Implementation of Single App Kiosk Mode (AssignedAccess) using Local Settings

What to note before provisioning your Kiosk Device (VM)
– A single-app kiosk configuration runs an app above the lock screen. It does not work when the device is accessed remotely over an RDP connection. VMware Horizon and Hyper-V are exceptions because of how those VMs are accessed, which is not via RDP.
– When you connect to a VM configured as a single-app kiosk, you need a basic session rather than an enhanced session.

Implementation of Kiosk Mode using Local Settings
– Desired result:  
A single-app kiosk uses the Assigned Access feature to run a single app above the lock screen. When the kiosk account signs in, the application is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app.

This setup can also be done via PowerShell scripts. It is recommended to use a local account with the least privilege when setting up a kiosk application, because domain or service accounts can be compromised, and this introduces risks that might allow an attacker to subvert the assigned access application to gain access to sensitive domain resources. This technique can be implemented in Windows 10 Pro, Enterprise, and Education.

Steps: Here are the steps to set up a kiosk application using a local application.

1. Complete the prerequisites as discussed here

Note: “When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.” Since our device is managed by Active Directory, there was a need to manually configure the registry setting to allow for the automatic login of the kiosk user.

2. To set up assigned access in PC settings
– Go to Start, Settings.
– Select Accounts.
– Select Other users.
– Select Set up a kiosk, Assigned access, and then select Get started.

– Enter a name for the new account.

Note: If there are local standard user accounts on the PC already, the Create an account page will offer the option to select an existing account.

– Choose the app that will run when the kiosk account signs in (only the apps that are capable of running on the lock screen will be displayed).

See this link for App selection choice

Here you have the app and kiosk user set up.
– Click on Next and Finish.

Note: Depending on the app you choose, you may have more configuration steps to follow.

Outcome (Result): Below is the result when the kiosk user automatically signed in.

To exit kiosk mode on a VM on Hyper-V, use Ctrl+Alt+Delete under Actions. This is the only way to exit kiosk mode at present. On a physical device, this is how to exit as well.

– Upon restart, the kiosk account automatically signs in due to the auto-logon configured during the prerequisite stage. Since the kiosk device is managed by AD, there was a need to configure auto-logon.
– Devices that are not AD joined do not need to configure this step.

While in this mode, you cannot use any app other than the permitted one, because the entire device is locked to a single app. This helps secure a device meant to be deployed in a public area.
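
To check the two points stressed above, a least-privileged local kiosk account and the auto-logon registry setting, the following PowerShell is an added example, not code from the original post or from Microsoft. The account name KioskUser and the function name Test-KioskAccount are hypothetical; the Winlogon value names are the standard Windows auto-logon values, which this page does not list.

```powershell
# Added example: audit the kiosk account and the auto-logon settings on the local device.
# 'KioskUser' is a hypothetical account name; pass the name you entered in Settings.
function Test-KioskAccount {
    param([string]$KioskUser = 'KioskUser')
    $findings = @()

    # The kiosk account should exist as a local account.
    $account = Get-LocalUser -Name $KioskUser -ErrorAction SilentlyContinue
    if (-not $account) { return ,@("No local account named '$KioskUser' exists.") }

    # Least privilege: flag membership in built-in privileged groups.
    # Well-known SIDs are used so the check works on any display language.
    $privileged = [ordered]@{
        'S-1-5-32-544' = 'Administrators'
        'S-1-5-32-551' = 'Backup Operators'
        'S-1-5-32-555' = 'Remote Desktop Users'
    }
    foreach ($sid in $privileged.Keys) {
        $members = Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue
        if ($members.SID.Value -contains $account.SID.Value) {
            $findings += "'$KioskUser' is a member of $($privileged[$sid])."
        }
    }

    # Auto-logon values live under the Winlogon key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl  = Get-ItemProperty -Path $key
    if ($wl.AutoAdminLogon -ne '1') {
        $findings += 'AutoAdminLogon is not set to 1.'
    } else {
        if ($wl.DefaultUserName -ne $KioskUser) {
            $findings += "Auto-logon signs in '$($wl.DefaultUserName)', not '$KioskUser'."
        }
        # A local account logs on against the computer name (or '.'), not the AD domain.
        if ($wl.DefaultDomainName -notin @($env:COMPUTERNAME, '.')) {
            $findings += "Auto-logon domain is '$($wl.DefaultDomainName)'; expected the local machine."
        }
        # DefaultPassword, when present, is a cleartext REG_SZ value.
        if ($wl.PSObject.Properties.Name -contains 'DefaultPassword') {
            $findings += 'DefaultPassword stores the kiosk password in cleartext in the registry.'
        }
    }
    return $findings
}

Test-KioskAccount -KioskUser 'KioskUser' | ForEach-Object { Write-Warning $_ }
```

No output means none of the checks raised a finding for that account.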
