Set up HoloLens as a kiosk
What is Kiosk mode?
Kiosk mode is a feature that lets you control which applications are shown in the Start menu when a user signs in to HoloLens. There are two supported scenarios:
Single app kiosk mode – No start menu is displayed, and a single app is launched automatically, when user signs in.
Example uses: A device that runs only Dynamics 365 Guides app.
Multiple app kiosk mode – Start menu shows only those applications, which were specified in kiosk configuration when a user signs in. An app can be chosen to automatically launch if desired.
Example uses: A device that shows only the Store app, Feedback Hub and Settings app in start menu.
Description of kiosk mode experience when a user signs in
The following table lists the feature capabilities in the different kiosk modes.
Kiosk mode | Start menu | Quick Actions menu | Camera and video | Miracast | Cortana | Built-in voice commands |
---|---|---|---|---|---|---|
Single-app kiosk | Disabled | Disabled | Disabled | Disabled | Disabled | Enabled* |
Multi-app kiosk | Enabled | Enabled* | Available* | Available* | Available* | Enabled* |
* For more information about how to enable disabled features, or how voice commands interact with disabled features and Cortana see HoloLens AUMIDs for apps.
Key general considerations before configuring kiosk mode
Determine the kind of user account signing into HoloLens in your environment - HoloLens supports Microsoft Entra accounts, Microsoft Accounts (MSA) and Local accounts. Additionally, temporarily created accounts called guests / visitors are also supported (only for Microsoft Entra join devices). Learn more at Manage user identity and sign-in for HoloLens.
Determine the targets of kiosk mode experience - whether it's everyone, a single user, certain users, or users who are members of Microsoft Entra group(s), etc.
For multiple app kiosk mode, determine application(s) to show on start menu. For each application, its Application User Model ID (AUMID) will be needed.
Determine if kiosk mode will be applied to HoloLens via either runtime provisioning packages or Mobile Device Management (MDM) server.
Security considerations
Kiosk mode shouldn't be considered as a security method but as a means to control the start-up experience on user sign-in. You may combine kiosk mode experience with options mentioned below if there are specific security related needs:
When Settings app is configured to show in kiosk mode and you want to control which pages are shown in Settings app, refer to Page Settings Visibility.
When you want to control access to certain hardware capabilities (for example, camera or Bluetooth) for certain apps, refer to Policies in Policy CSP supported by HoloLens 2 - Windows Client Management. You can review our Common device restrictions for ideas.
Kiosk mode doesn't block an app (configured as part of kiosk experience) from launching other apps. When you want to completely block launching of certain apps / processes on HoloLens, refer to Use Windows Defender Application Control on HoloLens 2 devices in Microsoft Intune - Azure.
Key technical considerations for Kiosk mode for HoloLens
Applies only if you're planning to use runtime provisioning packages or creating kiosk configurations manually yourself. Kiosk mode configuration uses a hierarchical structure based on XML:
An assigned access profile defines which applications are displayed in start menu in kiosk mode. You can define multiple profiles in same XML structure, which can be referenced later.
An assigned access configuration references a profile and target user(s) of that profile, for example, a specific user, or Microsoft Entra group or visitor, etc. You can define multiple configurations in same XML structure depending on complexity of your usage scenarios (see supported scenarios section below).
To learn more, refer to AssignedAccess CSP.
Supported scenarios for kiosk mode based on identity type
See reference links for examples based on your scenario and update as needed before copy-pasting.
Note
Use XML only if not using Intune's UI to create kiosk configuration.
For users who sign-in as either Local account or MSA
Desired kiosk experience | Recommended kiosk configuration | Ways to configure | Remarks |
---|---|---|---|
Every user who signs in gets kiosk experience. | Configure multiple app Global Assigned Access profile | • Microsoft Intune custom template • Runtime provisioning - Multi app | Global assigned access requires 20H2 and newer builds |
Specific user who signs in gets kiosk experience. | Configure single or multiple app assigned access profile (as required) specifying name of specific user. | See supported options below. | For single app kiosk mode, only local user account or MSA account is supported on HoloLens. For multiple app kiosk mode, only MSA account or Microsoft Entra account is supported on HoloLens. |
For users who sign-in as Microsoft Entra account
Desired kiosk experience | Recommended kiosk configuration | Ways to configure | Remarks |
---|---|---|---|
Every user who signs in gets kiosk experience. | Configure multiple app Global Assigned Access profile | • Microsoft Intune custom template • Runtime provisioning - Multi app | Global assigned access requires 20H2 and newer builds |
Every user who signs in gets kiosk experience except certain users. | Configure multiple app Global Assigned Access profile by excluding certain users (who must be device owners). | • Microsoft Intune custom template • Runtime provisioning - Multi app | Global assigned access requires 20H2 and newer builds |
Every Microsoft Entra user gets separate kiosk experience specific for that user. | Configure assigned access configuration for each user specifying their Microsoft Entra account name. | • Microsoft Intune custom template • Runtime provisioning - Multi app | • For optimal experience with Microsoft Entra ID during sign-in, the recommendation is to use AADGroupMembershipCacheValidityInDays policy. |
Only specific Microsoft Entra user is used to automatically sign into HoloLens and experience kiosk targeted for that Microsoft Entra user. | Specify kiosk for Microsoft Entra user using either Multiple app assigned access profile for one Microsoft Entra account for one app or HoloLens kiosk reference information per your requirements. Specify that user's email address in MixedReality/AutoLogonUser policy. | • Microsoft Intune custom template • Runtime provisioning - Multi app | You may choose to have only one Microsoft Entra user sign-in. Once the user has signed in once the device will continue to sign them in automatically and never sign out. |
Users in different Microsoft Entra groups experience kiosk mode that is for their group only. | Configure assigned access configuration for each desired Microsoft Entra group. | • Microsoft Intune custom template • Runtime provisioning - Multi app | • When a user signs in and HoloLens is connected to the internet, if that user is found to be a member of a Microsoft Entra group for which kiosk configuration exists, the user gets the kiosk experience for that Microsoft Entra group. • If there's no internet available when the user signs in, the user will experience HoloLens failure mode behavior. • If internet availability isn't guaranteed when the user signs in and Microsoft Entra group based kiosk needs to be used, consider using AADGroupMembershipCacheValidityInDays policy. • For optimal experience with Microsoft Entra groups during sign-in, the recommendation is to use AADGroupMembershipCacheValidityInDays policy. |
Users who need to use HoloLens for temporary purposes get kiosk experience. | Configure assigned access configuration for visitors | • Microsoft Intune custom template • Runtime provisioning - Single app | • Temporary user account is automatically created by HoloLens on sign-in and is removed when temporary user signs out. • Consider enabling visitor auto-login policy. |
Steps in configuring kiosk mode for HoloLens
Kiosk configurations can be created and applied in following ways:
- With MDM server's UI, for example, Intune's kiosk templates or its custom OMA-URI configurations, which are then remotely applied to HoloLens.
- With runtime provisioning packages, which are then directly applied to HoloLens.
The following ways to configure are available; select the tab matching the process you'd like to use.
- Microsoft Intune single app kiosk template
- Microsoft Intune multi app kiosk template
- Microsoft Intune custom template
- Runtime provisioning - Multi app
- Runtime provisioning - Single app
Microsoft Intune single app kiosk template
Create a configuration profile.
Choose kiosk template.
Choose whether single app or multiple app kiosk and also choose kind of user targeting for kiosk mode.
Choose the app to run in kiosk mode.
Leave rest of the options as is.
Choose which groups / devices or users this configuration profile should get assigned to.
Review and create to save configuration profile.
Perform MDM sync starting from either device or Intune to apply configuration to device. Sync devices from Intune or on device via Settings > Accounts > Work or school > select the connected account > Info > Sync.
Sign in as the target user to experience kiosk.
Frequently Asked Questions
How can visitor accounts automatically log on to kiosk experience?
- Available on builds Windows Holographic, version 21H1 and onwards, Microsoft Entra ID and Non-Azure AD configurations both support visitor accounts being autologon enabled for Kiosk modes.
By default devices configured for kiosk mode with visitor accounts will have a button on the sign-in screen that will sign in a visitor with a single tap. Once signed in, the device won't show the sign-in screen again until the visitor is explicitly signed out from the start menu or the device is restarted. However sometimes you may want to set up the device such that the sign-in screen is never shown and for the device to automatically sign in using a visitor account to the kiosk experience. To do this, configure the MixedReality/VisitorAutoLogon policy.
A device configured to automatically sign in using a visitor account won't have on-device UI to exit this mode. To ensure that a device isn't accidentally locked out, this policy requires that no other user accounts are present on the device. As a result, this policy must be applied during device setup either by using a provisioning package or by MDM using Autopilot.
Autologon with MDM
Visitor Auto logon can be managed via custom OMA-URI policy.
- URI value: ./Device/Vendor/MSFT/Policy/Config/MixedReality/VisitorAutoLogon
Policy | Description | Configurations |
---|---|---|
MixedReality/VisitorAutoLogon | Allows for a Visitor to Auto logon to a Kiosk. | 1 (Yes), 0 (No, default.) |
For details, see the Policy CSP page for MixedReality/VisitorAutoLogon.
Is kiosk experience supported on HoloLens (1st gen)?
Kiosk mode is available only if the device has Windows Holographic for Business. All HoloLens 2 devices ship with Windows Holographic for Business and there are no other editions. Every HoloLens 2 device is able to run Kiosk mode out of the box.
HoloLens (1st gen) devices need to be upgraded both in terms of OS build and OS edition. Here's more information on updating a HoloLens (1st gen) to Windows Holographic for Business edition. To update a HoloLens (1st gen) device to use kiosk mode, you must first make sure that the device runs Windows 10, version 1803, or a later version. If you have used the Windows Device Recovery Tool to recover your HoloLens (1st gen) device to its default build, or if you have installed the most recent updates, your device is ready to configure.
How to use device portal to configure kiosk in nonproduction environments?
Set up the HoloLens device to use the Windows Device Portal. The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
Caution
When you set up HoloLens to use the Device Portal, you have to enable Developer Mode on the device. Developer Mode on a device that has Windows Holographic for Business enables you to side-load apps. However, this setting creates a risk that a user can install apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable Developer Mode by using the ApplicationManagement/AllowDeveloperUnlock setting in the Policy CSP. Learn more about Developer Mode.
Kiosk Mode can be set via Device Portal’s REST API by doing a POST to /api/holographic/kioskmode/settings with one required query string parameter (“kioskModeEnabled” with a value of “true” or “false”) and one optional parameter (“startupApp” with a value of a package name). Keep in mind that Device Portal is intended for developers only and shouldn't be enabled on nondeveloper devices. The REST API is subject to change in future updates/releases.
Troubleshooting & Updates
- Update - Single app kiosk policy for launching other apps
- Issue - No apps are shown in start menu in kiosk mode
- Issue - Building a package with kiosk mode failed
- Issue – Provisioning package built successfully but failed to apply
- Issue – Multiple app assigned access to Microsoft Entra group doesn't work
Update - Single app kiosk policy for launching other apps
- Added in Windows Holographic, version 22H1
Introduced a new MDM policy MixedReality\AllowLaunchUriInSingleAppKiosk. This can be enabled to allow other apps to be launched within a single app kiosk, which may be useful, for example, if you want to launch the Settings app to calibrate your device or change your Wi-Fi.
By default, launching applications via Launcher API (Launcher Class (Windows.System) - Windows UWP applications) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true.
The OMA-URI of new policy: ./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowLaunchUriInSingleAppKiosk
- Bool value
Issue - No apps are shown in start menu in kiosk mode
Symptoms
When encountering failures in applying kiosk mode, the following behavior appears:
Prior to Windows Holographic, version 20H2 - HoloLens will show all applications in the Start menu.
Windows Holographic, version 20H2 - if a device has a kiosk configuration, which is a combination of both global assigned access and Microsoft Entra group member assigned access, if determining Microsoft Entra group membership fails, the user will see “nothing shown in start” menu.
Starting with Windows Holographic, version 21H1, Kiosk mode looks for Global Assigned Access before showing an empty start menu. The kiosk experience will fall back to a global kiosk configuration (if present) if there are failures during Microsoft Entra group kiosk mode.
Troubleshooting steps
Verify that AUMID of app is correctly specified and it doesn't contain versions. Refer to HoloLens AUMIDs for inbox apps for examples.
Ensure that application is installed on the device for that user.
If kiosk configuration is based on Microsoft Entra groups, ensure internet connectivity is present when the Microsoft Entra user signs in. If desired configure MixedReality/AADGroupMembershipCacheValidityInDays policy so this can function without internet as well.
If XML was used to create assigned access configuration (either via runtime provisioning or Intune custom-OMA URI), ensure that XML is well-formed by opening it in any web browser or XML editor. Refer to Kiosk XML code samples for well-formed and valid templates.
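The checks from the troubleshooting steps above can be run against an assigned access XML file before it is packaged or pushed. The following is an added example, not Microsoft's tooling: it checks well-formedness, AUMIDs that carry a version, configs that point at an undefined profile, and Microsoft Entra group entries that are not GUIDs. The element and attribute names follow the AssignedAccess CSP schema; the sample XML, app name and IDs are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"aa": "http://schemas.microsoft.com/AssignedAccess/2017/config"}  # base schema
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
VERSION = re.compile(r"_\d+(\.\d+){3}_")  # version segment of a package full name

def check_kiosk_xml(text):
    """Return findings for an assigned access configuration; empty list means clean."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    findings, profile_ids = [], set()
    for profile in root.findall("aa:Profiles/aa:Profile", NS):
        profile_ids.add(profile.get("Id"))
        for app in profile.findall(".//aa:App", NS):
            aumid = app.get("AppUserModelId", "")
            if VERSION.search(aumid):
                findings.append(f"AUMID contains a version: {aumid}")
    for config in root.findall("aa:Configs/aa:Config", NS):
        default = config.find("aa:DefaultProfile", NS)
        if default is None or default.get("Id") not in profile_ids:
            findings.append("Config references a profile that is not defined")
        group = config.find("aa:UserGroup", NS)
        if group is not None and group.get("Type") == "AzureActiveDirectoryGroup":
            # Offline this only tells a GUID from a display name or UPN.
            if not GUID.match(group.get("Name", "")):
                findings.append(f"UserGroup Name is not a GUID: {group.get('Name')}")
    return findings

# Constructed sample with two deliberate mistakes (placeholder app and IDs).
SAMPLE = """<AssignedAccessConfiguration
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="{11111111-2222-3333-4444-555555555555}">
      <AllAppsList><AllowedApps>
        <App AppUserModelId="Contoso.Guides_1.2.3.0_x64__abcdefgh12345!App" />
      </AllowedApps></AllAppsList>
    </Profile>
  </Profiles>
  <Configs><Config>
    <UserGroup Type="AzureActiveDirectoryGroup" Name="kiosk-users@contoso.example" />
    <DefaultProfile Id="{11111111-2222-3333-4444-555555555555}" />
  </Config></Configs>
</AssignedAccessConfiguration>"""

print(*check_kiosk_xml(SAMPLE), sep="\n")
```

Whether a GUID belongs to the group rather than to the user still has to be confirmed in Microsoft Entra ID; the script cannot tell them apart offline.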
Issue - Building a package with kiosk mode failed
Symptoms
A dialog like below is shown.
Troubleshooting steps
- Click the hyperlink shown in the dialog above.
- Open ICD.log in a text editor and its contents should indicate the error.
Note
If you have made several attempts, check the time stamps in the log. This will help you check only the current issues.
Issue – Provisioning package built successfully but failed to apply.
Symptoms
Error is shown when applying the provisioning package on HoloLens.
Troubleshooting steps
Browse to the folder where Windows Configuration Designer project for runtime provisioning package exists.
Open ICD.log and ensure that there are no errors in the log while building the provisioning package. Some errors aren't shown during the build but are still logged in ICD.log.
Issue – Multiple app assigned access to Microsoft Entra group doesn't work
Symptoms
On Microsoft Entra user sign-in, device doesn't go into expected kiosk mode.
Troubleshooting steps
Confirm that the Assigned Access configuration XML uses the GUID of the Microsoft Entra group that the signed-in user is a member of, and not the GUID of the Microsoft Entra user.
Confirm in the Intune portal that the Microsoft Entra user is indeed shown as a member of the targeted Microsoft Entra group.
For Intune only, confirm that device is showing as compliant. For more information, see device compliance reference.