
A complete guide for Windows kiosk mode


Getting started

Windows Kiosk Lockdown mode aims at creating a confined environment in which Windows devices can be configured for specific objectives. Implementing Kiosk Lockdown in Windows devices is very easy, and it provides additional features such as kiosk-specific restrictions, resulting in increased security when compared to the normal mode.

System requirements

To activate Windows kiosk mode, the system requires:

  • A Windows 10 device with Pro, Enterprise, or Education editions running on v1709 or later, or Windows 11.
  • An active internet connection.
  • Both Single App and Multi App kiosks are supported on Ultimate and Ultra subscription plans.

Enrolling Windows devices with Hexnode UEM

Enrolling your Windows device with Hexnode UEM is the first step in setting up kiosk mode on the device. This establishes a connection between the device and Hexnode UEM. At the end of the enrollment procedure, the Hexnode UEM app will get automatically installed on the Windows device.

Note:

  • To enroll the device in Hexnode UEM, log in as administrator on the Windows device.
  • The device can be enrolled via the Hexnode Installer app. It is supported on the following versions:
    • Windows 10 v1709 or below, if Visual C++ Redistributable and .NET framework version 4.7.2 or higher are installed on the Windows device.
    • Windows 10 v1803 or higher.
    • Windows 11.
  • If the Visual C++ Redistributable or .NET framework is not installed in the Windows device that is to be enrolled via the Hexnode Installer app, an error message will be shown asking the user to install the missing dependencies. When OK is clicked, the user will be redirected to a Microsoft developer website from where the package can be downloaded and installed. Ensure that the package chosen matches the system architecture and OS compatibility of the Windows device.

There are different types of enrollments, each of which is explained below:

  1. Open Enrollment
  2. Authenticated Enrollment
    1. Self-Enrollment
    2. Email or SMS Enrollment
  3. PPKG enrollment
  4. Google Workspace (G Suite) Enrollment for Windows

Open Enrollment

Configuring Open Enrollment on the Hexnode portal

  1. Under the Enroll tab, choose Platform Specific > Windows > Windows PCs & Tablets.
  2. Ensure that the Open Enrollment page has opened; if not, select Open Enrollment.
  3. Pick a Default User and enter a Default Password.
  4. Choose the Ownership mode required for the device: either Corporate or Personal and click Next. These settings define if the devices enrolled in Hexnode are corporate-owned or personal.

Note:

To let users enroll devices on their own, the best method is to send them an enrollment request containing the enrollment URL and instructions for device enrollment. This request can be sent by navigating to Enroll > Settings > Request Modes and selecting Email or SMS. Then, under the Manage tab, select the users from the Users subtab and click Actions > New Enrollment.

Enrolling the device via Open Enrollment

To enroll a Windows device via open enrollment, either of the following methods can be used:

Method I: Using the Hexnode Installer app
  1. Open the web browser on the Windows device to be enrolled.
  2. Type in the Hexnode enrollment URL which will be in the format https://yourportal.hexnodemdm.com/enroll/.
  3. Click Download, thus initiating the Hexnode Installer app download on the Windows device.
  4. Open the app on the device and select Yes on the Hexnode Installer Setup wizard to allow the app to make changes to the device. Now, click Install.
  5. After reading the EULA agreement on the Hexnode Installer app, click on Agree and Enroll.
  6. The Hexnode Installer checks for the enrollment authentication settings with the portal and then processes the enrollment request. If the process succeeds, go to step 8.
  7. If the enrollment request process fails,
    1. Click on Enroll. The user will now be redirected to Settings > Accounts > Access Work or School > Enroll in Device Management.
    2. In Set up a work or school account, the admin’s username and the enrollment server address will be auto-filled. Now click on Next.
    3. After reading the instructions concerning the device setup, click Got it. A connection will now be established between Hexnode and Workplace or School. All the apps and configurations that the organization has set up for the user will soon be pushed to the device. If the user doesn’t get access to these after waiting for a few minutes, navigate to Settings > Accounts > Access Work or school > Info and click Sync.
  8. Now, the Hexnode UEM app will get installed on the device, thereby applying all configurations to the device. Click Done to exit the Hexnode Installer. Also, click on Finish to exit the Setup Wizard.

Tips:

  • Enrollment via Hexnode Installer app is favored if the device is Windows 10 v1803 or a higher version.
  • If the user is unable to install dependency packages on the devices running on Windows 10 v1709 or lower versions, the Native device enrollment method is recommended.

Method II: Native Enrollment
  1. On the Windows device, navigate to Settings > Accounts > Access work or school.
  2. Choose Enroll only in device management and enter the work mail ID. Click Next.
  3. Close the tab that now appears asking for the Microsoft password.
  4. Now type in the server URL which will be in the format https://yourportal.hexnodemdm.com/enroll/ and click Next.
  5. After reading the instructions concerning the device setup, click Got it. The device has now been successfully enrolled in the Hexnode UEM portal.

A connection will now be established between Hexnode and Workplace or School. All the apps and configurations that the organization has set up for the user will soon be pushed to the device. If the user doesn’t get access to these after waiting for a few minutes, navigate to Settings > Accounts > Access Work or school > Info and click Sync.

Authenticated Enrollment

Configuring Authenticated Enrollment on the portal

There are two methods by which authenticated enrollment can be configured on the Hexnode portal. The steps are as follows.

Method I: Enrollment via Email or SMS

In this method, an enrollment request consisting of the enrollment instructions and the server URL for enrolling the devices is sent to users via Email or SMS.

  1. Under the Enroll tab, choose Platform Specific > Windows > Windows PCs & Tablets.
  2. Click on Switch to Authenticated Enrollment > Authenticated Enrollment.
  3. Choose the type of users (AD/ Microsoft Entra ID/ Local/ Google/ Okta) to be enrolled via the Enrollment Request.
  4. Pick the Ownership type: Personal, Corporate, Let the user choose, or Choose it later. Let the user choose enables the user to choose the ownership type during the enrollment and Choose it later lets the admin choose the ownership type at a later step. Now, click Next.
  5. Choose Email, SMS, or both, depending on how the enrollment request has to be sent.
  6. Change the Domain and select the respective User. Click Send.

Method II: Self Enrollment
  1. Under the Enroll tab, choose Platform Specific > Windows > Windows PCs & Tablets.
  2. Click on Switch to Authenticated Enrollment > Authenticated Enrollment.
  3. Choose the type of users (AD/ Microsoft Entra ID/ Local/ Google/ Okta) to be enrolled via the Enrollment Request.
  4. Pick the Ownership type: Personal, Corporate, Let the user choose, or Choose it Later. Click Next.

Note:

To enroll the device via directory authentication, configure AD, Microsoft Entra ID, Google, or Okta directory in the Hexnode portal.

Enrolling the device via Authenticated Enrollment

To enroll a Windows device via authenticated enrollment, either of the following methods can be used:

Method I: Using the Hexnode Installer app
  1. Open the web browser on the Windows device to be enrolled.
  2. Type in the Hexnode enrollment URL which will be in the format https://yourportal.hexnodemdm.com/enroll/.
  3. Click Download, thus initiating the Hexnode Installer app download on the Windows device.
  4. Open the app on the device and select Yes on the Hexnode Installer Setup wizard to allow the app to make changes to the device. Now, click Install.
  5. After reading the EULA agreement on the Hexnode Installer app, click on Agree and Enroll.
  6. The Hexnode Installer checks for the enrollment authentication settings with the portal.
  7. For local or AD users, email ID/SAMAccount Name must be entered for authentication. Microsoft/Google/Okta users can sign in with the corresponding directory credentials. Then click Authenticate.
  8. Click Enroll to re-authenticate in case the error message “Authentication failed! Try Again!” is displayed.
  9. Now, the device will process the enrollment request. If the process fails,
    1. Click on Enroll to enroll the device. The user will now be redirected to Settings > Accounts > Access Work or School > Enroll in Device Management.
    2. In Set up a work or school account, the admin’s username and the enrollment server address will be auto-filled. Now click on Next.
    3. After reading the instructions regarding the device setup, click Got it. A connection will now be established between Hexnode and Workplace or School. All the apps and configurations that the organization has set up for the user will soon be pushed to the device. If the user doesn’t get access to these after waiting for a few minutes, navigate to Settings > Accounts > Access Work or school > Info and click Sync.
  10. Now, the Hexnode UEM app will get installed on the device, thereby applying all configurations to the device. Click Done to exit the Hexnode Installer. Also, click on Finish to exit the Setup Wizard.


Method II: Native Enrollment
  1. On the Windows device, navigate to Settings > Accounts > Access work or school.
  2. Choose Enroll only in device management and enter the work mail ID. Click Next.
  3. Close the tab that now appears asking for the Microsoft password.
  4. Now type in the server URL which will be in the format https://yourportal.hexnodemdm.com/enroll/ and click Next.
  5. For local or AD users, after selecting the domain from the dropdown, the corresponding email ID/SAMAccount Name must be entered for authentication. Microsoft/Google/Okta users can sign in with the corresponding directory credentials. Then click Authenticate.
  6. After reading the instructions regarding the device setup, click Got it. The Windows PC has now been successfully enrolled in the Hexnode portal.

A connection will now be established between Hexnode and Workplace or School. All the apps and configurations that the organization has set up for the user will soon be pushed to the device. If the user doesn’t get access to these after waiting for a few minutes, navigate to Settings > Accounts > Access Work or school > Info and click Sync.


Note:

  • If a password has been set for the local user in the portal and the enrollment request is sent to the same user, the credentials in the enrollment request must be used to authenticate.

PPKG enrollment

PPKG enrollment is a swift and smooth method by which administrators can set up the settings and configurations for enrollment. Its advantages include being a one-time setup and facilitating efficient bulk enrollment of devices.

Google Workspace (G Suite) enrollment for Windows

The integration of Hexnode with Google Workspace (G Suite) helps organizations enroll their Windows devices with the configured Google Workspace (G Suite) account. For Google Workspace (G Suite) enrollment of Windows devices, the company must first configure its Google Workspace (G Suite) account in the Hexnode UEM portal. By syncing the users with the portal, enrollment requests can be sent to the users or self-enrollment can be done. Hexnode authenticates the users by their corresponding Google Workspace (G Suite) usernames and passwords.

App installation

Kiosk mode can be put to use not just for the applications currently present in the device, but also for new apps pushed and installed via Hexnode. This section deals with installing applications on the Windows device via Hexnode.
Hexnode supports an assortment of app types. Apps can be added to the Hexnode app inventory and later deployed to devices, or they can even be pushed directly from Microsoft Store.

Adding Microsoft Store apps to Hexnode app inventory

  1. In the Hexnode UEM portal, navigate to the Apps tab.
  2. From the +Apps dropdown, select Store App.
  3. Uncheck the iOS, Android, and macOS checkboxes.
  4. Type the name of the required app in the search box and click Search.
  5. To narrow down the apps for a specific country, click on Select Country.
  6. Click on Add to select the appropriate app.

The selected apps will be successfully added to the Hexnode app inventory.

Deploying Microsoft Store apps to Windows devices

Microsoft Store apps can be distributed to Windows devices from the Hexnode portal in two ways:

  • Install via Policy
  • Install via Actions

Note:

Kiosk mode is only applicable to Universal Windows Platform apps, i.e., apps pre-installed on the Windows device or sourced from Microsoft Store, and to Windows desktop apps such as MSI and EXE apps.

Install Store apps via Policy

Microsoft Store apps can be deployed and installed on Windows devices using the Mandatory Apps policy in the Hexnode portal.

  1. Log in to the Hexnode UEM portal and navigate to the Policies tab.
  2. Click New Policy or edit an existing policy. In case of a new policy, enter the policy name and description in the respective field.
  3. Select Windows > App Management > Mandatory Apps > Configure.
  4. Click +Add and choose Add App or Add Group.
  5. The required application can be searched either from Local Apps or directly from the Public Store. Once the app is selected, click Done.
  6. On selecting Add Group, search and select the required apps similarly and click Done.
  7. Navigate to the Policy Targets subtab and associate the policy to the required Devices/Device Groups/Users/User Groups/Domains and Save the policy.


Install Store apps via Actions

Method I

  1. In the Hexnode UEM portal, navigate to the Manage tab and select the required devices.
  2. From Actions, select Install Application.
  3. Uncheck iOS, Android, macOS, and tvOS checkboxes in Local Apps, and search and select the required app. Apps can be directly installed from Public Store also. Once the required app is selected, click Done.

Method II

  1. In the Hexnode UEM portal, navigate to the Manage tab and select the required device, thereby moving to the device summary page of the corresponding device.
  2. From Actions, select Install Application.
  3. Uncheck iOS, Android, macOS, and tvOS checkboxes in Local Apps, and search and select the required app. Apps can be directly installed from Public Store also. Once the required app is selected, click Done.



Configuring Kiosk Lockdown on Windows devices

Once the required apps are installed on the device, the users can follow further steps to implement Windows kiosk mode by creating a local user account on the device and pushing the Single App/Multi App kiosk policy to the device.

Note:

  • Both the Single App kiosk and Multi App kiosk in Windows are only supported on Windows 10 Pro, Enterprise, and Education editions running on versions 1709 or higher, while on Windows 11 only the Single App kiosk is supported.
  • Windows Kiosk Lockdown mode is available only on Ultra and Ultimate subscription plans.
  • Kiosk can be enforced only on a local user account.

Creating a Local user account on a Windows device

On Windows Pro
  1. Click on the Start button > Settings > Accounts > Family and other people.
  2. Under Other people, select Add someone else to this PC.
  3. Click on I don’t have this person’s sign-in information and select Add a user without a Microsoft account.
  4. Fill in the username, password, and other necessary fields of the kiosk account.


On Windows Enterprise or Education
  1. Click on the Start button > Settings > Accounts > Other people.
  2. Select Add someone else to this PC.
  3. Choose Users from the inset box.
  4. Under Actions, click on Users > More actions > New User.
  5. Fill in the username, password, and other necessary fields of the kiosk account.

Now, the standard local user account will be set up on the Windows device.
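
The same account can be created from an elevated Windows PowerShell session. This is an added example, not part of the original guide or Hexnode's own tooling; it uses the built-in LocalAccounts cmdlets, and the account name `KioskUser` is hypothetical.

```powershell
# Added example: create the kiosk account as a standard local user and verify it.
# Run in an elevated Windows PowerShell session. 'KioskUser' is a hypothetical name.
function New-KioskLocalUser {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password
    )
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        throw "Local account '$Name' already exists; review it before reusing it for a kiosk."
    }
    New-LocalUser -Name $Name -Password $Password -Description 'Kiosk account' | Out-Null
    # S-1-5-32-545 is the well-known SID of BUILTIN\Users (independent of display language).
    Add-LocalGroupMember -SID 'S-1-5-32-545' -Member $Name
}

# Report whether the account meets what the kiosk needs: local, enabled, not an administrator.
function Test-KioskLocalUser {
    param([Parameter(Mandatory)][string]$Name)
    $user = Get-LocalUser -Name $Name
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544')
    [pscustomobject]@{
        Name            = $user.Name
        IsLocal         = ($user.PrincipalSource -eq 'Local')
        Enabled         = $user.Enabled
        IsAdministrator = [bool]($admins | Where-Object { $_.SID.Value -eq $user.SID.Value })
    }
}

$password = Read-Host -Prompt 'Password for the kiosk account' -AsSecureString
New-KioskLocalUser -Name 'KioskUser' -Password $password
Test-KioskLocalUser -Name 'KioskUser' | Format-List
```

An account that reports `IsAdministrator : True` or `IsLocal : False` should be corrected before the kiosk policy is associated with the device.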

How to create a Single App kiosk policy

This feature locks down the Windows device to a single chosen application. All other apps are restricted from functioning on the device. With Hexnode, a single app kiosk can be configured to run an application in full screen inside a restricted local user account.

To enforce Windows Kiosk Lockdown mode on the device, the kiosk policy must be pushed to the device. The following steps describe how to push a single app kiosk policy to Windows devices:

  1. In the Hexnode UEM portal, navigate to the Policies tab.
  2. Select New Policy and provide it with a suitable Policy name and description.
  3. Under the Kiosk Lockdown subtab, select Windows Kiosk Lockdown.
  4. Choose Single App and click Configure.
  5. Add the required app in kiosk mode by clicking on the + button.
  6. Navigate to the Policy Targets subtab and associate the policy to the required Devices/Device Groups/Users/User Groups/Domains and Save the policy.

The policy will be automatically associated with the selected devices.

What happens at the device end?

When the user logs in to the kiosk account (local user account), the device automatically launches into kiosk mode and the designated app opens in full screen. The users will be restricted from accessing the desktop, start menu, settings, or any other apps on the device.


Configuring a Multi App kiosk policy

In Multi App kiosk mode, the device is locked down with access only given to a limited number of whitelisted applications. The users will be restricted from accessing other features or apps on the device thus reducing distractions and providing users with exclusively what they need to access.

Once the local user account has been created on the Windows device and the required apps have been installed, a start layout consisting of the apps to be included in the kiosk needs to be created.

How to customize and export the Start layout?

As mentioned earlier, customizing the Start layout means arranging the apps included in kiosk mode the way the user should see them on the Start menu and the device screen.

Note:
  • The Windows device in which the Start menu layout (XML) is set up should have the same OS version as that of the devices to which the kiosk policy is deployed.
  • Check the Run as administrator option if a prompt appears asking to enable it (specific to certain folders).



To customize and export the Start layout as per user requirement, follow the steps given below:

  1. Log in to the admin account and pin apps to Start. From the Start menu, right-click on the required app and select Pin to Start. For the apps that are not to be displayed in the layout, right-click on the app and select Unpin from Start. Drag tiles to group the apps.
  2. Now, right-click on Start and select Windows PowerShell.
  3. Enter the command Export-StartLayout -path <path and file name>.xml in Windows PowerShell, where -path signifies the path and file name of the XML file to be exported.
    For example, Export-StartLayout -path C:/Users/David/KioskLayout.xml.
Note:
  • The file name should include the .xml extension. The policy settings require the extension, and the Export-StartLayout cmdlet does not append the file name extension.
  • Ensure that the apps to be added to the kiosk are already present on the local user account.
  • If an app is present in the Start menu layout but isn’t added to the kiosk policy, it cannot be accessed when kiosk mode is launched on the device.
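
The extension and app-list checks from the note above can be scripted before the layout is uploaded. This is an added example, not part of the original guide: the sample layout is constructed, and the app list stands in for whatever apps were added to the kiosk policy (how the policy identifies apps is an assumption here).

```powershell
# Added example: audit an exported Start layout against the kiosk app list.
# $sampleLayout is constructed; on a real device the file comes from Export-StartLayout.
$sampleLayout = @'
<LayoutModificationTemplate Version="1"
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Kiosk">
          <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
          <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>
'@

# Return one object per tile pinned in the layout file.
function Get-StartLayoutApp {
    param([Parameter(Mandatory)][string]$Path)
    # Export-StartLayout does not append the extension, so reject a file without it.
    if ([IO.Path]::GetExtension($Path) -ne '.xml') {
        throw "Layout file name must end in .xml: $Path"
    }
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('start', 'http://schemas.microsoft.com/Start/2014/StartLayout')
    foreach ($tile in $doc.SelectNodes('//start:Tile | //start:DesktopApplicationTile', $ns)) {
        # Store apps carry AppUserModelID; desktop apps carry a link path or an application ID.
        $app = $tile.GetAttribute('AppUserModelID')
        if (-not $app) { $app = $tile.GetAttribute('DesktopApplicationLinkPath') }
        if (-not $app) { $app = $tile.GetAttribute('DesktopApplicationID') }
        [pscustomobject]@{ Kind = $tile.LocalName; App = $app }
    }
}

# Compare the pinned tiles with the apps added to the kiosk policy.
function Test-KioskLayout {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string[]]$KioskApps)
    $pinned = @(Get-StartLayoutApp -Path $Path | ForEach-Object { $_.App })
    [pscustomobject]@{
        PinnedButNotInPolicy = @($pinned | Where-Object { $_ -notin $KioskApps })    # tiles that will not open in kiosk mode
        InPolicyButNotPinned = @($KioskApps | Where-Object { $_ -notin $pinned })    # apps in the policy with no tile in this layout
    }
}

# Constructed run: Paint is pinned but missing from the (hypothetical) policy app list.
$file = Join-Path ([IO.Path]::GetTempPath()) 'KioskLayout.xml'
Set-Content -LiteralPath $file -Value $sampleLayout -Encoding UTF8
$kioskApps = 'Microsoft.WindowsCalculator_8wekyb3d8bbwe!App',
             'Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge'
Test-KioskLayout -Path $file -KioskApps $kioskApps | Format-List
```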


What happens at the device end?

For the policy to take effect, the device has to be restarted. When the user logs in to the kiosk account (local user account), the apps added in the kiosk mode will be shown on the start menu. The users will be restricted from accessing settings or other apps on the device.


Disabling kiosk mode

Archiving the policy
  1. In the Hexnode UEM portal, navigate to the Policies tab.
  2. Click on the kiosk policy and under the Manage dropdown, select Move to Archive.

When a policy is archived, it will be moved to Archived Policies, and the policy targets will be removed automatically.


Disassociating the policy
  1. In the Hexnode UEM portal, navigate to the Policies tab.
  2. Click on the kiosk policy and under Policy Targets, select the remove option corresponding to the device.

OR
  1. In the Hexnode UEM portal, navigate to the Manage tab.
  2. Select the required device and navigate to Policies. Click on the trash can icon corresponding to the kiosk policy.

Reports

Hexnode UEM allows you to generate various reports that help in analyzing information associated with different devices and users. You can access a host of reports, covering a wide range of fields including Device Reports, User Reports, Compliance Reports, Location Reports, Application Reports, Audit Reports, etc. These can be accessed from the Reports tab in the Hexnode portal. This data can be exported and saved in PDF or CSV format. The following kiosk reports can be generated:

  • Kiosk active devices: It is a list of all devices that are currently locked down in kiosk mode.
  • Kiosk enabled devices: It is a list of all devices to which the kiosk policy has been pushed, but are not currently in kiosk mode.
  • Kiosk exited devices: It is a list of all devices that have exited the kiosk mode.
