Get fresh insights, pro tips, and thought starters–only the best of posts for you.
Windows kiosk mode uses Assigned Access to lock devices into a single app or a controlled set of apps for secure, task-specific use. While Windows 10/11 provide native kiosk setup options, they come with security and scalability limitations. Hexnode enhances Windows kiosk mode with remote management, stronger security controls, and legacy app support for easier large-scale deployments.
Windows kiosk mode is a lockdown mechanism that restricts a Windows device to running only a single application or a defined set of approved apps.
It uses a feature called Assigned Access to transform standard PCs into dedicated-purpose terminals. This makes it ideal for digital signage, point-of-sale (POS) systems, self-service kiosks, educational labs, and secure public browsing environments.
In this guide, we break down everything IT administrators need to know about Windows kiosk mode. It includes setup methods, advanced troubleshooting, native limitations, and why enterprises choose Hexnode for scalable kiosk management.
Windows kiosk mode relies on Microsoft’s Assigned Access feature to limit user interactions and create a restricted operating environment. Users can access only approved applications and functions while everything else remains blocked.
Microsoft provides native tools to configure kiosk mode. However, enterprise environments often require more granular controls, stronger security, and centralized management capabilities than what the standard Windows Settings menu provides.
Understanding the difference between Windows Single App Kiosk and Windows Multi-App Kiosk mode is critical for selecting the right deployment strategy.
| Feature | Single App Kiosk Mode | Multi-App Kiosk Mode |
|---|---|---|
| Primary Function | Runs one application in full screen immediately upon login. | Presents a customized Start menu with approved apps. |
| User Experience | No taskbar or Start menu. Users cannot minimize or close the app. | Users can switch between approved apps without accessing the full desktop. |
| Best Use Case | Digital signage, self-service kiosks, ATM-style interfaces. | Shared frontline worker devices, libraries, and educational labs. |
| Security Level | High: Properly configured single-app kiosks offer strong restrictions, though physical access and misconfigurations can still create bypass risks. | Medium-High: Explorer shell is restricted, but multiple windows are permitted. |
The Definitive Guide to Kiosk Management and Strategy (2026 Edition)
Setting up kiosk mode requires administrator privileges. It can be configured using Windows Settings, PowerShell, provisioning packages, or a Unified Endpoint Management (UEM) solution like Hexnode.
Below are field-tested steps for manually configuring kiosk mode on a single device.
Note: If you’re deploying kiosk mode to more than 10 devices, consider using a UEM solution to avoid hours of repetitive manual configuration.
Win + I and navigate to Accounts > Other users.To disable kiosk mode, you must sign out of the kiosk account and remove the Assigned Access configuration using an administrator account.
Ctrl + Alt + Delete on the device and sign out.Fact: Windows powers a significant percentage of the world’s ATM infrastructure. The operating system is widely used in critical environments where additional access restrictions and security hardening are essential.
Beyond the Settings menu, Microsoft provides several advanced methods for configuring kiosk environments.
For IT teams managing complex deployments, these professional alternatives provide greater flexibility and scalability.
| Method | Best Used For | Supported Mode |
|---|---|---|
| Windows PowerShell | Scripting kiosk setups across multiple local devices. | Single App |
| Provisioning Packages (.ppkg) | Bulk configuring devices during Out-of-Box Experience (OOBE). | Single & Multi-App |
| Shell Launcher | Replacing the default Explorer shell with a custom application. | Single App |
| MDM Bridge WMI | Delivering CSP commands via management scripts. | Multi-App |
Pro Tip: Provisioning packages simplify initial bulk setup, but ongoing kiosk management is significantly easier through centralized UEM platforms.
Native Windows kiosk mode blocks basic user interference effectively. However, it can still leave security gaps that advanced users may exploit.
Before deploying native kiosk configurations in public-facing environments, IT teams should understand these common limitations.
Ctrl + Alt + Delete may still remain active.Hexnode transforms Windows kiosk mode from a basic operating system feature into a scalable enterprise-grade infrastructure for managing thousands of endpoints securely.
By addressing the shortcomings of native Assigned Access, Hexnode delivers enhanced security, remote troubleshooting, centralized policy management, and advanced kiosk controls.
Single-app kiosk configurations in Windows commonly rely on Universal Windows Platform (UWP) applications, although supported application types can vary based on the Windows version and deployment method.
UWP applications are built using Microsoft’s modern application framework, which includes built-in security and management controls ideal for kiosk deployments.
The Hexnode Advantage: Hexnode supports enterprise application deployments, including Win32 apps, within Multi-App Kiosk environments.
Native Windows kiosk deployments often encounter operational friction points such as app crashes, update interruptions, and user breakout attempts.
The Problem: The kiosk application crashes immediately after launch, causing the screen to flash or return to the login page.
Hexnode Fix: Hexnode’s Remote View feature allows administrators to remotely inspect devices and troubleshoot application failures in real time.
The Problem: Users attempt to access the underlying operating system using shortcuts such as Win + R or Alt + Tab.
Hexnode Fix: Hexnode supports peripheral and hardware restriction policies to prevent unauthorized interactions.
The Problem: Windows updates trigger notifications or restart prompts that interrupt kiosk sessions.
Hexnode Fix: Hexnode supports centralized patch management policies that help administrators schedule and control update deployment windows.
To put Windows in kiosk mode, you must configure “Assigned Access” in Settings. First, go to Settings > Accounts > Other users > Set up a kiosk. Create a dedicated user account. Then, select the single app you wish to run (e.g., Edge or a POS app). Finally, restart the device to auto-launch into that restricted environment.
Windows 11 kiosk mode locks a PC to a specific task. It prevents access to the desktop, files, or settings. It creates a controlled environment where users can interact only with the designated application. This ensures security and focus for public-facing or frontline devices.
Set up Windows 11 kiosk mode by navigating to Settings > Accounts > Other users > Kiosk. Click “Get Started” and name your kiosk account. Choose your target application. For web kiosks, select Microsoft Edge and define the start URL. Once saved, sign out of Admin and sign in to the Kiosk account.
Disable Windows 10 kiosk mode by pressing Ctrl+Alt+Del to sign out of the kiosk account. Log back in as an Administrator. Navigate to Settings > Accounts > Family & other users > Assigned access. Click “Remove kiosk” to delete the configuration and restore normal functionality.
Enable Windows 11 kiosk mode by creating a Kiosk Profile in Settings. Under Accounts > Other users, select “Set up a kiosk.” Follow the wizard to assign a local user account to a single Universal Windows Platform (UWP) app. The mode activates automatically whenever that specific user account is logged in.
Deploy, secure, and manage Windows kiosk devices at scale with Hexnode’s powerful kiosk management solution.
SIGN UPCopy the code to embed this infographic on your website -
