Add guidelines for deploying a kiosk or restricted user experience

Paolo Matarazzo
2024-03-05 15:31:58 -05:00
parent cff54f52e6
commit e784fc019a
2 changed files with 19 additions and 33 deletions

View File

@ -11,7 +11,7 @@ Organizations are constantly seeking ways to streamline operations, improve cust
- Cost-effective customer service: kiosks allow organizations to provide essential services without the need for dedicated staff. Whether it's checking in at a hotel, ordering food at a restaurant, or printing boarding passes at an airport, kiosks reduce labor costs while maintaining service quality. Customers appreciate the convenience of self-service options, leading to higher satisfaction levels
- Reduced wait times: long queues and wait times frustrate customers and staff members. Kiosks expedite processes by allowing users to complete tasks independently. Whether it's paying bills, renewing memberships, or accessing information, kiosks empower users to get things done swiftly
- Consistent brand experience: kKiosks ensure a uniform brand experience across different locations. Whether in retail stores, schools, airports, or healthcare facilities, the interface remains consistent. Brand consistency builds trust and reinforces the organization's image
- Consistent brand experience: kiosks ensure a uniform brand experience across different locations. Whether in retail stores, schools, airports, or healthcare facilities, the interface remains consistent. Brand consistency builds trust and reinforces the organization's image
- Customization and flexibility: kiosks can be tailored to specific needs. From touchscreens to barcode scanners, organizations choose features that align with their goals. Whether it's self-checkout, wayfinding, or interactive product catalogs, kiosks adapt to diverse requirements
Windows offers two different experiences for public or specialized use:
@ -32,6 +32,9 @@ Windows offers two different features to configure a kiosk experience:
- **Assigned Access**: used to execute a single Universal Windows Platform (UWP) app or Microsoft Edge in full screen above the lock screen. When the kiosk account signs in, the kiosk app launches automatically. If the UWP app is closed, it will automatically restart
- **Shell Launcher**: used to configure a device to execure a Windows desktop application as the user interface. The application that you specify replaces the default Windows shell (`Explorer.exe`) that usually runs when a user signs in. This type of single-app kiosk doesn't run above the lock screen.
>[!IMPORTANT]
>Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
:::row:::
:::column span="1":::
:::image type="content" source="images/restricted-user-experience.png" alt-text="Icon representing a restricted user experience." border="false":::
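Review bot: The Shell Launcher bullet directly above the new note still reads "used to configure a device to execure a Windows desktop application"; this commit already fixes "kKiosks" and "Assgined" elsewhere on the page, so correct "execure" to "execute" in the same pass. The two feature bullets also end inconsistently (the Assigned Access bullet has no closing period, the Shell Launcher bullet has one), so settle on one style.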
@ -41,48 +44,25 @@ Windows offers two different features to configure a kiosk experience:
:::column-end:::
:::row-end:::
This experience loads the Windows desktop, but it only allows to run a defined set of applications. When the designated user signs in, the user can only run the apps that are allowed. This experience is sometimes referred to as *multi-app kiosk*. The Start menu is customized to show only the apps that are allowed to execute. With this approach, you can configure a locked-down experience for different account types.
This experience loads the Windows desktop, but it only allows to run a defined set of applications. When the designated user signs in, the user can only run the apps that are allowed. The Start menu is customized to show only the apps that are allowed to execute. With this approach, you can configure a locked-down experience for different account types. This experience is sometimes referred to as *multi-app kiosk*.
To configure a restricted user experience you use the **Assgined Access** feature.
To configure a restricted user experience you use the **Assigned Access** feature.
## Choose the right experience
When planning to deploy a kiosk or a restricted user experience, consider the following:
- Evaluate all applications that users should use. If applications require user authentication, don't use a local or generic
user account. Rather, target the group of users within the Assigned Access configuration file
- A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, certain policy settings that affects all non-administrator users on the device. For a list of these policies, see [Assigned Access policy settings](policy-settings.md)
There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions.
A good approach is to ask yourself the following set of questions:
When you're considering a kiosk or restricted user experience, you need to choose the right experience for your needs. A good approach is to ask yourself the following set of questions:
| | Question |
|--|--|
| **🔲** | *Which type of app will your kiosk run?* <br>Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application.|
| **🔲** | *Which type of kiosk do you need?* <br>If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a Universal Windows Platform (UWP) app or a Windows desktop application. For a kiosk that people can sign in to with their accounts or that runs more than one app, choose a restricted user experience.|
| **🔲** | *Which edition of Windows client will the kiosk run?"* <br>All of the configuration methods work for Windows client Enterprise and Education; some of the methods work for Windows Pro.|
| **🔲** | *Which type of user account will be the kiosk account?*<br>The kiosk account can be a local standard user account, a local administrator account, a domain account, or a Microsoft Entra account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method. |
>[!IMPORTANT]
>Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
## Summary of configuration methods
| Method | App type | Account type | Single-app kiosk | Multi-app kiosk |
|--|--|--|:-:|:-:|
| Assigned access in Settings | UWP | Local account | ✅ |
| Assigned access cmdlets | UWP | Local account | ✅ |
| The kiosk wizard in Windows Configuration Designer | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ |
| XML in a provisioning package | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ | ✅ |
| Microsoft Intune or other MDM | UWP, Windows desktop app | Local standard user, Microsoft Entra ID | ✅ | ✅ |
| Shell Launcher| UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ |
| MDM Bridge WMI Provider | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | | ✅ |
| **🔲** | *How many apps?* <br>This will determine the experience to build: **kiosk** or **restricted user experience**.|
| **🔲** | *Desktop experience or custom?* <br>If your users require access to the desktop with a custom Start menu, then you can build a **restricted user experience** with **Assigned Access**. If your users require access to multiple applications but with a custom UI, then you can build a **restricted user experience** with **Shell Launcher**.|
| **🔲** | *In single-app scenario, which type of app will your kiosk run?* <br>If the kiosk requires a Universal Windows Platform (UWP) app or Microsoft Edge, you can build a **kiosk experience** with **Assigned Access**. If the kiosk requires a desktop app, you can build a **kiosk experience** with **Shell Launcher**.|
| **🔲** | *Which edition of Windows client will the kiosk run?"* <br>**Assigned Access** is supported on Windows Pro and Enterprise/Education. **Shell Launcher** is only supported on Windows Enterprise and Education editions.|
| **🔲** | *Which type of user account will be the kiosk account?*<br>The kiosk account can be a local standard user account, a domain account, or a Microsoft Entra account. Use a local account when the apps offered by the kiosk don't require the users to authenticate, and when you require the designated kiosk user to automatically sign in. |
## Next steps
To learn more, choose the kiosk implementation that best suits your needs:
In the next sections, you can learn more about the options available to configure kiosks and restricted user experiences:
- [Assigned Access](overview.md)
- [Shell Launcher](shell-launcher/index.md)
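Review bot: The corrected sentence "To configure a restricted user experience you use the **Assigned Access** feature" conflicts with the new "Desktop experience or custom?" row, which says a restricted user experience can also be built with **Shell Launcher**; reword the sentence to cover both features, or scope it to the desktop-with-custom-Start-menu case. The rewritten edition row carries over the stray quotation mark from the old row (*Which edition of Windows client will the kiosk run?"*), and "it only allows to run a defined set of applications" reads better as "it only allows a defined set of applications to run". With the summary table gone, this page no longer states which account types each configuration method supports; if that mapping is documented elsewhere, link to it from the account-type row or from Next steps.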

View File

@ -79,6 +79,12 @@ The following guidelines help you choose an appropriate Windows app for a kiosk
- Some apps might require more configurations before they can be used appropriately in Assigned Access. For example, Microsoft OneNote requires you to set up a Microsoft account for the Assigned Access user account before OneNote opens
- The kiosk profile is designed for public-facing kiosk devices. Use a local, non-administrator account. If the device is connected to your organization network, using a domain or Microsoft Entra account could compromise confidential information
When planning to deploy a kiosk or a restricted user experience, consider the following:
- Evaluate all applications that users should use. If applications require user authentication, don't use a local or generic
user account. Rather, target the group of users within the Assigned Access configuration file
- A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, certain policy settings that affects all non-administrator users on the device. For a list of these policies, see [Assigned Access policy settings](policy-settings.md)
## Develop your kiosk app
Assigned Access uses the *Lock framework*. When an Assigned Access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an *above lock* screen app. To learn more, see [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access).
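Review bot: The added bullet "If applications require user authentication, don't use a local or generic user account" now sits directly under the existing guidance "Use a local, non-administrator account ... using a domain or Microsoft Entra account could compromise confidential information", and read together the two look contradictory; say explicitly which advice applies to the public-facing kiosk profile and which to a restricted user experience with authenticated users. The second added bullet is missing a verb ("certain policy settings that affects all non-administrator users"; suggest "certain policy settings are applied that affect all non-administrator users"), and the first bullet is broken across two lines after "generic", which should be joined so it renders as one list item.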