How to lock down Windows devices in multi-app kiosk mode using Hexnode?

Hexnode allows the users to lock down their Windows devices in multi-app kiosk mode thereby restricting the device to a handful of whitelisted apps. With the kiosk mode activated, the users can access only the apps they need to use. In short, it sets up a restrictive environment that allows the users to access only the approved apps.


Supported only on Windows 10 Pro, Enterprise and Education editions running 1709+.

Configuring multi-app kiosk using Hexnode MDM

Step 1: Set up a user account on Windows 10

  1. Click on Start and choose Settings > Accounts > Family and other people.
  2. Select the Add someone else to this PC option under Other people.
  3. Choose I don’t have this person’s sign-in information.
  4. Next, click on Add a user without a Microsoft account.
  5. Enter the user name, password, password hint and choose a security question. Click Next.

The user account will be set up on the device.


Account type should be a local standard user.

Step 2: Install the apps within the local account

After setting up the account, make sure the apps to be set in kiosk mode are installed in both admin and local user accounts.


Only Universal Windows Platform apps (apps that come pre-installed with Windows 10 or are sourced from the Microsoft Store) and Windows desktop apps (MSI, Win32, Exe apps) can be added in kiosk mode.

Step 3: Customize and export Start layout

Customizing a Start layout involves arranging the apps (to be set in kiosk mode) the way the user wishes to view them on the Start menu and on the device screen. Log in to the admin account and follow the steps below to prepare and export the Start layout:


Check the ‘Run as administrator’ option if you are prompted to enable the same (specific to certain folders).

  1. Follow the below methods to customize the Start layout as per requirement:
    • Pin apps to Start: Choose the desired app from Start, type the name of the app, right-click the app and then click Pin to Start.
    • Apps that are not to be displayed in the layout can be unpinned. Right-click the app and then click Unpin from Start.
    • Drag tiles to group apps.
  2. Next, right-click Start and select Windows PowerShell.
  3. Enter the below command in Windows PowerShell:
    Export-StartLayout -path <path><filename>.xml

    Here, -path is a required parameter that specifies the path and file name of the XML file to be exported. For example, Export-StartLayout -path C:/Users/Robert/Kiosk.xml.


    The file name must include the .xml extension. The policy settings require the extension, and the Export-StartLayout cmdlet does not append it to the file name.
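
The device-side preparation in Steps 1 to 3 can be checked from PowerShell in the admin account before the policy is created in Step 4. The script below is an added example, not Hexnode's own tooling; the account name KioskUser and the layout path are placeholder assumptions, and the edition check assumes the EditionID registry value. It prints the tile identifiers pinned in the exported layout so they can be compared with the apps chosen in the policy.

```powershell
# Added example (not Hexnode tooling): pre-flight checks for Steps 1-3.
# $KioskUser and $LayoutPath are placeholder assumptions; adjust both.
$KioskUser  = 'KioskUser'
$LayoutPath = 'C:\Users\Public\Kiosk.xml'
$problems   = @()

# Supported editions only, on Windows 10 1709 (build 16299) or later.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
if ($cv.EditionID -notmatch '^(Professional|Enterprise|Education)') {
    $problems += "Unsupported edition: $($cv.EditionID)"
}
if ([int]$cv.CurrentBuildNumber -lt 16299) {
    $problems += "Build $($cv.CurrentBuildNumber) is older than 1709"
}

# Step 1: the kiosk account must be an enabled local standard user.
$user = Get-LocalUser -Name $KioskUser -ErrorAction SilentlyContinue
if (-not $user) {
    $problems += "Local account '$KioskUser' not found"
} else {
    if (-not $user.Enabled) { $problems += "'$KioskUser' is disabled" }
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544'
    if ($admins.SID.Value -contains $user.SID.Value) {
        $problems += "'$KioskUser' is an administrator; use a standard user"
    }
}

# Step 3: export the layout (the cmdlet does not append .xml) and parse it.
if ([IO.Path]::GetExtension($LayoutPath) -ne '.xml') {
    $problems += "Layout path must end in .xml: $LayoutPath"
} else {
    try {
        Export-StartLayout -Path $LayoutPath -ErrorAction Stop
        [xml]$layout = Get-Content -LiteralPath $LayoutPath -Raw -ErrorAction Stop
        # Tiles carry the app identity in one of these three attributes.
        $xpath = "//*[local-name()='Tile' or local-name()='DesktopApplicationTile']"
        $layout.SelectNodes($xpath) |
            ForEach-Object { $_.AppUserModelID, $_.DesktopApplicationLinkPath, $_.DesktopApplicationID } |
            Where-Object { $_ } | Sort-Object -Unique
    } catch {
        $problems += "Layout export or parse failed: $($_.Exception.Message)"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Pre-flight checks passed.' }
```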

Step 4: Create a multi-app kiosk policy

  1. Log in to your Hexnode MDM console.
  2. Navigate to Policies > New Policy and provide a name and description for the policy. You can also choose to continue with an existing policy.
  3. Click on Kiosk Settings and under Windows Kiosk Mode, choose Multi App Kiosk. Click Configure.
  4. Enter the name of the user account previously created.
  5. Choose the apps to be added in kiosk mode (these apps should be present in the local user account).
  6. Import the Start layout .xml file.
  7. Next, associate the policy with the target device.

Associate the policy with the target device.

After setting up the kiosk policy, associate it with the target device. Use either of the two methods to associate the policy:

Method 1: If the policy is not saved,

  1. Go to Policy Targets > + Add Devices.
  2. Choose the device you wish to associate the policy with and click OK.
  3. Click Save.

Method 2: If the policy is saved,

  1. Choose the policy from the Policies tab.
  2. Click on Manage and choose Associate Targets.
  3. Choose the device you wish to associate the policy with and click Associate.

Exiting from kiosk mode

To disable or exit from kiosk mode,

Method 1: Disassociate the policy

  1. Go to Policies. Choose the desired kiosk policy.
  2. Navigate to Policy Targets. Click on remove on the right side of the device. Click Save.


  1. Go to Manage. Choose the device from which the policy is to be disassociated.
  2. On the device summary page, go to Policies and click on the trash icon to the right of the policy.

Method 2: Archiving the policy

  1. Select the kiosk policy from the Policies tab.
  2. Click Manage and from the drop-down list, choose Move to Archive.


  1. Go to Policies.
  2. Choose the Move to Archive icon to the right of the selected policy.

Archiving the policies moves them to a separate space. Such policies can be viewed under Policies > Archived Policies. Archived policies can be restored or deleted later. To delete an archived policy, go to Policies > Archived Policies, choose the policy to be deleted and click on the trash icon to the right of the selected policy.


When restoring an archived policy, the policy targets won’t be restored (the policy will be disassociated from the target device).

If the above-mentioned methods fail to remove the kiosk policy from the device, press CTRL+ALT+DEL. This will lock the screen and the users can sign in with a different account from the login page. However, the previous user account remains in kiosk mode and once the user logs in to the account, the kiosk mode will relaunch.

