Configure a restricted user experience (multi-app kiosk) with Assigned Access

Artikkeli
03/10/2025
Koskee seuraavia::

✅ Windows 11, ✅ Windows 10

An Assigned Access restricted user experience runs one or more apps from the desktop. People using the kiosk have a customized Start menu that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for shared devices.

To configure a restricted user experience with Assigned Access, you must create an XML configuration file with the settings for the desired experience. The XML file is applied to the device via the Assigned Access CSP, using one of the following options:

A Mobile Device Management (MDM) solution, like Microsoft Intune
Provisioning packages
PowerShell, with the MDM Bridge WMI Provider

To learn how to configure the Assigned Access XML file, see Create an Assigned Access configuration file.

The following instructions provide details about how to configure your devices. Select the option that best suits your needs.

You can configure devices using a custom policy with the AssignedAccess CSP.

Setting: ./Vendor/MSFT/AssignedAccess/Configuration
Value: content of the XML configuration file

Assign the policy to a group that contains as members the devices that you want to configure.

Configure your devices using PowerShell scripts via the MDM Bridge WMI Provider.

Important

For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.

To test the PowerShell script, you can:

Download the psexec tool
Open an elevated command prompt and run: psexec.exe -i -s powershell.exe
Run the script in the PowerShell session

$assignedAccessConfiguration = @"

# content of the XML configuration file

"@

$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) {
    Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
    Write-Error -ErrorRecord $cimSetError[0]

    $timeout = New-TimeSpan -Seconds 30
    $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
    do{
        $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
    } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available

    if($events.Count) {
        $events | ForEach-Object {
            Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
        }
    } else {
        Write-Warning "Timed-out attempting to retrieve event logs..."
    }

    Exit 1
}

Write-Output "Successfully applied Assigned Access configuration"

For more information, see Use PowerShell scripting with the WMI Bridge Provider.

Tip

For practical examples, see the Quickstart: Configure a restricted user experience with Assigned Access

User experience

To validate the kiosk configuration, sign in with the user account you specified in the configuration file.

The Assigned Access configuration takes effect the next time the targeted user signs in. If that user account is signed in when you apply the configuration, sign out and sign back in to validate the experience.

Autotrigger touch keyboard

The touch keyboard is automatically triggered when there's an input needed and no physical keyboard is attached on touch-enabled devices. You don't need to configure any other setting to enforce this behavior.

Tip

The touch keyboard is triggered only when tapping a textbox. Mouse clicks don't trigger the touch keyboard. If you're testing this feature, use a physical device instead of a virtual machine (VM), as the touch keyboard isn't triggered on VMs.

Sign out of assigned access

By default, to exit the kiosk experience, press Ctrl + Alt + Del. The kiosk app exits automatically. If you sign in again as the Assigned Access account, or wait for the sign in screen time-out, the kiosk app relaunches. The default time-out is 30 seconds, but you can change the time-out with the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI

To change the default time for Assigned Access to resume, add IdleTimeOut (DWORD) and enter the value data as milliseconds in hexadecimal.

Note

IdleTimeOut doesn't apply to the Microsoft Edge kiosk mode.

The Breakout Sequence of Ctrl + Alt + Del is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format modifiers + keys. An example breakout sequence is CTRL + ALT + A, where CTRL + ALT are the modifiers, and A is the key value. To learn more, see Create an Assigned Access configuration XML file.

Remove Assigned Access

Deleting the Assigned Access configuration removes the policy settings associated with the users, but it can't revert all the changes. For example, in a multi-app kiosk scenario the Start menu configuration is maintained.

To remove the Assigned Access configuration, unassign or delete the policy that contains the configuration.

$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = $null
Set-CimInstance -CimInstance $obj

Next steps

Review the recommendations before you deploy Assigned Access:

Assigned Access recommendations

Jaa