MSEndpointMgr

Building lock down device – Part 4 (Kiosk PC mode)

For earlier posts, please find them here:

Last year I wrote a post about Create Windows 10 Kiosk devices using Microsoft Intune – multiple apps. When I wrote that, it was mainly for Windows 10 1803. There are some improvements after that in Windows 10 1809, like an exception for the Downloads folder and auto-start of an application, but there are also a few bugs with Windows 10 1809.

Bug 1: Assigned Access multi-app doesn’t work if the system language is non-English. It will log off the kiosk user as soon as they log on. (This is also fixed in Windows 10 1903.)
Update: Based on comments, this bug is fixed in the May update, or as a workaround, create a local group named “Administrator” (without members).

Bug 2: If you use Internet Explorer as the kiosk application, printing doesn’t work. It was working in 1803. I don’t know if it is fixed in Windows 10 1903; I haven’t had time to test that.

Another good solution

After I published my post, Maurice wrote another great post, Building a shared pc mode kiosk with Microsoft Intune. You should really take a look at his post, especially the non-Admin GPO. It works nicely and looks almost like the Assigned Access kiosk PC. Just one little thing bothers me: the “search” button. I can remove this button in normal desktop mode, but it appears again in tablet mode. I don’t like that a kiosk user can use the search button to search everything on the device. But this is a very good solution as well; it just depends on what requirements we have.

So what else?

Assigned Access basically uses AppLocker, enforced tablet mode and a full-screen Start menu. There are some important things that you should know.

  • Once you configure Assigned Access with an allowed app list, the AppLocker rules are also applied to all other non-kiosk standard users. If you plan to use the device as a multi-user device, for example one kiosk user with restricted settings and another standard user, this is not going to work. The only difference between the standard user and the kiosk user is the enforced tablet mode with the custom full-screen Start menu.
  • It would also be good to use Shared PC mode, so that the kiosk user profile is deleted at some point.
  • Because the kiosk profile uses tablet mode, all application windows are maximized. That is OK with a single application, but I found it a bit difficult to use with multiple apps on a small display, especially when you are using many apps at the same time.
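One way to see the first point on a test device, as an added example that is not part of the original post: after signing in once as the kiosk user and once as the other standard user, summarize the AppLocker block events per user from the standard AppLocker event logs. The 24-hour window is an assumption; adjust it to when the test sign-ins took place.

```powershell
# Added example: run in an elevated PowerShell session on the kiosk device.
# Assumption: both test sign-ins happened within the last 24 hours.
$since = (Get-Date).AddHours(-24)

# AppLocker "was prevented from running" event IDs (enforce mode), per log
$logs = @{
    'Microsoft-Windows-AppLocker/EXE and DLL'            = 8004
    'Microsoft-Windows-AppLocker/MSI and Script'         = 8007
    'Microsoft-Windows-AppLocker/Packaged app-Execution' = 8022
}

$blocked = foreach ($log in $logs.Keys) {
    $filter = @{ LogName = $log; Id = $logs[$log]; StartTime = $since }
    # Get-WinEvent raises an error when nothing matches the filter, so silence it
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_            # keep the event; $_ changes inside catch
            $sid = $evt.UserId   # SID of the user whose process was blocked
            $account = try {
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                "$sid"           # deleted or unresolvable profile: show the raw SID
            }
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                User    = $account
                Log     = $log
                Message = $evt.Message
            }
        }
}

# Blocks grouped per user and blocked item. If accounts other than the kiosk
# user show up here, the allow list is restricting them as well.
$blocked |
    Group-Object User, Message |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap
```

Running the same summary before and after a feature upgrade gives a quick comparison of what each account can no longer start.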

Most important

Testing, testing and testing. Have a good plan for how you are going to handle feature upgrades. You really don’t want to wake up on a beautiful morning to someone calling you and telling you: “All the machines are upgraded to the newest Windows 10, and kiosk mode is not working, the kiosk app won’t start, this doesn’t work, that doesn’t work”.

So please, test all your settings on each build of Windows before you decide to do an upgrade. That’s my own experience.

Final thoughts

Building a perfect kiosk PC is never easy. I have heard enough people telling me “oh, you can use this solution, or my perfect solution”. There is no such thing as “one perfect working kiosk solution that fits all customers’ requirements”. When we start planning how to build our solution, we should consider at least these three matters:

  • What applications are going to be used
    For example, if they use some old web-based system that only works in Internet Explorer, it’s going to take lots of effort to lock down Internet Explorer. Or if they need Adobe Reader, there are lots of cloud settings in Adobe Reader that you might want to disable on a kiosk machine. UWP apps sometimes just break in kiosk mode. I don’t have an answer for this issue; I have run into it multiple times that the UWP calculator got broken after the profile was deleted.
  • Who are the users / Usage of the kiosk PC
    Like I mentioned earlier about the Guest account on the logon screen, some users might find it easy to use, and some might find it impossible to use. If you are building a digital signage device, that will be way easier.
  • Security
    Ask your customer what the security requirements are, but I doubt you will get clear answers. So ask them in detail what is allowed and what is not, like “Is using a USB stick allowed?” “Is printing allowed?”

Sandy Zeng

Sandy has been an Enterprise Mobility MVP since 2018. She is an Information Technology Specialist with over 10 years of experience, skilled in Microsoft Endpoint Manager (ConfigMgr and Intune), Windows 10 and security. Sandy's interests are mostly related to Microsoft technologies; she has a passion for learning new skill sets, both to improve her professional career and as a hobby. She uses her expertise to help customers achieve their goals and solve their issues.

Sandy founded the https://sandyzeng.com blog and is now a blogger on MSEndPointMgr.

9 comments

  • You’re right, building a perfect kiosk PC is never easy. Thanks for the post on kiosks. Kiosk machines, on the positive side, provide information, service and order commands that require no time and no help from a human being.

  • Hello,
    What is the best practice to update an installed app?
    I’ve installed an app and, logically, after updating it (the .lnk was also updated) the Start Menu link wasn’t working anymore.
    The only solution I found was to delete the Kiosk Profile and to re-apply it.

    • I haven’t run into issues updating installed apps. Usually I put shortcuts (.lnk) in the %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs folder, then configure the kiosk Start menu XML to use those shortcuts.

  • Do you know if bug 2 has been addressed in 1809? Or if there is a workaround? We’re deploying 2019 LTSC which is equivalent to Windows 10 version 1809. We have a requirement to be able to print from IE. Thank you!

    • Bug 2 is in 1809, not 1803. And I don’t know if it’s fixed or not; I haven’t had time to test it again lately.

  • For bug 1, on a non-EN OS, just create a local group named “Administrator” (without members) and it works well. Otherwise, Microsoft corrected this bug with the May update for Win 10 1809.

    • Thank you, I will update the post. Do you have any doc link saying that they fixed this bug in the May update?
