Prepare a device for kiosk configuration

Applies to

  • Windows 10 Pro, Enterprise, and Education

Warning

For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account.

Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.

For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:

  • Hide update notifications (new in Windows 10, version 1809)
    Go to Group Policy Editor > Computer Configuration > Administrative Templates\Windows Components\Windows Update\Display options for update notifications
    -or-
    Use the MDM setting Update/UpdateNotificationLevel from the Policy/Update configuration service provider
    -or-
    Add the following registry keys as DWORD (32-bit) type: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateNotificationLevel with a value of 1, and HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetUpdateNotificationLevel with a value of 1 to hide all notifications except restart warnings, or a value of 2 to hide all notifications, including restart warnings.

  • Replace the "blue screen" with a blank screen for OS errors
    Add the following registry key as DWORD (32-bit) type with a value of 1: HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled

  • Put the device in Tablet mode
    If you want users to be able to use the touch (on-screen) keyboard, go to Settings > System > Tablet mode and choose On. Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.

  • Hide the Ease of Access feature on the sign-in screen
    Go to Control Panel > Ease of Access > Ease of Access Center, and turn off all accessibility tools.

  • Disable the hardware power button
    Go to Power Options > Choose what the power button does, change the setting to Do nothing, and then Save changes.

  • Remove the power button from the sign-in screen
    Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Shutdown: Allow system to be shut down without having to log on, and select Disabled.

  • Disable the camera
    Go to Settings > Privacy > Camera, and turn off Let apps use my camera.

  • Turn off app notifications on the lock screen
    Go to Group Policy Editor > Computer Configuration > Administrative Templates\System\Logon\Turn off app notifications on the lock screen.

  • Disable removable media
    Go to Group Policy Editor > Computer Configuration > Administrative Templates\System\Device Installation\Device Installation Restrictions. Review the policy settings available in Device Installation Restrictions for the settings applicable to your situation.
    NOTE: To prevent this policy from affecting a member of the Administrators group, in Device Installation Restrictions, enable Allow administrators to override Device Installation Restriction policies.

Enable logging

Logs can help you troubleshoot kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational channel, which is disabled by default.

In Event Viewer, right-click Operational, and then select Enable Log.
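The registry recommendations from the table above and the log enablement just described, as one PowerShell script that applies the settings and then reads them back. This is an added example, not code from the original article; the event channel name is assumed from the Event Viewer path, and the script must run in an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article: applies the registry-based
# recommendations from the table and enables the AssignedAccess Operational log,
# then reads everything back so the result can be audited.
$wuKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# Desired state, as the table specifies. SetUpdateNotificationLevel = 1 hides all
# notifications except restart warnings; use 2 to hide restart warnings as well.
$desired = @(
    @{ Path = $wuKey;    Name = 'UpdateNotificationLevel';    Value = 1 }
    @{ Path = $wuKey;    Name = 'SetUpdateNotificationLevel'; Value = 1 }
    @{ Path = $crashKey; Name = 'DisplayDisabled';            Value = 1 }  # blank screen on OS errors
)

foreach ($d in $desired) {
    if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
    # DWORD (32-bit) values, as required by the table
    New-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -PropertyType DWord -Force | Out-Null
}

# Event Viewer shows this log under Applications and Services Logs\Microsoft\Windows\
# AssignedAccess\Operational; the channel name below is assumed from that path.
$channel = 'Microsoft-Windows-AssignedAccess/Operational'
wevtutil set-log $channel /enabled:true

# Verification: print each value with OK or MISMATCH so drift is visible.
foreach ($d in $desired) {
    $actual = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
    $status = if ($actual -eq $d.Value) { 'OK' } else { 'MISMATCH' }
    '{0,-8} {1}\{2} = {3}' -f $status, $d.Path, $d.Name, $actual
}
$enabled = (wevtutil get-log $channel | Select-String '^enabled:') -match 'true'
'{0,-8} {1} enabled={2}' -f $(if ($enabled) { 'OK' } else { 'MISMATCH' }), $channel, $enabled
```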

Automatic logon

In addition to the settings in the table, you may want to set up automatic logon for your kiosk device. When your kiosk device restarts, whether from an update or a power outage, you can sign in to the assigned access account manually, or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign-in.

Tip

If you use the kiosk wizard in Windows Configuration Designer or XML in a provisioning package to configure your kiosk, you can set an account to sign in automatically in the wizard or XML.

How to edit the registry to have an account sign in automatically

  1. Open Registry Editor (regedit.exe).

    Note

    If you are not familiar with Registry Editor, learn how to modify the Windows registry.

  2. Go to

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

  3. Set the values for the following keys.

    • AutoAdminLogon: set value as 1.

    • DefaultUserName: set value as the account that you want signed in.

    • DefaultPassword: set value as the password for the account.

      Note

      If DefaultUserName and DefaultPassword aren't there, add them as New > String Value.

    • DefaultDomainName: set value for domain, only for domain accounts. For local accounts, do not add this key.

  4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically.

Tip

You can also configure automatic sign-in using the Autologon tool from Sysinternals.
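The Winlogon values set in the procedure above, checked against the least-privilege warning at the top of this article: an added audit script (not part of the original article) that reports whether autologon is configured, whether the account is a domain account, and whether a local account is a member of Administrators. It changes nothing; the local-account cmdlets it uses ship with Windows 10 PowerShell.

```powershell
# Added example, not part of the original article: audits the autologon values
# from the procedure above. Read-only; run in an elevated session.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$p = Get-ItemProperty -Path $winlogon

if ($p.AutoAdminLogon -ne '1') {
    'AutoAdminLogon is not enabled; nothing to audit.'
    return
}

$user     = $p.DefaultUserName
$domain   = $p.DefaultDomainName
$findings = @()

if ([string]::IsNullOrEmpty($user)) {
    $findings += 'AutoAdminLogon is 1 but DefaultUserName is missing.'
}
# Step 3: DefaultDomainName is present only for domain accounts ("." also means local).
elseif ($domain -and $domain -ne '.' -and $domain -ne $env:COMPUTERNAME) {
    $findings += "Domain account '$domain\$user' is used for autologon; review which domain resources it can reach (see the Warning above)."
}
else {
    $local = Get-LocalUser -Name $user -ErrorAction SilentlyContinue
    if (-not $local) {
        $findings += "Local account '$user' does not exist; autologon will fail."
    }
    else {
        # Compare by SID rather than by display name
        $isAdmin = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                   Where-Object { $_.SID -eq $local.SID }
        if ($isAdmin) {
            $findings += "'$user' is a member of Administrators; a local standard user account is recommended."
        }
    }
}

# DefaultPassword is a REG_SZ string value, so it is stored in clear text.
if ($p.PSObject.Properties['DefaultPassword']) {
    $findings += 'DefaultPassword is present in the registry as a clear-text string value.'
}

if ($findings) { $findings | ForEach-Object { "FINDING: $_" } }
else           { "OK: autologon account '$user' passes the checks." }
```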

Interactions and interoperability

The following table describes some features that have interoperability issues that we recommend you consider when running assigned access.

Note

Where applicable, the table notes optional features that you can configure for assigned access.

Accessibility

Assigned access does not change Ease of Access settings.

We recommend that you use Keyboard Filter to block the following key combinations that bring up accessibility features:

  • Left Alt+Left Shift+Print Screen: Open High Contrast dialog box.

  • Left Alt+Left Shift+Num Lock: Open Mouse Keys dialog box.

  • Windows logo key+U: Open Ease of Access Center.

Assigned access Windows PowerShell cmdlets

In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see Assigned access Windows PowerShell reference.

Key sequences blocked by assigned access

When in assigned access, some key combinations are blocked for assigned access users.

Alt+F4, Alt+Shift+Tab, and Alt+Tab are not blocked by assigned access; we recommend that you use Keyboard Filter to block these key combinations.

Ctrl+Alt+Delete is the key combination that breaks out of assigned access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode, as described in WEKF_Settings.

Key combinations blocked for assigned access users:

  • Alt+Esc: Cycle through items in the reverse order from which they were opened.

  • Ctrl+Alt+Esc: Cycle through items in the reverse order from which they were opened.

  • Ctrl+Esc: Open the Start screen.

  • Ctrl+F4: Close the window.

  • Ctrl+Shift+Esc: Open Task Manager.

  • Ctrl+Tab: Switch windows within the application currently open.

  • LaunchApp1: Open the app that is assigned to this key.

  • LaunchApp2: Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator.

  • LaunchMail: Open the default mail client.

  • Windows logo key: Open the Start screen.

Keyboard Filter settings apply to other standard accounts.

Key sequences blocked by Keyboard Filter

If Keyboard Filter is turned ON then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the Keyboard Filter reference topic.

Keyboard Filter is only available on Windows 10 Enterprise or Windows 10 Education.
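Blocking the combinations this article says assigned access leaves open (Alt+F4, Alt+Shift+Tab, Alt+Tab) together with the Windows logo key+U accessibility shortcut, through the Keyboard Filter WMI provider. This is an added example, not code from the original article: the WEKF_PredefinedKey and WEKF_CustomKey classes in the root\standardcimv2\embedded namespace are the provider's own, but the Id spellings used here are assumptions to check against the Keyboard Filter reference, and the feature must be installed (Windows 10 Enterprise or Education).

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article: blocks the key combinations
# named in the text via Keyboard Filter. Combinations the provider predefines are
# enabled in WEKF_PredefinedKey; anything else is added as a WEKF_CustomKey.
$namespace = 'root\standardcimv2\embedded'

# Id strings are assumed to match the provider's naming (see lead-in).
$toBlock = @(
    'Alt+F4', 'Alt+Tab', 'Alt+Shift+Tab',   # not blocked by assigned access itself
    'Win+U'                                 # Ease of Access Center shortcut
)

$predefined = Get-CimInstance -Namespace $namespace -ClassName WEKF_PredefinedKey
$custom     = Get-CimInstance -Namespace $namespace -ClassName WEKF_CustomKey

foreach ($id in $toBlock) {
    $pre = $predefined | Where-Object { $_.Id -eq $id }
    if ($pre) {
        # Enabled = true means the combination is blocked
        Set-CimInstance -InputObject $pre -Property @{ Enabled = $true }
        "Blocked predefined key: $id"
        continue
    }
    $cus = $custom | Where-Object { $_.Id -eq $id }
    if ($cus) {
        Set-CimInstance -InputObject $cus -Property @{ Enabled = $true }
    }
    else {
        New-CimInstance -Namespace $namespace -ClassName WEKF_CustomKey `
            -Property @{ Id = $id; Enabled = $true } | Out-Null
    }
    "Blocked custom key: $id"
}

# Verification: list every combination that is currently blocked.
'--- blocked predefined keys ---'
Get-CimInstance -Namespace $namespace -ClassName WEKF_PredefinedKey |
    Where-Object Enabled | Select-Object -ExpandProperty Id
'--- blocked custom keys ---'
Get-CimInstance -Namespace $namespace -ClassName WEKF_CustomKey |
    Where-Object Enabled | Select-Object -ExpandProperty Id
```

The Left Alt+Left Shift+Print Screen and Left Alt+Left Shift+Num Lock combinations from the Accessibility row can be added to $toBlock with the same pattern once their key names are confirmed in the Keyboard Filter reference.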

Power button

Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it is in assigned access.

For more information on removing the power button or disabling the physical power button, see Custom Logon.

Unified Write Filter (UWF)

UWF settings apply to all users, including those with assigned access.

For more information, see Unified Write Filter.

WEDL_AssignedAccess class

Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead.

If you need to use assigned access API, see WEDL_AssignedAccess.

Welcome Screen

Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but also how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own.

For more information, see Custom Logon.