For earlier posts, please find them here:

Last year I wrote a post about Create Windows 10 Kiosk devices using Microsoft Intune – multiple apps, When I wrote that, it was mainly for Windows 10 1803, there are some improvement after that for Windows 1809, like exception for Downloads folder, auto start application, but also have few bugs with Windows 10 1809.

Bug 1: Assigned Access multi app doesn’t work if System language is non-English. It will log off the kiosk user once they log on. (This is also fixed in Windows 10 1903.)
Update: Based on comments, this bug is fixed in May update, or workaround create a local group named “Administrator” (without members).

Bug 2: If you use Internet Explorer as kiosk application, print doesn’t work. It was working in 1803. I don’t know if it is fixed in Widows 10 1903, haven’t got time to test that.

 

Other good solution

After I publish my post, Maurice wrote another great post Building a shared pc mode kiosk with Microsoft Intune. You should really take a look his post, specially the non-Admin GPO.  It works nicely and looks almost like the Assigned Access Kiosk PC. But just only one little thing that bothers me. This “search” button. I can remove this button in normal desktop mode, but it appear again when using tablet mode. I don’t like that kiosk user can use the search button search everything from the device. But this is a very good solutions as well, just depends what requirements we have.

 

So what else?

Assigned Access is basically using applocker, enforce tablet mode, full start menu. There are some important things that you should know.

  • Once when you configure Assigned Access with allow app list, applocker rules are also applied to all other non Kiosk standard users. If you plan to use this device as multi users device, like one is kiosk user with restrict settings, another is standard user, this is not going to work. Only different between standard user and kiosk user is just the enforced tablet mode with custom full screen start menu.
  • Would be also good to use Shared PC mode, so that kiosk user profile will be deleted in some point.
  • Because kiosk profile is using tablet mode, so all application windows size are maximized. It is OK to use with single application, but I found a bit difficult to use when is using multi apps with small display, specially when you are using many apps in the same time.

Most important

Testing testing and testing. Have a good plan how are you going to handle feature upgrade, you really don’t wake up in a beautiful morning and someone call you telling you this “All the machines are upgraded to newest Windows 10, and kiosk mode is not working, kiosk app won’t start, this doesn’t work, that doesn’t work”.

So please, test all your settings in each build of Windows, before you decide do an upgrade. That’s my own experience.

 

Final thoughts

Building a perfect Kiosk PC is never easy, I have heard enough people telling me “oh, you can use this solution, or my perfect solution”. There is no such thing that “One perfect working kiosk solution fits all customers requirement”. When start planning how to build our solution, we should at least consider these three matter:

  • What applications are going to be used
    Example if they use some old web base system that only works on Internet Explorer, it’s going to take lots of effort to locked down Internet Explorer. Or if need to Adobe Reader, there are lots of cloud settings in Adobe Reader that you might want to disable them in kiosk machine. UWP apps, sometimes they just got broken in kiosk mode, I don’t have answer for this issue, I have run into multiple times that UWP calculator got broken after profile is deleted.
  • Who are the users / Usage of the kiosk PC
    Like I mentioned earlier about Guest account in log on screen, some user might find it easy to use, and some might be impossible to use that. If you are build a Digital signage device, that will be way easier.
  • Security
    Ask your customer what is security requirement, but I doubt you will get clear answers for that. So ask them in details what is allowed and what is not, like “Is it allow use USB stick”? “Is it allow printing” ?

(4525)

comments
  • Thierry
    Posted at 09:50 August 9, 2019
    Thierry
    Reply
    Author

    For bug 1, for non-EN OS, just create a local group named “Administrator” (without members) it works well. Otherwise Microsoft corrected this bug with the May update for Win 10 1809.

    • Zeng Yinghua
      Posted at 16:09 August 9, 2019
      Zeng Yinghua
      Reply
      Author

      Thank you, I will update the post. Do you have any doc link that about they fixed this bug in May udpate?

  • Derrick
    Posted at 08:30 September 5, 2019
    Derrick
    Reply
    Author

    Do you know if bug 2 has been addressed in 1809? Or if there is a workaround? We’re deploying 2019 LTSC which is equivalent to Windows 10 version 1809. We have a requirement to be able to print from IE. Thank you!

    • Zeng Yinghua
      Posted at 17:36 October 14, 2019
      Zeng Yinghua
      Reply
      Author

      bug 2 is in 1809, not 1803. And I don’t know if it’s fixed or not, haven’t got time test it again lately.

  • TDA
    Posted at 07:45 October 1, 2019
    TDA
    Reply
    Author

    Hello,
    What is the best practice to update an installed app?
    I’ve installed an app and logically after updating it (.lnk) was also updated the StartMenu link wasn’t working anymore.
    The only solution I found was to delete the Kiosk Profile and to re-apply it.

    • Zeng Yinghua
      Posted at 17:45 October 14, 2019
      Zeng Yinghua
      Reply
      Author

      I haven’t run into issues updating installed app, usually I put shortcuts (.lnk) in %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs folder, then configure kiosk startmenu xml use those shortcuts.

      • TDA
        Posted at 08:55 October 15, 2019
        TDA
        Reply
        Author

        Hello,
        I’ve configured the profile to use the same paths as yours – but when I update an Application through SCCM it won’t work anymore.
        I though it could be because the .lnk is replaced from the installer (although is the same but it’s probably not for AppLocker).

        I’ve asked on TechNet, and apparently you can’t “just update” applications on a KioskPC.
        https://social.technet.microsoft.com/Forums/en-US/f1ad9a58-99ae-437a-8d54-31ba450e4620/w10-1809-multiapp-kiosk-and-app-updates?forum=win10itprosetup

        Maybe I’ve configured something the wrong way – would appreciate support from your side if possible.

        Cheers and great article btw 🙂

        • Zeng Yinghua
          Posted at 10:58 November 4, 2019
          Zeng Yinghua
          Reply
          Author

          Thanks. So how do you configure Kiosk Multi apps? Were you using provisioning package or Intune? I am only doing kiosk machines via Intune, haven’t try update application yet.

  • Leave a Reply to TDA
    Cancel Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.