Set up a single-app kiosk

Applies to

  • Windows 10 Pro, Enterprise, and Education
A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen.

When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app.
Illustration of a single-app kiosk experience

You have several options for configuring your single-app kiosk.

Method Description
Assigned access in Settings The Assigned Access option in Settings is a quick and easy method to set up a single device as a kiosk for a local standard user account. First, you need to create the user account on the device and install the kiosk app for that account.

This method is supported on Windows 10 Pro, Enterprise, and Education.
PowerShell You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to create the user account on the device and install the kiosk app for that account.

This method is supported on Windows 10 Pro, Enterprise, and Education.
The kiosk wizard in Windows Configuration Designer Windows Configuration Designer is a tool that produces a provisioning package, which is a package of configuration settings that can be applied to one or more devices during the first-run experience (OOBE) or after OOBE is done (runtime). You can also create the kiosk user account and install the kiosk app, as well as other useful settings, using the kiosk wizard.

This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education.
Microsoft Intune or other mobile device management (MDM) provider For managed devices, you can use MDM to set up a kiosk configuration.

This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education.

Tip

You can also configure a kiosk account and app for single-app kiosk within XML in a provisioning package by using a kiosk profile.

Set up a kiosk in local Settings

App type: UWP

OS edition: Windows 10 Pro, Ent, Edu

Account type: Local standard user

You can use Settings to quickly configure one or a few devices as a kiosk. When you set up a kiosk (also known as assigned access) in Settings, you must select a local standard user account. Learn how to create a local standard user account.

The Set up assigned access page in Settings

To set up assigned access in PC settings

  1. Go to Start > Settings > Accounts > Other people.

  2. Choose Set up assigned access.

  3. Choose an account.

  4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see Guidelines for choosing an app for assigned access.

  5. Close Settings – your choices are saved automatically, and will be applied the next time that user account logs on.

To remove assigned access, choose Turn off assigned access and sign out of the selected account.

When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.

  • If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do.

  • If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to Settings > Accounts > Sign-in options, and toggle the Use my sign-in info to automatically finish setting up my device after an update or restart setting to Off. After you change the setting, you can apply the kiosk configuration to the device.

Screenshot of automatic sign-in setting

Set up a kiosk using Windows PowerShell

App type: UWP

OS edition: Windows 10 Pro, Ent, Edu

Account type: Local standard user

PowerShell windows displaying Set-AssignedAccess cmdlet

You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices.

Before you run the cmdlet:

  1. Log in as administrator.
  2. Create the user account for Assigned Access.
  3. Log in as the Assigned Access user account.
  4. Install the Universal Windows app that follows the assigned access/above the lock guidelines.
  5. Log out as the Assigned Access user account.
  6. Log in as administrator.

To open PowerShell on Windows 10, search for PowerShell and find Windows PowerShell Desktop app in the results. Run PowerShell as administrator.

Configure assigned access by AppUserModelID and user name

Set-AssignedAccess -AppUserModelId <AUMID> -UserName <username>

Configure assigned access by AppUserModelID and user SID

Set-AssignedAccess -AppUserModelId <AUMID> -UserSID <usersid>

Configure assigned access by app name and user name

Set-AssignedAccess -AppName <CustomApp> -UserName <username>

Configure assigned access by app name and user SID

Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>

Note

To set up assigned access using -AppName, the user account that you specify for assigned access must have logged on at least once.

Learn how to get the AUMID.

Learn how to get the AppName (see Parameters).

Learn how to get the SID.

To remove assigned access, using PowerShell, run the following cmdlet.

Clear-AssignedAccess

Set up a kiosk using the kiosk wizard in Windows Configuration Designer

App type: UWP or Windows desktop application

OS edition: Windows 10 Pro (version 1709 and later) for UWP only; Ent, Edu for both app types

Account type: Local standard user, Active Directory

Kiosk wizard option in Windows Configuration Designer

Important

When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows).

When you use the Provision kiosk devices wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application.

Install Windows Configuration Designer, then open Windows Configuration Designer and select Provision kiosk devices. After you name your project, and click Next, configure the settings as shown in the following table.

step oneset up device
Enable device setup if you want to configure settings on this page.

If enabled:

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. See the permitted upgrades.

Toggle Configure devices for shared use off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

You can also select to remove pre-installed software from the device.
device name, upgrade to enterprise, shared use, remove pre-installed software
step two set up network
Enable network setup if you want to configure settings on this page.

If enabled:

Toggle On or Off for wireless network connectivity. If you select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.
Enter network SSID and type
step three account management
Enable account management if you want to configure settings on this page.

If enabled:

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.

Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

To create a local administrator account, select that option and enter a user name and password.

Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
join Active Directory, Azure AD, or create a local admin account
step four add applications
You can provision the kiosk app in the Add applications step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see Provision PCs with apps

Warning: If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in Installer Path, and then a Cancel button becomes available, allowing you to complete the provisioning package without an application.
add an application
step five add certificates
To provision the device with a certificate for the kiosk app, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.
add a certificate
step six Configure kiosk account and app
You can create a local standard user account that will be used to run the kiosk app. If you toggle No, make sure that you have an existing user account to run the kiosk app.

If you want to create an account, enter the user name and password, and then toggle Yes or No to automatically sign in the account when the device starts.

In Configure the kiosk mode app, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
Configure kiosk account and app
step seven configure kiosk common settings
On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
set tablet mode and configure welcome and shutdown and turn off timeout settings
finish
You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
Protect your package

Note

If you want to use the advanced editor in Windows Configuration Designer, specify the user account and app (by AUMID) in Runtime settings > AssignedAccess > AssignedAccessSettings

Important

When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.

Learn how to apply a provisioning package.

Set up a kiosk or digital sign using Microsoft Intune or other MDM service

App type: UWP

OS edition: Windows 10 Pro (version 1709), Ent, Edu

Account type: Local standard user, Azure AD

The configuration settings for single-app kiosk in Microsoft Intune

Microsoft Intune and other MDM services enable kiosk configuration through the AssignedAccess configuration service provider (CSP). Assigned Access has a KioskModeApp setting. In the KioskModeApp setting, you enter the user account name and the AUMID for the app to run in kiosk mode.

Tip

Starting in Windows 10, version 1803, a ShellLauncher node has been added to the AssignedAccess CSP.

The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider.

To configure kiosk in Microsoft Intune

  1. In the Microsoft Azure portal, search for Intune or go to More services > Intune.
  2. Select Device configuration.
  3. Select Profiles.
  4. Select Create profile.
  5. Enter a friendly name for the profile.
  6. Select Windows 10 and later for the platform.
  7. Select Device restrictions for the profile type.
  8. Select Kiosk.
  9. In Kiosk Mode, select Single app kiosk.
  10. Enter the user account (Azure AD or a local standard user account).
  11. Enter the Application User Model ID for an installed app.
  12. Select OK, and then select Create.
  13. Assign the profile to a device group to configure the devices in that group as kiosks.

Sign out of assigned access

To exit the assigned access (kiosk) app, press Ctrl + Alt + Del, and then sign in using another account. When you press Ctrl + Alt + Del to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens Task Manager > Users and signs out the user account.

If you press Ctrl + Alt + Del and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI

To change the default time for assigned access to resume, add IdleTimeOut (DWORD) and enter the value data as milliseconds in hexadecimal.