Building lock down device – Part 4 (Kiosk PC mode)
The earlier posts in this series are here:
- Building lock down device – Part 1 – (Keyboard Filter)
- Building lock down device – Part 2 (Shell Launcher)
- Building lock down device – Part 3 (Shared PC mode)
Last year I wrote a post, Create Windows 10 Kiosk devices using Microsoft Intune – multiple apps. When I wrote that, it was mainly for Windows 10 1803. There are some improvements after that in Windows 10 1809, like an exception for the Downloads folder and an auto-started application, but Windows 10 1809 also has a few bugs.
Bug 1: Assigned Access multi-app doesn't work if the system language is non-English. It logs the kiosk user off as soon as they log on. (This is also fixed in Windows 10 1903.)
Update: Based on comments, this bug is fixed in the May update; as a workaround, create a local group named "Administrator" (without members).
Bug 2: If you use Internet Explorer as the kiosk application, printing doesn't work. It was working in 1803. I don't know if it is fixed in Windows 10 1903, I haven't had time to test that.
Other good solutions
After I published my post, Maurice wrote another great post, Building a shared pc mode kiosk with Microsoft Intune. You should really take a look at his post, especially the non-Admin GPO. It works nicely and looks almost like the Assigned Access kiosk PC. There is just one little thing that bothers me: the "search" button. I can remove this button in normal desktop mode, but it appears again when using tablet mode. I don't like that the kiosk user can use the search button to search for everything on the device. But this is a very good solution as well; it just depends on what requirements we have.
So what else?
Assigned Access basically uses AppLocker, enforces tablet mode and a full-screen Start menu. There are some important things you should know:
- Once you configure Assigned Access with an allowed app list, the AppLocker rules are also applied to all other non-kiosk standard users. If you plan to use this device as a multi-user device, for example one kiosk user with restricted settings and another standard user, this is not going to work. The only difference between the standard user and the kiosk user is the enforced tablet mode with the custom full-screen Start menu.
- It would also be good to use Shared PC mode, so that the kiosk user profile is deleted at some point.
- Because the kiosk profile uses tablet mode, all application windows are maximized. This is fine with a single application, but I found it a bit difficult to use with multiple apps on a small display, especially when using many apps at the same time.
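To make the points above concrete, here is an added example (my own illustration for this post, not the Intune profile from the earlier post and not a script from Microsoft's documentation) that builds a multi-app Assigned Access configuration for Windows 10 1809 with the two improvements mentioned earlier (Downloads folder exception, auto-started application) and applies it locally through the MDM bridge WMI provider for testing. The same XML is what goes into an Intune custom profile with the OMA-URI ./Device/Vendor/MSFT/AssignedAccess/Configuration. The account name KioskUser, the profile GUID, the intranet URL, the two allowed apps, the Internet Explorer shortcut path and the Shared PC values are assumptions.

```powershell
# Added example: multi-app Assigned Access (kiosk PC) for Windows 10 1809+.
# Not the post's own script. Assumptions: a local account "KioskUser" already
# exists, the profile GUID, URL and app list are placeholders, and the script
# runs as SYSTEM (the MDM bridge WMI provider is only reachable as SYSTEM,
# for example "psexec -i -s powershell.exe").

$kioskAccount = 'KioskUser'
$profileId    = '{9A2A490F-10F6-4764-974A-43B19E722C23}'   # any GUID, reused under <Configs>
$startUrl     = 'https://intranet.example.invalid/'         # placeholder URL

# Start layout that the kiosk user sees; embedded as CDATA in <StartLayout> below.
# DesktopApplicationLinkPath must point at an existing .lnk (assumed path).
$startLayout = @"
<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1"
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Kiosk">
          <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>
"@

# The rs5 namespace carries the 1809 additions (AutoLaunch, FileExplorerNamespaceRestrictions).
$config = @"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config">
  <Profiles>
    <Profile Id="$profileId">
      <AllAppsList>
        <AllowedApps>
          <!-- UWP app, identified by its AUMID -->
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <!-- Win32 app, identified by path; rs5:AutoLaunch starts it at logon (only one app may auto-launch) -->
          <App DesktopAppPath="%ProgramFiles%\Internet Explorer\iexplore.exe"
               rs5:AutoLaunch="true" rs5:AutoLaunchArguments="$startUrl" />
        </AllowedApps>
      </AllAppsList>
      <!-- File Explorer stays blocked, but the Downloads folder is reachable from file dialogs -->
      <rs5:FileExplorerNamespaceRestrictions>
        <rs5:AllowedNamespace Name="Downloads" />
      </rs5:FileExplorerNamespaceRestrictions>
      <StartLayout>
        <![CDATA[$startLayout]]>
      </StartLayout>
      <Taskbar ShowTaskbar="true" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>$kioskAccount</Account>
      <DefaultProfile Id="$profileId" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
"@

# Apply through the MDM bridge; the Configuration property expects the XML HTML-encoded.
$aa = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_AssignedAccess'
$aa.Configuration = [System.Net.WebUtility]::HtmlEncode($config)
Set-CimInstance -CimInstance $aa

# Shared PC mode so the kiosk profile gets cleaned up (second bullet above).
# Values are assumptions; DeletionPolicy 1 deletes profiles once disk usage
# passes DiskLevelDeletion (percent) and stops at DiskLevelCaching.
$spc = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_SharedPC'
$spc.EnableSharedPCMode   = $true
$spc.EnableAccountManager = $true
$spc.DeletionPolicy       = 1
$spc.DiskLevelDeletion    = 25
$spc.DiskLevelCaching     = 50
$spc.RestrictLocalStorage = $false
Set-CimInstance -CimInstance $spc
```

Because the allowed-app list becomes AppLocker rules for every non-administrator on the device, test this on a machine where the kiosk account is the only standard user; the remaining Shared PC properties are covered in Part 3.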
Testing, testing and testing. Have a good plan for how you are going to handle feature upgrades; you really don't want to wake up one beautiful morning to someone calling you and saying "All the machines are upgraded to the newest Windows 10, and kiosk mode is not working, the kiosk app won't start, this doesn't work, that doesn't work".
So please test all your settings on each build of Windows before you decide to do an upgrade. That's my own experience.
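As a concrete version of "test your settings on each build", here is an added check script (mine, not the author's, and not part of any Microsoft tooling) to run on a pilot device before and after a feature upgrade. It reads the Assigned Access configuration back from the MDM bridge, verifies that every allowed app and the kiosk account still exist, reports the OS build (since the bugs above are build-specific), and pulls recent AppLocker block events and Assigned Access errors, which is where a broken kiosk usually shows up first. It assumes Windows 10 1809 or later, that the script runs as SYSTEM, and that only local kiosk accounts are used.

```powershell
# Added example: pre/post feature-upgrade check of a multi-app kiosk.
# Not the post's own script. Assumptions: Windows 10 1809+, run as SYSTEM
# (the MDM bridge is SYSTEM-only), configuration applied via the
# AssignedAccess CSP (Intune OMA-URI or the MDM bridge), local kiosk accounts.

function Test-KioskConfiguration {
    $results = New-Object System.Collections.Generic.List[object]
    $build   = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $results.Add([pscustomobject]@{ Item = "OS build $build"; Kind = 'Build'; Present = $true })

    $aa  = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_AssignedAccess'
    $raw = $aa.Configuration
    if ([string]::IsNullOrWhiteSpace($raw)) {
        Write-Warning 'No Assigned Access configuration present on this device'
        return $results
    }
    # The bridge hands the XML back HTML-encoded; decode only in that case, so
    # real entities inside the XML (e.g. & in AutoLaunchArguments) survive.
    if ($raw.TrimStart().StartsWith('&lt;')) { $raw = [System.Net.WebUtility]::HtmlDecode($raw) }
    [xml]$cfg = $raw

    $ns = New-Object System.Xml.XmlNamespaceManager($cfg.NameTable)
    $ns.AddNamespace('aa', 'http://schemas.microsoft.com/AssignedAccess/2017/config')

    # Every allowed app must still resolve after the upgrade.
    $families = (Get-AppxPackage -AllUsers).PackageFamilyName
    foreach ($app in $cfg.SelectNodes('//aa:AllowedApps/aa:App', $ns)) {
        if ($app.DesktopAppPath) {
            $path = [Environment]::ExpandEnvironmentVariables($app.DesktopAppPath)
            $results.Add([pscustomobject]@{ Item = $app.DesktopAppPath; Kind = 'Win32'; Present = (Test-Path -LiteralPath $path) })
        } else {
            # AUMID = PackageFamilyName!AppId; a UWP app that lost its package is the
            # "broken calculator" case from the text.
            $family = $app.AppUserModelId.Split('!')[0]
            $results.Add([pscustomobject]@{ Item = $app.AppUserModelId; Kind = 'UWP'; Present = ($families -contains $family) })
        }
    }

    # The kiosk account named under <Configs> must still exist (local accounts only here).
    foreach ($acct in $cfg.SelectNodes('//aa:Configs/aa:Config/aa:Account', $ns)) {
        $name = $acct.InnerText
        if ($name -notmatch '\\') {
            $exists = [bool](Get-LocalUser -Name $name -ErrorAction SilentlyContinue)
            $results.Add([pscustomobject]@{ Item = $name; Kind = 'Account'; Present = $exists })
        }
    }
    return $results
}

function Get-KioskProblemEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # AppLocker 8004 = executable blocked; Level 2 = Error in the Assigned Access admin log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AssignedAccess/Admin'; Level = 2; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Test-KioskConfiguration | Format-Table -AutoSize
Get-KioskProblemEvents -Hours 48 | Format-Table -AutoSize -Wrap
```

Run it once on the known-good build, keep the output, and diff it against the output after the upgrade; any row with Present = False or any new 8004 event is something to fix before the upgrade goes to production.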
Building a perfect kiosk PC is never easy. I have heard enough people telling me "oh, you can use this solution, or my perfect solution". There is no such thing as "one perfect working kiosk solution that fits all customers' requirements". When we start planning how to build our solution, we should at least consider these three matters:
- What applications are going to be used
For example, if they use some old web-based system that only works in Internet Explorer, it's going to take lots of effort to lock down Internet Explorer. Or if they need Adobe Reader, there are lots of cloud settings in Adobe Reader that you might want to disable on a kiosk machine. UWP apps sometimes just get broken in kiosk mode; I don't have an answer for this issue, I have run into it multiple times that the UWP Calculator got broken after the profile was deleted.
- Who are the users / Usage of the kiosk PC
As I mentioned earlier about the Guest account on the logon screen, some users might find it easy to use, and for some it might be impossible to use. If you are building a digital signage device, that will be way easier.
- What are the security requirements
Ask your customer what the security requirements are, but I doubt you will get clear answers for that. So ask them in detail what is allowed and what is not, like "Is it allowed to use a USB stick?" or "Is it allowed to print?"
Sandy has been an Enterprise Mobility MVP since 2018. She has been working in the IT industry since 2009, primarily dealing with device management solution planning and implementation. Sandy has worked with SCCM, MDT, Group Policy, software packaging and problem solving. Sandy currently works as a system architect for a large Finnish company with several thousand endpoints. In 2016, Sandy founded the https://thesccm.com blog and is now a guest blogger on SCConfigMgr.