Last week I lost 24 hours of my work life to bad Microsoft documentation. It’s not the first time. It won’t be the last. I’m still furious. When I say “bad” I do not mean incorrect grammar or spelling errors, those I can tolerate. I mean bad in that the written instructions are incorrect and the code samples that accompany them are also non-functional.
To try and solve this I leave the bad documents from docs.microsoft.com and go talk to my buddy Google.com. Google.com links me to several blogs on the same subject where I do not find the answer I’m after, but I do find something that makes me both laugh out loud and immediately feel like punching someone at Microsoft:
Paul Winstanley over at sccmmentor.com writes:
“Note from the field – take a look at the code in the example from Microsoft and compare with what I have added. xmlns:rs5= or xmlns:r1809= ? Well MS has mixed messages since their documentation references each but xmlns:r1809= is the one to use. They need to update their documentation to reflect this.
2nd Note from the field – I’ve had zero success autolaunching when using Windows 10 1809, even though the code is written for it. Maybe I needed a hotfix but nothing is stated. In the end, I pushed 1903 out to the endpoint and the code works perfectly.“
For this to be even remotely funny to you perhaps I should start at the beginning so that I can try and find the value in this 24 hours of time I could have spent doing something far more productive.
What I need to accomplish is to use the Windows 10 AssignedAccess CSP to configure a Windows 10 Enterprise 20H2 computer for Multiple-App Kiosk Mode. My MDM of choice to achieve this is Workspace ONE UEM so going into this I expected that whatever samples Microsoft provided would likely need some tweaking to work. Tweaking turned out to be an understatement.
Oh and before you ask: Yes, Workspace ONE UEM includes a Windows 10 Profile for Kiosk Mode. It uses AssignedAccess, but it’s completely broken unless all you want is a single App and that single app has no dependencies on other .exe file. So for example Horizon and Intelligent Hub and many others can’t function using the UEM Profile. This profile has been broken for more UEM Console releases than I can count, which I think speaks more to how few people actually think Windows 10 Kiosk Mode is a good idea, but regardless my opinion is that if a vendor is going to keep a feature in their product they need to keep that feature functional or remove it. Broken code helps no one. So what should have been a few minutes in the console with a simple GUI turned into 24 hours of writing XML for a Custom Settings Payload.
I started my journey at https://docs.microsoft.com/en-us/windows/configuration/kiosk-methods
Let me call out 2 important things about this page:
- It was published on 5/6/2021, not even two full weeks ago so there’s a general assumption that the information found it the document is current based on the current shipping version of Windows 10.
- The giant orange warning box telling you Microsoft will have information about pre-released products somewhere in this document is a red flag that your journey will be full of peril if you continue.
After a brief introduction into the concepts behind Kiosk Mode, the final section of this page is the “Summary of kiosk configuration methods” where I choose the link to “Microsoft Intune or other MDM for multi-app kiosk with desktop” which leads to here:
https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps
Notice that this second page has not been updated in 2 years, last touched 01/09/2019. Houston I might have a problem since Windows 10 is updated every 6 months or so. But that might just be the original date published so I continue reading. The first paragraph shares that Windows 10 1709 made it easy for admins to create kiosks that run more than one app. I smile because to me easy = GUI, not XML and CSPs. Now a table with changes in Windows 10 version 1803 and 1809. What about every release after that? I guess nothing changed. But wait! In Windows 10 1809 there’s an important call out that the XML needs to reference https://schemas.microsoft.com/AssignedAccess/201810/config if these specific 1809 features are used. And this is where it all goes to hell.
At this point in my reading I don’t know what a schema is or which one to use for versions before or after 1809. The documentation makes no reference to this, so this important nugget about schemas turns out to be very important but it’s in the wrong spot in the documentation. I continue reading. Step 1 is to create the XML file. There is no mention of schemas or if schemas need HTTP or HTTPS (a critical distinction that will come later on to actually get this to function). So the instructions are to start from the XML referenced. Notice lines 3 and 4 of the code:<AssignedAccessConfiguration
xmlns="https://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="https://schemas.microsoft.com/AssignedAccess/201810/config"
It’s never documented on this page, but what is rs5? You might deduce that Windows 10 1809 was code named RedStone 5 and the developers might have gotten lazy and kept the schema named RS5 instead of 1809. But maybe it’s something else. I put that thought aside because I have to work through 3 more XML samples before I finally see a sample that shows how the rs5 is referenced in the XML. But the next paragraph below the sample muddies the waters further:
“FileExplorerNamespaceRestriction has been extended in current Windows 10 Prerelease for finer granularity and easier use, see in the Assigned access XML reference. for full samples. The changes will allow IT Admin to configure if user can access Downloads folder, Removable drives, or no restriction at all by using certain new elements. Note that FileExplorerNamesapceRestrictions and AllowedNamespace:Downloads are available in namespace https://schemas.microsoft.com/AssignedAccess/201810/config, AllowRemovableDrives and NoRestriction are defined in a new namespace https://schemas.microsoft.com/AssignedAccess/2020/config.“
So the date on the page hasn’t been touched in 2 years, exactly which version of Windows 10 are they describing as the Prerelease version?
And why are you introducing a 3rd namespace that hasn’t been discussed or illustrated or sampled?
The https://schemas.microsoft.com/AssignedAccess/2020/config is now another unknown, but you likely would have missed that because you clicked on the link included in the paragraph to jump to the “Assigned access XML reference” page. Assuming you did not make the jump to the Assigned Access XML, keep reading the page and you’ll notice that the Start Menu Layouts have their own schema and they are different from the schemas used for this CSP. Does that matter? Should they be related? I don’t know and this document doesn’t explain it. But I press on.
Start menu grid layouts: Oh my gawd! Who dreamed up this mess? Thank gawd there’s a picture along with the sample because I never would have guessed that column 2 in the photo is actually column 4 in the code. Oh and what would have been SUPER helpful to add here when introducing this concept is that DESKTOP APPS CAN NOT SCALE PAST 2×2. And while I’m ranting…. did you know the X in 2×2 is case sensitive? Yup. The whole damn XML breaks if you use a capital letter.
So I finish reading the page and get my XML built and deploy it to Windows 10 20H2. Nothing works. I’ve learned nothing.
My first stop is to visit the “Assigned access XML reference” link from the initial KB which takes me to https://docs.microsoft.com/en-us/windows/configuration/kiosk-xml.
This page is 1 year OLDER than the page I just left, but it also has a note in purple that the sample was updated for 3 versions of Windows 10 that have not previously been described. So that original date is just the date the blog was posted??? And I shouldn’t complain too much about this problem as WordPress does this to my blog as well forcing me to add a “last updated” line to every blog I edit later. I digress…
So let’s look at some Full XML Sample code updated for Windows 10 2004. I note that it’s still not Windows 10 20H2.
The first sample on this page is helpful. It shows 2 XMLNS schemas and if you go line by line you’ll eventually figure out how the rs5 tags are referenced for the FileExplorerNameSpaceRestrictions and then later in the Config Section. But if I’m not going to use those two features in my kiosk do I need to reference the rs5 schema at all? Well the second sample would suggest the answer is yes. The Kiosk Only sample references both the 2017 schema and the 201810 rs5 but it doesn’t reference the specific features. So I guess I need it. But look at this 3rd sample: Auto Launch Sample XML:
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:r1809="http://schemas.microsoft.com/AssignedAccess/201810/config"
>Line 4: Um, what the hell is xmlns:r1809? That looks like the rs5 schema with a different name. Can the names be interchanged? Are they even real names? I’ll save you the suspense. They turn out to be XML alias. But you won’t know that from the documentation until way later.
Look at the 4th sample: Global Profile Sample XML:
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:v2="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
>Notice that this is supported in Windows 10, version 2004. Is that the only version of Windows that supports it, or is that the first version? I tried it with 20H2 and it fails to apply the XML, so perhaps this is specific to a single build of Windows 10. But this is not documented and that, at least to me, doesn’t make much sense. So line four is now the third name used for the 201810 schema. First it was rs5, then it was r1809 now it’s v2. And look at line five: another schema to work with. This is the same 2020 schema described as the “pre-release version” in the first KB. Could someone please tell me what the hell this means!!!! To use v3 do you have to also reference v2 in the configuration??? They don’t use it in the sample XML.
The 5th sample is at least consistent with the 4th showing all 3 of the XMLNS lines
In the 6th sample it states Windows 10 1809 behaves one way, Windows 10 2009 and later behaves another, so is it safe to say I can deploy the Folder Access Sample XML to both Windows 10 1809 and Windows 10 2009 and it will function? I don’t know.
The madness continues. The XSD Sample has a purple Note box above it that makes zero sense:
“Updated for Windows 10, version 1903 and later. Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.“
I gave up trying to understand this sample and which versions of Windows it works with because I’m not using XSD.
It’s not until the last entry on this page that there is some level of clarity provided on namespaces. It reads:
“To authorize a compatible configuration XML that includes elements and attributes from Windows 10, version 1809 or newer, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the autolaunch feature that was added in Windows 10, version 1809, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10, version 1809, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.”
So R1809, rs5, v2, v3 are aliases and can be anything I want them to be? Well that doesn’t seem to be true either because when I randomly change the name to rs34 or v8 the CSP won’t apply. So there is some level of specificity required. It makes zero sense to me and Microsoft really needs to document this better.
Once I hoped and prayed and sacrificed a few chickens, I thought I had a functional XML file. Next I needed to get Workspace ONE UEM to deliver the file.
So I headed over to https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp to see what a mess that was going to be. This is another Microsoft document published three years ago. This page is chocked so full of caveats it makes your head hurt. It does not help that you’re reading about If, This, Then That’s that apply to Windows 10 1709, then the document jumps to 1803 and jumps back to 1607…. it’s a chronological mess. Eventually I made it to the Configuration Examples section where I learned about Escaping XML and something called CDATA. It’s no wonder people think computers are overcomplicated: turning a single character of < into < is just silly. A friend of mine shared a reference page that make this a whole lot easier for me to understand:
https://www.liquid-technologies.com/XML/EscapingData.aspx
But once you accept that madness, when you read the paragraph on the Microsoft AssignedAccess-CSP page about how MDM handles escaping and not escaping, understand one thing: Workspace ONE UEM custom settings profiles only support a single CDATA instance. In the sample provided by Microsoft there are 2 CDATA references. If you try this with Custom Settings in Workspace ONE UEM it will fail. You can only use 1 CDATA Section. It’s also useful to know that for Custom Settings Payloads with Workspace ONE UEM you don’t need to define the SyncML and the SyncBody headers either.
For all the terribly unclear documentation about this topic from Microsoft, they did provide one very useful page that worked as documented. The Troubleshooting page:
https://docs.microsoft.com/en-us/windows/configuration/kiosk-troubleshoot
Step 4 of Enabling and using the AssignedAccess\Operational page is the key to translating what is happening when this stuff fails.
But there are few other golden nuggets to help with troubleshooting:
- The KB tells you to enable the Operational Log, but it’s the Admin log that will show you if the payload was successfully installed. The Admin log won’t get written to until you enable the Operational log. It’s another screwy Microsoft thing. Login to your test device as an account with local admin rights. Enable the Log, then push the MDM profile down. Within 30 seconds if something broke with the XML you’ll see errors in this log. If it worked properly the Admin log will remain blank.
- If the Start Menu that is applied to the device isn’t quite what you had hoped for, reference Applications Services Log > Microsoft > Windows > ShellCommon-StartlayoutPopulation > Operational
- If you don’t see the icons populating for Win32 apps on your Start Menu, it’s likely you don’t have a shortcut link created for the app in C:\ProgramData\Microsoft\Windows\Start Menu\Programs
By Work Day 3 of this nightmare, I was confident I had a working XML, but Windows continued to choke on applying the configuration. I sought out some help from some more experienced programmers to review my XML and we found the typo that did me in: a capital X instead of lowercase x in the StartMenu grid layout.
Thank you for reading this far. Below is the mostly working result of the effort tested on Windows 10 20H2. I write mostly working because the Intelligent Hub is not launching the way I need it to, so I will continue to experiment with that part of the equation. I suspect we are missing a .exe.
A few important points before you attempt to use the XML below:
- Google Chrome, VNC Viewer and Microsoft Teams should be installed on the device prior to applying the kiosk. The end result of the working configuration looks like this:
- Edit the end of the file with the account name you will use for the Kiosk. This can be a domain account, or it can be a local user account or a combination of accounts. The account should NOT be a local administrator on the Windows 10 device.
- Microsoft publishes additional guidance around securing these devices with a number of additional configuration tweaks that are recommended before sending these Kiosks out into the wild. You can learn more about the additional security settings at https://docs.microsoft.com/en-us/windows/configuration/kiosk-prepare.
Custom Settings > Target OMA DM Client
Make Commands Atomic: Checked
Install Settings:
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/Configuration</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data><?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{ffb333a8-a6e5-4af4-9795-6b6a051f6494}">
<AllAppsList>
<AllowedApps>
<App DesktopAppPath="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" />
<App DesktopAppPath="C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe" />
<App DesktopAppPath="C:\Program Files\VMware\VMware Tools\7za.exe" />
<App DesktopAppPath="C:\Program Files\VMware\VMware Tools\rpctool.exe" />
<App DesktopAppPath="C:\Program Files\VMware\VMware Tools\VMToolsHookProc.exe" />
<App DesktopAppPath="C:\Program Files\VMware\VMware Tools\VMwareHgfsClient.exe" />
<App DesktopAppPath="C:\Program Files\VMware\VMware Tools\VMwareNamespaceCmd.exe" />
<App DesktopAppPath="C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe" />
<App DesktopAppPath="C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" />
<App DesktopAppPath="C:\Program Files\VMware\VMware Tools\VMwareXferlogs.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Teams Installer\Teams.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Airwatch\AgentUI\AwWindowsIpc.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Airwatch\AgentUI\AgentUI64\AW.ProtectionAgent.PowershellExecutor.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Airwatch\AgentUI\ApplicationManagerWin32.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Airwatch\AgentUI\AW.ProtectionAgent.PowershellExecutor.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Airwatch\AgentUI\AW.Win32.ModernApp.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Airwatch\AgentUI\AW.WinPC.Updater.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Airwatch\AgentUI\AWACMClient.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Airwatch\AgentUI\AWProcessCommands.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Airwatch\AgentUI\AWWindowsIpc.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Airwatch\AgentUI\CertificateWinForm.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Airwatch\AgentUI\LockDevice.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Airwatch\AgentUI\NativeEnrollment.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Airwatch\AgentUI\TaskScheduler.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Airwatch\AgentUI\VMware.Hub.Win32Agent.AppXInstaller.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Airwatch\AgentUI\Win32AgentIPC.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Airwatch\AgentUI\UEM\x64\UEMBaselines.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Airwatch\AgentUI\UEM\x32\UEMBaselines.exe" />
<App DesktopAppPath="C:\ProgramData\VMWOSQEXT\bin\osqueryd.exe" />
<App DesktopAppPath="C:\Program Files\VMware\SfdAgent\VMware.Hub.SfdAgent.DeployCmd.exe" />
<App DesktopAppPath="C:\Program Files\VMware\Workspace ONE Assist\winpty-agent.exe" />
<App DesktopAppPath="C:\Program Files\VMware\Workspace ONE Assist\winpty-debugserver.exe" />
<App DesktopAppPath="C:\Program Files\VMware\Workspace ONE Assist\WorkspaceONE.Assist.Agent.exe" />
<App DesktopAppPath="C:\Program Files\VMware\Workspace ONE Assist\WorkspaceONE.Assist.Cleanup.exe" />
<App DesktopAppPath="C:\Program Files\VMware\Workspace ONE Assist\WorkspaceONE.Assist.Client.exe" />
<App DesktopAppPath="C:\Program Files\VMware\Workspace ONE Assist\WorkspaceONE.Assist.Service.exe" />
<App DesktopAppPath="C:\Program Files\VMware\Workspace ONE Tunnel\TunnelUI.exe" />
<App DesktopAppPath="C:\Program Files\VMware\Workspace ONE Tunnel\VMwareTunnel.exe" />
<App DesktopAppPath="C:\Program Files\Google\Chrome\Application\chrome.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" />
<App DesktopAppPath="C:\Program Files\Confer\RepCLI.exe" />
<App DesktopAppPath="C:\Program Files\Confer\RepMgr.exe" />
<App DesktopAppPath="C:\Program Files\Confer\RepUtils.exe" />
<App DesktopAppPath="C:\Program Files\Confer\RepUx.exe" />
<App DesktopAppPath="C:\Program Files\Confer\RepWAV.exe" />
<App DesktopAppPath="C:\Program Files\Confer\RepWmiUtils.exe" />
<App DesktopAppPath="C:\Program Files\Confer\RepWSC.exe" />
<App DesktopAppPath="C:\Program Files\RealVNC\VNC Viewer\vncviewer.exe" />
</AllowedApps>
</AllAppsList>
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="My Work Apps">
<start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="com.squirrel.Teams.Teams" />
<start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationLinkPath="C:\Users\Public\Desktop\Google Chrome.lnk" />
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{6D809377-6AF0-444B-8957-A3773F02200E}\RealVNC\VNC Viewer\vncviewer.exe" />
<start:DesktopApplicationTile Size="2x2" Column="0" Row="4" DesktopApplicationLinkPath="C:\Users\Public\Desktop\Workspace ONE Intelligent Hub.lnk" />
</start:Group>
<start:Group Name="Experimenting">
<start:DesktopApplicationTile Size="2x2" Column="3" Row="0" DesktopApplicationID="com.airwatch.windowsprotectionagent" />
<start:DesktopApplicationTile Size="2x2" Column="3" Row="2" DesktopApplicationID="AirWatchLLC.WorkspaceONEIntelligentHub_htcwkw4rx2gx4!App" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]>
</StartLayout>
<Taskbar ShowTaskbar="false"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>AddYourDomain\AddYourUsername</Account>
<DefaultProfile Id="{ffb333a8-a6e5-4af4-9795-6b6a051f6494}"/>
</Config>
</Configs>
</AssignedAccessConfiguration></Data>
</Item>
</Replace>Remove Settings:
<Replace>
<CmdID>13b11926-eb45-44eb-a34a-d8395d6730d2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>3</Data>
</Item>
</Replace>
<Replace>
<CmdID>6f6e1b99-0867-4f2f-a630-60ffe363cd2f</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallDay</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
<Replace>
<CmdID>1364912c-cf5d-4e1e-a07e-bdc7cfe90d21</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallEveryWeek</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
<Replace>
<CmdID>4ee5569d-c2f7-464c-8cd7-94ea7ab01f76</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallFirstWeek</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>0</Data>
</Item>
</Replace>
<Replace>
<CmdID>4bc85314-c5b6-426a-bd14-7d658d8c270a</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallFourthWeek</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>0</Data>
</Item>
</Replace>
<Replace>
<CmdID>91acaab8-57e3-410d-bb25-eb0b4cc1dff6</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallSecondWeek</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>0</Data>
</Item>
</Replace>
<Replace>
<CmdID>4ac3137d-d46a-4416-a4d8-3ae7caa98929</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallThirdWeek</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>0</Data>
</Item>
</Replace>
<Replace>
<CmdID>2ce61d38-704c-416d-9d1f-e1fdb2436566</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallTime</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>3</Data>
</Item>
</Replace>
<Replace>
<CmdID>1cd97040-c647-4f32-943f-81ab70a8960a</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/Update/UpdateNotificationLevel</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
Thanks, This was my issue too. Unfortunately I found this after already struggling for 4 days with this. Updated the schemas and now all working.
Wow, can’t believe that in 2023 I am having similar issues. In my case, I am able to create a .ppkg file successfully with windows configuration designer, but when I apply it, it gives me these errors on the admin tab in event viewer:
ProvXML category ‘UxLockdown’ failed with ‘0x80070057’ at CSP node ‘AssignedAccess/Configuration’. Provisioning failed
&
AssignedAccess Configuration failed, ErrorCode(0x80070057)
&
Profile element validation failed, ErrorCode(0x80070057)
I have been through about 50 forums on other sites addressing this same problem, but no resolution. The tips in this post were very helpful, but I still haven’t gotten it working. Thanks for the assistance anyway
Thanks a lot for compiling this information here! I’m going through the same nightmare and got full of self-doubts while not being able to setup a multi-app kiosk according to MS documentation… This made page me feel a lot better 😉
Still haven’t found a solution for my endeavor, though. I’d be very happy to see at least one working example XML for a multi-app kiosk on the internet…
Hello folks,
It’s March 4th 2024, the µsoft doc is still a mess, I had something working on windows 10, but now, we need to implement it for Windows 11, and guess what, it’s still a mess.
We won’t be able to use the integrated Kiosk mode of W11, because as for security reasons, we’re using a PAM system with a rotating password change.
The only things we want to display on that screen, is a Google Chrome window, with 4 or 5 tabs rotating automatically using the REvolver add-on.
No way to make even the autolaunch of Chrome work on W11.