Selecting a Windows kiosk device for your enterprise
Select a Windows kiosk device for your organization by getting the answers to all your hows, whats and whys in this blog.
Microsoft has been offering a range of admin tools and a suite of functionalities over the years making it easy to configure and customize its Windows-based business focused devices. Windows kiosk mode is such a feature to narrow down the options for improper usage of business-critical Windows devices.
The Windows 10 kiosk mode
Definition:
Windows kiosk mode is a lockdown mechanism to restrict Windows 10 devices to a single application that runs in full screen or multiple pre-selected applications that appears as start screen tiles on the desktop.
The kiosk mode dedicates Windows PC to a specific task limiting the user access and behavior that can potentially interfere with the normal functioning of the publicly accessed single-purpose device. Usually, this kind of configurations are set up on a point-of-sale terminal at retail stores, the interactive directory in a building lobby, stand-alone computer in the public domain, self-service kiosk at restaurants, self check-in at airports, or signage used to display testimonials and advertise campaigns. In all these points, admins want to hold back users from getting out of the designated app(s) and prying into the device’s internal stuff – in this case, the underlying settings and files on the computer.
Windows kiosk mode features
- Ensures system security and also protects the terminal from malware, viruses and disruptive scripts.
- Reduces the underlying attack surface by protecting system drives and fixed data drives.
- Prevents unauthorized access to files, folders, and undesired functions.
- Disables the host functionality, task manager.
- Deactivates unwanted touch functions, some system critical keyboard shortcuts, and user rights.
In Windows 10, kiosk mode is based on a feature called assigned access. The feature helps protect corporate confidentiality allowing administrators to confine an application’s opening wedges revealed to the users.
What is assigned access?
Assigned access in Windows 10 Pro, Windows 10 Education, and Windows 10 Enterprise editions is a feature to allow admins to manage end user experience by denying some functionalities. Furthermore, it helps to eliminate the risk of compromising the system.
Assigned access is nothing but assigning a device for a specific function allowing only specific applications. This is accomplished by configuring a user account and adding up the apps the user is to be allowed access to within the account. So, the assigned access account will not be having access to any system features other than the designated applications. This ensures the security of the device as the entire system is essentially locked down.
The feature is exclusively meant for corporate-owned purpose-specific devices and is inappropriate for any other cases as some system restrictions enforced with the feature targets all the non-admin users in addition to the intended account.
The simplest way to set up assigned access in Windows 10
- Firstly, create a new standard local user account or select an existing one.
- Then, install the store app you want to allow in the assigned access account.
- Sign into the primary admin account.
- Then, go to Settings > Accounts > Family and other users.
- Select “Set up assigned access“.
- Then, choose the assigned access account and app.
- Restart and finally, sign into the assigned access account.
The simplest way to set up assigned access in Windows 11
- Firstly, go to Settings > Accounts. Select Other users or Family and other users.
- Then, go to Set up a kiosk > Assigned access.
- Create a new account or select an existing account.
- Choose the app that will run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. For example, if you select Microsoft Edge as the kiosk app, you will be able to configure the following options:
- Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser)
- Which URL to display when the kiosk accounts signs in
- When Microsoft Edge should restart after a period of inactivity (if you select to run as a public browser)
- Select Close.
Furthermore, to remove assigned access, select the account tile on the Set up a kiosk page, and then select Remove kiosk.
Points to consider while choosing the assigned access app
- Don’t use an app generated by the Desktop app converter in assigned access.
- Don’t use an app which launches another app while running (Certain apps run alongside the main application as a part of its functionality).
- The app should be installed within the assigned access account prior to the configuration.
- If an app is updated, assigned access settings have to be re-configured to the updated version of the app.
Use cases
As Microsoft is pretty aggressive about their sales and marketing towards the corporates, its Windows OS devices are the now-undisputed leads in the business world. Most of the companies, whether they’re SMBs or big corporations, rely upon Windows devices particularly desktop PCs to get day-to-day business work done. Powered by a multitude of advantages, the Windows kiosk mode indeed finds its application in most of these work scenarios.
Step into any retail store, warehouse or manufacturing unit, you will most probably come across a kiosk system running the most ubiquitous operating system – Windows 10 from Microsoft. Windows 10 kiosk mode can offer two different kiosk experiences by locking the devices to either a single app or multiple apps based on whether the devices are for public use or for a fixed purpose in an organization.
For instance, for public access terminals where you want a high degree of control over the device, consider running Windows single app kiosk mode. Here, the kiosk app runs in full screen above the lock screen in a restricted user account and also the public can’t tab out of the application on such limited-security environments.
Secondly, in a corporate environment, if a Windows device is to be used for a specific business-related task only and the system must be shared between multiple users, a multi app mode will be more apt. With Windows multi app kiosk mode, you can enable only essential apps and features for the workers and limit all other extraneous functionalities so that bored employees cannot switch to any other activities. Consequently, users are forced to sign-in with the specified account credentials and access only the applications whitelisted for them by the admin.
Single app mode vs Multi app mode
| Single app mode | Multi app mode |
| Only a single app (in full screen) can run on the device. | Multiple apps can run on the device. |
| Ideal for public use where auto sign-in is enabled and hence high security is needed. | Ideal for shared use of fixed-purpose devices in corporates and helps the dedicated device users to focus on their tasks. |
| Kiosks seen in general public areas such as a kiosk for getting weather updates, devices running demo routine at stores, information kiosks at museums, devices running the search apps at libraries, guest registration desk etc., are examples. | Devices used by corporate employees doing remote work, field workers, factory workers, workers in warehouses etc., are examples. |
Limitations to Windows 10 kiosk mode
Windows kiosk mode is quite effective at slowing down data breaches/cyber-attacks and preventing meddling with the system hardware. However, it falls short in many ways. Unfortunately, physical access to the device can provide sufficient ways to break out of the kiosk interface and cause some unknown exploits due to few limitations the feature has.
- Downloading malicious files can corrupt the operating system.
- Some keyboard shortcuts like Ctrl+Alt+Del are still open. As a result, hackers can use such key combinations to disrupt the kiosk and tamper with the system.
- Some dialog windows may pop up within the allowed application giving hackers an option to gain access to the file system.
- In multi-app kiosk mode, some restrictions will be applied system wide to all non-administrative users irrespective of whether it is the assigned access account or not. Moreover, the device needs a factory reset to turn off these restrictions even after deactivating the assigned access mode.
In order to improve the kiosk security and provide a safer kiosk experience, you should pre-configure some other settings before setting up the kiosk mode.
- Disable the power button.
- Disable camera.
- Disallow removable media.
- Hide the power button and ease of access features from the sign-in screen.
- Use keyboard filters to block the key combinations that enable accessibility functions.
- Use a virtual machine to test the kiosk configuration before applying it to the actual machine.
Kiosk configuration methods
Microsoft provides a couple of methods to accomplish kiosk lockdown on their Windows 10 devices. IT can choose the best option for their organizations.
Considerations for choosing the configuration methods
- Account based
Account type for the kiosk account – Most of the methods support only local standard user accounts while you can use some methods to set up a kiosk for Azure AD and AD domain accounts. - Use case based
Type of kiosk – Methods are different for single app and multi app kiosk mode configurations. - Device based
Windows 10 edition – Windows 10 Pro, Enterprise and Education editions support kiosk mode. However, some of the methods won’t be applied for Windows 10 Pro devices.
Different configuration methods
- Assigned access from local PC settings
For a few local kiosks, you can manually access the Settings app on each device to configure assigned access.
- Assigned access using Windows PowerShell
There is a set of PowerShell cmdlets any of which can be used to configure assigned access on multiple devices.
- Assigned access using MDM
Admins can use an MDM solution to set up a kiosk mode on multiple managed devices remotely only that the devices should be online, and users must sign into the device for the configuration to get applied.
- Provisioning package
You can create an XML file with the kiosk configuration, add this XML file to a provisioning package and apply it to the device during the initial set up.
- Windows Configuration Designer
You can configure multiple devices to run a UWP app or desktop app using the Provision kiosk devices wizard in Microsoft’s Windows Configuration Designer and build a provisioning package.
- Shell launcher
Shell launcher can replace the default shell with a custom application that launches once a user sign-in to an account. However, this doesn’t prevent the user from accessing other apps. For a complete lockdown, additional tools like a Windows MDM solution, Group policy, AppLocker etc., are to be used.
- MDM Bridge WMI provider
CSP (Configuration Service Provider) settings are mapped to WMI (Windows Management Instrumentation) using the MDM Bridge WMI provider. This method can be used to create a kiosk mode on a device by delivering CSP commands via scripts.
- Kiosk-like functionality using AppLocker
You can define AppLocker rules to set up a multi-app kiosk by allowing specific apps on the device.
Supported kiosk modes in each configuration method
| Kiosk configuration method | Supported kiosk modes |
| Assigned access from local PC settings | Single app mode |
| Assigned access using Windows PowerShell | Single app mode |
| Assigned access using MDM | Single app mode, Multi-app mode |
| Windows Configuration Designer | Single app mode |
| Shell launcher | Single app mode |
| MDM Bridge WMI provider | Multi-app mode |
| Provisioning package | Single app mode, Multi-app mode |
Among all these methods both provisioning packages and MDM solutions support all the generic use cases but the issue with provisioning package is that it can be applied only during the Out-of-the-box experience (first-run experience). Though you can apply the same provisioning package to a bulk of devices, having to manually start over again to achieve the first set up screen is a serious drawback.
Setting up using an MDM
MDM solutions like Hexnode enables users to set up and remotely manage Windows kiosks with enhanced capabilities for complete lockdown so that the devices can’t be tampered with. Hexnode UEM is designed to address the shortcomings of Windows kiosk mode with its comprehensive security features. Hexnode endeavors to make the Windows kiosk set up as effortless as possible.
Security should be a top priority when it comes to kiosk devices. Speaking of which, Hexnode Windows kiosk software is a tamper-proof solution which prioritizes a secured user experience by adding an extra layer of powerful features to make up for the built-in potentials the traditional Windows kiosk mode from Microsoft lacks. Along with that, Hexnode also provides some ease of use features which eliminates the learning curve in working the lockdown mode so that even a non-tech folk can set it up quickly.
The major benefits of using Hexnode Windows kiosk solution includes:
- Seamless set up ensures streamlined business processes.
- Reduced running costs and maintenance efforts.
- Enhanced kiosk performance and amplified employee productivity.
- Remote health monitoring to make sure that the kiosk systems are running properly.
- Automatic device restart to update new settings.
- Bulk device integration using ppkg enrollment.
- Continuous device monitoring to protect the OS from manipulations and hacking.
- Remote device scan and location tracking for added device security.
- Remote lock and complete data wipe for troubleshooting compromised devices.
- Complete visibility to the hardware, firmware, and applications running on the device.
INFOGRAPHIC
Hexnode Windows kiosk mode features
1. Single app lockdown
- Runs a single UWP app in full screen.
- Pushes the kiosk mode to a local standard user account running on the device.
Note:
The app added in kiosk mode should be a Universal Windows Platform (UWP) app. These apps are designed to run across all Windows 10 devices from phones, tablets, and PCs to TVs. Furthermore, only UWP apps can be distributed through the Microsoft Store. Hexnode doesn’t support other Windows desktop apps in kiosk mode.
2. Multi app lockdown
- Runs multiple UWP apps.
- Apps that have approval appear as tiles in the start layout on the desktop when the assigned local standard user account is logged in.
Gain insights on leveraging Hexnode's Windows management capabilities to improve efficiency, increase productivity, and save overhead costs.
Featured resource
Hexnode Windows Management Solution
Upcoming plans for kiosk enhancements:
- Browser lockdown
- Devices are locked down to the company website or a set of other websites according to the use case.
- Additional settings to customize the browsing experience to meet unique needs.
- Remote control (available in beta)
- Remotely monitor and control the kiosks in real-time.
- Enables enhanced control and governance over the devices which helps in easy troubleshooting.
- Windows Autopilot
- Quick device deployment using the out-of-the-box enrollment option Windows Autopilot.
- Auto joining to Azure AD and MDM.
- Set up wizard skipping and self-deployment mode to enable no-touch provisioning.
- Remote reset using the Autopilot reset option.
- Admin account restriction.
To summarize it all, the solution intends to lessen the efforts the IT puts in to bring off a definite kiosk system by offering inbuilt features and technologies to work on the hardest part of the setup. To sum up, meeting the most challenging client needs and guaranteeing high-end performance, Hexnode Windows kiosk solution is highly competent in getting the desired outcomes in a timely manner.
Try Hexnode for free!
Start Hexnode's 14-day free trial today to take complete control of your Windows kiosk devices.
SIGN UP
Share your thoughts