What is Windows kiosk mode?

The Windows kiosk mode

Windows kiosk laptops used by engineers in workshops
  • Ensures system security and protects the terminal from malware, viruses and disruptive scripts.
  • Reduces the underlying attack surface by protecting system drives and fixed data drives.
  • Prevents unauthorized access to files, folders, and undesired functions.
  • Disables host functionality such as Task Manager.
  • Deactivates unwanted touch functions, some system-critical keyboard shortcuts, and user rights.

What is assigned access?

The simplest way to set up assigned access in Windows 10

  • Create a new standard local user account or use an existing one.
  • Install the store app you want to allow in the assigned access account.
  • Sign into the primary admin account.
  • Go to Settings > Accounts > Family and other users.
  • Click on “Set up assigned access”.
  • Choose the assigned access account and app.
  • Restart and sign into the assigned access account.
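The same single-app setup can be scripted instead of clicked through. The following is an added example, not code from the original article or from Hexnode; it uses the built-in AssignedAccess cmdlets from an elevated PowerShell session. The account name and the Calculator AppUserModelId are constructed sample values to replace with your own.

```powershell
# Added example (not from the original article): single-app assigned access via
# PowerShell, mirroring the Settings steps above. Run from an elevated session.
# Assumptions: 'KioskUser' and the Calculator AUMID are sample values.
$KioskUser = 'KioskUser'                                   # constructed sample account
$Aumid     = 'Microsoft.WindowsCalculator_8wekyb3d8bbwe!App'  # sample Store app

# 1. Create a standard (non-administrator) local account for the kiosk.
if (-not (Get-LocalUser -Name $KioskUser -ErrorAction SilentlyContinue)) {
    $Password = Read-Host -AsSecureString -Prompt "Password for $KioskUser"
    New-LocalUser -Name $KioskUser -Password $Password -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $KioskUser
}

# Refuse to continue if the account is (or later becomes) an administrator:
# assigned access must only ever be bound to a standard user.
$Admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($Admins -match "\\$KioskUser$") {
    throw "$KioskUser is a member of Administrators; use a standard account."
}

# 2. Make sure the app is installed before binding it. Get-StartApps lists the
#    AppUserModelIds that Windows knows how to launch.
if (-not (Get-StartApps | Where-Object AppID -eq $Aumid)) {
    throw "App '$Aumid' is not installed; install it from the Store first."
}

# 3. Bind the app to the account (one app per device with this cmdlet).
Set-AssignedAccess -AppUserModelId $Aumid -UserName $KioskUser

# 4. Read back what the device will enforce at the next sign-in of that account.
Get-AssignedAccess

# To undo the binding later (the local account itself is kept): Clear-AssignedAccess
```

Get-AssignedAccess is the check worth keeping in any build script: it shows exactly which account and app the device will lock down, so a typo in the user name or AUMID is caught before the device is shipped.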

Points to consider while choosing the assigned access app

  • Don’t use an app generated by the Desktop app converter in assigned access.
  • Don’t use an app which launches another app while running (Certain apps run alongside the main application as a part of its functionality).
  • The app should be installed within the assigned access account prior to the configuration.
  • If an app is updated, assigned access settings have to be re-configured to the updated version of the app.

Use cases

Self check-in at airport
Special purpose laptop used by employees

Limitations to Windows kiosk mode

Single purpose laptops used by factory workers
  • The operating system can be corrupted if malicious files are downloaded.
  • Some keyboard shortcuts like Ctrl+Alt+Del are not restricted. This enables hackers to use such key combinations to disrupt the kiosk and tamper with the system.
  • Some dialog windows may pop up within the allowed application, giving hackers an option to gain access to the file system.
  • In multi-app kiosk mode, some restrictions are applied system-wide to all non-administrative users, irrespective of whether they are the assigned access account or not. The device needs a factory reset to turn off these restrictions, even after deactivating assigned access mode.

Recommended hardening measures to reduce these risks:

  • Disable the power button.
  • Disable the camera.
  • Disallow removable media.
  • Hide the power button and ease of access features from the sign-in screen.
  • Use keyboard filters to block the key combinations that enable accessibility functions.
  • Use a virtual machine to test the kiosk configuration before applying it to the actual machine.
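Before a kiosk image leaves the test virtual machine, the settings above should be read back rather than assumed. The script below is an added example, not the article's or Hexnode's code, that audits the registry values the matching Group Policy / Policy CSP settings write on Windows 10; the paths and expected values are assumptions to adjust if your management tool stores them elsewhere.

```powershell
# Added example (not from the original article): audit the kiosk hardening
# checklist above. Assumptions: registry locations are those written by the
# corresponding Group Policy / Policy CSP settings on Windows 10.

function Test-PolicyValue {
    param([string]$Path, [string]$Name, $Expected, [string]$Label)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Check    = $Label
        Expected = $Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Pass     = ($actual -eq $Expected)
    }
}

$Results = @(
    # Sign-in screen power button: "Shutdown: Allow system to be shut down
    # without having to log on" = Disabled writes ShutdownWithoutLogon = 0.
    Test-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        'ShutdownWithoutLogon' 0 'Power button hidden on sign-in screen'
    # Camera: Policy CSP Camera/AllowCamera = 0 disables it.
    Test-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Camera' `
        'AllowCamera' 0 'Camera disabled'
    # Removable media: "All Removable Storage classes: Deny all access" = Deny_All 1.
    Test-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
        'Deny_All' 1 'Removable media blocked'
)

# Keyboard Filter is an optional feature (Enterprise/Education). It has to be
# enabled before any key combination can be blocked.
$kf = Get-WindowsOptionalFeature -Online -FeatureName 'Client-KeyboardFilter' -ErrorAction SilentlyContinue
$Results += [pscustomobject]@{
    Check    = 'Keyboard Filter feature enabled'
    Expected = 'Enabled'
    Actual   = if ($kf) { [string]$kf.State } else { '<feature not present on this edition>' }
    Pass     = ($kf.State -eq 'Enabled')
}

# Assigned access must actually be bound to an account, otherwise the device is
# an ordinary desktop regardless of the policies above.
$aa = Get-AssignedAccess
$Results += [pscustomobject]@{
    Check    = 'Assigned access configured'
    Expected = 'configured'
    Actual   = if ($aa) { $aa.UserName } else { '<none>' }
    Pass     = [bool]$aa
}

$Results | Format-Table -AutoSize
```

Hiding the ease of access features from the sign-in screen has no single registry value this audit can check, so that item stays a manual step on the test VM.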

Kiosk configuration methods

Interactive kiosk

Considerations for choosing the configuration methods

  • Account based
    Account type for the kiosk account — Most of the methods support only local standard user accounts while some can be used to set up a kiosk for Azure AD and AD domain accounts.
  • Use case based
    Type of kiosk — Methods are different for single app and multi app kiosk mode configurations.
  • Device based
    Windows 10 edition — Kiosk mode is supported on Windows 10 Pro, Enterprise and Education editions. However, some of the methods are not available on Windows 10 Pro devices.

Different configuration methods

  1. Assigned access from local PC settings
    If there are only a few local kiosks to be configured, you can manually access the Settings app in each of these devices to configure assigned access.
  2. Assigned access using Windows PowerShell
    A set of PowerShell cmdlets can be used to configure assigned access, and the same script can be run on multiple devices.
  3. Assigned access using MDM
    Admins can use an MDM solution to set up kiosk mode on multiple managed devices remotely, provided the devices are online and users sign in to the device for the configuration to be applied.
  4. Provisioning package
    You can create an XML file with the kiosk configuration, add this XML file to a provisioning package and apply it to the device during the initial set up.
  5. Windows Configuration Designer
    You can configure multiple devices to run a UWP app or desktop app using the Provision kiosk devices wizard in Microsoft’s Windows Configuration Designer and build a provisioning package.
  6. Shell launcher
    Shell Launcher can replace the default shell with a custom application that launches once an account is signed in. This doesn’t prevent the user from accessing other apps or settings from the desktop. For a complete lockdown, additional tools like a Windows MDM solution, Group Policy, AppLocker etc. have to be used.
  7. MDM Bridge WMI provider
    CSP (Configuration Service Provider) settings are mapped to WMI (Windows Management Instrumentation) using the MDM Bridge WMI provider. This method can be used to create a kiosk mode on a device by delivering CSP commands via scripts.
  8. Kiosk like functionality using AppLocker
    Though it is not a recommended method, AppLocker rules can be defined to set up a multi-app kiosk by allowing specific apps on the device. It’s not a strict lockdown mechanism.
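Methods 4 and 7 above share one artifact: the AssignedAccess configuration XML. The script below is an added example, not the article's or Hexnode's code, that writes a multi-app profile as the XML a provisioning package would carry and applies it locally through the MDM Bridge WMI provider (the MDM_AssignedAccess class). The profile GUID, account name, and allowed app list are constructed sample values, and, as Microsoft documents for this provider, the script has to run in a SYSTEM context.

```powershell
# Added example (not from the original article): multi-app assigned access XML
# (provisioning-package style) applied via the MDM Bridge WMI provider.
# Assumptions: GUID, account and apps are constructed samples; run as SYSTEM.
$KioskAccount = 'KioskUser'                               # sample local standard account
$ProfileId    = '{7f3e0c1a-0000-4000-8000-000000000001}'  # constructed sample GUID

$Xml = @"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="$ProfileId">
      <AllAppsList>
        <AllowedApps>
          <!-- UWP apps are listed by AppUserModelId, desktop apps by executable path -->
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <App DesktopAppPath="%windir%\system32\notepad.exe" />
        </AllowedApps>
      </AllAppsList>
      <StartLayout>
        <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
          <LayoutOptions StartTileGroupCellWidth="6" />
          <DefaultLayoutOverride>
            <StartLayoutCollection>
              <defaultlayout:StartLayout GroupCellWidth="6">
                <start:Group Name="Kiosk apps">
                  <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
                  <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
                </start:Group>
              </defaultlayout:StartLayout>
            </StartLayoutCollection>
          </DefaultLayoutOverride>
        </LayoutModificationTemplate>]]>
      </StartLayout>
      <Taskbar ShowTaskbar="true" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>$KioskAccount</Account>
      <DefaultProfile Id="$ProfileId" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
"@

# Sanity-check the XML locally before handing it to the device; a malformed
# document is otherwise only reported as a generic WMI error.
[xml]$Parsed = $Xml
if (-not $Parsed.AssignedAccessConfiguration.Configs.Config.Account) {
    throw 'Config/Account element missing from the assigned access XML.'
}

# The CSP expects the XML as an HTML-encoded string in the Configuration property.
$Instance = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_AssignedAccess'
$Instance.Configuration = [System.Net.WebUtility]::HtmlEncode($Xml)
Set-CimInstance -CimInstance $Instance

# Read it back and decode, so the applied profile can be diffed against the intent.
$Applied = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_AssignedAccess'
[System.Net.WebUtility]::HtmlDecode($Applied.Configuration)
```

The same `$Xml` string is what the AssignedAccess setting in a provisioning package or an MDM policy carries, which is why one file can be tested locally through WMI on the virtual machine and then pushed unchanged to the fleet.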

Setting up using an MDM

Windows powered laptop in kiosk mode
Hexnode Windows kiosk mode
  • Seamless set up ensures streamlined business processes.
  • Reduced running costs and maintenance efforts.
  • Enhanced kiosk performance and amplified employee productivity.
  • Remote health monitoring to make sure that the kiosk systems are running properly.
  • Automatic device restart to update new settings.
  • Bulk device integration using ppkg enrollment.
  • Continuous device monitoring to protect the OS from manipulations and hacking.
  • Remote device scan and location tracking for added device security.
  • Remote lock and complete data wipe for troubleshooting compromised devices.
  • Complete visibility to the hardware, firmware, and applications running on the device.

Hexnode Windows kiosk mode features

  1. Single app lockdown
Windows single app kiosk mode
  • Runs a single UWP app in full screen.
  • Pushes the kiosk mode to a local standard user account running on the device.
  2. Multi app lockdown
  • Runs multiple UWP apps.
  • Approved apps appear as tiles in the start layout on the desktop when the assigned local standard user account is logged in.

Hexnode
Hexnode MDM is an award winning Enterprise Mobility Management vendor which helps businesses to secure and manage BYOD, COPE, apps and content.