Configure kiosks and digital signs on Windows desktop editions
Warning
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Applies to
- Windows 10
- Windows 11
Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use:
A single-app kiosk: Runs a single Universal Windows Platform (UWP) app in full screen above the lock screen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.
A single-app kiosk is ideal for public use. Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk doesn't run above the lock screen.
A multi-app kiosk: Runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.
Note
Currently, multi-app kiosk is only supported on Windows 10. It's not supported on Windows 11.
A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, specific policies are enforced that will affect all non-administrator users on the device.
Kiosk configurations are based on Assigned Access, a feature in Windows client that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user.
There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions.
Which type of app will your kiosk run?
Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For digital signage, select a digital sign player as your kiosk app. Check out the guidelines for kiosk apps.
Which type of kiosk do you need?
If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a Universal Windows Platform (UWP) app or a Windows desktop application. For a kiosk that people can sign in to with their accounts or that runs more than one app, choose a multi-app kiosk.
Which edition of Windows client will the kiosk run?
All of the configuration methods work for Windows client Enterprise and Education; some of the methods work for Windows Pro. Kiosk mode isn't available on Windows Home.
Which type of user account will be the kiosk account?
The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
Important
Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
Windows edition and licensing requirements
The following table lists the Windows editions that support Assigned Access (kiosk mode):
| Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education |
|---|---|---|---|
| Yes | Yes | Yes | Yes |
Assigned Access (kiosk mode) license entitlements are granted by the following licenses:
| Windows Pro/Pro Education/SE | Windows Enterprise E3 | Windows Enterprise E5 | Windows Education A3 | Windows Education A5 |
|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes |
For more information about Windows licensing, see Windows licensing overview.
Methods for a single-app kiosk running a UWP app
| You can use this method | For this edition | For this kiosk account type |
|---|---|---|
| Assigned access in Settings | Pro, Ent, Edu | Local standard user |
| Assigned access cmdlets | Pro, Ent, Edu | Local standard user |
| The kiosk wizard in Windows Configuration Designer | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Azure AD |
| Microsoft Intune or other mobile device management (MDM) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD |
| Shell Launcher v2 | Ent, Edu | Local standard user, Active Directory, Azure AD |
Methods for a single-app kiosk running a Windows desktop application
| You can use this method | For this edition | For this kiosk account type |
|---|---|---|
| The kiosk wizard in Windows Configuration Designer | Ent, Edu | Local standard user, Active Directory, Azure AD |
| Microsoft Intune or other mobile device management (MDM) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD |
| Shell Launcher v1 and v2 | Ent, Edu | Local standard user, Active Directory, Azure AD |
Methods for a multi-app kiosk
| You can use this method | For this edition | For this kiosk account type |
|---|---|---|
| XML in a provisioning package | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD |
| Microsoft Intune or other MDM | Pro, Ent, Edu | Local standard user, Azure AD |
| MDM WMI Bridge Provider | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD |
Summary of kiosk configuration methods
| Method | App type | Account type | Single-app kiosk | Multi-app kiosk |
|---|---|---|---|---|
| Assigned access in Settings | UWP | Local account | ✔️ | |
| Assigned access cmdlets | UWP | Local account | ✔️ | |
| The kiosk wizard in Windows Configuration Designer | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ | |
| XML in a provisioning package | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ | ✔️ |
| Microsoft Intune or other MDM for full-screen single-app kiosk or for multi-app kiosk with desktop | UWP, Windows desktop app | Local standard user, Azure AD | ✔️ | ✔️ |
| Shell Launcher | Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ | |
| MDM Bridge WMI Provider | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ |
Note
For devices running Windows client Enterprise and Education, you can also use Windows Defender Application Control or AppLocker to lock down a device to specific apps.
Feedback
Submit and view feedback for