Over the years Microsoft has offered a range of admin tools and functionalities that make it easy to control and customize its Windows-based, business-focused devices. Windows kiosk mode is one such feature: it narrows down the options for improper use of business-critical Windows devices.
The Windows kiosk mode
Kiosk mode dedicates a Windows PC to a specific task, limiting user access and behaviour that could interfere with the normal functioning of a publicly accessible single-purpose device. Usually this kind of configuration is set up on a point-of-sale terminal at a retail store, an interactive directory in a building lobby, a stand-alone computer in a public space, a self-service kiosk at a restaurant, a self check-in terminal at an airport, or signage used to display testimonials and advertising campaigns. At all these points, admins want to stop users from leaving the designated app(s) and prying into the device's internals, that is, the underlying settings and files on the computer.
Windows kiosk mode features:
- Ensures system security and protects the terminal from malware, viruses and disruptive scripts.
- Reduces the underlying attack surface by protecting system drives and fixed data drives.
- Prevents unauthorized access to files, folders, and undesired functions.
- Disables host functionality such as Task Manager.
- Deactivates unwanted touch functions, some system-critical keyboard shortcuts, and user rights.
In Windows 10, kiosk mode is based on a feature called assigned access. The feature helps protect corporate confidentiality by allowing administrators to restrict which parts of an application are exposed to users.
What is assigned access?
Assigned access, available in the Windows 10 Pro, Education and Enterprise editions, is a feature that lets admins manage the end-user experience by denying some functionality. It helps eliminate the risk of compromising the system.
Assigned access is nothing but assigning a device to a specific function by allowing only specific applications. This is accomplished by configuring a user account and adding the apps the user is to be allowed within that account. The assigned access account will therefore not have access to any system features other than the designated applications, which secures the device because the entire system is essentially locked down. The feature is exclusively meant for corporate-owned, purpose-specific devices and is inappropriate for other cases, as some of the system restrictions it enforces target all non-admin users in addition to the intended account.
Points to consider while choosing the assigned access app
- Don't use an app generated by the Desktop App Converter in assigned access.
- Don't use an app that launches another app while running (certain apps run alongside the main application as part of its functionality).
- The app should be installed within the assigned access account prior to the configuration.
- If an app is updated, the assigned access settings have to be reconfigured for the updated version of the app.
Because Microsoft markets aggressively to corporations, Windows devices are now the undisputed leader in the business world. Most companies, whether SMBs or large corporations, rely on Windows devices, particularly desktop PCs, to get day-to-day work done. Thanks to its many advantages, Windows kiosk mode finds application in most of these work scenarios.
Step into any retail store, warehouse or manufacturing unit and you will most probably come across a kiosk system running the most ubiquitous operating system: Windows 10 from Microsoft. Windows 10 kiosk mode offers two different kiosk experiences, locking a device to either a single app or multiple apps, depending on whether the device is used by the public or for a fixed purpose within an organization.
For public access terminals where you want a high degree of control over the device, consider running Windows single-app kiosk mode. The kiosk app runs full screen above the lock screen in a restricted user account, and the public cannot tab out of the application in such limited-security environments.
In a corporate environment, where a Windows device is to be used for a specific business task only but must be shared between multiple users, multi-app mode is more apt. With Windows multi-app kiosk mode you can enable only the essential apps and features for workers and limit all other extraneous functionality, so that bored employees cannot switch to other activities. Users are forced to sign in with the specified account credentials and can access only the applications whitelisted for them by the admin.
| Single app mode | Multi app mode |
| --- | --- |
| Only a single app (in full screen) can run on the device. | Multiple apps can run on the device. |
| Ideal for public use where auto sign-in is enabled and hence high security is needed. | Ideal for shared use of fixed-purpose devices in corporates; helps the dedicated device users focus on their tasks. |
| Examples: kiosks seen in general public areas, such as a kiosk for getting weather updates, devices running demo routines at stores, information kiosks at museums, devices running search apps at libraries, guest registration desks etc. | Examples: devices used by corporate employees doing remote work, field workers, factory workers, warehouse workers etc. |
Limitations to Windows kiosk mode
Windows kiosk mode is quite effective at slowing down data breaches and cyber-attacks and at preventing meddling with the system hardware, but it falls short in many ways. Because of a few limitations in the feature, physical access to the device can provide enough ways to break out of the kiosk interface and trigger unknown exploits.
- The operating system can get corrupted by downloading malicious files.
- Some keyboard shortcuts like Ctrl+Alt+Del are not restricted, which enables hackers to use such key combinations to disrupt the kiosk and tamper with the system.
- Some dialog windows may pop up within the allowed application, giving hackers a way to reach the file system.
- In multi-app kiosk mode, some restrictions are applied system wide to all non-administrative users, whether or not they are the assigned access account. The device needs a factory reset to turn off these restrictions, even after deactivating assigned access mode.
To improve kiosk security and provide a safer kiosk experience, it is recommended to pre-configure some other settings before setting up kiosk mode.
- Disable the power button.
- Disable the camera.
- Disallow removable media.
- Hide the power button and ease of access features from the sign-in screen.
- Use keyboard filters to block the key combinations that enable accessibility functions.
- Use a virtual machine to test the kiosk configuration before applying it to the actual machine.
Kiosk configuration methods
Microsoft provides several methods to accomplish kiosk lockdown on Windows 10 devices. IT can choose the best option for its organization.
Considerations for choosing the configuration methods
- Account based
Account type for the kiosk account: most methods support only local standard user accounts, while some can be used to set up a kiosk for Azure AD and AD domain accounts.
- Use case based
Type of kiosk: the methods differ for single-app and multi-app kiosk configurations.
- Device based
Windows 10 edition: kiosk mode is supported on the Windows 10 Pro, Enterprise and Education editions; however, some of the methods do not apply to Windows 10 Pro devices.
Different configuration methods
Here we will break down the differences between the configuration methods.
- Assigned access from local PC settings
If there are only a few local kiosks to be configured, you can manually access the Settings app in each of these devices to configure assigned access.
- Assigned access using Windows PowerShell
A set of PowerShell cmdlets can be used to configure assigned access on multiple devices.
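The single-app variant of this method, as an added example (not code from the original page or from Hexnode): it creates a local standard account, resolves the app's AUMID and binds the two with the assigned access cmdlets. The account name and app name are illustrative placeholders.

```powershell
# Added example (not from the original page): configuring a single-app kiosk with the
# assigned access PowerShell cmdlets. Assumes an elevated session on Windows 10 Pro,
# Enterprise or Education, and that the kiosk account has signed in once so the UWP app
# is installed for it. The account and app names below are illustrative placeholders.
$KioskUser = 'KioskUser'   # local standard (non-admin) account that will be locked down
$AppName   = 'Weather'     # display name of the UWP app to run full screen

# Create the local account if it does not exist yet. Do not add it to Administrators:
# assigned access only makes sense for a standard user.
if (-not (Get-LocalUser -Name $KioskUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $KioskUser -NoPassword -Description 'Assigned access kiosk account' | Out-Null
}

# Assigned access binds to an Application User Model ID (AUMID), not a display name.
# Get-StartApps lists the AUMIDs of packaged apps visible to the current session.
$app = Get-StartApps | Where-Object { $_.Name -eq $AppName } | Select-Object -First 1
if (-not $app) { throw "App '$AppName' is not installed; install it for $KioskUser first." }

# Bind the app to the account: from now on, signing in as $KioskUser launches only this app,
# full screen above the lock screen.
Set-AssignedAccess -UserName $KioskUser -AppUserModelId $app.AppID

# Verify the binding. Clear-AssignedAccess removes it again when the device is repurposed.
Get-AssignedAccess | Format-List
```

Because the binding is to a specific AUMID, it has to be re-applied after the app is updated, as noted earlier on this page.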
- Assigned access using MDM
Admins can use an MDM solution to set up kiosk mode on multiple managed devices remotely, provided the devices are online and users sign in to the device for the configuration to be applied.
- Provisioning package
You can create an XML file with the kiosk configuration, add this XML file to a provisioning package and apply it to the device during the initial set up.
- Windows Configuration Designer
You can configure multiple devices to run a UWP app or desktop app using the Provision kiosk devices wizard in Microsoft’s Windows Configuration Designer and build a provisioning package.
- Shell launcher
Shell Launcher replaces the default shell with a custom application that launches once an account signs in. This doesn't prevent the user from accessing other apps or settings from the desktop; for a complete lockdown, additional tools such as a Windows MDM solution, Group Policy or AppLocker must be used.
- MDM Bridge WMI provider
CSP (Configuration Service Provider) settings are mapped to WMI (Windows Management Instrumentation) by the MDM Bridge WMI provider. This method can be used to put a device into kiosk mode by delivering CSP commands via scripts.
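The following is an added example (not from the original page or from Hexnode) that serves both the provisioning-package XML and the MDM Bridge WMI provider methods: the same AssignedAccessConfiguration XML a provisioning package would carry is embedded in a script and written to the AssignedAccess CSP through the bridge. The account name, profile GUID and allowed-app list are illustrative placeholders.

```powershell
# Added example (not from the original page): multi-app assigned access pushed through the
# MDM Bridge WMI provider, with the kiosk XML embedded inline. Assumes Windows 10 1803+ and a
# PowerShell session running as LOCAL SYSTEM (the bridge rejects ordinary admin sessions).
# Account name, profile GUID and app list are placeholders; the AUMIDs are those of in-box apps.
$obj = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_AssignedAccess'
$kioskXml = @"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
      <AllAppsList>
        <AllowedApps>
          <!-- Only the apps listed here may run for the kiosk account. -->
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
          <App DesktopAppPath="%windir%\system32\notepad.exe" />
        </AllowedApps>
      </AllAppsList>
      <StartLayout>
        <![CDATA[<LayoutModificationTemplate Version="1"
            xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
            xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
            xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <DefaultLayoutOverride>
            <StartLayoutCollection>
              <defaultlayout:StartLayout GroupCellWidth="6">
                <start:Group Name="Kiosk">
                  <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
                  <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
                </start:Group>
              </defaultlayout:StartLayout>
            </StartLayoutCollection>
          </DefaultLayoutOverride>
        </LayoutModificationTemplate>]]>
      </StartLayout>
      <Taskbar ShowTaskbar="true" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>MultiAppKioskUser</Account>
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
"@
# The CSP expects the XML HTML-encoded in its Configuration node; Set-CimInstance writes it via the bridge.
Add-Type -AssemblyName System.Web
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode($kioskXml)
Set-CimInstance -CimInstance $obj
```

The same XML, placed in a provisioning package instead, is applied during the out-of-box experience as described below; the bridge lets it be applied on a device that is already set up.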
- Kiosk like functionality using AppLocker
Though not a recommended method, AppLocker rules can be defined to set up a multi-app kiosk by allowing only specific apps on the device. It is not a strict lockdown mechanism.
| Kiosk configuration method | Supported kiosk modes |
| --- | --- |
| Assigned access from local PC settings | Single app mode |
| Assigned access using Windows PowerShell | Single app mode |
| Assigned access using MDM | Single app mode, Multi-app mode |
| Windows Configuration Designer | Single app mode |
| Shell launcher | Single app mode |
| MDM Bridge WMI provider | Multi-app mode |
| Provisioning package | Single app mode, Multi-app mode |
Among all these methods, both provisioning packages and MDM solutions support all the generic use cases, but the issue with a provisioning package is that it can be applied only during the out-of-the-box experience (first-run experience). Though the same provisioning package can be applied to many devices, having to manually start over to reach the first setup screen is a serious drawback.
Setting up using an MDM
MDM solutions like Hexnode enable users to set up and remotely manage Windows kiosks, with enhanced capabilities for complete lockdown so that the devices can't be tampered with. Hexnode UEM is designed to address the shortcomings of Windows kiosk mode with its comprehensive security features, and it aims to make Windows kiosk setup as effortless as possible.
Hexnode's Windows kiosk software is a tamper-proof solution that prioritizes a secure user experience by adding an extra layer of powerful features to make up for what the built-in Windows kiosk mode from Microsoft lacks. Hexnode also provides ease-of-use features that eliminate the learning curve of working with lockdown mode, so that even non-technical staff can set it up quickly.
The major benefits of using the Hexnode Windows kiosk solution include:
- Seamless set up ensures streamlined business processes.
- Reduced running costs and maintenance efforts.
- Enhanced kiosk performance and amplified employee productivity.
- Remote health monitoring to make sure that the kiosk systems are running properly.
- Automatic device restart to update new settings.
- Bulk device integration using ppkg enrollment.
- Continuous device monitoring to protect the OS from manipulations and hacking.
- Remote device scan and location tracking for added device security.
- Remote lock and complete data wipe for troubleshooting compromised devices.
- Complete visibility to the hardware, firmware, and applications running on the device.
Hexnode Windows kiosk mode features
1. Single app lockdown
- Runs a single UWP app in full screen.
- Pushes the kiosk mode to a local standard user account running on the device.
2. Multi app lockdown
- Runs multiple UWP apps.
- Approved apps appear as tiles in the start layout on the desktop when the assigned local standard user account is logged in.
Upcoming plans for kiosk enhancements:
- Browser lockdown
  - Devices are locked down to the company website or a set of other websites, according to the use case.
  - Additional settings to customize the browsing experience to meet unique needs.
- Remote control
  - Remotely monitor and control the kiosks in real time.
  - Enhanced control and governance over the devices, which helps with easy troubleshooting.
- Windows Autopilot
  - Quick device deployment using the out-of-the-box enrollment option Windows Autopilot.
  - Auto-joining to Azure AD and MDM.
  - Setup wizard skipping and self-deploying mode to enable no-touch provisioning.
  - Remote reset using the Autopilot reset option.
- Admin account restriction.
To summarize, the solution aims to reduce the effort IT puts into bringing up a proper kiosk system by offering inbuilt features and technologies that handle the hardest parts of the setup. Meeting the most challenging client needs and guaranteeing high-end performance, the Hexnode Windows kiosk solution is highly competent at delivering the desired outcomes in a timely manner.