
How to lock down Windows devices to a single app kiosk mode?

Kiosk mode is a lockdown mechanism that allows you to restrict your mobile devices to a single app or a handful of applications of your choice. Hexnode UEM helps you configure single app kiosk mode on your Windows 10/11 PCs and tablets to run a Universal Windows Platform (UWP) app in full screen inside a restricted local user account.

Notes:

  • This feature is available only on Ultimate and Ultra subscription plans.
  • Windows Single App Kiosk policy is supported only on:
    • Windows 10 Pro (running v1709 or later), Enterprise and Education editions.
    • Windows 11 Pro, Enterprise and Education editions.

Configure single app kiosk

Before associating the policy, you must create a local user account on your device and install the UWP app you want the user to be able to run.

Notes:

  • The kiosk account must be a local standard user account.
  • The single app kiosk policy can also be applied to an Active Directory user account, provided the user has logged in to the device at least once before applying the kiosk policy.
  • Once the user logs in to the kiosk user account, the kiosk mode status and the name of the kiosk account will be displayed under Enrollment details on the Device Summary page.

Step 1: Create a Local user account on your Windows device

To create a Local user account on Windows 10 Pro version:

  1. Select the Start button. Choose Settings > Accounts > Family & other people.
  2. Select the option Add someone else to this PC under Other people.
  3. Click on the link I don’t have this person’s sign-in information.
  4. Select the option Add a user without a Microsoft account.
  5. Fill in the kiosk user’s name, password, and other required fields.

To create a Local user account on Windows 10 Enterprise and Education versions:

  1. Select the Start button. Choose Settings > Accounts > Other people.
  2. Select the option Add someone else to this PC.
  3. In the inset box, select Users.
  4. Under Actions, select Users > More actions > New User.
  5. Fill in the kiosk user’s name, password, and other required fields.

To create a Local user account on Windows 11:

  1. Select the Start button. Choose Settings > Accounts > Family & other users.
  2. Select the option Add account next to Add other user.
  3. Click on the link I don’t have this person’s sign-in information.
  4. Select the option Add a user without a Microsoft account.
  5. Fill in the kiosk user’s name, password, and other required fields.

Now, the user account will be set up on the device.

Step 2: Install the kiosk app within the local account (kiosk account)

Log into the machine using the local user account that you have created and install the app from Microsoft Store if the app is not already present on the account.

Note:

Kiosk mode works only with Windows Store apps/UWP apps.
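
The prerequisites from Steps 1 and 2 can be checked from an elevated PowerShell session before the policy is associated. The following is an added example, not part of Hexnode's documentation or tooling; it covers only the local-account case, and the function name `Test-KioskPrerequisite`, the account name `KioskUser` and the package name are sample values chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight check of the kiosk prerequisites (Steps 1 and 2).
# 'KioskUser' and the package name below are constructed sample values.
function Test-KioskPrerequisite {
    param(
        [Parameter(Mandatory)][string]$KioskUser,
        [Parameter(Mandatory)][string]$PackageName
    )
    # Every check starts as $false so a failed lookup never reports "ready".
    $result = [ordered]@{
        AccountExists  = $false
        IsLocalAccount = $false
        IsEnabled      = $false
        IsStandardUser = $false
        AppInstalled   = $false
    }
    $user = Get-LocalUser -Name $KioskUser -ErrorAction SilentlyContinue
    if ($user) {
        $result.AccountExists  = $true
        $result.IsLocalAccount = ($user.PrincipalSource -eq 'Local')
        $result.IsEnabled      = [bool]$user.Enabled

        # S-1-5-32-544 is the well-known SID of the built-in Administrators
        # group; using the SID avoids depending on the localized group name.
        try {
            $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
            $match  = $admins | Where-Object { $_.SID.Value -eq $user.SID.Value }
            $result.IsStandardUser = -not $match
        } catch {
            Write-Warning "Could not enumerate Administrators: $_"
        }

        # The UWP package must be registered for the kiosk user,
        # not only for the administrator running this check.
        $pkg = Get-AppxPackage -User $user.SID.Value -Name $PackageName `
                               -ErrorAction SilentlyContinue
        $result.AppInstalled = [bool]$pkg
    }
    $result.Ready = -not ($result.Values -contains $false)
    [pscustomobject]$result
}

# Sample invocation with constructed values.
Test-KioskPrerequisite -KioskUser 'KioskUser' -PackageName 'Microsoft.WindowsCalculator'
```

A `Ready` value of `False` points to the failing prerequisite in the same output row: the account is missing, disabled, not local, a member of Administrators, or the app is not installed for that user.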

Step 3: Create a single app kiosk policy

  1. Log in to your Hexnode UEM portal.
  2. Navigate to the Policies tab.
  3. Click on New Policy to create a new one or click on any policy name to edit an existing one. Enter the Policy Name and Description in the provided fields.
  4. Go to Kiosk Lockdown > From Windows Kiosk Lockdown, select Single App > Configure.
  5. Enter the Kiosk Account Name. If you are using a Microsoft account to enable sign-in to the kiosk, you can specify the account name in either of the following formats:
    • AD user – domain\sAMaccountname. (For example, hexnode\alexanderj)
    • Microsoft Entra ID user – email address.

    Then, the user can log in to the kiosk account using their Active Directory credentials.

  6. Click on the + button to select the app to be added in kiosk mode.
  7. Associate the policy with the target device(s).

Note:

Ensure that the app to be added in the kiosk mode is present in the local user account.

How to apply the policy to devices/groups?

There are two ways to associate restrictions with devices in bulk.
If you haven’t saved the policy yet,

  1. Navigate to Policy Targets.
  2. Click on + Add Devices, then search for and select the device(s) to which you need to apply the policy. Click OK.
  3. Click on Save to apply the policies to the devices.

To associate the policies to a device group, select Device Groups from the left pane under Policy Targets, and follow the above instructions. Similarly, you can associate the policy to Users, User Groups, or Domains from the same pane.

If you’ve already saved the policy and you’re taken to the page which displays the policy list,

  1. Select the required policy. Click on Manage. Select Associate Targets.
  2. Select Device/User/Device Group/User Group/Domain.
  3. Search for and select the device(s)/user(s)/device group(s)/user group(s)/domain(s) to which you need to apply the policy, then click Associate.

What happens at the device end?

When the kiosk user logs in to their account, the machine launches into kiosk mode, and the assigned app opens directly in full screen. As a result, the user cannot access the desktop, Start menu, settings, or any other apps on the PC.

How to exit kiosk mode?

You can take devices out of kiosk mode by either disassociating or archiving the policy. You also need to restart the device to remove it from kiosk mode.

Method 1: Disassociate the policy

Disassociate the kiosk policy from the device or delete the policy.

  1. Log in to your Hexnode UEM portal.
  2. Navigate to the Policies tab.
  3. Click on the required Policy.
  4. Go to Policy Targets.
  5. Click on Remove on the right side of the device.

Or

  1. Log in to your Hexnode UEM portal.
  2. Navigate to the Manage tab.
  3. Click on the device from which the policy needs to be disassociated. This will take you to the Device summary page.
  4. Go to Policies. Identify the policy and click on the trash icon next to the policy.

Method 2: Archive the policy

  1. Log in to your Hexnode UEM portal.
  2. Navigate to the Policies tab.
  3. Select the required Policy.
  4. Click on Manage > Move to Archive.

Or

  1. Log in to your Hexnode UEM portal.
  2. Navigate to the Manage tab.
  3. Click on the device from which the policy needs to be disassociated. This will take you to the Device summary page.
  4. Go to Policies. Select the policy. Click on Manage > Move to Archive.

Notes:

  • The archived policies can be viewed under Policies > Archived Policies.
  • To permanently delete an archived policy,
    1. Log in to your Hexnode UEM portal. Navigate to the Policies tab > Archived Policies.
    2. Select the required policy. Click on Manage > Delete > Confirm deletion.
  • To restore an archived policy,
    1. Log in to your Hexnode UEM portal. Navigate to the Policies tab > Archived Policies.
    2. Select the required policy. Click on Manage > Restore.
  • On restoring an archived policy, the policy targets won’t be restored (the policy stays disassociated from the target device).

Method 3

If the methods mentioned above fail to remove the kiosk policy from the device, press CTRL+ALT+DEL. This locks the screen and allows users to sign in with a different account from the login page. However, the previous user account remains in kiosk mode, and once the user logs in to the account, the kiosk mode gets relaunched.
