Alma
Evans

What is Windows kiosk mode?

Alma Evans

Apr 17, 2020

12 min read

Microsoft has been offering a range of admin tools and a suite of functionalities over the years making it easy to control and customize its Windows-based business focused devices. Windows kiosk mode is such a feature to narrow down the options for improper usage of business-critical Windows devices.

The Windows kiosk mode

Definition:

Windows kiosk mode is a lockdown mechanism to restrict Windows 10 devices to a single application that runs in full screen or multiple pre-selected applications that appears as start screen tiles on the desktop.

The kiosk mode dedicates Windows PC to a specific task limiting the user access and behavior that can potentially interfere with the normal functioning of the publicly accessed single-purpose device. Usually, this kind of configurations are set up on a point-of-sale terminal at retail stores, the interactive directory in a building lobby, stand-alone computer in the public domain, self-service kiosk at restaurants, self check-in at airports, or signage used to display testimonials and advertise campaigns. In all these points, admins want to hold back users from getting out of the designated app(s) and prying into the device’s internal stuff – the underlying settings and files on the computer.

Special purpose devices for engineers in workshops
Windows kiosk laptops used by engineers in workshops
 

Windows kiosk mode features:

  • Ensures system security and protects the terminal from malware, viruses and disruptive scripts.
  • Reduces the underlying attack surface by protecting system drives and fixed data drives.
  • Prevents unauthorized access to files, folders, and undesired functions.
  • Disables the host functionality, task manager.
  • Deactivates unwanted touch functions, some system critical keyboard shortcuts, and user rights.

In Windows 10, kiosk mode is based on a feature called assigned access. The feature helps protect corporate confidentiality allowing administrators to confine an application’s opening wedges revealed to the users.

What is assigned access?

Assigned access in Windows 10 Pro, Windows 10 Education, and Windows 10 Enterprise editions is a feature to allow admins to manage end user experience by denying some functionalities. It helps to eliminate the risk of compromising the system.
Assigned access is nothing but assigning a device for a specific function allowing only specific applications. This is accomplished by configuring a user account and adding up the apps the user is to be allowed access to within the account. So, the assigned access account will not be having access to any system features other than the designated applications. This ensures the security of the device as the entire system is essentially locked down. The feature is exclusively meant for corporate-owned purpose-specific devices and is inappropriate for any other cases as some system restrictions enforced with the feature targets all the non-admin users in addition to the intended account.

The simplest way to set up assigned access in Windows 10

  • Create a new user account or use an existing one.
  • Install the store app you want to allow in the assigned access account.
  • Sign in to the primary account.
  • Go to Settings > Accounts > Family and other users.
  • Click on “Set up assigned access”.
  • Choose the assigned access account and app.
  • Restart and sign into the assigned access account.

Points to consider while choosing the assigned access app

  • Don’t use an app generated by the Desktop app converter in assigned access.
  • Don’t use an app which launches another app while running (Certain apps run alongside the main application as a part of its functionality).
  • The app should be installed within the assigned access account prior to the configuration.
  • If an app is updated, assigned access settings have to be re-configured to the updated version of the app.

Use cases

Windows kiosk device for self-check at airport
Self check-in at airport
 

As Microsoft is pretty aggressive about their sales and marketing towards the corporates, its Windows OS devices are the now-undisputed leads in the business world. Most of the companies, whether they’re SMBs or big corporations, rely upon Windows devices particularly desktop PCs to get day-to-day business work done. Powered by a multitude of advantages, the Windows kiosk mode finds its application in most of these work scenarios.
Step into any retail store, warehouse or manufacturing unit, you will most probably come across a kiosk system running the most ubiquitous operating system – Windows 10. Windows 10 kiosk mode can offer two different kiosk experiences by locking the devices to either a single app or multiple apps based on whether the devices are used for public use or a fixed purpose in an organization.
For public access terminals where you want a high degree of control over the device, consider running Windows single app kiosk mode. The kiosk app runs in full screen above the lock screen in a restricted user account and the public can’t tab out of the application on such limited-security environments.

Windows multi app kiosk mode for employees working remotely
Special purpose laptop used by employees
 

In a corporate environment, if a Windows device is to be used for a specific business-related task only and the system must be shared between multiple users, a multi app mode will be more apt. With Windows multi app kiosk mode, you can enable only essential apps and features for the workers and limit all other extraneous functionalities so that bored employees cannot switch to any other activities. Users are forced to sign-in with the specified account credentials and access only the applications whitelisted for them by the admin.

Single app mode Multi app mode
Only a single app (in full screen) can run on the device.  Multiple apps can run on the device. 
Ideal for public use where auto sign-in is enabled and hence high security is needed.  Ideal for shared use of fixed-purpose devices in corporates and helps the dedicated device users to focus on their tasks. 
Kiosks seen in general public areas such as a kiosk for getting weather updates, devices running demo routine at stores, information kiosks at museums, devices running the search apps at libraries, guest registration desk etc., are examples. Devices used by corporate employees doing remote workfield workers, factory workers, workers in warehouses etc., are examples. 

Limitations to Windows kiosk mode

Single purpose laptops used by factory workers
Single purpose laptops used by factory workers
 

Windows kiosk mode is quite effective at slowing down data breaches/cyber-attacks and preventing meddling with the system hardware, but it falls short in many ways. The physical access to the device can provide sufficient ways to break out of the kiosk interface and cause some unknown exploits due to few limitations the feature has.

  • Operating system can get corrupted by downloading malicious files.
  • Some keyboard shortcuts like Ctrl+Alt+Del are not restricted. This enables hackers to use such key combinations to disrupt the kiosk and tamper with the system.
  • Some dialog windows may pop up within the allowed application giving hackers an option to gain access to the file system.
  • In multi-app kiosk mode, some restrictions will be applied system wide to all non-administrative users irrespective of whether it is the assigned access account or not. The device needs a factory reset to turn off these restrictions even after deactivating the assigned access mode.

In order to improve the kiosk security and provide a safer kiosk experience, it’s recommended to pre-configure some other settings before setting up the kiosk mode.

  • Disable the power button.
  • Disable camera.
  • Disallow removable media.
  • Hide the power button and ease of access features from the sign-in screen.
  • Use keyboard filters to block the key combinations that enable accessibility functions.
  • Use a virtual machine to test the kiosk configuration before applying it to the actual machine.

Kiosk configuration methods

Interactive kiosk
Interactive kiosk
 

Windows provides a couple of methods to accomplish kiosk lockdown on the devices. IT can choose the best option for their organizations.

Considerations for choosing the configuration methods

  • Account based
    Account type for the kiosk account – Most of the methods support only local standard user accounts while some can be used to set up a kiosk for Azure AD and AD domain accounts.
  • Use case based
    Type of kiosk – Methods are different for single app and multi app kiosk mode configurations.
  • Device based
    Windows 10 edition – Kiosk mode is supported on Windows 10 Pro, Enterprise and Education editions. However, some of the methods won’t be applied for Windows 10 Pro devices.

Here we will breakdown the differences between each of the configuration methods.

  1. Assigned access from local PC settings
    If there are only a few local kiosks to be configured, you can manually access the Settings app in each of these devices to configure assigned access.
  2. Assigned access using Windows PowerShell
    There is a set of PowerShell cmdlets any of which can be used to configure assigned access on multiple devices.
  3. Assigned access using MDM
    Admins can use an MDM solution to set up a kiosk mode on multiple managed devices remotely only that the devices should be online, and users must sign-in to the device for the configuration to get applied.
  4. Provisioning package
    You can create an XML file with the kiosk configuration, add this XML file to a provisioning package and apply it to the device during the initial set up.
  5. Windows Configuration Designer
    You can configure multiple devices to run a UWP app or desktop app using the Provision kiosk devices wizard in Windows Configuration Designer and build a provisioning package.
  6. Shell launcher
    Shell launcher can replace the default shell with a custom application that launches once an account is signed in. This doesn’t prevent the user from accessing other apps or settings. For a complete lockdown, additional tools like MDM, Group policy, AppLocker etc., are to be used.
  7. MDM Bridge WMI provider
    CSP (Configuration Service Provider) settings are mapped to WMI (Windows Management Instrumentation) using the MDM Bridge WMI provider. This method can be used to create a kiosk mode on a device by delivering CSP commands via scripts.
  8. Kiosk like functionality using AppLocker
    Though it is not a recommended method, AppLocker rules can be defined to set up a multi-app kiosk by allowing specific apps on the device. It’s not a strict lockdown mechanism.
Kiosk configuration method Supported kiosk modes 
Assigned access from local PC settings  Single app mode 
Assigned access using Windows PowerShell  Single app mode 
Assigned access using MDM  Single app mode, Multi-app mode 
Windows Configuration Designer  Single app mode 
Shell launcher  Single app mode 
MDM Bridge WMI provider  Multi-app mode 
Provisioning package  Single app mode, Multi-app mode 

Among all these methods both provisioning packages and MDM solutions support all the generic use cases but the issue with provisioning package is that it can be applied only during the Out-of-the-box experience (first-run experience). Though the same provisioning package can be applied to a bulk of devices, having to manually start over again to achieve the first set up screen is a serious drawback.

Setting up kiosks using an MDM

Windows powered laptop in kiosk mode
Windows powered laptop in kiosk mode
 

MDM solutions like Hexnode enables users to set up and remotely manage Windows kiosks with enhanced capabilities for complete lockdown so that the devices can’t be tampered with. Hexnode MDM is designed to address the shortcomings of Windows kiosk mode with its comprehensive security features. Hexnode endeavors to make the Windows kiosk set up as effortless as possible.
Hexnode Windows kiosk software is a tamper-proof solution which prioritizes a secured user experience by adding an extra layer of powerful features to make up for the built-in potentials the traditional Windows kiosk mode lacks. Along with that, Hexnode also provides some ease of use features which eliminates the learning curve in working the kiosk mode so that even a non-tech folk can set it up quickly.

Hexnode Windows kiosk mode
Hexnode Windows kiosk mode
 

The major benefits of using Hexnode Windows kiosk solution includes:

  • Seamless set up ensures streamlined business processes.
  • Reduced running costs and maintenance efforts.
  • Enhanced kiosk performance and amplified employee productivity.
  • Remote health monitoring to make sure that the kiosk systems are running properly.
  • Automatic device restart to update new settings.
  • Bulk device integration using ppkg enrollment.
  • Continuous device monitoring to protect the OS from manipulations and hacking.
  • Remote device scan and location tracking for added device security.
  • Remote lock and complete data wipe for troubleshooting compromised devices.
  • Complete visibility to the hardware, firmware, and applications running on the device.

Hexnode Windows kiosk solution

Hexnode Windows kiosk mode features

    1. Single app lockdown
      Windows single app kiosk mode
      Windows single app kiosk mode
       
      • Runs a single UWP app in full screen.
      • Pushes the kiosk mode to a local standard user account running on the device.
Note:

The app added in kiosk mode should be a Universal Windows Platform (UWP) app. These apps are designed to run across all Windows 10 devices from phones, tablets, and PCs to TVs. Only UWP apps can be distributed through the Windows Store. Hexnode doesn’t support other Windows desktop apps in kiosk mode.

  1. Multi app lockdown
    • Runs multiple UWP apps.
    • Approved apps appear as tiles in the start layout when the assigned local standard user account is logged in.

Upcoming plans for kiosk enhancements:

  1. Browser lockdown
    • Devices are locked down to the company website or a set of other websites according to the use case.
    • Additional settings to customize the browsing experience to meet unique needs.
  2. Remote control
    • Remotely monitor and control the kiosks in real-time.
    • Enables enhanced control and governance over the devices which helps in easy troubleshooting.
  3. Windows Autopilot
    • Quick device deployment using the out-of-the-box enrollment option Windows Autopilot.
    • Auto joining to Azure AD and MDM.
    • Set up wizard skipping and self-deployment mode to enable no-touch provisioning.
    • Remote reset using the Autopilot reset option.
    • Admin account restriction.

To summarize it all, the solution intends to lessen the efforts the IT puts in to bring off a definite kiosk system by offering inbuilt features and technologies to work on the hardest part of the setup. Meeting the most challenging client needs and guaranteeing high-end performance, Hexnode Windows kiosk solution is highly competent in getting the desired outcomes in a timely manner.

Alma Evans

Product Evangelist @ Hexnode. Already lost up in the whole crazy world of tech... Looking to codify my thoughts for now...

  •  
  •  
  •  
  •  
  •  

Leave a Comment

Your email address will not be published. Required fields are marked *