Set up HoloLens as a kiosk

• Applies to:

  HoloLens (1st gen), HoloLens 2

What is Kiosk mode?

Kiosk mode is a feature where you can control which applications are shown in start menu when a user signs-in to HoloLens. There are 2 supported scenarios:

1. Single app kiosk mode – No start menu is displayed, and a single app is launched automatically, when user signs in.

   Example uses: A device that runs only Dynamics 365 Guides app.

2. Multiple app kiosk mode – Start menu shows only those applications, which were specified in kiosk configuration when a user signs in. An app can be chosen to automatically launch if desired.

   Example uses: A device that shows only the Store app, Feedback Hub and Settings app in start menu.

   
   

Description of kiosk mode experience when a user signs-in

The following table lists the feature capabilities in the different kiosk modes.

	Start menu	Quick Actions menu	Camera and video	Miracast	Cortana	Built-in voice commands
Single-app kiosk	Disabled	Disabled	Disabled	Disabled	Disabled	Enabled*
Multi-app kiosk	Enabled	Enabled*	Available*	Available*	Available*	Enabled*

* For more information about how to enable disabled features, or how voice commands interact with disabled features and Cortana see HoloLens AUMIDs for apps.

Key general considerations before configuring kiosk mode

1. Determine the kind of user account signing into HoloLens in your environment - HoloLens supports Azure Active Directory (Azure AD) accounts, Microsoft Accounts (MSA) and Local accounts. Additionally, temporarily created accounts called guests / visitors are also supported (only for Azure AD join devices). Learn more at Manage user identity and sign-in for HoloLens.

2. Determine the targets of kiosk mode experience – Whether it is everyone, a single user, certain users, or users who are member of Azure AD group(s), etc.

3. For multiple app kiosk mode, determine application(s) to show on start menu. For each application, its Application User Model ID (AUMID) will be needed.

4. Determine if kiosk mode will be applied to HoloLens via either runtime provisioning packages or Mobile Device Management (MDM) server.

Security considerations

Kiosk mode should not be considered as a security method but as a means to control the start-up experience on user sign-in. You may combine kiosk mode experience with options mentioned below if there are specific security related needs:

• When Settings app is configured to show in kiosk mode and you want to control which pages are shown in Settings app, refer to Page Settings Visibility.

• When you want to control access to certain hardware capabilities, for example, camera, Bluetooth, etc. for certain apps, etc. refer to Policies in Policy CSP supported by HoloLens 2 - Windows Client Management. You can review our Common device restrictions for ideas.

• Kiosk mode doesn't block an app (configured as part of kiosk experience) from launching other apps. When you want to completely block launching of certain apps / processes on HoloLens, refer to Use Windows Defender Application Control on HoloLens 2 devices in Microsoft Intune - Azure.

Key technical considerations for Kiosk mode for HoloLens

Applies only if you're planning to use runtime provisioning packages or creating kiosk configurations manually yourself. Kiosk mode configuration uses a hierarchical structure based on XML:

• An assigned access profile defines which applications are displayed in start menu in kiosk mode. You can define multiple profiles in same XML structure, which can be referenced later.

• An assigned access configuration references a profile and target user(s) of that profile, for example, a specific user, or Azure AD group or visitor, etc. You can define multiple configurations in same XML structure depending on complexity of your usage scenarios (see supported scenarios section below).

• To learn more, refer to AssignedAccess CSP.

Supported scenarios for kiosk mode based on identity type

See reference links for examples based on your scenario and update as needed before copy-pasting.

Note

Use XML only if not using Intune's UI to create kiosk configuration.

For users who sign-in as either Local account or MSA

Desired kiosk experience	Recommended kiosk configuration	Ways to configure	Remarks
Every user who signs in gets kiosk experience.	Configure multiple app Global Assigned Access profile	• Microsoft Intune custom template • Runtime provisioning - Multi app	Global assigned access requires 20H2 and newer builds
Specific user who signs in gets kiosk experience.	Configure single or multiple app assigned access profile (as required) specifying name of specific user.	See supported options below.	For single app kiosk mode, only local user account or MSA account is supported on HoloLens. For multiple app kiosk mode, only MSA account or Azure AD account is supported on HoloLens.

For users who sign-in as Azure AD account

Desired kiosk experience	Recommended kiosk configuration	Ways to configure	Remarks
Every user who signs in gets kiosk experience.	Configure multiple app Global Assigned Access profile	• Microsoft Intune custom template • Runtime provisioning - Multi app	Global assigned access requires 20H2 and newer builds
Every user who signs in gets kiosk experience except certain users.	Configure multiple app Global Assigned Access profile by excluding certain users (who must be device owners).	• Microsoft Intune custom template • Runtime provisioning - Multi app	Global assigned access requires 20H2 and newer builds
Every Azure AD user gets separate kiosk experience specific for that user.	Configure assigned access configuration for each user specifying their Azure AD account name.	• Microsoft Intune custom template • Runtime provisioning - Multi app	• For optimal experience with Azure AD during sign-in, the recommendation is to use AADGroupMembershipCacheValidityInDayspolicy.
Only specific Azure AD user is used to automatically sign into HoloLens and experience kiosk targeted for that Azure AD user.	Specify kiosk for Azure AD user using either Multiple app assigned access profile for one Azure AD account for one app or [HoloLens kiosk reference information] per your requirements. Specify that user's email address in MixedReality/AutoLogonUser policy.	• Microsoft Intune custom template • Runtime provisioning - Multi app	You may choose to have only one AAD user sign-in. Once the user has signed in once the device will continue to sign them in automatically and never sign-out.
Users in different Azure AD groups experience kiosk mode that is for their group only.	Configure assigned access configuration for each desired Azure AD group.	• Microsoft Intune custom template • Runtime provisioning - Multi app	• When a user signs-in and HoloLens is connected with Internet, if that user is found to be a member of Azure AD group for which kiosk configuration exists, user gets to experience kiosk for that Azure AD group. • If there is no internet available when user sign-in, then user will experience HoloLens failure mode behavior. • If internet availability is not guaranteed when user signs-in and Azure AD group based kiosk needs to be used, consider using AADGroupMembershipCacheValidityInDayspolicy. • For optimal experience with Azure AD groups during sign-in, recommendation is to use AADGroupMembershipCacheValidityInDayspolicy
Users who need to use HoloLens for temporary purposes get kiosk experience.	Configure assigned access configuration for visitors	• Microsoft Intune custom template • Runtime provisioning - Single app	• Temporary user account is automatically created by HoloLens on sign-in and is removed when temporary user signs out. • Consider enabling visitor auto-login policy.

Steps in configuring kiosk mode for HoloLens

Kiosk configurations can be created and applied in following ways:

1. With MDM server's UI, e.g., Intune's kiosk templates or it custom OMA-URI configurations, which are then remotely applied to HoloLens.
2. With runtime provisioning packages, which are then directly applied to HoloLens.

Here are the following ways to configure, select the tab matching the process you'd like to use.

1. Microsoft Intune single app kiosk template
2. Microsoft Intune multi app kiosk template
3. Microsoft Intune custom template
4. Runtime provisioning - Multi app
5. Runtime provisioning - Single app

Microsoft Intune single app kiosk template

Microsoft Intune single app kiosk template

1. Create a configuration profile.

   

2. Choose kiosk template.

   

3. Choose whether single app or multiple app kiosk and also choose kind of user targeting for kiosk mode.

   

4. Choose the app to run in kiosk mode.

   

5. Leave rest of the options as is.

   

6. Choose which groups / devices or users this configuration profile should get assigned to.

   

7. Review and create to save configuration profile.

8. Perform MDM sync starting from either device or Intune to apply configuration to device. Sync devices from Intune or on device via Settings > Accounts > Work or school > select the connected account > Info > Sync.

9. Sign in as the target user to experience kiosk.

Microsoft Intune multi app kiosk template

Microsoft Intune multi app kiosk template

1. Create a configuration profile.

   

2. Choose kiosk template.

   

3. Choose whether single app or multiple app kiosk and also choose kind of user targeting for kiosk mode.

   

4. Choose the app(s) to run in kiosk mode.

   

5. Leave rest of the options as is.

   

6. Choose which groups / devices or users this configuration profile should get assigned to.

   

7. Review and create to save configuration profile.

8. Perform MDM sync starting from either device or Intune to apply configuration to device. Sync devices from Intune or on device via Settings > Accounts > Work or school > select the connected account > Info > Sync.

9. Sign in as the target user to experience kiosk.

Microsoft Intune custom template

Microsoft Intune custom template

1. Create xml configuration for your desired kiosk experience. See examples here to begin.

2. Create a custom configuration profile.

   

3. Specify name of custom configuration profile and click on “Add” in “Configuration settings” section to add OMA-URI settings.

   

4. Specify name of OMA-URI settings.

   1. In OMA-URI textbox, enter ./Device/Vendor/MSFT/AssignedAccess/Configuration

   2. Choose Data type as String.

   3. In value textbox, copy-paste the assigned access configuration xml (see reference links for examples based on your scenario and update as needed before copy-pasting).

   4. Select the save button to save the setting and configuration.

      

5. Choose which groups / devices or users this configuration profile should get assigned to.

   

6. Review and create to save configuration profile.

7. Perform MDM sync starting from either device or Intune to apply configuration to device. Sync devices from Intune or on device via Settings > Accounts > Work or school > select the connected account > Info > Sync

8. Sign in as the target user to experience kiosk.

Runtime provisioning - Multi app

Runtime provisioning - Multi app

1. Create xml configuration for your desired kiosk experience. See examples here to begin.

2. Open Windows Configuration Designer.

3. On the Start page select Provision HoloLens devices.

   

4. Select Provision HoloLens 2 devices, then select next.

   

5. Name your project. Optionally write a description. Select Finish to proceed.

6. In the bottom left of the screen, select Switch to advanced editor. Confirm switching to the advanced editor by selecting Yes.

   

7. On the left hand side, expand Runtime settings, AssignedAccess and select MultiAppAssignedAccess.

   

8. Select the Browse… button to open the file explorer. And select the your configured Kiosk xml file.

9. Select Export , then Provisioning Package.

   

10. Change owner type to IT Admin.

    

11. Select Next three times. Then select Build.

12. After your provisioning package builds, open the Output location folder. The .ppkg file is your provision package. Optional step: Save your project.

13. Now you can apply your provisioning package. You can either apply a provisioning package to HoloLens during setup or apply a provisioning package to HoloLens after setup.

14. Sign in as the target user to experience kiosk.

Runtime provisioning - Single app

Runtime provisioning - Single app

1. Open Windows Configuration Designer.

2. On the Start page select Provision HoloLens devices.

   

3. Select Provision HoloLens 2 devices, then select next.

   

4. Name your project. Optionally write a description. Select Finish to proceed.

5. In the bottom left of the screen, select Switch to advanced editor. Confirm switching to the advanced editor by selecting Yes.

   

6. On the left hand side, expand Runtime settings, AssignedAccess and select AssignedAccessSettings.

   

7. Define your kiosk in the text box. For example, the following creates a single app kiosk for a local account named LocalAccount that is the settings app. {"Account":"LocalAccount","AUMID":"BAEAEF15-9BAB-47FC-800B-ACECAD2AE94B_cw5n1h2txyewy!App"}

8. Select Export , then Provisioning Package.

   

9. Change owner type to IT Admin.

   

10. Select Next three times. Then select Build.

11. After your provisioning package builds, open the Output location folder. The .ppkg file is your provision package. Optional step: Save your project.

12. Now you can apply your provisioning package. You can either apply a provisioning package to HoloLens during setup or apply a provisioning package to HoloLens after setup.

Frequently Asked Questions

How can visitor accounts automatically log on to kiosk experience?

• Available on builds Windows Holographic, version 21H1 and onwards, Azure AD and Non-Azure AD configurations both support visitor accounts being autologon enabled for Kiosk modes.

By default devices configured for kiosk mode with visitor accounts will have a button on the sign-in screen that will log on a visitor with a single tap. Once logged on, the device will not show the sign-in screen again until the visitor is explicitly signed out from the start menu or the device is restarted. However sometimes you may want to set up the device such that the sign-in screen is never shown and for the device to automatically log on using a visitor account to the kiosk experience. To do this, configure the MixedReality/VisitorAutoLogon policy.

A device configured to automatically log on using a visitor account will not have on-device UI to exit this mode. To ensure that a device isn't accidentally locked out, this policy requires that no other user accounts are present on the device. As a result, this policy must be applied during device setup either by using a provisioning package or by MDM using Autopilot.

Autologon with MDM

Autologon with MDM

Visitor Auto logon can be managed via custom OMA-URI policy.

• URI value: ./Device/Vendor/MSFT/Policy/Config/MixedReality/VisitorAutoLogon

Policy	Description	Configurations
MixedReality/VisitorAutoLogon	Allows for a Visitor to Auto logon to a Kiosk.	1 (Yes), 0 (No, default.)

For details, see the Policy CSP page for MixedReality/VisitorAutoLogon.

Provisioning Package

Provisioning Package

1. Create a provisioning package that:
   1. Configures Runtime settings/Policies/MixedReality/VisitorAutoLogon to allow Visitor accounts.
   2. Optionally enrolls the device in MDM (Runtime settings/Workplace/Enrollments) so that it can be managed later.
   3. Do not create a local account
2. Apply the provisioning package.

Is kiosk experience supported on HoloLens (1st gen)?

Kiosk mode is available only if the device has Windows Holographic for Business. All HoloLens 2 devices ship with Windows Holographic for Business and there are no other editions. Every HoloLens 2 device is able to run Kiosk mode out of the box.

HoloLens (1st gen) devices need to be upgraded both in terms of OS build and OS edition. Here is more information on updating a HoloLens (1st gen) to Windows Holographic for Business edition. To update a HoloLens (1st gen) device to use kiosk mode, you must first make sure that the device runs Windows 10, version 1803, or a later version. If you have used the Windows Device Recovery Tool to recover your HoloLens (1st gen) device to its default build, or if you have installed the most recent updates, your device is ready to configure.

How to use device portal to configure kiosk in non-production environments?

Set up the HoloLens device to use the Windows Device Portal. The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.

Caution

When you set up HoloLens to use the Device Portal, you have to enable Developer Mode on the device. Developer Mode on a device that has Windows Holographic for Business enables you to side-load apps. However, this setting creates a risk that a user can install apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable Developer Mode by using the ApplicationManagement/AllowDeveloper Unlock setting in the Policy CSP. Learn more about Developer Mode.

Kiosk Mode can be set via Device Portal’s REST API by doing a POST to /api/holographic/kioskmode/settings with one required query string parameter (“kioskModeEnabled” with a value of “true” or “false”) and one optional parameter (“startupApp” with a value of a package name). Keep in mind that Device Portal is intended for developers only and should not be enabled on non-developer devices. The REST API is subject to change in future updates/releases.

Troubleshooting & Updates

• Update - Single app kiosk policy for launching other apps
• Issue - No apps are shown in start menu in kiosk mode
• Issue - Building a package with kiosk mode failed
• Issue – Provisioning package built successfully but failed to apply
• Issue – Multiple app assigned access to Azure AD group does not work

Update - Single app kiosk policy for launching other apps

• Added in Windows Holographic, version 22H1

Introduced a new MDM policy MixedReality\AllowLaunchUriInSingleAppKiosk. This can be enabled to allow for other apps to be launched with in a single app Kiosk, which may be useful, for example, if you want to launch the Settings app to calibrate your device or change your Wi-fi.

By default, launching applications via Launcher API (Launcher Class (Windows.System) - Windows UWP applications) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true.

The OMA-URI of new policy: ./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowLaunchUriInSingleAppKiosk

• Bool value

Issue - No apps are shown in start menu in kiosk mode

Symptoms

When encountering failures in applying kiosk mode, the following behavior appears:

• Prior to Windows Holographic, version 20H2 - HoloLens will show all applications in the Start menu.

• Windows Holographic, version 20H2 - if a device has a kiosk configuration, which is a combination of both global assigned access and Azure AD group member assigned access, if determining Azure AD group membership fails, the user will see “nothing shown in start” menu.

  

• Starting with Windows Holographic, version 21H1, Kiosk mode looks for Global Assigned Access before showing an empty start menu. The kiosk experience will fall back to a global kiosk configuration (if present) if there are failures during Azure AD group kiosk mode.

Troubleshooting steps

• Verify that AUMID of app is correctly specified and it does not contain versions. Refer to HoloLens AUMIDs for inbox apps for examples.

• Ensure that application is installed on the device for that user.

• If kiosk configuration is based on Azure AD groups please ensure internet connectivity is present when the Azure AD user signs in. If desired configure MixedReality/AADGroupMembershipCacheValidityInDays policy so this can function without internet as well.

If XML was used to create assigned access configuration (either via runtime provisioning or Intune custom-OMA URI), please ensure that XML is well-formed by opening it in any web browser or XML editor. Refer to Kiosk XML code samples for well-formed and valid templates.

Issue - Building a package with kiosk mode failed

Symptoms

A dialog like below is shown.

Troubleshooting steps

1. Click on the hyper-link shown as in the dialog above.
2. Open ICD.log in a text editor and its contents should indicate the error.

Note

If you have made several attempts, check the time stamps in the log. This will help you check only the current issues.

Issue – Provisioning package built successfully but failed to apply.

Symptoms

Error is shown when applying the provisioning package on HoloLens.

Troubleshooting steps

1. Browse to the folder where Windows Configuration Designer project for runtime provisioning package exists.

2. Open ICD.log and ensure that there are no errors in the log while building the provisioning package. Some errors are not showing during build but are still logged in ICD.log

Issue – Multiple app assigned access to Azure AD group does not work

Symptoms

On Azure AD user sign-in, device does not go into expected kiosk mode.

Troubleshooting steps

1. Confirm in Assigned Access configuration XML that GUID of Azure AD group of which signed-in user is a member of is used and not the GUID of the Azure AD user.

2. Confirm that in Intune portal that Azure AD user is indeed shown as member of targeted Azure AD group.

3. For Intune only, confirm that device is showing as compliant. Refer to device compliance reference for more information.