Deep Dive into Windows 11 Kiosks Part 1: Assigned Access


Recently, I’ve been working on a new kiosk project which has been a “delight.” Part of that challenge has been the transition to Assigned Access for managing Windows 11 Kiosk use cases. In Part 1, we will cover Assigned Access. Next week, we will cover Shell Launcher and Restricted User Experience. Today, we will cover:

You can access part two of this article here, which covers the more advanced use cases.

The Flavors of Windows 11 Kiosks

Certain verticals rely on Windows Kiosks heavily, like Retail, Manufacturing, and more. We see them daily when we go to retail stores or gas stations, because the value is huge.

Some of the common use-cases include:

  • PCs in public areas like hotels for printing flight info, etc.
  • PCs being used to order food or display a menu
  • POS (Point-of-Sale) systems
  • ThinPC-like platforms to lock into apps like Windows 365

Historically speaking, people would typically just use the Kiosk policy in Intune, but those days are mostly gone in Windows 11 with the continued expansion of capabilities to deliver better Kiosk experiences. Some of the ways you can deliver a Kiosk are:

  • Assigned Access (lets you leverage a UWP app (WinGet apps) or Microsoft Edge in a full screen mode displaying an essential single-pane-of-glass).
  • Shell Launcher (lets you execute an application that replaces the default Windows UI/shell, aka explorer, but it doesn’t actually run above the lock screen).
  • Multi-App Kiosk (also known as “restricted user experience”), which puts you into the desktop with a specified list of applications. It’s based off the Assigned Access design.

When we start thinking about this stuff, we can look at a matrix to decide what product to choose:

| Use Case | Recommended Kiosk Flavor | Comments |
| --- | --- | --- |
| Multiple Apps | Multi-App Kiosk | |
| We just need Edge and it to automatically log people off the session after a certain amount of minutes | Assigned Access | Technically you can use Multi-App Kiosk or Shell Launcher based on your needs, but remember Shell Launcher doesn’t lock the device into full screen. |
| We want to lock the PC into our custom apps | Shell Launcher | |
| We need to leverage digital signage | Shell Launcher | |
| Thin PC use cases | Shell Launcher | |

Now that we get the basics, we will talk about the different flavors more. For many people, the typical use case will fit into Assigned Access (the Kiosk most people are familiar with).

What is Assigned Access?

Assigned Access is a Windows feature many of us know as the “Kiosk” policy inside of Intune. You can leverage Assigned Access to be a full kiosk or a restricted user experience. Now, you have a few nice options here with the ability to lock the device into Microsoft Edge or a UWP app like the Windows App. Assigned Access makes it impossible to get out of the application you lock it into.

We’ll focus on Microsoft Edge for now. With Microsoft Edge, you can use one of two modes:

  • Single Tab (Digital Signage Mode)
  • Multi-Tab (Public Browsing Mode)

Typically, you will leverage Intune and push down an Assigned Access XML with a custom policy to configure the Kiosk experience you’re looking for, but you can also use Settings to try things out.

First, the requirements:

  • Edge Stable Channel, version 87+
  • Pro/Education+ License
  • Windows 10 2004+

Kiosk mode has certain supported features:

| Feature | Digital\Interactive Signage | Public browsing | Available with Microsoft Edge version (and higher) |
| --- | --- | --- | --- |
| InPrivate Navigation | Y | Y | 89 |
| Reset on inactivity | Y | Y | 89 |
| Read only address bar (policy) | N | Y | 89 |
| Delete downloads on exit (policy) | Y | Y | 89 |
| F11 blocked (enter/exit full-screen) | Y | Y | 89 |
| F12 blocked (launch Developer Tools) | Y | Y | 89 |
| Multi tab support | N | Y | 89 |
| Allow URL support (policy) | Y | Y | 89 |
| Block URL support (policy) | Y | Y | 89 |
| Show home button (policy) | N | Y | 89 |
| Manage favorites (policy) | N | Y | 89 |
| Enable printer (policy) | Y | Y | 89 |
| Configure the new tab page URL (policy) | N | Y | 89 |
| End session button * | N | Y | 89 |
| All internal Microsoft Edge URLs are blocked, except for edge://downloads and edge://print | N | Y | 89 |
| CTRL+N blocked (open a new window) * | Y | Y | 89 |
| CTRL+T blocked (open new tab) | Y | N | 89 |
| Settings and more (…) will display only the required options | Y | Y | 89 |
| Restrict the launch of other applications from the browser | Y | Y | 90 |
| UI print settings lockdown | Y | Y | 90 |
| Set the new tab page as the home page (policy) | N | Y | 90 |

The interesting thing to me is that basically any homepage or timeout policies will be ignored; instead, the behaviour is driven by the command line Edge is launched with, like this:

msedge.exe --kiosk https://mobile-jon.com --no-first-run --edge-kiosk-type=public-browsing --kiosk-idle-timeout-minutes=5

That code above sets the homepage, avoids the pesky first run nonsense, sets public browsing mode, and a 5-minute idle session timeout. The last fun table to share is a set of Edge policies that you can set via Intune based on the type:

| Group policy | Digital\Interactive signage | Public browsing single-app |
| --- | --- | --- |
| Printing | Y | Y |
| HomePageLocation | N | Y |
| ShowHomeButton | N | Y |
| NewTabPageLocation | N | Y |
| FavoritesBarEnabled | N | Y |
| URLAllowlist | Y | Y |
| URLBlocklist | Y | Y |
| ManagedSearchEngines | N | Y |
| UserFeedbackAllowed | N | Y |
| VerticalTabsAllowed | N | Y |
| SmartScreen settings | Y | Y |
| EdgeCollectionsEnabled | Y | Y |
| ConfigureKeyboardShortcuts | Y | Y |
| DownloadDirectory | Y | Y |
| InPrivateModeAvailability | N | N |
| IsolateOrigins | N | N |
| ManagedFavorites | N | N |
| EdgeShoppingAssistantEnabled | N | N |
| EdgeCollectionsEnabled | N | N |
| UserFeedbackAllowed | N | N |
| DefaultPopupsSetting | N | N |
| StartupBoostEnabled | N | N |
| Extensions | N | N |
| BackgroundModeEnabled | N | N |

Overall, the key with Assigned Access is to remember it’s a KIOSK. YOU DO NOT NEED TO LOCK IT DOWN LIKE IT’S NASA. The Kiosk is sort of the point, and overdoing it will more likely break your Kiosk than solve a problem.

Building the XML for Assigned Access

Building the Assigned Access XML isn’t too difficult. The XMLs for Kiosk follow many similar concepts you might be familiar with.

We will start piece-by-piece to build it for Assigned Access.

First, we have our building blocks with the schema config:

<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config">

We can do two different types of profile: “KioskModeApp”, which tells it to lock into that UWP app or Edge, OR “AllAppList”, which we will cover later.

Within the KioskModeApp, we have a few properties we can use:

  • AppUserModelId: where you would specify the App User Model ID (You can get a list of these with PowerShell and “Get-StartApps”)
  • v4:ClassicAppPath: instead you can specify the path to the desktop app you will be using.
  • v4:ClassicAppArguments: arguments you are passing with the app execution.
  • BreakoutSequence Key: lets you specify a special sequence to exit kiosk mode

You can see my example below which shows how I set this up:

  <Profiles>
    <Profile Id="{64f010ec-c145-4a16-941c-3c245f435d6a}">
      <KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" v4:ClassicAppArguments="--kiosk https://mobile-jon.com --no-first-run --edge-kiosk-type=public-browsing --kiosk-idle-timeout-minutes=5" />
      <v4:BreakoutSequence Key="Ctrl+A" />
    </Profile>
  </Profiles>

The 3rd and final piece of the XML is the “Configs” section, where you tell it what the allowlist/login experience will be. You can specify a user or even just auto login with a basic account.

A few limitations with this are: no admin accounts, and no users subject to Entra Conditional Access policies that require interaction such as MFA. One last note: if you want someone to log in with a local account, make sure you deploy this policy via Intune:

Screenshot of the enumerate local users on domain-joined computers policy

For me, I recommend using the built-in Edge Kiosk Account:

  <Configs>
    <Config>
      <AutoLogonAccount rs5:DisplayName="Edge Kiosk" />
      <DefaultProfile Id="{64f010ec-c145-4a16-941c-3c245f435d6a}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>

Additionally, you could use a user account instead:

##For a Local User##
  <Configs>
    <Config>
      <Account>MobileJon</Account>
      <DefaultProfile Id="{64f010ec-c145-4a16-941c-3c245f435d6a}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>

##For an Entra User##
  <Configs>
    <Config>
      <Account>AzureAD\[email protected]</Account>
      <DefaultProfile Id="{64f010ec-c145-4a16-941c-3c245f435d6a}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>

Deploying the Assigned Access Policy in Microsoft Intune

We can very easily deploy the policy via an Intune Custom Policy:

The OMA-URI is: ./Vendor/MSFT/AssignedAccess/Configuration and we just upload the XML we built.

Screenshot of deploying the Windows Kiosk assigned access policy via OMA-URI

It will deploy down fairly quickly, but I will say that sometimes when you make changes it doesn’t come back gracefully and may require a device reset to fully validate the changes.
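As an added example (not the post’s own code), the script below assembles the same XML pieces from above, checks it before deployment, and applies it locally through the MDM Bridge WMI provider so you can test on a VM before uploading the identical XML to the Intune OMA-URI. It assumes Windows PowerShell 5.1 running as SYSTEM (for example via psexec -s), which is the only context the MDM bridge accepts; the parameter names are my own.

```powershell
# Added example: build, validate and locally apply an Assigned Access XML for an Edge kiosk.
# Run as SYSTEM in Windows PowerShell 5.1; the MDM Bridge WMI provider is not reachable otherwise.
param(
    [string]$Url = 'https://mobile-jon.com',                          # kiosk start page
    [int]$IdleTimeoutMinutes = 5,                                     # --kiosk-idle-timeout-minutes
    [string]$BreakoutKey = 'Ctrl+A',                                  # v4:BreakoutSequence to exit the kiosk
    [string]$ProfileId = '{64f010ec-c145-4a16-941c-3c245f435d6a}'    # must match in Profile and DefaultProfile
)

# Edge ignores homepage/timeout policies in kiosk mode; these arguments are what actually drives it.
$edgeArgs = "--kiosk $Url --no-first-run --edge-kiosk-type=public-browsing --kiosk-idle-timeout-minutes=$IdleTimeoutMinutes"

$config = @"
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config">
  <Profiles>
    <Profile Id="$ProfileId">
      <KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" v4:ClassicAppArguments="$edgeArgs" />
      <v4:BreakoutSequence Key="$BreakoutKey" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <AutoLogonAccount rs5:DisplayName="Edge Kiosk" />
      <DefaultProfile Id="$ProfileId" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
"@

# Two mistakes that make the policy fail without an obvious error: malformed XML,
# and a DefaultProfile Id that does not match any Profile Id. Catch both before deploying.
$xml = [xml]$config
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('c', 'http://schemas.microsoft.com/AssignedAccess/2017/config')
$profileIds = $xml.SelectNodes('//c:Profile', $ns) | ForEach-Object { $_.Id }
$defaultId  = $xml.SelectSingleNode('//c:DefaultProfile', $ns).Id
if ($profileIds -notcontains $defaultId) {
    throw "DefaultProfile $defaultId has no matching <Profile> element"
}

# Apply locally via the MDM Bridge WMI provider. The XML must be HTML-encoded into the
# Configuration property; this is the same payload you would upload to
# ./Vendor/MSFT/AssignedAccess/Configuration in an Intune custom policy.
Add-Type -AssemblyName System.Web
$aa = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_AssignedAccess'
$aa.Configuration = [System.Web.HttpUtility]::HtmlEncode($config)
Set-CimInstance -CimInstance $aa
```

Reading `Configuration` back from `MDM_AssignedAccess` afterwards is a quick way to confirm the device accepted the XML before you move the same file to Intune.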

Assigned Access User Experience

Now, we will take a look at what things look like in the Assigned Access user experience from ESP to being inside of the OS. Overall, it’s a nice user experience when it’s done correctly:

Final Thoughts

Overall, Assigned Access can be a bit trickier than it appears. We ran into a few hurdles early on, but overall, it works really well once built. We’ll cover next week the slightly trickier Multi-App and Shell Launcher versions that take more nuance than expected.

The different flavors of Kiosk are very interesting especially when you have customers who want something “like” Windows 365 Boot but are running AVD or just a retailer trying to simplify their design/deployment strategy. So, remember to use the dreaded custom policies with the OMA-URI and not the evil and out-of-date Kiosk policies in Microsoft Intune. See everyone next week!!


24 thoughts on “Deep Dive into Windows 11 Kiosks Part 1: Assigned Access”

  1. Thanks Jon for this great insightful article and the guided video.
    I have a couple of questions please:
    1 – Is there an enrollment method recommended for Windows kiosk devices?
    If Autopilot, what type please?
    2 – What/when is the best time to assign the Kiosk policy within the Autopilot deployment or preferred to be assigned after the enrollment process?

    1. I believe I responded to you on my YouTube channel.
      The basic practice is to use Self Deploying Mode coupled with OTA licenses (because you will have to license it to Windows Enterprise separately), but I have had customers who insisted on using user-driven enrollment and have worked perfectly fine.

  2. Great article, do you also have some advice (best practices) on power settings and device restrictions policies for Kiosk machines whether it is a single app or multi app device.

    1. Coupled with having it auto-login with a basic account e.g. the Edge Kiosk account, I deploy Power Policy settings for “Never” to basically never power down when plugged in (I would expect basically all kiosks to be desktops).

      With that, it’s really important to have a very light touch with Kiosks and rely on Kiosk capabilities vs. Security Baselines, because you will often end up breaking/losing functionality of the kiosk for going overboard.

  3. Hello Jon,
    Great article and write-up! Have also subscribed to your YouTube channel.

    I’ve successfully setup a Windows 11 Single-App Kiosk but want to find a way to enable/allow SSO for websites…

    I can get the webpage to load and then manually sign-in without issue, however a refresh/reboot requires the web page to be signed into again.

    This is obviously working by design as Edge is in In-Private mode so is likely disabling caching credentials. I get the same result when using Microsoft’s Kiosk Browser store App as well.

    Do you know of, or can you think of a way to make SSO/cached credentials work?

    1. If it’s always the same user, you can have auto login use an Entra account.

      Another option is to disable private browsing mode which effectively breaks end session.

      Most people would configure auto login with an Entra account to achieve SSO.

    1. Where does it prompt for logon? As in showing a login window? If it was done correctly, it will auto login with the kiosk account

  4. After ESP completes it boots to Windows Logon. If I enter in the Autologon account that is in the XML with no password it works however also prompts to set a new password.

    Is this expected behaviour if you change it to something other, such as “CompanyName Kiosk” as an example?

  5. I renamed the Display Name back. From your video when I compare to my results when testing my ESP ends with a device restart then brings up the Windows Logon. On your video it goes directly from ESP into Windows and Auto login. I will work to remove all apps and policies assignments just leaving the XML policy to see if that does anything. Does it matter if I am using Win11 24h2?

  6. I see that it says you can use Azure credentials as well. The example does not show a section for password but I would assume you still need to add the password to the config, correct? What would that look like?

    1. You should really never use Azure credentials in a kiosk scenario. It creates a risk

      It’s better to use a built-in kiosk account

  7. Is there a way to disable InPrivate Browsing? We are wanting to cache credentials so we can set a PC in a room without a keyboard (just a touchscreen) and users can interact with gloves on. We have a site that we’d need to cache credentials to so it can auto-login instead of them having to type in a username and PW into the website every time it loads

      1. So new policy, set “Configure InPrivate Mode Availability” to “InPrivate Mode Disabled”? Not worried about Auto Log-off, we’re wanting these to stay signed in

        1. Yeah when I first did this, I couldn’t figure out why auto logoff wasn’t working and they had disabled in private for edge lol

          1. I assigned the policy but it’s still showing InPrivate, do you recommend I change something else or just reset the laptop to make sure it gets the right settings?

          2. I would make sure you’re testing with a VM when trying to make this stuff work overall.

            Sometimes a reboot helps; it’s likely the setting hasn’t taken effect yet. Sometimes it may take up to an hour.
