Kiosk Mode Lockdown Windows
Editor's Note: As much as we appreciate Microsoft supporting some sort of kiosk mode, we can’t help but wish they could recommend “assistive” products like KioWare and Sitekiosk which eliminate the “learned my lesson” or didn’t. Companies who have spent years analyzing and dealing with the situation have a much more robust, time-saving and cost-effective solution. There are more complex solutions such as Nanonation and 22Miles which can also be used depending on the situation.
- Kiosk Mode Software Providers
Over the last 25 years we have seen recurring cycles of company network technicians bored with their current tasks and deciding that, by reading a few articles and running a test on their PC, they are perfectly knowledgeable. No offense, but one critical credential for any supplier/provider is “how many times have you been hacked?”. Unless you have been hacked, repeatedly, you are essentially a neophyte.
Finally, no offense but it is worth considering Android for in-house locked down access. Active Directory is one vector to consider eliminating.
From KioWare — Two big gotchas of browser Kiosk Mode are user session management and crash management.
On a public use self-service kiosk, it is important that any trace of the previous user be deleted when done (cookies/cache/files). It is also important for the application to reset to its start page for the next user. While the web content could be programmed to do both of these, they usually do not. KioWare fully handles these issues as well as additional user session functionality.
While certainly more commonplace when web content used Flash that leaked memory and crashed after x hours, it is still common for web content to not be stable over long periods of time. KioWare has a service that runs in the background that does nothing but ensure that KioWare and the application are happy, restarting or rebooting when they are not.
And also, depending on the application, there are other gotchas, but these two are the big ones.
Kiosk mode device setup Endpoint Manager
You will need to follow the steps in the Microsoft document “Deploy Microsoft Edge Legacy kiosk mode” (1-17-2020). In short, you would need to create the following:
- a device restriction profile with Edge browser settings
- a Windows 10 platform, kiosk configuration profile with the applications to be run by Windows Kiosk Device.
Examples of Kiosk Configuration Profile:
The easiest way to configure the application launched in Kiosk mode is by its AUMID (Application User Model ID), as shown:
You may want to check one application as the default app and it will be automatically launched at sign-in time.
Besides the issues covered in the Microsoft troubleshooting guide, “Troubleshoot kiosk mode issues”, I have observed other common setup problems which prevent Windows 10 Kiosk mode from working properly.
KIOSK MODE SETUP COMMON PROBLEMS
- Incorrect local sign-in account name.
- Whatever sign-in account we configured in the Kiosk Profile, that account has to be accessible on the targeted kiosk device.
- If we set up the Kiosk Profile with a local sign-in account, it has to exist as a local account on the targeted Windows 10 device.
In the following example, the “LocalKioskUser” account in the profile matches the Computer Management user account named LocalKioskUser on the target kiosk device:
- The local kiosk account is a member of the local “Administrators” group.
The local sign-in account must not be a member of the Administrators group.
If it is, Windows will operate in normal mode.
- Edge Chromium is installed instead of Edge Legacy.
You will need to uninstall Edge Chromium because the engine which runs the Windows Kiosk Configuration Profile was originally designed for Edge Legacy.
This may change in the near future, but for now you have to use Edge Legacy for Windows 10 Kiosk mode. (For more information on Edge Chromium vs Edge Legacy, you could read another article here)
- There is a mismatch in the “Use Microsoft Edge kiosk mode” setting between the Device Restriction Configuration Profile and the Kiosk Configuration Profile. You need to configure these 2 profiles in accordance with each other.
- By default, “Use Microsoft Edge kiosk mode” in the “Device restrictions” configuration profile is set to No:
Change “Use Microsoft Edge kiosk mode” to the kiosk option that matches the Kiosk Configuration Profile, as shown in the following example image:
- The Autopilot profile is missing, if you deploy the image by Autopilot.
It is used for initial kiosk setup; no specific setting is required, only the profile itself.
- The kiosk device was not rebooted after a change to a kiosk profile setting.
If all of the above configuration settings are set up correctly and kiosk mode is still not working as expected, the device may need to be synchronized with Endpoint Manager and rebooted so that the kiosk profile is updated with the new setting.
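
The account, group membership, AUMID and Edge checks from the list above can be run on the kiosk device itself before digging into the profiles. This is an added example, not part of the original article or of Microsoft's documentation; the function name `Test-KioskPrereq` and the default account name and AUMID are assumptions to replace with the values from your own kiosk profile.

```powershell
# Added example: pre-flight checks for the common kiosk setup problems listed above.
# Test-KioskPrereq and both parameter defaults are assumed values, not from the article.
function Test-KioskPrereq {
    param(
        [string]$AccountName = 'LocalKioskUser',                     # sign-in account named in the kiosk profile
        [string]$Aumid = 'Microsoft.BingWeather_8wekyb3d8bbwe!App'   # app configured in the kiosk profile
    )
    $r = [ordered]@{ Account = $AccountName }

    # The sign-in account in the profile must exist locally and be enabled.
    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    $r.AccountExists  = [bool]$user
    $r.AccountEnabled = [bool]($user -and $user.Enabled)

    # The account must not be a local administrator.
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group,
    # so the lookup also works on localized Windows installs.
    try {
        $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)
        $r.IsAdministrator = [bool]($user -and ($admins.SID.Value -contains $user.SID.Value))
    } catch {
        $r.IsAdministrator = $null   # membership could not be read; check it manually
    }

    # The AUMID in the profile must match a registered app.
    # Get-StartApps lists apps for the calling user only, so run this as the kiosk account.
    $r.AumidFound = [bool](Get-StartApps | Where-Object { $_.AppID -eq $Aumid })

    # Edge Legacy is an AppX package; Edge Chromium installs msedge.exe under Program Files.
    # EdgeChromiumPresent = True is the condition the list above says to remove.
    $r.EdgeLegacyPresent = [bool](Get-AppxPackage -Name 'Microsoft.MicrosoftEdge' -ErrorAction SilentlyContinue)
    $edgeExe = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'Microsoft\Edge\Application\msedge.exe' }
    $r.EdgeChromiumPresent = [bool]($edgeExe | Where-Object { Test-Path $_ })

    [pscustomobject]$r
}

Test-KioskPrereq | Format-List
```

A healthy device for the setup described here reports `AccountExists`, `AccountEnabled` and `AumidFound` as True and `IsAdministrator` and `EdgeChromiumPresent` as False.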
Result example: Windows 10 Kiosk with Bing Weather auto-launch.
- Sign-in as localkioskuser
- After about 2 seconds, the Bing Weather will be automatically launched as shown:
- After about 3 to 10 seconds, the Bing Weather detail screen will be impressively shown.
- To get other apps, you could move your mouse to the top right corner to close the current app, and then, open another one.
To Repurpose kiosk devices:
Once the assigned access feature (kiosk mode) with multi-app configuration is applied on the device, certain policies are enforced system-wide and will impact other users on the device. You will need to reset to factory default or reimage devices to clear all the policies.
Running Windows 10 Kiosk by Edge Chromium
An initial set of kiosk mode features are now available to test with Microsoft Edge Canary Channel, version 87. You can download Microsoft Edge Canary from the Microsoft Edge Insider Channels page as shown here:
Kiosk Association Recommendations for Microsoft Internet Edge Kiosk Mode
Rather than prove your knowledge of Microsoft tools (which come and go, much like Google's), the better path, whether you are running Windows or Android, is to use purpose-built lockdown browser tools that come with far more granular control, device control, remote monitoring and more. They have much better long-term support as well. Sitekiosk and KioWare are excellent options and will save you time and money, keep you safer and give you reports on activity.