Kiosk mode is a specific function in Windows that limits the client to using only certain pre-approved applications in a fully immersive, fullscreen environment. In this mode, any other functions of Windows are disabled and inaccessible. Users are prevented from initiating unapproved applications or adjusting system preferences. This feature is commonly utilized in devices serving as self-service stations or public access computers designed to run promotional content, display videos, or provide access to specific websites. Below is a detailed guide to setting up a Windows 11 device to operate in kiosk mode.
Windows 11 offers two types of kiosk modes:
- Single-app kiosk mode – This mode is designed to launch either a designated UWP app or the Edge browser in fullscreen, barring the user from minimizing the app or accessing other desktop applications.
- Multi-app kiosk mode – In this mode, an administrator configures a selection of applications that are allowed to run, while restricting the launch of any other programs or access to system configurations.
How to Setup a Single-App Kiosk Mode in Windows 11
By default, only one of the installed UWP apps (whether pre-installed or installed from the Microsoft Store) can run in Windows 11 Kiosk mode. Kiosk mode in Windows 11 is enabled from the Settings menu:
- Navigate to Settings -> Accounts -> Other Users
- Under the Kiosk section, click Get Started.
- Specify the limited user account name to be created for the automatic login in the Kiosk mode.
- The next step is to select the application to launch in Kiosk mode. It is only possible to select one of the UWP apps that are installed or some of the built-in classic apps (such as the Microsoft Edge browser).
- The Edge browser can be launched in single-site access mode (
As a digital sign or interactive display) or in a public computer mode with a browser (As a public browser). In the latter, the kiosk user can view any website. - In this example, we will configure Kiosk mode to access only one website. Enter the URL of the site and the period of inactivity after which the previous session should be reset, which clears session data, cookies, and browser history.
- Click Next -> Finish.
Restart the computer. Windows will automatically sign in with a kiosk user account and open the target website in full-screen browser mode. The functionality of the Edge browser is limited in this mode: the address bar is missing, settings, shortcut menus, toolbar, hotkeys, etc. are not available.
The user cannot launch another application, access the desktop, or open another website in the browser (however, Edge does not restrict the user from following any external links on the site).
To deactivate Kiosk mode, press CTRL+ALT+DEL to access the Login Screen, and log in to Windows with your usual account credentials.
Adjust the settings or disable Kiosk mode entirely in Settings with an account that possesses local administrator rights.
UWP apps can be set up via the Windows Store app or by manually downloading and installing APPX/MSIX files.
Setting Up Multi-App Kiosk Mode in Windows 11
In Windows 11, users can operate multiple applications simultaneously in Kiosk mode. Setting up Multi-app Kiosk mode is more intricate and requires the use of MDM (Intune) or PowerShell scripts.
Visit our GitHub repository for a sample PowerShell script that enables Multi-App Kiosk mode in Windows 11 22H2 and 23H2 at https://github.com/maxbakhub/winposh/blob/main/WindowsDesktopManagement/enable-multi-app-kiosk-mode-win11-mdm-bridge.ps1. This script implements Windows kiosk mode configurations detailed in an XML format.
Important parameters include:
- Profile Id – a unique identifier for configuration, which can be obtained using the New-Guid command
- AllowedApps – specifies the list of UWP apps permitted in Kiosk mode
- windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel – enables access to the Settings menu. A simple Group Policy Object can help in controlling the visibility of Settings menu sections, more details here: https://woshub.com/hide-show-settings-pages-windows/
- StartPins – allows specific UWP apps to be pinned to the Start menu
- ShowTaskbar – enables the display of the Windows taskbar
- AutoLogonAccount – sets up a separate user account for operating Kiosk mode and logs in automatically with this account.
The detailed syntax of the assigned access configuration XML file for the Kiosk mode and examples of use are described here.
Save this PowerShell script to your computer. This PowerShell script changes the settings via the MDM Bridge WMI provider and must be run with LocalSystem permissions. Run the powershell.exe console as SYSTEM using the PsExec tool:
Psexec.exe -i -s powershell.exe
Allow PowerShell scripts to be run in the current session:
Set-ExecutionPolicy -scope Process RemoteSigned
Execute the initial script:
C:psenable-multi-app-kiosk-mode-win11-mdm-bridge.ps1
For the modifications to take effect, reboot your system. Upon restarting, you will be signed in automatically as KioskUser0. The system will initiate in tablet mode, showing tiles for the designated apps.
The restricted kiosk mode user can only run the applications that are specified in the XML file. If you try to run another UWP or Classic app, you’ll see an AppLocker message:
This app has been blocked by your system administrator.
To clear and disable the current Windows 11 kiosk mode configuration, run the following commands:
$obj = Get-CimInstance -Namespace "rootcimv2mdmdmmap" -ClassName "MDM_AssignedAccess"
$obj.Configuration = $NULL
Set-CimInstance -CimInstance $obj