---
title: What is Assigned Access?
description: Learn how to configure a Windows kiosk for single-app and multi-app scenarios with Assigned Access.
ms.date: 06/14/2024
ms.topic: overview
---

# What is Assigned Access?
Assigned Access is a Windows feature that you can use to configure a device as a kiosk or with a restricted user experience.
When you configure a kiosk experience, a single Universal Windows Platform (UWP) application or Microsoft Edge is executed in full screen, above the lock screen. Users can only use that application. If the kiosk app is closed, it automatically restarts. Practical examples include:
- Public browsing
- Interactive digital signage
When you configure a restricted user experience, users can only execute a defined list of applications, with a tailored Start menu and Taskbar. Different policy settings and AppLocker rules are enforced, creating a locked-down experience. Users get a familiar Windows desktop while their access is limited, which reduces distractions and the potential for inadvertent use. Ideal for shared devices, you can create different configurations for different users. Practical examples include:
- Frontline worker devices
- Student devices
- Lab devices
> [!NOTE]
> When you configure a restricted user experience, different policy settings are applied to the device. Some policy settings apply to standard users only, and some to administrator accounts too. For more information, see Assigned Access policy settings.
## Requirements
Here are the requirements for Assigned Access:
- To use a kiosk experience, User account control (UAC) must be enabled
- To use a kiosk experience, you must sign in from the console. The kiosk experience isn't supported over a remote desktop connection
[!INCLUDE assigned-access]
## Configure a kiosk experience
There are several options to configure a kiosk experience. If you need to configure a single device with a local account, you can use:
- PowerShell: you can use the `Set-AssignedAccess` PowerShell cmdlet to configure a kiosk experience using a local standard account
- Settings: use this option when you need a simple method to configure a single device with a local standard user account
For advanced customizations, you can use the Assigned Access CSP to configure the kiosk experience. The CSP allows you to configure the kiosk app, the user account, and the kiosk app's behavior. When you use the CSP, you must create an XML configuration file that specifies the kiosk app and the user account. The XML file is applied to the device using one of the following options:
- A Mobile Device Management (MDM) solution, like Microsoft Intune
- Provisioning packages
- PowerShell, with the MDM Bridge WMI Provider
To learn how to configure the Assigned Access XML file, see Create an Assigned Access configuration file.
[!INCLUDE tab-intro]
:::image type="icon" source="../images/icons/intune.svg"::: Intune/CSP
You can configure devices using a custom policy with the AssignedAccess CSP.
- Setting: `./Vendor/MSFT/AssignedAccess/Configuration`
- Value: content of the XML configuration file
Assign the policy to a group that contains as members the devices that you want to configure.
:::image type="icon" source="../images/icons/provisioning-package.svg"::: PPKG
[!INCLUDE provisioning-package-1]
- Path: `AssignedAccess/AssignedAccessSettings`
- Value: Enter the account and the application you want to use for Assigned Access, using the AUMID of the app. Example:

  ```json
  {"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}
  ```
[!INCLUDE provisioning-package-2]
:::image type="icon" source="../images/icons/powershell.svg"::: PowerShell
To configure a device using Windows PowerShell:

1. Sign in as administrator
1. Create the user account for Assigned Access
1. Sign in as the Assigned Access user account
1. Install the required UWP app
1. Sign out as the Assigned Access user account
1. Sign in as administrator and from an elevated PowerShell prompt use one of the following commands:

    ```powershell
    # Configure Assigned Access by AppUserModelID and user name
    Set-AssignedAccess -AppUserModelId <AUMID> -UserName <username>

    # Configure Assigned Access by AppUserModelID and user SID
    Set-AssignedAccess -AppUserModelId <AUMID> -UserSID <usersid>

    # Configure Assigned Access by app name and user name
    Set-AssignedAccess -AppName <CustomApp> -UserName <username>

    # Configure Assigned Access by app name and user SID
    Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>
    ```
> [!NOTE]
> To set up Assigned Access using `-AppName`, the user account that you enter for Assigned Access must have signed in at least once.
For more information:
To remove Assigned Access using PowerShell, run the following cmdlet:

```powershell
Clear-AssignedAccess
```
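The procedure above leaves the AUMID and the account identifier to be typed by hand. The following script is an added example, not part of the original article or of the Windows cmdlets' documentation: it resolves the AUMID from `Get-StartApps`, binds the kiosk to the account SID rather than the user name (a SID survives an account rename, so the kiosk binding does not silently break), and reads the result back with `Get-AssignedAccess` to confirm it. The account name `KioskUser` and the app display name `Calculator` are constructed values; the script assumes that local standard account already exists and has signed in once with the app installed, and that it is run from an elevated PowerShell prompt on the device console.

```powershell
# Added example (not from the original article): configure a single-app kiosk
# with Set-AssignedAccess, resolving the AUMID and the account SID instead of
# typing them by hand, then verify the result with Get-AssignedAccess.
# Assumptions: the local standard user 'KioskUser' already exists and has
# signed in once with the app installed; 'Calculator' is the app display name.
# Run from an elevated PowerShell prompt on the device console.

param(
    [string] $UserName = 'KioskUser',   # constructed account name
    [string] $AppName  = 'Calculator'   # display name as listed by Get-StartApps
)

# Resolve the account to its SID. Binding by SID means a later rename of the
# account does not leave the kiosk pointing at a name that no longer exists.
$user = Get-LocalUser -Name $UserName -ErrorAction Stop
$sid  = $user.SID.Value

# Resolve the AUMID from the Start menu app list. Get-StartApps returns the
# display Name and the AppID (the AUMID, for example '...!App').
$app = Get-StartApps | Where-Object { $_.Name -eq $AppName } | Select-Object -First 1
if (-not $app) {
    throw "App '$AppName' not found by Get-StartApps; install it for '$UserName' first."
}

Set-AssignedAccess -AppUserModelId $app.AppID -UserSID $sid

# Read back the configuration and confirm it matches what was requested.
$current = Get-AssignedAccess
if ($current.UserSID -ne $sid -or $current.AppUserModelId -ne $app.AppID) {
    throw "Assigned Access configuration does not match the requested values."
}
Write-Output "Kiosk configured: $($current.UserName) -> $($current.AppUserModelId)"
```

`Get-StartApps` lists the apps visible to the account running the script, so a per-user app that is installed only for the kiosk account will not be found from the administrator session; in that case pass the AUMID directly, as in the commands above.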
For advanced customizations that use the XML configuration file, you can use PowerShell scripts via the MDM Bridge WMI Provider.
> [!IMPORTANT]
> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.

To test the PowerShell script, you can:

- Download the psexec tool
- Open an elevated command prompt and run:

  ```cmd
  psexec.exe -i -s powershell.exe
  ```

- Run the script in the PowerShell session
```powershell
$assignedAccessConfiguration = @"
# content of the XML configuration file
"@

# Event log filter used to collect Assigned Access errors when the configuration fails to apply
$eventLogFilterHashTable = @{
    ProviderName = "Microsoft-Windows-AssignedAccess"
    StartTime    = Get-Date -Millisecond 0
}

$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className

# The kiosk XML is written to the Configuration property (the ./Vendor/MSFT/AssignedAccess/Configuration node) and must be HTML-encoded
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if ($cimSetError) {
    Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
    Write-Error -ErrorRecord $cimSetError[0]

    $timeout = New-TimeSpan -Seconds 30
    $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
    do {
        $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
    } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available

    if ($events.Count) {
        $events | ForEach-Object {
            Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
        }
    } else {
        Write-Warning "Timed-out attempting to retrieve event logs..."
    }

    Exit 1
}

Write-Output "Successfully applied Assigned Access configuration"
```
[!INCLUDE powershell-wmi-bridge-2]
:::image type="icon" source="../images/icons/settings-app.svg"::: Settings
Here are the steps to configure a kiosk using the Settings app:

1. Open the Settings app to view and configure a device as a kiosk. Go to Settings > Accounts > Other Users, or use the following shortcut:

    [!div class="nextstepaction"]

1. Under Set up a kiosk, select Get Started
1. In the Create an account dialog, enter the account name, and select Next

    > [!NOTE]
    > If there are any local standard user accounts already, the Create an account dialog offers the option to Choose an existing account

1. Choose the application to run when the kiosk account signs in. Only apps that can run above the lock screen are available in the list of apps to choose from. If you select Microsoft Edge as the kiosk app, you configure the following options:
    - Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser)
    - Which URL should be open when the kiosk account signs in
    - When Microsoft Edge should restart after a period of inactivity (if you select to run as a public browser)
1. Select Close

When the device isn't joined to an Active Directory domain or Microsoft Entra ID, automatic sign-in of the kiosk account is configured automatically:

- If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything
- If you don't want the kiosk account to sign in automatically when the device restarts, then you must change the default setting before you configure the device as a kiosk. Sign in with the account that you want to use as the kiosk account. Open Settings > Accounts > Sign-in options. Set the Use my sign-in info to automatically finish setting up my device after an update or restart setting to Off. After you change the setting, you can apply the kiosk configuration to the device
> [!TIP]
> For practical examples, see the Quickstart: Configure a kiosk with Assigned Access.

## Configure a restricted user experience
To configure a restricted user experience with Assigned Access, you must create an XML configuration file with the settings for the desired experience. The XML file is applied to the device via the Assigned Access CSP, using one of the following options:
- A Mobile Device Management (MDM) solution, like Microsoft Intune
- Provisioning packages
- PowerShell, with the MDM Bridge WMI Provider
To learn how to configure the Assigned Access XML file, see Create an Assigned Access configuration file.
[!INCLUDE tab-intro]
:::image type="icon" source="../images/icons/intune.svg"::: Intune/CSP
You can configure devices using a custom policy with the AssignedAccess CSP.
- Setting: `./Vendor/MSFT/AssignedAccess/ShellLauncher`
- Value: content of the XML configuration file
Assign the policy to a group that contains as members the devices that you want to configure.
:::image type="icon" source="../images/icons/provisioning-package.svg"::: PPKG
[!INCLUDE provisioning-package-1]
- Path: `AssignedAccess/MultiAppAssignedAccessSettings`
- Value: content of the XML configuration file
[!INCLUDE provisioning-package-2]
:::image type="icon" source="../images/icons/powershell.svg"::: PowerShell
[!INCLUDE powershell-wmi-bridge-1]
```powershell
$assignedAccessConfiguration = @"
# content of the XML configuration file
"@

# Event log filter used to collect Assigned Access errors when the configuration fails to apply
$eventLogFilterHashTable = @{
    ProviderName = "Microsoft-Windows-AssignedAccess"
    StartTime    = Get-Date -Millisecond 0
}

$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className

# The XML must be HTML-encoded before it is written to the Configuration property
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if ($cimSetError) {
    Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
    Write-Error -ErrorRecord $cimSetError[0]

    $timeout = New-TimeSpan -Seconds 30
    $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
    do {
        $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
    } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available

    if ($events.Count) {
        $events | ForEach-Object {
            Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
        }
    } else {
        Write-Warning "Timed-out attempting to retrieve event logs..."
    }

    Exit 1
}

Write-Output "Successfully applied Assigned Access configuration"
```
[!INCLUDE powershell-wmi-bridge-2]
:::image type="icon" source="../images/icons/settings-app.svg"::: Settings
This option isn't available using Settings.
> [!TIP]
> For practical examples, see the Quickstart: Configure a restricted user experience with Assigned Access.

## User experience
To validate the kiosk or restricted user experience, sign in with the user account you specified in the configuration file.
The Assigned Access configuration takes effect the next time the targeted user signs in. If that user account is signed in when you apply the configuration, sign out and sign back in to validate the experience.
> [!NOTE]
> Starting in Windows 11, a restricted user experience supports the use of multiple monitors.

### Autotrigger touch keyboard
The touch keyboard is automatically triggered when there's an input needed and no physical keyboard is attached on touch-enabled devices. You don't need to configure any other setting to enforce this behavior.
> [!TIP]
> The touch keyboard is triggered only when tapping a textbox. Mouse clicks don't trigger the touch keyboard. If you're testing this feature, use a physical device instead of a virtual machine (VM), as the touch keyboard isn't triggered on VMs.

### Sign out of Assigned Access
By default, to exit the kiosk experience, press Ctrl + Alt + Del. The kiosk app exits automatically. If you sign in again as the Assigned Access account, or wait for the sign in screen timeout, the kiosk app relaunches. The default timeout is 30 seconds, but you can change the timeout with the registry key:
```text
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
```

To change the default time for Assigned Access to resume, add `IdleTimeOut` (DWORD) and enter the value data as milliseconds in hexadecimal.

> [!NOTE]
> `IdleTimeOut` doesn't apply to the Microsoft Edge kiosk mode.
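Setting the value from PowerShell avoids the unit and radix mistakes that are easy to make in the Registry Editor (seconds instead of milliseconds, or a decimal typed into a hexadecimal field). The script below is an added example, not from the original article: it converts a timeout given in seconds to milliseconds, writes it as a DWORD under the `LogonUI` key named above, reads it back to verify, and shows the hexadecimal form the Registry Editor displays. The function names `Set-AssignedAccessIdleTimeout` and `Remove-AssignedAccessIdleTimeout` are constructed for this example; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): set the Assigned Access
# IdleTimeOut so the kiosk app relaunches 60 seconds after the breakout
# sequence instead of the 30-second default, then read the value back.
# The value is a DWORD holding milliseconds; the Registry Editor shows DWORDs
# in hexadecimal, which is what the article's "in hexadecimal" refers to.
# Run from an elevated PowerShell prompt. Function names are constructed here.

$logonUiKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'

function Set-AssignedAccessIdleTimeout {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(1, 86400)]   # 1 second to 24 hours; rejects 0 and negative values
        [int] $Seconds
    )
    $milliseconds = $Seconds * 1000

    # -Type DWord creates the value if it is missing and overwrites it if present.
    Set-ItemProperty -Path $logonUiKey -Name 'IdleTimeOut' -Value $milliseconds -Type DWord -Force

    # Read the value back and fail loudly if it does not match what was written.
    $applied = (Get-ItemProperty -Path $logonUiKey -Name 'IdleTimeOut').IdleTimeOut
    if ($applied -ne $milliseconds) {
        throw "IdleTimeOut readback ($applied) does not match the requested value ($milliseconds)."
    }

    [pscustomobject]@{
        Seconds      = $Seconds
        Milliseconds = $applied
        Hex          = ('0x{0:x}' -f $applied)   # the form shown by the Registry Editor
    }
}

function Remove-AssignedAccessIdleTimeout {
    # Deleting the value restores the built-in 30-second default.
    Remove-ItemProperty -Path $logonUiKey -Name 'IdleTimeOut' -ErrorAction SilentlyContinue
}

Set-AssignedAccessIdleTimeout -Seconds 60   # 60000 ms, displayed as 0xea60
```

The readback check matters because `Set-ItemProperty` silently coerces the value to the existing type if `IdleTimeOut` was earlier created as a string; confirming the stored number is what you intended catches that before the kiosk misbehaves. As the note above says, this value has no effect on the Microsoft Edge kiosk mode.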
The Breakout Sequence of Ctrl + Alt + Del is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format modifiers + keys. An example breakout sequence is CTRL + ALT + A, where CTRL + ALT are the modifiers, and A is the key value. To learn more, see Create an Assigned Access configuration XML file.
## Remove Assigned Access
Deleting the restricted user experience removes the policy settings associated with the users, but it can't revert all the configurations. For example, the Start menu configuration is maintained.
## Next steps
[!div class="nextstepaction"] Review the recommendations before you deploy Assigned Access: