deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-17 15:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/configuration/assigned-access/index.md

8.2 KiB
Raw Blame History

title, description, ms.topic, ms.date
title description ms.topic ms.date
Configure kiosks and restricted user experiences Learn about the options available in Windows to configure kiosks and restricted user experiences. overview 02/26/2024

Configure kiosks and restricted user experiences

Organization may want to set up special purpose devices, such as a device in the lobby that customers can use to view product catalogs, or a device displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use:

:::row::: :::column span="1"::: :::image type="content" source="images/kiosk.png"" alt-text="Icon representing a kiosk." border="false"::: :::column-end::: :::column span="3"::: #### Kiosk :::column-end::: :::row-end:::

Runs a single Universal Windows Platform (UWP) application in full screen above the lock screen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app launches automatically. If the kiosk app is closed, it will automatically restart

:::row::: :::column span="1"::: :::image type="content" source="images/restricted-user-experience.png" alt-text="Icon representing a restricted user experience." border="false"::: :::column-end::: :::column span="3"::: #### Restrictedd user experience :::column-end::: :::row-end:::

Runs one or more applications from the desktop. People using the kiosk see a customized Start menu that shows only the apps that are allowed to execute. With this approach, you can configure a locked-down experience for different account types.

Kiosk

A single-app kiosk is ideal for public use. Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user signs in. This type of single-app kiosk doesn't run above the lock screen.

A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, specific policies are enforced that affects all non-administrator users on the device.

Kiosk configurations are based on Assigned Access, a feature in Windows client that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user.

There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions.

  • Which type of app will your kiosk run? Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For digital signage, select a digital sign player as your kiosk app. Check out the guidelines for kiosk apps.
  • Which type of kiosk do you need? If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a Universal Windows Platform (UWP) app or a Windows desktop application. For a kiosk that people can sign in to with their accounts or that runs more than one app, choose a multi-app kiosk
  • Which edition of Windows client will the kiosk run? All of the configuration methods work for Windows client Enterprise and Education; some of the methods work for Windows Pro. Kiosk mode isn't available on Windows Home
  • Which type of user account will be the kiosk account? The kiosk account can be a local standard user account, a local administrator account, a domain account, or a Microsoft Entra account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method

Important

Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.

[!INCLUDE assigned-access-kiosk-mode] [!INCLUDE assigned-access-kiosk-mode]

Summary of configuration methods

Method App type Account type Single-app kiosk Multi-app kiosk
Assigned access in Settings UWP Local account
Assigned access cmdlets UWP Local account
The kiosk wizard in Windows Configuration Designer UWP, Windows desktop app Local standard user, Active Directory, Microsoft Entra ID
XML in a provisioning package UWP, Windows desktop app Local standard user, Active Directory, Microsoft Entra ID
Microsoft Intune or other MDM for full-screen single-app kiosk or for multi-app kiosk with desktop UWP, Windows desktop app Local standard user, Microsoft Entra ID
Shell Launcher UWP, Windows desktop app Local standard user, Active Directory, Microsoft Entra ID
MDM Bridge WMI Provider UWP, Windows desktop app Local standard user, Active Directory, Microsoft Entra ID

Note

For devices running Windows client Enterprise and Education, you can also use Windows Defender Application Control or AppLocker to lock down a device to specific apps.

User experience

To test the kiosk, sign in with the Assigned Access user account you specified in the configuration to check out the multi-app experience.

Note

The kiosk configuration setting will take effect the next time the Assigned Access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience.

When Assigned Access is configured, different policy settings are applied to the device to provide a secured, locked-down experience. For more information, see assigned-access-policy-settings.

Optionally, run Event Viewer (eventvwr.exe) and look through logs under Applications and Services Logs > Microsoft > Windows > Provisioning-Diagnostics-Provider > Admin.

App launching and switching experience

In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window.

The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar.

Auto-trigger touch keyboard

The touch keyboard is automatically triggered when there's an input needed and no physical keyboard is attached on touch-enabled devices. You don't need to configure any other setting to enforce this behavior.