Set upward a multi-app kiosk on Windows ten devices

  • Commodity
  • 27 minutes to read

Applies to

  • Windows ten Pro, Enterprise, and Education

Note

Currently, multi-app kiosk is only supported on Windows 10. It'south non supported on Windows 11.

A kiosk device typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) was expanded to brand information technology easy for administrators to create kiosks that run more than i app. The benefit of a kiosk that runs but one or more than specified apps is to provide an easy-to-understand feel for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access.

The following table lists changes to multi-app kiosk in recent updates.

New features and improvements In update
- Configure a single-app kiosk profile in your XML file

- Assign grouping accounts to a config profile

- Configure an account to sign in automatically

 Windows 10, version 1803
- Explicitly allow some known folders when user opens file dialog box

- Automatically launch an app when the user signs in

- Configure a display proper noun for the autologon account

 Windows 10, version 1809

Important: To utilise features released in Windows 10, version 1809, make sure that your XML file references https://schemas.microsoft.com/AssignedAccess/201810/config.

Warning

The assigned access characteristic is intended for corporate-owned stock-still-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and volition impact other users on the device. Deleting the kiosk configuration volition remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Kickoff layout). A factory reset is needed to clear all the policies enforced via assigned admission.

You tin configure multi-app kiosks using Microsoft Intune or a provisioning package.

Configure a kiosk in Microsoft Intune

To configure a kiosk in Microsoft Intune, see:

  • Windows client and Windows Holographic for Business device settings to run as a defended kiosk using Intune
  • Windows client device settings to run as a kiosk in Intune

Configure a kiosk using a provisioning package

Process:

  1. Create XML file
  2. Add XML file to provisioning package
  3. Apply provisioning package to device

Watch how to use a provisioning packet to configure a multi-app kiosk.

If yous don't desire to employ a provisioning bundle, you lot tin can deploy the configuration XML file using mobile device management (MDM), or you can configure assigned admission using the MDM Bridge WMI Provider.

Prerequisites

  • Windows Configuration Designer (Windows 10, version 1709 or after)
  • The kiosk device must be running Windows 10 (Southward, Pro, Enterprise, or Teaching), version 1709 or after

Notation

For devices running versions of Windows 10 earlier than version 1709, you lot can create AppLocker rules to configure a multi-app kiosk.

Create XML file

Permit's start by looking at the basic structure of the XML file.

  • A configuration xml can ascertain multiple profiles. Each profile has a unique Id and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout.

  • A configuration xml tin accept multiple config sections. Each config section assembly a not-admin user account to a default contour Id.

  • Multiple config sections tin be associated to the same contour.

  • A profile has no upshot if it's non associated to a config section.

    profile = app and config = account.

You can commencement your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as filename.xml. Each section of this XML is explained in this topic. You tin come across a full sample version in the Assigned access XML reference.

                  <?xml version="ane.0" encoding="utf-viii" ?> <AssignedAccessConfiguration     xmlns="https://schemas.microsoft.com/AssignedAccess/2017/config"     xmlns:rs5="https://schemas.microsoft.com/AssignedAccess/201810/config"     >     <Profiles>         <Contour Id="">             <AllAppsList>                 <AllowedApps/>             </AllAppsList>             <StartLayout/>             <Taskbar/>         </Profile>     </Profiles>     <Configs>         <Config>             <Business relationship/>             <DefaultProfile Id=""/>         </Config>     </Configs> </AssignedAccessConfiguration>

Profile

There are two types of profiles that you can specify in the XML:

  • Lockdown profile: Users assigned a lockdown contour will see the desktop in tablet fashion with the specific apps on the Start screen.
  • Kiosk profile: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the AssignedAccess CSP. Users assigned a kiosk profile volition not see the desktop, but only the kiosk app running in full-screen mode.

A lockdown profile section in the XML has the post-obit entries:

  • Id

  • AllowedApps

  • FileExplorerNamespaceRestrictions

  • StartLayout

  • Taskbar

A kiosk profile in the XML has the following entries:

  • Id

  • KioskModeApp

Id

The profile Id is a GUID attribute to uniquely identify the contour. Yous tin create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.

                  <Profiles>   <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">…</Contour> </Profiles>
AllowedApps

AllowedApps is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows ten version 1809, you can configure a unmarried app in the AllowedApps list to run automatically when the assigned admission user account signs in.

  • For UWP apps, you lot need to provide the App User Model ID (AUMID). Acquire how to get the AUMID, or get the AUMID from the Start Layout XML.
  • For desktop apps, you need to specify the full path of the executable, which can contain one or more system environs variables in the form of %variableName% (i.east. %systemroot%, %windir%).
  • If an app has a dependency on another app, both must be included in the immune apps list. For example, Internet Explorer 64-fleck has a dependency on Internet Explorer 32-flake, so you lot must permit both "C:\Program Files\cyberspace explorer\iexplore.exe" and "C:\Program Files (x86)\Cyberspace Explorer\iexplore.exe".
  • To configure a single app to launch automatically when the user signs in, include rs5:AutoLaunch="truthful" after the AUMID or path. You can too include arguments to exist passed to the app. For an example, meet the AllowedApps sample XML.

When the multi-app kiosk configuration is applied to a device, AppLocker rules will exist generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for UWP apps:

  1. Default rule is to allow all users to launch the signed package apps.

  2. The packet app deny listing is generated at runtime when the assigned admission user signs in. Based on the installed/provisioned package apps bachelor for the user account, assigned admission generates the deny listing. This list volition exclude the default allowed inbox package apps which are critical for the system to role, and and so exclude the allowed packages that enterprises defined in the assigned admission configuration. If in that location are multiple apps within the same package, all these apps will be excluded. This deny list will be used to preclude the user from accessing the apps which are currently available for the user but not in the allowed list.

    Note

    You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in MMC snap-ins. Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration.

    Multi-app kiosk way doesn't cake the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not exist in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to permit it to run, update the assigned access configuration to include information technology in the immune app list.

Here are the predefined assigned access AppLocker rules for desktop apps:

  1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in guild for the arrangement to kicking and part. The rule too allows the admin user group to launch all desktop programs.
  2. There is a predefined inbox desktop app deny list for the assigned access user business relationship, and this deny list is adjusted based on the desktop app allow listing that you defined in the multi-app configuration.
  3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list.

The following example allows Groove Music, Movies & TV, Photos, Weather, Reckoner, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file chosen 123.text when the user signs in.

                    <AllAppsList>         <AllowedApps>           <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />           <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />           <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />           <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />           <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />           <App DesktopAppPath="%windir%\system32\mspaint.exe" />           <App DesktopAppPath="C:\Windows\System32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="123.txt">         </AllowedApps> </AllAppsList>
FileExplorerNamespaceRestrictions

Starting in Windows x version 1809, you tin explicitly allow some known folders to be accessed when the user tries to open up the file dialog box in multi-app assigned admission by including FileExplorerNamespaceRestrictions in your XML file. Currently, Downloads is the but binder supported. This can also exist fix using Microsoft Intune.

The following example shows how to let user access to the Downloads folder in the mutual file dialog box.

Tip

To grant admission to the Downloads folder through File Explorer, add "Explorer.exe" to the listing of allowed apps, and pin a file explorer shortcut to the kiosk start menu.

                    <?xml version="1.0" encoding="utf-8" ?> <AssignedAccessConfiguration     xmlns="https://schemas.microsoft.com/AssignedAccess/2017/config"     xmlns:rs5="https://schemas.microsoft.com/AssignedAccess/201810/config" >     <Profiles>         <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">             <AllAppsList>                 <AllowedApps>                     ...                 </AllowedApps>             </AllAppsList>             <rs5:FileExplorerNamespaceRestrictions>                 <rs5:AllowedNamespace Proper name="Downloads"/>             </rs5:FileExplorerNamespaceRestrictions>             <StartLayout>                 ...             </StartLayout>             <Taskbar ShowTaskbar="true"/>         </Profile>     </Profiles> </AssignedAccessConfiguration>

FileExplorerNamespaceRestriction has been extended in current Windows 10 Prerelease for finer granularity and easier utilize, see in the Assigned access XML reference. for full samples. The changes will let IT Admin to configure if user can admission Downloads folder, Removable drives, or no restriction at all by using certain new elements. Note that FileExplorerNamesapceRestrictions and AllowedNamespace:Downloads are bachelor in namespace https://schemas.microsoft.com/AssignedAccess/201810/config, AllowRemovableDrives and NoRestriction are defined in a new namespace https://schemas.microsoft.com/AssignedAccess/2020/config.

  • When FileExplorerNamespaceRestrictions node is not used, or used just left empty, user volition not be able to access any folder in common dialog (eastward.g. Salvage As in Microsoft Edge browser).
  • When Downloads is mentioned in allowed namespace, user volition be able to access Downloads folder.
  • When AllowRemovableDrives is used, user will be to admission removable drives.
  • When NoRestriction is used, no restriction will be applied to the dialog.
  • AllowRemovableDrives and AllowedNamespace:Downloads tin be used at the same time.
StartLayout

After you define the list of allowed applications, you lot tin can customize the Start layout for your kiosk feel. You tin choose to pin all the allowed apps on the First screen or just a subset, depending on whether you want the end user to directly access them on the Commencement screen.

The easiest way to create a customized Start layout to apply to other Windows client devices is to ready up the Beginning screen on a test device so export the layout. For detailed steps, encounter Customize and export Outset layout.

A few things to notation here:

  • The test device on which you customize the Commencement layout should have the same Os version that is installed on the device where yous plan to deploy the multi-app assigned access configuration.
  • Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the total Kickoff layout option instead of the partial Starting time layout.
  • In that location are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the <CustomTaskbarLayoutCollection> tag in a layout modification XML as role of the assigned access configuration.
  • The post-obit example uses DesktopApplicationLinkPath to pin the desktop app to start. When the desktop app doesn't have a shortcut link on the target device, learn how to provision .lnk files using Windows Configuration Designer.

This example pins Groove Music, Movies & TV, Photos, Conditions, Computer, Paint, and Notepad apps on Starting time.

                    <StartLayout>         <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="https://schemas.microsoft.com/Offset/2014/FullDefaultLayout" xmlns:start="https://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="httsp://schemas.microsoft.com/Beginning/2014/LayoutModification">                       <LayoutOptions StartTileGroupCellWidth="vi" />                       <DefaultLayoutOverride>                         <StartLayoutCollection>                           <defaultlayout:StartLayout GroupCellWidth="6">                             <beginning:Group Name="Group1">                               <first:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />                               <kickoff:Tile Size="2x2" Cavalcade="four" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />                               <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />                               <commencement:Tile Size="2x2" Column="4" Row="four" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />                               <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />                             </start:Group>                             <get-go:Group Name="Group2">                               <start:DesktopApplicationTile Size="2x2" Column="two" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Commencement Menu\Programs\Accessories\Paint.lnk" />                               <kickoff:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Showtime Carte du jour\Programs\Accessories\Notepad.lnk" />                             </get-go:Group>                           </defaultlayout:StartLayout>                         </StartLayoutCollection>                       </DefaultLayoutOverride>                     </LayoutModificationTemplate>                 ]]> </StartLayout>

Note

If an app isn't installed for the user, only is included in the Start layout XML, the app isn't shown on the First screen.

What the Start screen looks like when the XML sample is applied.

Taskbar

Define whether you want to have the taskbar nowadays in the kiosk device. For tablet-based or affect-enabled all-in-one kiosks, when you don't attach a keyboard and mouse, y'all can hibernate the taskbar every bit function of the multi-app experience if you want.

The following example exposes the taskbar to the end user:

                    <Taskbar ShowTaskbar="true"/>

The following example hides the taskbar:

                    <Taskbar ShowTaskbar="false"/>

Note

This is different from the Automatically hide the taskbar option in tablet style, which shows the taskbar when swiping up from or moving the mouse arrow down to the bottom of the screen. Setting ShowTaskbar as false volition always keep the taskbar hidden.

KioskModeApp

KioskModeApp is used for a kiosk profile only. Enter the AUMID for a single app. You tin only specify i kiosk profile in the XML.

                    <KioskModeApp AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"/>

Of import

The kiosk profile is designed for public-facing kiosk devices. We recommend that you apply a local, non-ambassador account. If the device is connected to your visitor network, using a domain or Azure Active Directory account could potentially compromise confidential information.

Configs

Under Configs, define which user account will exist associated with the profile. When this user account signs in on the device, the associated assigned access profile volition exist enforced, including the allowed apps, Start layout, and taskbar configuration, besides every bit other local group policies or mobile device management (MDM) policies set as office of the multi-app experience.

The full multi-app assigned access feel can but work for non-admin users. It's not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in.

You tin can assign:

  • A local standard user account that signs in automatically (Applies to Windows x, version 1803 only)
  • An individual account, which can be local, domain, or Azure Active Directory (Azure AD)
  • A grouping account, which can exist local, Active Directory (domain), or Azure Ad (Applies to Windows 10, version 1803 merely).

Annotation

Configs that specify group accounts cannot utilise a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP volition reject the request.

Config for AutoLogon Account

When you use <AutoLogonAccount> and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically later restart.

The post-obit example shows how to specify an account to sign in automatically.

                    <Configs>   <Config>     <AutoLogonAccount/>     <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>   </Config> </Configs>

Starting with Windows 10 version 1809, you can configure the brandish proper name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "How-do-you-do World".

                    <Configs>   <Config>     <AutoLogonAccount rs5:DisplayName="Hullo World"/>     <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>   </Config> </Configs>

On domain-joined devices, local user accounts aren't shown on the sign-in screen past default. To show the AutoLogonAccount on the sign-in screen, enable the post-obit Grouping Policy setting: Estimator Configuration > Authoritative Templates > Arrangement > Logon > Enumerate local users on domain-joined computers. (The corresponding MDM policy setting is WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP.)

Important

When Exchange Active Sync (EAS) countersign restrictions are active on the device, the autologon characteristic does not work. This behavior is by blueprint. For more informations, come across How to turn on automatic logon in Windows.

Config for individual accounts

Private accounts are specified using <Account>.

  • Local business relationship can be entered equally machinename\account or .\account or merely account.
  • Domain account should be entered equally domain\business relationship.
  • Azure AD business relationship must be specified in this format: AzureAD\{electronic mail address}. AzureAD must exist provided As IS (consider information technology's a stock-still domain name), then follow with the Azure Advertising electronic mail address, eastward.g. AzureAD\someone@contoso.onmicrosoft.com.

Alarm

Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local business relationship. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resource that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do and so.

Earlier applying the multi-app configuration, brand sure the specified user business relationship is available on the device, otherwise it will fail.

Note

For both domain and Azure AD accounts, it's non required that target account is explicitly added to the device. As long as the device is Advertizement-joined or Azure Advertisement-joined, the business relationship can be discovered in the domain woods or tenant that the device is joined to. For local accounts, it is required that the account exist before y'all configure the account for assigned access.

                    <Configs>   <Config>     <Account>MultiAppKioskUser</Account>     <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>   </Config> </Configs>
Config for group accounts

Group accounts are specified using <UserGroup>. Nested groups are non supported. For example, if user A is fellow member of Group ane, Grouping i is member of Group 2, and Group 2 is used in <Config/>, user A volition not have the kiosk feel.

  • Local group: Specify the grouping type equally LocalGroup and put the group name in Name attribute. Any Azure Advertising accounts that are added to the local group will not have the kiosk settings applied.

                            <Config>   <UserGroup Type="LocalGroup" Proper name="mygroup" />   <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> </Config>

  • Domain group: Both security and distribution groups are supported. Specify the group type as ActiveDirectoryGroup. Apply the domain name equally the prefix in the name aspect.

                            <Config>   <UserGroup Type="ActiveDirectoryGroup" Name="mydomain\mygroup" />   <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> </Config>

  • Azure Advertisement grouping: Employ the group object ID from the Azure portal to uniquely identify the group in the Name attribute. Yous can observe the object ID on the overview folio for the group in Users and groups > All groups. Specify the group type every bit AzureActiveDirectoryGroup. The kiosk device must have internet connectivity when users that vest to the grouping sign in.

                            <Config>   <UserGroup Type="AzureActiveDirectoryGroup" Proper name="a8d36e43-4180-4ac5-a627-fb8149bba1ac" />   <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> </Config>

    Note

    If an Azure Advertizement group is configured with a lockdown profile on a device, a user in the Azure AD group must change their password (afterward the business relationship has been created with default countersign on the portal) before they can sign in to this device. If the user uses the default countersign to sign in to the device, the user will be immediately signed out.

[Preview] Global Profile

Global profile is added in Windows 10. There are times when It Admin wants to everyone who logging into a specific devices are assigned access users, even there is no dedicated profile for that user, or there are times that Assigned Access could not identify a contour for the user and a fallback profile is wished to use. Global Contour is designed for these scenarios.

Usage is demonstrated below, by using the new xml namespace and specify GlobalProfile from that namespace. When GlobalProfile is configured, a non-admin account logs in, if this user does not have designated contour in Assigned Access, or Assigned Access fails to determine a profile for electric current user, global contour volition be applied for the user.

Note:

  1. GlobalProfile can but be multi-app profile
  2. Just ane GlobalProfile tin be used in ane AssignedAccess Configuration Xml
  3. GlobalProfile tin exist used as the only config, or information technology can be used among with regular user or grouping Config.
                      <?xml version="1.0" encoding="utf-viii" ?> <AssignedAccessConfiguration     xmlns="https://schemas.microsoft.com/AssignedAccess/2017/config"     xmlns:v2="https://schemas.microsoft.com/AssignedAccess/201810/config"     xmlns:v3="https://schemas.microsoft.com/AssignedAccess/2020/config" >     <Profiles>         <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">             <AllAppsList>                 <AllowedApps>                     <App AppUserModelId="Microsoft.Microsoft3DViewer_8wekyb3d8bbwe!Microsoft.Microsoft3DViewer" v2:AutoLaunch="true" v2:AutoLaunchArguments="123"/>                     <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />                     <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />                     <App DesktopAppPath="%SystemRoot%\system32\notepad.exe" />                 </AllowedApps>             </AllAppsList>             <StartLayout>                 <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="https://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:starting time="https://schemas.microsoft.com/Kickoff/2014/StartLayout" Version="1" xmlns="https://schemas.microsoft.com/Start/2014/LayoutModification">                       <LayoutOptions StartTileGroupCellWidth="6" />                       <DefaultLayoutOverride>                         <StartLayoutCollection>                           <defaultlayout:StartLayout GroupCellWidth="six">                             <start:Group Name="Life at a glance">                               <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowsLive.calendar" />                               <commencement:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsStore_8wekyb3d8bbwe!App" />                               <!-- A link file is required for desktop applications to show on start layout, the link file can be placed nether                                    "%AllUsersProfile%\Microsoft\Windows\Starting time Menu\Programs" if the link file is shared for all users or                                    "%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only                                     encounter certificate https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop                               -->                               <!-- for inbox desktop applications, a link file might already exist and tin be used straight -->                               <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\pigment.lnk" />                               <!-- for 3rd party desktop application, place the link file under appropriate folder -->                               <commencement:DesktopApplicationTile Size="2x2" Column="iv" Row="0" DesktopApplicationLinkPath="%AppData%\Microsoft\Windows\Showtime Card\Programs\MyLOB.lnk" />                             </start:Group>                           </defaultlayout:StartLayout>                         </StartLayoutCollection>                       </DefaultLayoutOverride>                     </LayoutModificationTemplate>                 ]]>             </StartLayout>             <Taskbar ShowTaskbar="true"/>         </Profile>     </Profiles>     <Configs>         <v3:GlobalProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>     </Configs> </AssignedAccessConfiguration>

Add together XML file to provisioning package

Before you add the XML file to a provisioning package, you tin can validate your configuration XML against the XSD.

Use the Windows Configuration Designer tool to create a provisioning package. Larn how to install Windows Configuration Designer.

Of import

When you lot build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you take the option to encrypt the .ppkg file, projection files are not encrypted. Yous should shop the projection files in a secure location and delete the project files when they are no longer needed.

  1. Open Windows Configuration Designer (by default, %systemdrive%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).

  2. Choose Advanced provisioning.

  3. Name your project, and click Side by side.

  4. Cull All Windows desktop editions and click Next.

  5. On New project, click Finish. The workspace for your packet opens.

  6. Expand Runtime settings > AssignedAccess > MultiAppAssignedAccessSettings.

  7. In the center pane, click Browse to locate and select the assigned admission configuration XML file that you created.

    Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer.

  8. (Optional: If yous desire to employ the provisioning bundle afterwards device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in Runtime settings > Accounts > Users. Provide a UserName and Password, and select UserGroup as Administrators. With this account, you can view the provisioning status and logs if needed.

  9. (Optional: If you already have a non-admin account on the kiosk device, skip this footstep.) Create a local standard user account in Runtime settings > Accounts > Users. Make sure the UserName is the same as the business relationship that you specify in the configuration XML. Select UserGroup as Standard Users.

  10. On the File menu, select Salve.

  11. On the Export bill of fare, select Provisioning bundle.

  12. Change Owner to IT Admin, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select Adjacent.

  13. Optional. In the Provisioning parcel security window, you tin choose to encrypt the package and enable package signing.

    • Enable bundle encryption - If you select this selection, an motorcar-generated countersign volition be shown on the screen.

    • Enable package signing - If you select this option, you must select a valid certificate to employ for signing the package. You can specify the certificate by clicking Browse and choosing the document you want to utilise to sign the package.

  14. Click Side by side to specify the output location where yous want the provisioning bundle to become when it's congenital. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.

    Optionally, you lot can click Browse to alter the default output location.

  15. Click Next.

  16. Click Build to start edifice the package. The provisioning package doesn't have long to build. The project information is displayed in the build page and the progress bar indicates the build status.

    If you need to cancel the build, click Abolish. This cancels the current build process, closes the wizard, and takes you dorsum to the Customizations Folio.

  17. If your build fails, an error message volition show up that includes a link to the project folder. Y'all can browse the logs to determine what caused the error. One time you lot fix the outcome, endeavor building the bundle once again.

    If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.

    • If y'all choose, you can build the provisioning bundle again and pick a different path for the output package. To practice this, click Back to change the output package name and path, and and so click Next to start another build.
    • If y'all are done, click Terminate to shut the sorcerer and go dorsum to the Customizations Page.

  18. Re-create the provisioning package to the root directory of a USB drive.

Employ provisioning bundle to device

Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").

Tip

In addition to the methods beneath, you lot can utilize the PowerShell comdlet install-provisioningpackage with -LogsDirectoryPath to get logs for the operation.

During initial setup, from a USB drive

  1. Start with a computer on the showtime-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to Settings > Update & security > Recovery > Reset this PC.

    The first screen to set up a new PC.

  2. Insert the USB bulldoze. Windows Setup volition recognize the drive and inquire if you desire to ready the device. Select Fix.

    Set up device?

  3. The next screen asks you to select a provisioning source. Select Removable Media and tap Next.

    Provision this device.

  4. Select the provisioning package (*.ppkg) that yous desire to utilize, and tap Next.

    Choose a package.

  5. Select Yes, add it.

    Do you trust this package?

After setup, from a USB drive, network folder, or SharePoint site

  1. Sign in with an admin account.
  2. Insert the USB drive to a desktop reckoner, navigate to Settings > Accounts > Admission piece of work or school > Add or remove a provisioning package > Add a package, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning packet and double-click it to begin installation.

Note

if your provisioning package doesn't include the assigned admission user business relationship creation, make certain the account you lot specified in the multi-app configuration XML exists on the device.

add a package option.

Use MDM to deploy the multi-app configuration

Multi-app kiosk mode is enabled past the AssignedAccess configuration service provider (CSP). Your MDM policy can contain the assigned access configuration XML.

If your device is enrolled with a MDM server which supports applying the assigned admission configuration, you can use it to apply the setting remotely.

The OMA-URI for multi-app policy is ./Device/Vendor/MSFT/AssignedAccess/Configuration.

Considerations for Windows Mixed Reality immersive headsets

With the appearance of mixed reality devices (video link), yous might want to create a kiosk that tin run mixed reality apps.

To create a multi-app kiosk that can run mixed reality apps, yous must include the following apps in the AllowedApps listing:

                        <App AppUserModelId="MixedRealityLearning_cw5n1h2txyewy!MixedRealityLearning" /> <App AppUserModelId="HoloShell_cw5n1h2txyewy!HoloShell" /> <App AppUserModelId="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy!App" /> <App AppUserModelId="Microsoft.MixedReality.Portal_8wekyb3d8bbwe!App" />

These are in addition to any mixed reality apps that you allow.

Before your kiosk user signs in: An admin user must sign in to the PC, connect a mixed reality device, and consummate the guided setup for the Mixed Reality Portal. The starting time time that the Mixed Reality Portal is set up, some files and content are downloaded. A kiosk user would non have permissions to download and so their setup of the Mixed Reality Portal would fail.

Afterwards the admin has completed setup, the kiosk account can sign in and repeat the setup. The admin user may want to consummate the kiosk user setup earlier providing the PC to employees or customers.

There is a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the Mixed Reality abode. The Mixed Reality home is a beat that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they will run across only a blank brandish in the device, and volition not take access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Outset screen.

Policies set by multi-app kiosk configuration

Information technology is not recommended to set policies enforced in assigned admission multi-app mode to different values using other channels, as the multi-app way has been optimized to provide a locked-downwardly experience.

When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and volition bear upon other users on the device.

Group Policy

The following local policies affect all non-administrator users on the system, regardless whether the user is configured equally an assigned access user or not. This includes local users, domain users, and Azure Active Directory users.

Setting Value
Remove access to the context menus for the chore bar Enabled
Clear history of recently opened documents on exit Enabled
Foreclose users from customizing their Start Screen Enabled
Prevent users from uninstalling applications from Commencement Enabled
Remove All Programs list from the Get-go menu Enabled
Remove Run bill of fare from Start Bill of fare Enabled
Disable showing balloon notifications as toast Enabled
Do non let pinning items in Bound Lists Enabled
Practise non let pinning programs to the Taskbar Enabled
Do non brandish or track items in Jump Lists from remote locations Enabled
Remove Notifications and Activeness Centre Enabled
Lock all taskbar settings Enabled
Lock the Taskbar Enabled
Foreclose users from adding or removing toolbars Enabled
Prevent users from resizing the taskbar Enabled
Remove frequent programs listing from the Outset Menu Enabled
Remove 'Map Network Drive' and 'Disconnect Network Bulldoze' Enabled
Remove the Security and Maintenance icon Enabled
Turn off all balloon notifications Enabled
Plough off feature advertizing airship notifications Enabled
Turn off toast notifications Enabled
Remove Job Manager Enabled
Remove Alter Password choice in Security Options UI Enabled
Remove Sign Out option in Security Options UI Enabled
Remove All Programs listing from the Start Carte Enabled – Remove and disable setting
Forestall admission to drives from My Computer Enabled - Restrict all drivers

Note

When Prevent access to drives from My Calculator is enabled, users can scan the directory structure in File Explorer, simply they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. The icons representing the specified drives however appear in File Explorer, but if users double-click the icons, a bulletin appears explaining that a setting prevents the action. This setting does not forbid users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and alter bulldoze characteristics.

MDM policy

Some of the MDM policies based on the Policy configuration service provider (CSP) bear upon all users on the system (i.due east. system-wide).

Setting Value Organization-wide
Experience/AllowCortana 0 - Not allowed Yes
Start/AllowPinnedFolderDocuments 0 - Shortcut is hidden and disables the setting in the Settings app Yes
Start/AllowPinnedFolderDownloads 0 - Shortcut is hidden and disables the setting in the Settings app Yes
First/AllowPinnedFolderFileExplorer 0 - Shortcut is hidden and disables the setting in the Settings app Yes
Beginning/AllowPinnedFolderHomeGroup 0 - Shortcut is hidden and disables the setting in the Settings app Yes
Showtime/AllowPinnedFolderMusic 0 - Shortcut is hidden and disables the setting in the Settings app Yes
Start/AllowPinnedFolderNetwork 0 - Shortcut is hidden and disables the setting in the Settings app Yes
Commencement/AllowPinnedFolderPersonalFolder 0 - Shortcut is hidden and disables the setting in the Settings app Yes
Start/AllowPinnedFolderPictures 0 - Shortcut is hidden and disables the setting in the Settings app Yep
Start/AllowPinnedFolderSettings 0 - Shortcut is hidden and disables the setting in the Settings app Yes
Start/AllowPinnedFolderVideos 0 - Shortcut is hidden and disables the setting in the Settings app Yes
Showtime/DisableContextMenus one - Context menus are hidden for Start apps No
Outset/HidePeopleBar 1 - Truthful (hide) No
Beginning/HideChangeAccountSettings 1 - True (hide) Yes
WindowsInkWorkspace/AllowWindowsInkWorkspace 0 - Admission to ink workspace is disabled and the characteristic is turned off Yes
Offset/StartLayout Configuration dependent No
WindowsLogon/DontDisplayNetworkSelectionUI <Enabled/> Yeah

Provision .lnk files using Windows Configuration Designer

First, create your desktop app's shortcut file past installing the app on a test device, using the default installation location. Right-click the installed awarding, and choose Send to > Desktop (create shortcut). Rename the shortcut to <appName>.lnk

Next, create a batch file with ii commands. If the desktop app is already installed on the target device, skip the first command for MSI install.

                          msiexec /I "<appName>.msi" /qn /norestart re-create <appName>.lnk "%AllUsersProfile%\Microsoft\Windows\Start Card\Programs\<appName>.lnk"

In Windows Configuration Designer, nether ProvisioningCommands > DeviceContext:

  • Nether CommandFiles, upload your batch file, your .lnk file, and your desktop app installation file.

    Important

    Paste the full file path to the .lnk file in the CommandFiles field. If you lot browse to and select the .lnk file, the file path will be inverse to the path of the target of the .lnk.

  • Under CommandLine, enter cmd /c *FileName*.bat.

Other methods

Environments that use WMI can apply the MDM Bridge WMI Provider to configure a kiosk.