4.0 KiB
title, description, ms.date, ms.topic
| title | description | ms.date | ms.topic |
|---|---|---|---|
| Configure a Multi-App Kiosk With Assigned Access | Learn how to configure a multi-app kiosk with Assigned Access. | 3/7/2025 | overview |
Configure a restricted user experience (multi-app kiosk) with Assigned Access
An Assigned Access restricted user experience runs one or more apps from the desktop. People using the kiosk have a customized Start menu that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for shared devices.
To configure a restricted user experience with Assigned Access, you must create an XML configuration file with the settings for the desired experience. The XML file is applied to the device via the Assigned Access CSP, using one of the following options:
- A Mobile Device Management (MDM) solution, like Microsoft Intune
- Provisioning packages
- PowerShell, with the MDM Bridge WMI Provider
To learn how to configure the Assigned Access XML file, see Create an Assigned Access configuration file.
[!INCLUDE tab-intro]
:::image type="icon" source="../images/icons/intune.svg"::: Intune/CSP
You can configure devices using a custom policy with the AssignedAccess CSP.
- Setting:
./Vendor/MSFT/AssignedAccess/Configuration - Value: content of the XML configuration file
Assign the policy to a group that contains as members the devices that you want to configure.
:::image type="icon" source="../images/icons/provisioning-package.svg"::: PPKG
[!INCLUDE provisioning-package-1]
- Path:
AssignedAccess/MultiAppAssignedAccessSettings - Value: content of the XML configuration file
[!INCLUDE provisioning-package-2]
:::image type="icon" source="../images/icons/powershell.svg"::: PowerShell
[!INCLUDE powershell-wmi-bridge-1]
$assignedAccessConfiguration = @"
# content of the XML configuration file
"@
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
Write-Error -ErrorRecord $cimSetError[0]
$timeout = New-TimeSpan -Seconds 30
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
do{
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
if($events.Count) {
$events | ForEach-Object {
Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
}
} else {
Write-Warning "Timed-out attempting to retrieve event logs..."
}
Exit 1
}
Write-Output "Successfully applied Assigned Access configuration"
[!INCLUDE powershell-wmi-bridge-2]
:::image type="icon" source="../images/icons/settings-app.svg"::: Settings
This option isn't available using Settings.
Tip
For practical examples, see the Quickstart: Configure a restricted user experience with Assigned Access
[!INCLUDE user-experience]