Set up a multi-app kiosk

Applies to

  • Windows 10 Pro, Enterprise, and Education

A kiosk device typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access.

The following table lists changes to multi-app kiosk in recent updates.

New features and improvements | In update

- Configure a single-app kiosk profile in your XML file
- Assign group accounts to a config profile
- Configure an account to sign in automatically
  In update: Windows 10, version 1803

- Explicitly allow some known folders when the user opens a file dialog box
- Automatically launch an app when the user signs in
- Configure a display name for the autologon account
  In update: Windows 10, version 1809

Important: To use features released in Windows 10, version 1809, make sure that your XML file references https://schemas.microsoft.com/AssignedAccess/201810/config.

Warning

The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.

You can configure multi-app kiosks using Microsoft Intune or a provisioning package.

Tip

Be sure to check the configuration recommendations before you set up your kiosk.

Configure a kiosk in Microsoft Intune

To configure a kiosk in Microsoft Intune, see Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune. For explanations of the specific settings, see Windows 10 and later device settings to run as a kiosk in Intune.

Configure a kiosk using a provisioning package

Process:

  1. Create XML file
  2. Add XML file to provisioning package
  3. Apply provisioning package to device

Watch how to use a provisioning package to configure a multi-app kiosk.

If you don't want to use a provisioning package, you can deploy the configuration XML file using mobile device management (MDM), or you can configure assigned access using the MDM Bridge WMI Provider.

Prerequisites

  • Windows Configuration Designer (Windows 10, version 1709 or later)
  • The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later

Note

For devices running versions of Windows 10 earlier than version 1709, you can create AppLocker rules to configure a multi-app kiosk.

Create XML file

Let's start by looking at the basic structure of the XML file.

  • A configuration XML can define multiple profiles. Each profile has a unique Id and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout.

  • A configuration XML can have multiple config sections. Each config section associates a non-admin user account to a default profile Id.

  • Multiple config sections can be associated to the same profile.

  • A profile has no effect if it's not associated to a config section.

    Profile = app, Config = account

You can start your file by pasting the following XML (or any other example in this topic) into an XML editor, and saving the file as filename.xml. Each section of this XML is explained in this topic. You can see a full sample version in the Assigned access XML reference.

<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
    xmlns="https://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="https://schemas.microsoft.com/AssignedAccess/201810/config"
    >
    <Profiles>
        <Profile Id="">
            <AllAppsList>
                <AllowedApps/>
            </AllAppsList>
            <StartLayout/>
            <Taskbar/>
        </Profile>
    </Profiles>
    <Configs>
        <Config>
            <Account/>
            <DefaultProfile Id=""/>
        </Config>
    </Configs>
</AssignedAccessConfiguration>

Profile

There are two types of profiles that you can specify in the XML:

  • Lockdown profile: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen.
  • Kiosk profile: New in Windows 10, version 1803, this profile replaces the KioskModeApp node of the AssignedAccess CSP. Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode.

A lockdown profile section in the XML has the following entries:

A kiosk profile in the XML has the following entries:

Id

The profile Id is a GUID attribute that uniquely identifies the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.

<Profiles>
  <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">…</Profile>
</Profiles>

AllowedApps

AllowedApps is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. In Windows 10, version 1809, you can configure a single app in the AllowedApps list to run automatically when the assigned access user account signs in.

  • For UWP apps, you need to provide the App User Model ID (AUMID). Learn how to get the AUMID, or get the AUMID from the Start Layout XML.
  • For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form %variableName% (for example, %systemroot% or %windir%).
  • If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both "C:\Program Files\internet explorer\iexplore.exe" and "C:\Program Files (x86)\Internet Explorer\iexplore.exe".
  • To configure a single app to launch automatically when the user signs in, include rs5:AutoLaunch="true" after the AUMID or path. You can also include arguments to be passed to the app. For an example, see the AllowedApps sample XML.

When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for UWP apps:

  1. The default rule is to allow all users to launch the signed package apps.

  2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list excludes the default allowed inbox package apps, which are critical for the system to function, and then excludes the allowed packages that the enterprise defined in the assigned access configuration. If there are multiple apps within the same package, all of these apps are excluded. This deny list is used to prevent the user from accessing the apps that are currently available to the user but not in the allowed list.

    Note

    You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in MMC snap-ins. Avoid creating AppLocker rules that conflict with the AppLocker rules generated by the multi-app kiosk configuration.

    Multi-app kiosk mode doesn't block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list.

Here are the predefined assigned access AppLocker rules for desktop apps:

  1. The default rule is to allow all users to launch the desktop programs signed with a Microsoft certificate, so that the system can boot and function. The rule also allows the admin user group to launch all desktop programs.
  2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration.
  3. Enterprise-defined allowed desktop apps are added to the AppLocker allow list.

The following example allows the Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called 123.txt when the user signs in.

<AllAppsList>
        <AllowedApps>
          <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
          <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
          <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <App DesktopAppPath="%windir%\system32\mspaint.exe" />
          <App DesktopAppPath="C:\Windows\System32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="123.txt" />
        </AllowedApps>
</AllAppsList>

FileExplorerNamespaceRestrictions

Starting in Windows 10, version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including FileExplorerNamespaceRestrictions in your XML file. Currently, Downloads is the only folder supported. This can also be set using Microsoft Intune.

The following example shows how to allow user access to the Downloads folder in the common file dialog box.

Tip

To grant access to the Downloads folder through File Explorer, add "Explorer.exe" to the list of allowed apps, and pin a File Explorer shortcut to the kiosk Start menu.

<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
    xmlns="https://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="https://schemas.microsoft.com/AssignedAccess/201810/config"
>
    <Profiles>
        <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
            <AllAppsList>
                <AllowedApps>
                    ...
                </AllowedApps>
            </AllAppsList>
            <rs5:FileExplorerNamespaceRestrictions>
                <rs5:AllowedNamespace Name="Downloads"/>
            </rs5:FileExplorerNamespaceRestrictions>
            <StartLayout>
                ...
            </StartLayout>
            <Taskbar ShowTaskbar="true"/>
        </Profile>
    </Profiles>
</AssignedAccessConfiguration>

FileExplorerNamespaceRestriction has been extended in the current Windows 10 Prerelease for finer granularity and easier use; see the Assigned access XML reference for full samples. The changes allow an IT admin to configure whether the user can access the Downloads folder, removable drives, or has no restriction at all, by using certain new elements. Note that FileExplorerNamespaceRestrictions and AllowedNamespace:Downloads are available in namespace https://schemas.microsoft.com/AssignedAccess/201810/config, while AllowRemovableDrives and NoRestriction are defined in a new namespace https://schemas.microsoft.com/AssignedAccess/2020/config.

  • When the FileExplorerNamespaceRestrictions node is not used, or is used but left empty, the user will not be able to access any folder in a common dialog (for example, Save As in the Microsoft Edge browser).
  • When Downloads is mentioned in an allowed namespace, the user will be able to access the Downloads folder.
  • When AllowRemovableDrives is used, the user will be able to access removable drives.
  • When NoRestriction is used, no restriction will be applied to the dialog.
  • AllowRemovableDrives and AllowedNamespace:Downloads can be used at the same time.

StartLayout

After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to access them directly on the Start screen.

The easiest way to create a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see Customize and export Start layout.

A few things to note here:

  • The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration.
  • Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the full Start layout option instead of the partial Start layout.
  • There are no apps pinned on the taskbar in multi-app mode, and configuring the taskbar layout using the <CustomTaskbarLayoutCollection> tag in a layout modification XML is not supported as part of the assigned access configuration.
  • The following example uses DesktopApplicationLinkPath to pin the desktop app to Start. When the desktop app doesn't have a shortcut link on the target device, learn how to provision .lnk files using Windows Configuration Designer.

This example pins the Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start.

<StartLayout>
        <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="https://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="https://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="https://schemas.microsoft.com/Start/2014/LayoutModification">
                      <LayoutOptions StartTileGroupCellWidth="6" />
                      <DefaultLayoutOverride>
                        <StartLayoutCollection>
                          <defaultlayout:StartLayout GroupCellWidth="6">
                            <start:Group Name="Group1">
                              <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
                              <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
                              <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
                              <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
                              <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
                            </start:Group>
                            <start:Group Name="Group2">
                              <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
                              <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
                            </start:Group>
                          </defaultlayout:StartLayout>
                        </StartLayoutCollection>
                      </DefaultLayoutOverride>
                    </LayoutModificationTemplate>
                ]]>
</StartLayout>

Note

If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen.

Start screen when the XML sample is applied

Taskbar

Define whether you want to have the taskbar present on the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don't attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.

The following example exposes the taskbar to the end user:

<Taskbar ShowTaskbar="true"/>

The following example hides the taskbar:

<Taskbar ShowTaskbar="false"/>

Note

This is different from the Automatically hide the taskbar option in tablet mode, which shows the taskbar when swiping up from, or moving the mouse pointer down to, the bottom of the screen. Setting ShowTaskbar to false will always keep the taskbar hidden.

KioskModeApp

KioskModeApp is used for a kiosk profile only. Enter the AUMID for a single app. You can only specify one kiosk profile in the XML.

<KioskModeApp AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"/>

Important

The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Directory account could potentially compromise confidential information.

Configs

Under Configs, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience.

The full multi-app assigned access experience can only work for non-admin users. Associating an admin user with the assigned access profile is not supported; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in.

You can assign:

Note

Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured with a kiosk profile, the CSP will reject the request.

Config for AutoLogon Account

When you use <AutoLogonAccount> and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart.

The following example shows how to specify an account to sign in automatically.

<Configs>
  <Config>
    <AutoLogonAccount/>
    <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
  </Config>
</Configs>

In Windows 10, version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon account that shows the name "Hello World".

<Configs>
  <Config>
    <AutoLogonAccount rs5:DisplayName="Hello World"/>
    <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
  </Config>
</Configs>

On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the AutoLogonAccount on the sign-in screen, enable the following Group Policy setting: Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers. (The corresponding MDM policy setting is WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP.)

Important

When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more information, see How to turn on automatic logon in Windows.

Config for individual accounts

Individual accounts are specified using <Account>.

  • A local account can be entered as machinename\account, .\account, or just account.
  • A domain account should be entered as domain\account.
  • An Azure AD account must be specified in this format: AzureAD\{email address}. AzureAD must be provided as is (consider it a fixed domain name), followed by the Azure AD email address, for example AzureAD\someone@contoso.onmicrosoft.com.

Warning

Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces the risk that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.

Before applying the multi-app configuration, make sure the specified user account is available on the device; otherwise it will fail.

Note

For both domain and Azure AD accounts, it's not required that the target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, the account must exist before you configure it for assigned access.

<Configs>
  <Config>
    <Account>MultiAppKioskUser</Account>
    <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
  </Config>
</Configs>

Config for group accounts

Group accounts are specified using <UserGroup>. Nested groups are not supported. For example, if user A is a member of Group 1, Group 1 is a member of Group 2, and Group 2 is used in <Config/>, user A will not have the kiosk experience.

  • Local group: Specify the group type as LocalGroup and put the group name in the Name attribute. Any Azure AD accounts that are added to the local group will not have the kiosk settings applied.

    <Config>
      <UserGroup Type="LocalGroup" Name="mygroup" />
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
    </Config>
    
  • Domain group: Both security and distribution groups are supported. Specify the group type as ActiveDirectoryGroup. Use the domain name as the prefix in the Name attribute.

    <Config>
      <UserGroup Type="ActiveDirectoryGroup" Name="mydomain\mygroup" />
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
    </Config>
    
  • Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in Users and groups > All groups. Specify the group type as AzureActiveDirectoryGroup. The kiosk device must have internet connectivity when users that belong to the group sign in.

    <Config>
      <UserGroup Type="AzureActiveDirectoryGroup" Name="a8d36e43-4180-4ac5-a627-fb8149bba1ac" />
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
    </Config>
    

    Note

    If an Azure AD group is configured with a lockdown profile on a device, a user in the Azure AD group must change their password (after the account has been created with the default password in the portal) before they can sign in to this device. If the user signs in to the device with the default password, the user will be immediately signed out.
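The profile/config structure described at the start of this topic, together with the rules in this Configs section (unique profile Ids, configs must reference an existing profile, only one kiosk profile per file, group configs cannot use a kiosk profile, only one AutoLaunch app, Start tiles should be allowed apps, the Azure AD account format), can be checked offline before the file goes into a provisioning package. The following Python script is an added example and is not code from the Microsoft documentation or the AssignedAccess CSP; the function names (validate, check_account) and the two embedded sample documents are constructed for this example, and it uses only the namespaces and element names shown on this page.

```python
import xml.etree.ElementTree as ET

NS = "https://schemas.microsoft.com/AssignedAccess/2017/config"
RS5 = "https://schemas.microsoft.com/AssignedAccess/201810/config"
START = "https://schemas.microsoft.com/Start/2014/StartLayout"


def q(ns, tag):
    """Clark-notation name ({namespace}tag) that ElementTree uses for namespaced nodes."""
    return "{%s}%s" % (ns, tag)


def check_account(value):
    """Flag <Account> values that do not match the documented account formats."""
    value = (value or "").strip()
    if not value:
        return "Account element is empty"
    if value.lower().startswith("azuread\\") and "@" not in value:
        return "Azure AD account %s must be written as AzureAD\\<email address>" % value
    return None  # local (machine\user, .\user, user) or domain\user forms


def validate(xml_text):
    """Lint an AssignedAccess XML document; returns a list of findings (empty = clean)."""
    findings = []
    root = ET.fromstring(xml_text)
    kinds = {}  # profile Id -> "kiosk" or "lockdown"
    for p in root.findall("./%s/%s" % (q(NS, "Profiles"), q(NS, "Profile"))):
        pid = p.get("Id", "")
        if not pid:
            findings.append("Profile without an Id attribute")
            continue
        if pid in kinds:
            findings.append("Duplicate profile Id %s" % pid)
        kinds[pid] = "kiosk" if p.find(q(NS, "KioskModeApp")) is not None else "lockdown"
        apps = p.findall(".//%s/%s" % (q(NS, "AllowedApps"), q(NS, "App")))
        if kinds[pid] == "lockdown" and not apps:
            findings.append("Lockdown profile %s allows no apps" % pid)
        auto = [a for a in apps if a.get(q(RS5, "AutoLaunch"), "").lower() == "true"]
        if len(auto) > 1:
            findings.append("Profile %s marks %d apps AutoLaunch; only one may auto-launch" % (pid, len(auto)))
        allowed_aumids = {a.get("AppUserModelId") for a in apps if a.get("AppUserModelId")}
        layout = p.find(q(NS, "StartLayout"))
        if layout is not None and layout.text and layout.text.strip():
            # The Start layout is a second XML document carried inside CDATA.
            for tile in ET.fromstring(layout.text.strip()).iter(q(START, "Tile")):
                aumid = tile.get("AppUserModelID")
                if aumid not in allowed_aumids:
                    findings.append("Profile %s pins %s on Start but does not allow it" % (pid, aumid))
    if sum(1 for k in kinds.values() if k == "kiosk") > 1:
        findings.append("More than one kiosk profile; only one is allowed per file")

    referenced = set()
    for c in root.findall("./%s/%s" % (q(NS, "Configs"), q(NS, "Config"))):
        target = c.find(q(NS, "DefaultProfile"))
        tid = target.get("Id") if target is not None else None
        if tid not in kinds:
            findings.append("Config references unknown profile %s" % tid)
            continue
        referenced.add(tid)
        if c.find(q(NS, "UserGroup")) is not None and kinds[tid] == "kiosk":
            findings.append("Group config uses kiosk profile %s; groups need a lockdown profile" % tid)
        account = c.find(q(NS, "Account"))
        if account is not None and check_account(account.text):
            findings.append(check_account(account.text))
    for pid in kinds:
        if pid not in referenced:
            findings.append("Profile %s is not associated with any Config and has no effect" % pid)
    return findings


# Constructed sample: a clean single-profile file with an individual local account.
SAMPLE_GOOD = r"""<AssignedAccessConfiguration xmlns="https://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles><Profile Id="{AAAAAAAA-0000-0000-0000-000000000002}"><AllAppsList><AllowedApps>
    <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"/>
  </AllowedApps></AllAppsList><Taskbar ShowTaskbar="true"/></Profile></Profiles>
  <Configs><Config><Account>KioskUser</Account>
    <DefaultProfile Id="{AAAAAAAA-0000-0000-0000-000000000002}"/></Config></Configs>
</AssignedAccessConfiguration>"""

# Constructed sample with four defects: two AutoLaunch apps, a Start tile for an app that is
# not allowed, a group config bound to a kiosk profile, and a malformed Azure AD account.
SAMPLE_BAD = r"""<AssignedAccessConfiguration xmlns="https://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="https://schemas.microsoft.com/AssignedAccess/201810/config">
  <Profiles>
    <Profile Id="{AAAAAAAA-0000-0000-0000-000000000001}">
      <KioskModeApp AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"/>
    </Profile>
    <Profile Id="{AAAAAAAA-0000-0000-0000-000000000002}"><AllAppsList><AllowedApps>
        <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" rs5:AutoLaunch="true"/>
        <App DesktopAppPath="%windir%\system32\notepad.exe" rs5:AutoLaunch="true"/>
      </AllowedApps></AllAppsList>
      <StartLayout><![CDATA[<LayoutModificationTemplate xmlns="https://schemas.microsoft.com/Start/2014/LayoutModification" xmlns:start="https://schemas.microsoft.com/Start/2014/StartLayout" xmlns:defaultlayout="https://schemas.microsoft.com/Start/2014/FullDefaultLayout" Version="1"><DefaultLayoutOverride><StartLayoutCollection><defaultlayout:StartLayout GroupCellWidth="6"><start:Group Name="G"><start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App"/></start:Group></defaultlayout:StartLayout></StartLayoutCollection></DefaultLayoutOverride></LayoutModificationTemplate>]]></StartLayout>
    </Profile>
  </Profiles>
  <Configs>
    <Config><UserGroup Type="LocalGroup" Name="KioskUsers"/>
      <DefaultProfile Id="{AAAAAAAA-0000-0000-0000-000000000001}"/></Config>
    <Config><Account>AzureAD\kioskuser</Account>
      <DefaultProfile Id="{AAAAAAAA-0000-0000-0000-000000000002}"/></Config>
  </Configs>
</AssignedAccessConfiguration>"""

if __name__ == "__main__":
    for finding in validate(SAMPLE_BAD):
        print(finding)
```

Running the script prints the four findings for SAMPLE_BAD and nothing for SAMPLE_GOOD. The Start-layout check only covers UWP tiles (AppUserModelID); DesktopApplicationTile entries point at .lnk files, which cannot be mapped to DesktopAppPath without inspecting the shortcut on the target device, so they are left to the device-side behaviour the topic describes (an app missing from the allowed list or not installed is simply not shown).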

[Preview] Global Profile

Global profile is added in the current Windows 10 Prerelease. There are times when an IT admin wants everyone who signs in to a specific device to be an assigned access user, even if there is no dedicated profile for that user, or when Assigned Access cannot identify a profile for the user and a fallback profile should be used. Global Profile is designed for these scenarios.

Usage is demonstrated below, by using the new XML namespace and specifying GlobalProfile from that namespace. When GlobalProfile is configured and a non-admin account logs in, if this user does not have a designated profile in Assigned Access, or Assigned Access fails to determine a profile for the current user, the global profile will be applied for the user.

Note:

  1. GlobalProfile can only be a multi-app profile
  2. Only one GlobalProfile can be used in one AssignedAccess configuration XML
  3. GlobalProfile can be used as the only config, or it can be used alongside regular user or group Configs.

<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
    xmlns="https://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:v2="https://schemas.microsoft.com/AssignedAccess/201810/config"
    xmlns:v3="https://schemas.microsoft.com/AssignedAccess/2020/config"
>
    <Profiles>
        <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
            <AllAppsList>
                <AllowedApps>
                    <App AppUserModelId="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe!Microsoft.Microsoft3DViewer" v2:AutoLaunch="true" v2:AutoLaunchArguments="123"/>
                    <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
                    <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
                    <App DesktopAppPath="%SystemRoot%\system32\notepad.exe" />
                </AllowedApps>
            </AllAppsList>
            <StartLayout>
                <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="https://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="https://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="https://schemas.microsoft.com/Start/2014/LayoutModification">
                      <LayoutOptions StartTileGroupCellWidth="6" />
                      <DefaultLayoutOverride>
                        <StartLayoutCollection>
                          <defaultlayout:StartLayout GroupCellWidth="6">
                            <start:Group Name="Life at a glance">
                              <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowsLive.calendar" />
                              <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsStore_8wekyb3d8bbwe!App" />
                              <!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
                                   "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
                                   "%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only 
                                   see document https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop
                              -->
                              <!-- for inbox desktop applications, a link file might already exist and can be used directly -->
                              <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" />
                              <!-- for 3rd party desktop application, place the link file under appropriate folder -->
                              <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationLinkPath="%AppData%\Microsoft\Windows\Start Menu\Programs\MyLOB.lnk" />
                            </start:Group>
                          </defaultlayout:StartLayout>
                        </StartLayoutCollection>
                      </DefaultLayoutOverride>
                    </LayoutModificationTemplate>
                ]]>
            </StartLayout>
            <Taskbar ShowTaskbar="true"/>
        </Profile>
    </Profiles>
    <Configs>
        <v3:GlobalProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
    </Configs>
</AssignedAccessConfiguration>

Add the XML file to a provisioning package

Before you add the XML file to a provisioning package, validate your configuration XML against the XSD. A configuration that fails schema validation is rejected on the device, and a typo in an attribute name (for example in the v2: or v3: extensions) is easy to miss by eye.
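The following script is an added example and not part of the original page or of Windows Configuration Designer. It validates the configuration XML against the XSD files with the .NET schema validator and then runs a few structural checks that the XSD cannot express: every Id referenced from Configs must name a declared Profile, only one GlobalProfile is allowed (per the note above), and allow-listed desktop apps that are interactive shells or admin tools are flagged for review. The XSD file paths and the config path in the usage call are assumptions; the page gives only the namespace URIs.

```powershell
# Added example (not from the original page): validate an AssignedAccess
# configuration XML before packaging it.
function Test-AssignedAccessXml {
    param(
        [Parameter(Mandatory)] [string]    $ConfigPath,
        [Parameter(Mandatory)] [hashtable] $SchemaFiles   # namespace URI -> local .xsd path (assumed saved locally)
    )
    $errors   = [System.Collections.Generic.List[string]]::new()
    $warnings = [System.Collections.Generic.List[string]]::new()
    $fullPath = (Resolve-Path -LiteralPath $ConfigPath).Path

    # 1. Schema validation: unknown elements/attributes (e.g. a misspelled v2:AutoLaunch)
    #    are reported here instead of being silently ignored on the device.
    $settings = [System.Xml.XmlReaderSettings]::new()
    $settings.ValidationType  = [System.Xml.ValidationType]::Schema
    $settings.ValidationFlags = $settings.ValidationFlags -bor
        [System.Xml.Schema.XmlSchemaValidationFlags]::ReportValidationWarnings
    foreach ($ns in $SchemaFiles.Keys) {
        [void]$settings.Schemas.Add($ns, (Resolve-Path -LiteralPath $SchemaFiles[$ns]).Path)
    }
    # GetNewClosure() binds $errors/$warnings so the handler can append to them.
    $handler = {
        param($sender, $e)
        $msg = '{0} (line {1}, position {2})' -f $e.Message, $e.Exception.LineNumber, $e.Exception.LinePosition
        if ($e.Severity -eq [System.Xml.Schema.XmlSeverityType]::Error) { $errors.Add($msg) } else { $warnings.Add($msg) }
    }.GetNewClosure()
    $settings.add_ValidationEventHandler($handler)
    $reader = [System.Xml.XmlReader]::Create($fullPath, $settings)
    try { while ($reader.Read()) { } } finally { $reader.Dispose() }

    # 2. Cross-element checks.
    [xml]$doc = Get-Content -LiteralPath $fullPath -Raw
    $nsm = [System.Xml.XmlNamespaceManager]::new($doc.NameTable)
    $nsm.AddNamespace('a',  'https://schemas.microsoft.com/AssignedAccess/2017/config')
    $nsm.AddNamespace('v3', 'https://schemas.microsoft.com/AssignedAccess/2020/config')

    $profileIds = @($doc.SelectNodes('/a:AssignedAccessConfiguration/a:Profiles/a:Profile', $nsm) |
                    ForEach-Object { $_.GetAttribute('Id') })
    # Every Id referenced from <Configs> (DefaultProfile, v3:GlobalProfile, ...) must be a declared profile.
    foreach ($ref in $doc.SelectNodes('/a:AssignedAccessConfiguration/a:Configs//*[@Id]', $nsm)) {
        $id = $ref.GetAttribute('Id')
        if ($profileIds -notcontains $id) { $errors.Add("$($ref.LocalName) references unknown profile Id $id") }
    }
    # The page states that only one GlobalProfile is allowed per configuration.
    $globals = $doc.SelectNodes('/a:AssignedAccessConfiguration/a:Configs/v3:GlobalProfile', $nsm)
    if ($globals.Count -gt 1) { $errors.Add("Found $($globals.Count) GlobalProfile elements; only one is allowed") }

    # Interactive shells and admin tools widen what a kiosk user can reach; flag them for review.
    $reviewList = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'explorer.exe', 'mmc.exe', 'regedit.exe', 'control.exe'
    foreach ($app in $doc.SelectNodes('//a:AllowedApps/a:App[@DesktopAppPath]', $nsm)) {
        $exe = [System.IO.Path]::GetFileName($app.GetAttribute('DesktopAppPath')).ToLowerInvariant()
        if ($reviewList -contains $exe) { $warnings.Add("AllowedApps includes $exe; confirm the kiosk really needs it") }
    }

    [pscustomobject]@{
        Valid    = ($errors.Count -eq 0)
        Errors   = $errors.ToArray()
        Warnings = $warnings.ToArray()
    }
}

# Usage. File names and locations are assumptions for this example.
$result = Test-AssignedAccessXml -ConfigPath '.\AssignedAccess.xml' -SchemaFiles @{
    'https://schemas.microsoft.com/AssignedAccess/2017/config'   = '.\AssignedAccessConfiguration.xsd'
    'https://schemas.microsoft.com/AssignedAccess/201810/config' = '.\AssignedAccessConfiguration-v2.xsd'
    'https://schemas.microsoft.com/AssignedAccess/2020/config'   = '.\AssignedAccessConfiguration-v3.xsd'
}
$result.Errors + $result.Warnings | ForEach-Object { Write-Warning $_ }
if (-not $result.Valid) { exit 1 }
```

Run it in the same folder as the XML and the XSDs before step 7 below. A non-zero exit code means the file should not go into the package; warnings do not block the build but deserve a second look, since a single over-broad entry in AllowedApps undoes most of the lockdown the rest of the configuration provides.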

Use the Windows Configuration Designer tool to create a provisioning package. Learn how to install Windows Configuration Designer.

Important

When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file; the passwords of any accounts you create under Runtime settings > Accounts > Users are among it. Although you have the option to encrypt the .ppkg file, project files are not encrypted. Store the project files in a secure location and delete them when they are no longer needed.

  1. Open Windows Configuration Designer (by default, %systemdrive%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).

  2. Choose Advanced provisioning.

  3. Name your project, and click Next.

  4. Choose All Windows desktop editions and click Next.

  5. On New project, click Finish. The workspace for your package opens.

  6. Expand Runtime settings > AssignedAccess > MultiAppAssignedAccessSettings.

  7. In the center pane, click Browse to locate and select the assigned access configuration XML file that you created.

    [Screenshot: the MultiAppAssignedAccessSettings field in Windows Configuration Designer]

  8. (Optional: if you want to apply the provisioning package after initial device setup and an admin user already exists on the kiosk device, skip this step.) Create an admin user account in Runtime settings > Accounts > Users. Provide a UserName and Password, and select UserGroup as Administrators. With this account, you can view the provisioning status and logs if needed.

  9. (Optional: if you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in Runtime settings > Accounts > Users. Make sure the UserName is the same as the account that you specify in the configuration XML. Select UserGroup as Standard Users.

  10. On the File menu, select Save.

  11. On the Export menu, select Provisioning package.

  12. Change Owner to IT Admin, which sets the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select Next.

  13. Optional. In the Provisioning package security window, you can choose to encrypt the package and enable package signing.

    • Enable package encryption - If you select this option, an auto-generated password is shown on the screen. Record it; it is required when the package is applied.

    • Enable package signing - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking Browse and choosing the certificate you want to use to sign the package.

  14. Click Next to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.

    Optionally, you can click Browse to change the default output location.

  15. Click Next.

  16. Click Build to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.

    If you need to cancel the build, click Cancel. This cancels the current build process, closes the wizard, and takes you back to the Customizations page.

  17. If your build fails, an error message appears that includes a link to the project folder. Scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

    If your build is successful, the name of the provisioning package, output directory, and project directory are shown.

    • If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click Back to change the output package name and path, and then click Next to start another build.
    • If you are done, click Finish to close the wizard and go back to the Customizations page.

  18. Copy the provisioning package to the root directory of a USB drive.

Apply the provisioning package to the device

Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") or afterwards ("runtime").

Tip

In addition to the methods below, you can use the PowerShell cmdlet Install-ProvisioningPackage with -LogsDirectoryPath to keep the logs for the operation.
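As an added example (not from the original page), the following script applies a package unattended from an elevated PowerShell session, keeps the logs in a known directory, confirms the package is reported as installed, and surfaces any errors the assigned access subsystem logged. The package path and log directory are assumptions. The PackageId property on the cmdlet output and the Microsoft-Windows-AssignedAccess/Admin event channel are names I rely on from experience rather than from this page; check them on your build.

```powershell
# Added example (not from the original page): runtime install with log capture and verification.
#Requires -RunAsAdministrator
$PackagePath = 'D:\MultiAppKiosk.ppkg'                       # assumption: package copied from the USB drive
$LogDir      = "$env:ProgramData\KioskProvisioning\logs"      # assumption
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# -QuietInstall suppresses the "do you trust this package" prompt, so use it only for
# packages you built or signed yourself (see step 13 above).
$installed = Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall -LogsDirectoryPath $LogDir

# Confirm the package is listed as installed (property name PackageId is an assumption).
$match = Get-ProvisioningPackage -AllInstalledPackages |
         Where-Object { $_.PackageId -eq $installed.PackageId }
if (-not $match) {
    Write-Error "Package $($installed.PackageId) is not reported as installed; see logs in $LogDir"
    exit 1
}

# Assigned access writes its own events; show any errors from the last hour
# (channel name is an assumption; -ErrorAction keeps the script going if it is absent).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AssignedAccess/Admin'
    Level     = 2                                # Error
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue | Format-Table TimeCreated, Id, Message -AutoSize
```

Sign out and sign in as the kiosk account after the script reports success; the lockdown profile only becomes visible at the next sign-in.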

During initial setup, from a USB drive

  1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to Settings > Update & security > Recovery > Reset this PC.

    [Screenshot: the first screen for setting up a new PC]

  2. Insert the USB drive. Windows Setup recognizes the drive and asks if you want to set up the device. Select Set up.

    [Screenshot: "Set up device?"]

  3. The next screen asks you to select a provisioning source. Select Removable Media and tap Next.

    [Screenshot: "Provision this device"]

  4. Select the provisioning package (*.ppkg) that you want to apply, and tap Next.

    [Screenshot: "Choose a package"]

  5. Select Yes, add it.

    [Screenshot: "Do you trust this package?"]

After setup, from a USB drive, network folder, or SharePoint site

  1. Sign in with an admin account.
  2. Insert the USB drive into the desktop computer, navigate to Settings > Accounts > Access work or school > Add or remove a provisioning package > Add a package, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.

Note

If your provisioning package doesn't include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device.

    [Screenshot: the Add a package option]

Use MDM to deploy the multi-app configuration

Multi-app kiosk mode is enabled by the AssignedAccess configuration service provider (CSP). Your MDM policy can contain the assigned access configuration XML.

If your device is enrolled with an MDM server that supports applying the assigned access configuration, you can use it to apply the setting remotely.

The OMA-URI for the multi-app policy is ./Device/Vendor/MSFT/AssignedAccess/Configuration.

Considerations for Windows Mixed Reality immersive headsets

With the advent of mixed reality devices (video link), you might want to create a kiosk that can run mixed reality apps.

To create a multi-app kiosk that can run mixed reality apps, you must include the following apps in the AllowedApps list:

<App AppUserModelId="MixedRealityLearning_cw5n1h2txyewy!MixedRealityLearning" />
<App AppUserModelId="HoloShell_cw5n1h2txyewy!HoloShell" />
<App AppUserModelId="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy!App" />
<App AppUserModelId="Microsoft.MixedReality.Portal_8wekyb3d8bbwe!App" />

These are in addition to any mixed reality apps that you allow.

Before your kiosk user signs in: An admin user must sign in to the PC, connect a mixed reality device, and complete the guided setup for the Mixed Reality Portal. The first time the Mixed Reality Portal is set up, some files and content are downloaded. A kiosk user does not have permission to download them, so their setup of the Mixed Reality Portal would fail.

After the admin has completed setup, the kiosk account can sign in and repeat the setup. The admin user may want to complete the kiosk user setup before providing the PC to employees or customers.

There is a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the Mixed Reality home. The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they see only a blank display in the device, and do not have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen.

Policies set by multi-app kiosk configuration

It is not recommended to set the policies enforced in assigned access multi-app mode to different values through other channels, because multi-app mode has been tuned to provide a locked-down experience.

When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide and affect other users on the device.

Group Policy

The following local policies affect all non-administrator users on the system, regardless of whether the user is configured as an assigned access user. This includes local users, domain users, and Azure Active Directory users.

| Setting | Value |
| --- | --- |
| Remove access to the context menus for the task bar | Enabled |
| Clear history of recently opened documents on exit | Enabled |
| Prevent users from customizing their Start Screen | Enabled |
| Prevent users from uninstalling applications from Start | Enabled |
| Remove All Programs list from the Start menu | Enabled |
| Remove Run menu from Start Menu | Enabled |
| Disable showing balloon notifications as toast | Enabled |
| Do not allow pinning items in Jump Lists | Enabled |
| Do not allow pinning programs to the Taskbar | Enabled |
| Do not display or track items in Jump Lists from remote locations | Enabled |
| Remove Notifications and Action Center | Enabled |
| Lock all taskbar settings | Enabled |
| Lock the Taskbar | Enabled |
| Prevent users from adding or removing toolbars | Enabled |
| Prevent users from resizing the taskbar | Enabled |
| Remove frequent programs list from the Start Menu | Enabled |
| Remove 'Map Network Drive' and 'Disconnect Network Drive' | Enabled |
| Remove the Security and Maintenance icon | Enabled |
| Turn off all balloon notifications | Enabled |
| Turn off feature advertisement balloon notifications | Enabled |
| Turn off toast notifications | Enabled |
| Remove Task Manager | Enabled |
| Remove Change Password option in Security Options UI | Enabled |
| Remove Sign Out option in Security Options UI | Enabled |
| Remove All Programs list from the Start Menu | Enabled - Remove and disable setting |
| Prevent access to drives from My Computer | Enabled - Restrict all drives |

Note

When Prevent access to drives from My Computer is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.

MDM policy

Some of the MDM policies based on the Policy configuration service provider (CSP) affect all users on the system (that is, system-wide).

| Setting | Value | System-wide |
| --- | --- | --- |
| Experience/AllowCortana | 0 - Not allowed | Yes |
| Start/AllowPinnedFolderDocuments | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| Start/AllowPinnedFolderDownloads | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| Start/AllowPinnedFolderFileExplorer | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| Start/AllowPinnedFolderHomeGroup | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| Start/AllowPinnedFolderMusic | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| Start/AllowPinnedFolderNetwork | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| Start/AllowPinnedFolderPersonalFolder | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| Start/AllowPinnedFolderPictures | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| Start/AllowPinnedFolderSettings | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| Start/AllowPinnedFolderVideos | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| Start/DisableContextMenus | 1 - Context menus are hidden for Start apps | No |
| Start/HidePeopleBar | 1 - True (hide) | No |
| Start/HideChangeAccountSettings | 1 - True (hide) | Yes |
| WindowsInkWorkspace/AllowWindowsInkWorkspace | 0 - Access to ink workspace is disabled and the feature is turned off | Yes |
| Start/StartLayout | Configuration dependent | No |
| WindowsLogon/DontDisplayNetworkSelectionUI | <Enabled/> | Yes |

Provision .lnk files using Windows Configuration Designer

First, create your desktop app's shortcut file by installing the app on a test device, using the default installation location. Right-click the installed application, and choose Send to > Desktop (create shortcut). Rename the shortcut to <appName>.lnk.

Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command (the MSI install).

msiexec /I "<appName>.msi" /qn /norestart
copy "<appName>.lnk" "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\<appName>.lnk"

In Windows Configuration Designer, under ProvisioningCommands > DeviceContext:

  • Under CommandFiles, upload your batch file, your .lnk file, and your desktop app installation file.

    Important

    Paste the full file path to the .lnk file into the CommandFiles field. If you browse to and select the .lnk file, the file path is changed to the path of the .lnk's target.

  • Under CommandLine, enter cmd /c <FileName>.bat.

Other methods

Environments that use WMI can use the MDM Bridge WMI Provider to configure a kiosk. The provider exposes the same CSP node as the OMA-URI ./Device/Vendor/MSFT/AssignedAccess/Configuration, through the MDM_AssignedAccess class in the root\cimv2\mdm\dmmap namespace, and must be called in the LocalSystem context.
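The script below is an added example, not the page's or the provider's own code. It writes the configuration XML through the MDM Bridge WMI Provider and then reads it back and compares the profile Ids, so a silently rejected write is caught immediately. It assumes the XML path shown, that the session runs as LocalSystem (for example via psexec -i -s powershell.exe, which the bridge requires), and that the Configuration property is returned with the same HTML escaping it was stored with.

```powershell
# Added example (not from the original page): configure a kiosk through the MDM Bridge WMI Provider.
$ConfigPath = 'C:\Kiosk\AssignedAccess.xml'      # assumption
$Namespace  = 'root\cimv2\mdm\dmmap'

function Set-KioskConfiguration {
    param([Parameter(Mandatory)][string]$Path)
    # The Configuration property carries the XML as an escaped string, so the
    # document is HTML-encoded ('<' becomes '&lt;') before it is written.
    $xml = Get-Content -LiteralPath $Path -Raw
    $obj = Get-CimInstance -Namespace $Namespace -ClassName 'MDM_AssignedAccess'
    $obj.Configuration = [System.Net.WebUtility]::HtmlEncode($xml)
    Set-CimInstance -CimInstance $obj
}

function Get-KioskConfiguration {
    # Returns the decoded XML currently applied, or $null when nothing is configured.
    # Assumption: the value is read back escaped, as it was stored.
    $obj = Get-CimInstance -Namespace $Namespace -ClassName 'MDM_AssignedAccess'
    if ([string]::IsNullOrEmpty($obj.Configuration)) { return $null }
    [System.Net.WebUtility]::HtmlDecode($obj.Configuration)
}

Set-KioskConfiguration -Path $ConfigPath

# Round-trip check: the profile Ids the CSP reports must match the XML that was sent.
$appliedXml = Get-KioskConfiguration
if (-not $appliedXml) { throw 'The CSP reports no configuration after the write; check the AssignedAccess event log' }
[xml]$sent    = Get-Content -LiteralPath $ConfigPath -Raw
[xml]$applied = $appliedXml
$sentIds    = @($sent.AssignedAccessConfiguration.Profiles.Profile.Id)
$appliedIds = @($applied.AssignedAccessConfiguration.Profiles.Profile.Id)
if (Compare-Object $sentIds $appliedIds) {
    throw 'Applied configuration does not match the XML that was sent'
}
"Applied profiles: $($appliedIds -join ', ')"
```

Validate the XML first (the schema check earlier on this page applies here as much as to a provisioning package), and keep in mind the warning at the top of the page: clearing the Configuration node later removes the profile bindings but does not revert the system-wide policies the multi-app mode enforced.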