Having tested Windows 10 Kiosk device configuration for many weeks now, it is time to write down my findings and experiences.

Before I go into the details of how to configure multiple apps on Kiosk devices, I would like to write down some notes:
(Please remember, all of this information is based on my testing at the time of writing this post, July 5, 2018.)

  • Supported logon user:
    • Auto logon account
    • Local user: the account must exist before you configure it for assigned access
    • Local user group: the user group must exist before you configure it for assigned access
    • Azure AD user
    • Azure AD user group
  • If you assign UWP apps that have a print function, you will need extra configuration to make your device more secure. I explain this in more detail below.
  • Auto logon gives the best logon experience for a Kiosk device
  • For auto logon to work, do not enforce password settings.

  • Kiosk (Preview) multiple apps doesn’t work with any Windows 10 version in any combination I tested.
  • Virtual Machine, User Driven Deployment Autopilot profile, Windows 10 Insider 17704 Enterprise + Enrollment Status page (Preview) + Kiosk (Preview) Single app: auto logon works
  • Virtual Machine, User Driven Deployment Autopilot profile, Windows 10, version 1803 + Enrollment Status page (Preview) + Kiosk (Preview) Single app: auto logon doesn’t work
  • Virtual Machine, User Driven Deployment Autopilot profile, Windows 10, version 1803 + Enrollment Status page (Preview) + Kiosk mode custom setting (xml) single and multiple apps: auto logon doesn’t work
  • Virtual Machine, User Driven Deployment Autopilot profile, Windows 10, version 1803 + Kiosk (Preview) Single app: auto logon works
  • Virtual Machine, User Driven Deployment Autopilot profile, Windows 10, version 1803 + Kiosk mode custom setting (xml) single and multiple apps: auto logon works

Make sure you read the Microsoft documentation for more details, especially the notes and warnings.
https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps

As I mentioned earlier, the Kiosk (Preview) setting doesn’t work with multiple apps (based on my current testing). In this post I use only custom OMA-URI settings, and I will use auto logon.

  1. Create a new custom OMA-URI policy.
    OMA-URI: ./Device/Vendor/MSFT/AssignedAccess/Configuration
    Data Type: String
    Value:

    <?xml version="1.0" encoding="utf-8" ?>
    <AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
        <Profiles>
            <Profile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}">
                <AllAppsList>
                    <AllowedApps>
                        <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
                        <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
                        <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
                        <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
                        <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
                        <App AppUserModelId="Microsoft.KioskBrowser_8wekyb3d8bbwe!App" />
                        <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!BCHost" />
                        <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!ContentProcess" />
                        <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!F12" />
                        <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
                        <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!PdfReader" />
                        <App AppUserModelId="Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe!App" />
                        <App AppUserModelId="Windows.PrintDialog_cw5n1h2txyewy!Microsoft.Windows.PrintDialog" />
                        <App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
                        <App DesktopAppPath="%windir%\system32\mspaint.exe" />
                        <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
                    </AllowedApps>
                </AllAppsList>
                <StartLayout>
                    <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
                        <LayoutOptions StartTileGroupCellWidth="6" />
                        <DefaultLayoutOverride>
                            <StartLayoutCollection>
                                <defaultlayout:StartLayout GroupCellWidth="6">
                                    <start:Group Name="Group1">
                                        <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
                                        <start:Tile Size="2x2" Column="0" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
                                        <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
                                        <start:Tile Size="2x2" Column="2" Row="2" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
                                        <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
                                        <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.KioskBrowser_8wekyb3d8bbwe!App" />
                                    </start:Group>
                                    <start:Group Name="Group2">
                                        <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" />
                                        <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" />
                                    </start:Group>
                                    <start:Group Name="Group3">
                                        <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
                                    </start:Group>
                                </defaultlayout:StartLayout>
                            </StartLayoutCollection>
                        </DefaultLayoutOverride>
                    </LayoutModificationTemplate>
                    ]]>
                </StartLayout>
                <Taskbar ShowTaskbar="true"/>
            </Profile>
        </Profiles>
        <Configs>
            <Config>
                <AutoLogonAccount/>
                <DefaultProfile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}"/>
            </Config>
        </Configs>
    </AssignedAccessConfiguration>

  2. Create another custom OMA-URI policy to control which Windows Settings pages users are allowed to use. When you assign UWP apps that have a print function, users are able to click on “Add a printer”, and from there they will have access to all Windows Settings.

    I will configure this policy to allow users to see only Printers & scanners:

    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList
    Data Type: String
    Value: showonly:printers

  3. Assign both policies to your kiosk device group.
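A consistency check for the two policies above, as an added example (not from the original post and not Microsoft tooling): it parses the AssignedAccess XML, confirms that every Start tile points at an app in AllowedApps and that DefaultProfile references an existing Profile, and flags a profile that allows the print dialog or Settings app without a `showonly:` PageVisibilityList. The name `lint_kiosk`, the finding strings, the sample XML and its profile GUID are constructed for illustration; desktop tiles are matched by executable name only.

```python
import xml.etree.ElementTree as ET
AA = "{http://schemas.microsoft.com/AssignedAccess/2017/config}"
START = "{http://schemas.microsoft.com/Start/2014/StartLayout}"
# AUMID prefixes that lead to Windows Settings, per the print-dialog note in the post
SETTINGS_APPS = ("windows.printdialog_", "windows.immersivecontrolpanel_")

def lint_kiosk(config_xml, page_visibility=""):
    """Return findings for an AssignedAccess XML plus its PageVisibilityList value."""
    root = ET.fromstring(config_xml.strip())
    findings, profile_ids = [], set()
    for profile in root.iter(AA + "Profile"):
        profile_ids.add(profile.get("Id", "").lower())
        apps = list(profile.iter(AA + "App"))
        aumids = {(a.get("AppUserModelId") or "").lower() for a in apps} - {""}
        exes = {(a.get("DesktopAppPath") or "").lower().rsplit("\\", 1)[-1] for a in apps} - {""}
        # StartLayout is CDATA: it arrives as text and is parsed as its own document
        text = (profile.findtext(AA + "StartLayout") or "").strip()
        layout = ET.fromstring(text or "<none/>")
        for tile in layout.iter(START + "Tile"):
            if tile.get("AppUserModelID", "").lower() not in aumids:
                findings.append("tile not in AllowedApps: " + tile.get("AppUserModelID", ""))
        for tile in layout.iter(START + "DesktopApplicationTile"):
            exe = tile.get("DesktopApplicationID", "").lower().rsplit("\\", 1)[-1]  # file name only
            if exe not in exes:
                findings.append("desktop tile not in AllowedApps: " + exe)
        if (any(a.startswith(SETTINGS_APPS) for a in aumids)
                and not page_visibility.lower().startswith("showonly:")):
            findings.append("Settings reachable, PageVisibilityList is not showonly:")
    for default in root.iter(AA + "DefaultProfile"):
        if default.get("Id", "").lower() not in profile_ids:
            findings.append("DefaultProfile has no matching Profile: " + default.get("Id", ""))
    return findings

# Constructed sample: the weather tile is deliberately missing from AllowedApps
SAMPLE = r"""<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles><Profile Id="{11111111-1111-1111-1111-111111111111}"><AllAppsList><AllowedApps>
      <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
      <App AppUserModelId="Windows.PrintDialog_cw5n1h2txyewy!Microsoft.Windows.PrintDialog" />
      <App DesktopAppPath="%windir%\system32\mspaint.exe" />
    </AllowedApps></AllAppsList>
    <StartLayout><![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
      <DefaultLayoutOverride><StartLayoutCollection><defaultlayout:StartLayout GroupCellWidth="6"><start:Group Name="Group1">
        <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
        <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
        <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" />
      </start:Group></defaultlayout:StartLayout></StartLayoutCollection></DefaultLayoutOverride></LayoutModificationTemplate>]]></StartLayout>
  </Profile></Profiles><Configs><Config><AutoLogonAccount/><DefaultProfile Id="{11111111-1111-1111-1111-111111111111}"/></Config></Configs>
</AssignedAccessConfiguration>"""
```

Calling `lint_kiosk(SAMPLE)` reports the weather tile and the missing Settings restriction; passing `"showonly:printers"` as the second argument clears the second finding.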

Here is how my Kiosk device looks as a result:

More information:

Customize and export Start layout: https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout
MDM policy: https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps#mdm-policy
Find AUMID: https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app
Kiosk XML sample: https://docs.microsoft.com/en-us/windows/configuration/kiosk-xml

Sandy has been working in the IT industry since 2009. Primarily dealing with SCCM, MDT, Group Policy, software packaging, workstation problem solving. Sandy currently works for a large Finnish company with several thousand endpoints. In 2016, Sandy founded the http://thesccm.com blog and is now a guest blogger on SCConfigMgr.

comments
  • Marctwain
    Posted at 05:23 July 13, 2018

    I have been trying to use this technology for a year now. None of it actually works consistently.
