--- title: "Quickstart: Configure a kiosk experience with Assigned Access" description: Learn how to configure a kiosk experience with Assigned Access, using Windows Configuration Designer, Microsoft Intune, PowerShell or GPO. ms.topic: quickstart ms.date: 02/05/2024 appliesto: - ✅ Windows 11 --- # Quickstart: Configure a kiosk experience with Assigned Access ## Prerequisites >[!div class="checklist"] >Here's a list of requirements to complete this quickstart: > >- A Windows 11 device >- Microsoft Intune, or a non-Microsoft MDM solution, if you want to configure the settings using MDM >- Windows Configuration Designer, if you want to configure the settings using a provisioning package >- Access to the [psexec tool](/sysinternals/downloads/psexec), if you want to test the configuration using Windows PowerShell ## Configure a restricted user experience When using Settings: AppId: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Arguments: --no-first-run --kiosk https://maps.cltairport.com/ --kiosk-idle-timeout-minutes=5 --edge-kiosk-type=public-browsing [!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)] #### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune) > [!TIP] > Use the following Graph call to automatically create a custom policy in your Microsoft Intune tenant without assignments nor scope tags. > > When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions. ```msgraph-interactive POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations Content-Type: application/json { "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example", "description": "Collection of settings for Assigned Access", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n" } ] } ``` [!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)] Alternatively, you can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3]. - **Setting:** `./Vendor/MSFT/AssignedAccess/Configuration` - **Value:** [!INCLUDE [quickstart-restricted-experience-xml](includes/quickstart-restricted-experience-xml.md)] #### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) [!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)] - **Path:** `AssignedAccess/MultiAppAssignedAccessSettings` - **Value:** [!INCLUDE [quickstart-restricted-experience-xml](includes/quickstart-restricted-experience-xml.md)] [!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)] #### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps) [!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)] ```powershell $assignedAccessConfiguration = @" "@ $eventLogFilterHashTable = @{ ProviderName = "Microsoft-Windows-AssignedAccess"; StartTime = Get-Date -Millisecond 0 } $namespaceName="root\cimv2\mdm\dmmap" $className="MDM_AssignedAccess" $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className $obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration) $obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue if($cimSetError) { Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n" Write-Error -ErrorRecord $cimSetError[0] $timeout = New-TimeSpan -Seconds 30 $stopwatch = [System.Diagnostics.Stopwatch]::StartNew() do{ $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available if($events.Count) { $events | ForEach-Object { Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")" } } else { Write-Warning "Timed-out attempting to retrieve event logs..." } Exit 1 } Write-Output "Successfully applied Assigned Access configuration" ``` [!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)] --- ## User experience After the settings are applied, reboot the device. A user account named `Library Kiosk` is automatically signed in, with access to a limited set of applications, which are pinned to the Start menu. :::image type="content" source="images/quickstart-restricted-experience.png" alt-text="Screenshot of the Windows desktop used for the quickstart." border="false"::: ## Next steps > [!div class="nextstepaction"] > Learn more how to configure Windows to execute as a restricted user experience: > > [Configure a restricted user experience](lock-down-windows-11-to-specific-apps.md) [WIN-3]: /windows/client-management/mdm/assignedaccess-csp [MEM-1]: /mem/intune/configuration/custom-settings-windows-10