Single App Kiosk Mode is also referred to as “Assigned Access”. It is a feature in Windows that allows you to set up a specific application to run in a restricted kiosk-like mode on a device. In this mode, the user can only access and interact with a single designated application, and they are prevented from accessing the rest of the operating system or making any system changes. In this article, you will learn about Single App Kiosk Mode: Setup Assigned Access using Local Settings. Please see how to Disable or Remove Kiosk Mode Via the Local Settings, and how to delete an Instance (AssignedAccess) when applied via MDM WMI bridge Provider.
This Single App Kiosk Mode feature is often used in scenarios where a device needs to be dedicated to a specific task or purpose, such as information kiosks, digital signage, or point-of-sale systems.
Please see the following exciting articles: About – Windows 10 Single / Multi App Kiosk, and how to configure “Single App Kiosk Mode Configuration using MDM Bridge WMI Provider“.
What to note before provisioning your Kiosk Device
A single-app kiosk configuration runs an app above the lock screen. It doesn’t work when it’s accessed remotely via an RDP connection with the exception to VMware Horizon and Hyper-V because of how the VMs are accessed but not via RDP.
When you connect to a VM configured as a single-app kiosk, you need a basic session rather than an enhanced session. Please see the prerequisites for setting up Assigned Access Device, and how to Disable credential Prompts for Remote Desktop Connections.
Implementation of Single App Kiosk Mode Using Local Settings
Desired result: A single-app kiosk uses the Assigned Access feature to run a single app above the lock screen. When the kiosk account signs in, the application is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app.
To see how this is done via the PowerShell scripts. It is advisable and recommended to use a local account with the least privilege when setting up a kiosk application because a domain or service account can be hacked and this introduces risks that might allow an attacker to subvert the assigned access application to gain access to sensitive domain resources. This technique can be implemented in Windows 10 Pro, Enterprise, and Education.
Note: “When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory. There is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically.
If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.”. Since our device is managed by Active Directory, there was a need to manually configure the registry setting to allow for the automatic login of the kiosk user.
Set up assigned access in PC settings
To set up Assigned Access using Local Settings in Windows, follow these steps:
Log in to the Windows device with an administrator account. Open the Start menu and go to Settings. In the Settings window, select “Accounts”, as shown below.
Under the “Family & other users” section, select Set up a kiosk Assigned access,
Select the Get Started button.
Create an Automatic Sign-in Account
Enter a name for the new account. Note: If there are local standard user accounts on the PC already. The Create an Account page will prompt the option to select an existing account.
Choose the app that will run when the kiosk account signs in (The apps that are capable of running only on the locked screen will be displayed).
Here you have the App and kiosk user setup. Click on Next and finish
Note: depending on the App you choose, you may have more configuration steps to follow.
Assigned Access (Kiosk Mode) Outcome
Below is the result when the kiosk user automatically signed in. Here is an article on how to Setup Kiosk Mode on Windows 10 with AD User Account.
To exit out of the kiosk mode on a VM on hyper V as well, simply type Ctrl+Alt+Delete under Actions. This is the only way to exit out of the kiosk mode at present. On a physical device, this is how to exit as well.
Note: Upon restart, the kiosk account automatically signs in due to auto-logon configured during the prerequisite stage. Since the kiosk device is managed by D, there was a need to configure auto-logon.
Devices that are not AD joined do not need to configure this step. While in this mode, you cannot use any other app other than the ones permitted App because the entire device is locked on to use a single app. This helps in securing the device meant to be deployed in a public area.
I hope you found this guide useful on “Single App Kiosk Mode: Setup Assigned Access using Local Settings”. Please let me know in the comment section if you have any questions.
