Assigned Access policy settings
When the Assigned Access configuration is applied on a device, certain policy settings and AppLocker rules are enforced, impacting the users accessing the device. The policy settings use a combination of configuration service provider (CSP) and group policy (GPO) settings.
This reference article lists the policy settings and AppLocker rules applied by Assigned Access.
Note
It's not recommended to configure policy settings enforced by Assigned Access to different values using other channels. Assigned Access is optimized to provide a locked-down experience.
Device policy settings
The following policy settings are applied at the device level when you deploy a restricted user experience. Any user accessing the device is subject to the policy settings, including administrator accounts:
| Type | Path | Name/Description |
|---|---|---|
| CSP | ./Vendor/MSFT/Policy/Config/Experience/AllowCortana |
Disable Cortana |
| CSP | ./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderDocuments |
Disable Start documents icon |
| CSP | ./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderDownloads |
Disable Start downloads icon |
| CSP | ./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderFileExplorer |
Disable Start file explorer icon |
| CSP | ./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderHomeGroup |
Disable Start home group icon |
| CSP | ./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderMusic |
Disable Start music icon |
| CSP | ./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderNetwork |
Disable Start network icon |
| CSP | ./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderPersonalFolder |
Disable Start personal folder icon |
| CSP | ./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderPictures |
Disable Start pictures icon |
| CSP | ./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderSettings |
Disable Start settings icon |
| CSP | ./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderVideos |
Disable Start videos icon |
| CSP | ./Vendor/MSFT/Policy/Config/Start/HideChangeAccountSettings |
Hide Change account settings from appearing in the user tile |
| CSP | ./Vendor/MSFT/Policy/Config/Update/SetAutoRestartNotificationDisable |
Hides all update notifications |
| CSP | ./Vendor/MSFT/Policy/Config/Update/UpdateNotificationLevel |
Disables auto restart notifications for updates |
| CSP | ./Vendor/MSFT/Policy/Config/WindowsInkWorkspace/AllowWindowsInkWorkspace |
Access to ink workspace is disabled |
| CSP | ./Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI |
Hide networks UI on the logon screen, as well as on "security options" UI |
User policy settings
The following policy settings are applied to any nonadministrator account when you deploy a restricted user experience:
| Type | Path | Name/Description |
|---|---|---|
| CSP | ./User/Vendor/MSFT/Policy/Config/Start/DisableContextMenus |
Disable Context Menu for Start menu apps |
| CSP | ./User/Vendor/MSFT/Policy/Config/Start/HidePeopleBar |
Hide People Bar from appearing on taskbar |
| CSP | ./User/Vendor/MSFT/Policy/Config/Start/HideRecentlyAddedApps |
Hide recently added apps from appearing on the Start menu |
| CSP | ./User/Vendor/MSFT/Policy/Config/Start/HideRecentJumplists |
Hide recent jumplists from appearing on the Start menu/taskbar |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Clear history of recently opened documents on exit |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Disable showing balloon notifications as toast |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not allow pinning items in Jump Lists |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not allow pinning programs to the Taskbar |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not display or track items in Jump Lists from remote locations |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Hide and disable all items on the desktop |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Hide the Task View button |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Lock all taskbar settings |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Lock the Taskbar |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from adding or removing toolbars |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from customizing their Start Screen |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from moving taskbar to another screen dock location |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from rearranging toolbars |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from resizing the taskbar |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from uninstalling applications from Start |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove access to the context menus for the task bar |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove All Programs list from the Start menu |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Control Center |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove frequent programs list from the Start Menu |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Notification and Action Center |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Quick Settings |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Run menu from Start Menu |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove the Security and Maintenance icon |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Turn off all balloon notifications |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar | Turn off feature advertisement balloon notifications |
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications | Turn off toast notifications |
| GPO | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Change Password |
| GPO | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Logoff |
| GPO | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Task Manager |
| GPO | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove Map network drive and Disconnect Network Drive |
| GPO | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove File Explorer's default context menu |
The following policy settings are applied to the kiosk account when you configure a kiosk experience with Microsoft Edge:
| Type | Path | Name/Description |
|---|---|---|
| GPO | User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications | Run only specified Windows applications > msedge.exe |
| GPO | User Configuration\Administrative Templates\System | Turn off toast notifications |
| GPO | User Configuration\Administrative Templates\Windows Components\Attachment Manager | Default risk level for file attachments > High risk |
| GPO | User Configuration\Administrative Templates\Windows Components\Attachment Manager | Inclusion list for low file types > .pdf;.epub |
| GPO | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove File Explorer's default context menu |
AppLocker rules
When you deploy an Assigned Access restricted user experience, AppLocker rules are generated to allow the apps that are listed in the configuration. Here are the predefined Assigned Access AppLocker rules:
Universal Windows Platform (UWP) app rules
- The default rule is to allow all users to launch the signed packaged apps
- The packaged app deny list is generated at runtime when the Assigned Access user signs in:
- Based on the installed apps available for the user account, Assigned Access generates the deny list. The list excludes the default allowed inbox packaged apps, which are critical for the system to function, and then exclude the allowed packages that are defined in the Assigned Access configuration
- If there are multiple apps within the same package, all the apps are excluded
The deny list is used to prevent the user from accessing the apps, which are currently available for the user but not in the allowed list
Note
You can't manage AppLocker rules that are generated by the restricted user experience in MMC snap-ins. Avoid creating AppLocker rules that conflict with AppLocker rules generated by Assigned Access.
Assigned access doesn't prevent the organization or users from installing UWP apps. When a new UWP app is installed during an Assigned Access session, the app isn't in the deny list. When the user signs out and signs in again, the installed app is included in the deny list. For apps deployed centrally that you want to allow, like line-of-biness apps, update the Assigned Access configuration and include the apps in the allow app list.
Desktop app rules
- The default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
- There's a predefined inbox desktop app deny list for the Assigned Access user account, which is updated based on the desktop app allow list that you defined in the Assigned Access configuration
- Enterprise-defined allowed desktop apps are added in the AppLocker allow list
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for