartPins>\n <Taskbar ShowTaskbar=\"true\"/>\n </Profile>\n </Profiles>\n <Configs>\n <Config>\n <AutoLogonAccount rs5:DisplayName=\"MS Learn Example\"/>\n <DefaultProfile Id=\"{9A2A490F-10F6-4764-974A-43B19E722C23}\"/>\n </Config>\n </Configs>\n</AssignedAccessConfiguration>" } ] }
구성하려는 디바이스 또는 사용자를 구성원으로 포함하는 그룹에 정책을 할당합니다.
또는 AssignedAccess CSP를 사용하여 사용자 지정 정책을 사용하여 디바이스를 구성할 수 있습니다.
-
설정:
./Vendor/MSFT/AssignedAccess/Configuration - 값:
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App DesktopAppPath="C:\Windows\system32\cmd.exe" />
<App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<App AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
</AllowedApps>
</AllAppsList>
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads" />
<v3:AllowRemovableDrives />
</rs5:FileExplorerNamespaceRestrictions>
<StartLayout><![CDATA[
<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="">
<start:Tile Size="2x2" Column="0" Row="4" AppUserModelID="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<start:DesktopApplicationTile Size="2x2" Column="2" Row="4" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<start:DesktopApplicationTile Size="2x2" Column="4" Row="2" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
<start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk" />
<start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]></StartLayout>
<Taskbar ShowTaskbar="true" />
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="MS Learn Example" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}" />
</Config>
</Configs>
</AssignedAccessConfiguration>
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App DesktopAppPath="C:\Windows\system32\cmd.exe" />
<App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<App AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
</AllowedApps>
</AllAppsList>
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads" />
<v3:AllowRemovableDrives />
</rs5:FileExplorerNamespaceRestrictions>
<v5:StartPins><![CDATA[{
"pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.BingWeather_8wekyb3d8bbwe!App"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
{"packagedAppId": "windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"}
]
}]]></v5:StartPins>
<Taskbar ShowTaskbar="true" />
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="MS Learn Example" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}" />
</Config>
</Configs>
</AssignedAccessConfiguration>
사용자 환경
설정이 적용된 후 디바이스를 다시 부팅합니다. 로컬 사용자 계정은 시작 메뉴에 고정된 제한된 애플리케이션 집합에 액세스하여 자동으로 로그인됩니다.
다음 단계
할당된 액세스 및 이를 구성하는 방법에 대해 자세히 알아봅니다.