14 DAY FREE TRIAL

No Search Results

No Search Results

14 DAY FREE TRIAL
  1. Help Center
  2. Kiosk Lockdown of Devices
  3. Windows

Category filter

How to lock down Windows devices in Multi App kiosk mode?

Jump To

Kiosk mode is a lockdown mechanism that allows you to restrict your devices to a single app or a few applications of your choice. Multi App kiosk mode locks your device to a handful of allowlisted applications, thus preventing the users from accessing any other features on the device. Restricting the device to a few apps reduces user distractions and provides users with only the things that they need to access.

Notes:


Windows Multi App kiosk mode is supported on:

  • Windows 10 Pro, Enterprise and Education editions running 1709 or later versions.
  • Windows 11 Pro, Enterprise, and Education editions.

Configure Multi App kiosk

Before associating the policy, you must create a local user account on your device and install the Universal Windows Platform (UWP) apps that you want to run in kiosk mode.

Notes:

  • The kiosk account should be a local standard user account.
  • The Multi App Kiosk Lockdown policy can also be applied to an Active Directory user account, provided the user has logged in to the device at least once before applying the kiosk policy.
  • Once the user logs in to the kiosk user account, the kiosk mode status and the name of the kiosk account will be displayed under Enrollment details on the Device Summary page.

Step 1: Create a local user account on your Windows 10/11 device

To create a local user account on Windows 10 Pro version:

  1. Click on the Start button.
  2. Navigate to Settings > Accounts > Family & other users.
  3. Select the option Add someone else to this PC under Other users.
  4. Click on the link I don’t have this person’s sign-in information.
  5. Select the option Add a user without a Microsoft account.
  6. Fill in the kiosk user’s name, password, and other required fields.

To create a local user account on Windows 10 Enterprise and Education versions:

  1. Click on the Start button.
  2. Navigate to Settings > Accounts > Other people. On some Windows editions the option would be named as Other users.
  3. Select the option Add someone else to this PC.
  4. In the inset box, select Users.
  5. Under Actions, select Users > More actions > New User.
  6. Fill in the kiosk user’s name, password, and other required fields.

To create a local user account on Windows 11 Pro version:

  1. Click on the Start button.
  2. Navigate to Settings > Accounts > Other users.
  3. Select the option Add account.
  4. In the inset box, select Users.
  5. Under Actions, select Users > More actions > New User.
  6. Fill in the kiosk user’s name, password, and other required fields.

Now, the user account will be set up on the device.

Step 2: Install the kiosk apps within the local account

After setting up the account, make sure the apps to be set in kiosk mode are installed on both the admin and local user accounts.

Note:


Kiosk mode works only with Universal Windows Platform apps (apps that come pre-installed with Windows 10/11 or sourced from Microsoft Store) and Windows desktop apps (MSI, Win32, Exe apps).


Step 3: Create a Multi app kiosk lockdown policy
  1. Log in to your Hexnode UEM portal and navigate to the Policies tab.
  2. Click on New Policy to create a new one or click on any policy name to edit an existing one. If you are creating a new policy enter the Policy Name and Description in the provided fields.
  3. Go to Kiosk Lockdown > Windows Kiosk Lockdown, select Multi App > Configure.
  4. Enter the name of the user account you want to run in multi app kiosk mode in the Kiosk Account Name field.
    Note:


    You can specify the kiosk account name in any of the following formats:

    • machinename\account
    • .\account name
    • account name

    Choose from the following kiosk account types:

    1. Local user: Enter the name of a local user account.
    2. AD user: Enter the Active Directory user account name.
    3. Microsoft Entra ID user: Enter the user’s Microsoft Entra ID email address.

      If you are using the Microsoft account to enable sign in to the kiosk, you can specify the account name in either of the following formats:

      • For an AD user – domain\samAccountName.
      • For a Microsoft Entra ID user – email address.
    4. Autologon (supported on Windows 10 version 1809 and later, and Windows 11): This option lets you specify a name for the kiosk account. A local standard user account with the chosen name is created on the device and automatically signed into the kiosk after the device restarts.
  5. Click on the + button to select the app to be added in kiosk mode. You can add local apps, public store apps and desktop apps to the kiosk.
  6. Select your preferred Start menu layout:

    Custom Start menu layout

    Customizing a Start layout involves arranging the apps (to be set in kiosk mode) in a way the user wants to view them on the Start menu and on the device screen. Login to the admin account on the device and follow the steps below to prepare and export the Start layout manually.

    Notes:
    • Check the Run as administrator option if you are prompted to enable the same (specific to certain folders).
    • The Windows device in which you are setting up the Start menu layout (XML or JSON) should have the same OS version of the devices to which you are deploying the policy.

    1. The following steps allow you to customize the Start layout from the device.
      • Pin apps to Start: Choose the desired app from Start by typing in the app name. Right-click the app and click Pin to Start.
      • Apps that are not to be displayed in the layout can be unpinned. Right-click the app and then click Unpin from Start.
      • Drag tiles to group apps.
    2. Right-click Start > select Windows PowerShell.
    3. Execute the below command in Windows PowerShell:
      1. If the device is running Windows 10 version 1607, 1703, or 1803:
        • For example, Export-StartLayout -path C:\Users\Robert\Kiosk.xml
      2. If the device is running Windows 10 version 1809 or above:
        • For example, Export-StartLayout -UseDesktopApplicationID -path C:\Users\Robert\Kiosk.xml
      3. If the device is running Windows 11:
        • For example, Export-StartLayout -path C:\Users\Robert\Kiosk.json

      4. Here, –path is a required parameter that specifies the path and file name of the XML or JSON file to be exported on the device.

      Note:


      The file name must include the .xml or .json extension. The policy settings require the extensions and the Export-StartLayout cmdlet does not append the file name extension.

      Auto-generated Start menu layout

      Hexnode allows you to automatically generate the Start menu layout based on the apps included in your multi-app kiosk policy. To set this up:

      1. Go to the Start menu layout section of your multi-app kiosk policy.
      2. Select Auto-generated as the layout type.
      3. Click Add Apps to import applications from those already configured in the multi-app kiosk policy. Only these apps can be selected for inclusion in the Start menu layout.
      4. Drag and drop app rows to set apps' display order in the Start menu.
      5. Select a tile size for each app: Small, Medium, Wide, or Large. (For desktop apps, only Small and Medium sizes are available).
      6. Choose an app to Auto-launch after the kiosk user logs in (optional). The app set to auto-launch will automatically open right after the user logs into the multi-app kiosk account on the Windows device.

        7. Multi App kiosk – option to automatically generate the Start menu layout

  7. Under Advanced Kiosk Settings, configure additional options as needed:
    1. Access all files (Supported on Windows 10(v1809+) devices): Enabling this option provides access to the entire File Explorer while the device is in multi-app kiosk mode.
    2. Access Downloads folder (Supported on Windows 10(v1809+) devices): Enabling this option allows access exclusively to the Downloads folder in File Explorer during multi-app kiosk mode.
    3. Access removable drives (Supported on Windows 10(v1809+) devices): If this option is left unchecked, users will be restricted from accessing removable drives through File Explorer while the device is in multi-app kiosk mode.
    4. Windows taskbar (Supported on Windows 10(v1809+) and Windows 11 devices): Enabling this option allows the taskbar to appear in multi-app kiosk mode on devices. By clicking Add Apps, you can import apps already included in the multi-app kiosk configuration into the taskbar layout. Only these apps are eligible for taskbar inclusion. Once the apps are added, you can arrange them by dragging and dropping the rows in the app list, giving you control over the order in which the apps are displayed on the device's taskbar. Note that pinning apps to the taskbar and configuring their order is only supported on Windows 11 devices.

      On devices running Windows 11 24H2, disabling the taskbar via the Windows taskbar setting does not hide it completely. Instead, it hides until the user interacts with it using the mouse.

      Multi App kiosk – option to configure taskbar

  8. Save the policy.

Notes:
  • Ensure that the apps to be added in the kiosk mode are present in the local user account.
  • If you add an app in the Start menu layout (XML or JSON) but haven't added that in the kiosk policy, that app cannot be opened on the device.
  • Similarly, if you include the app in the multi-app kiosk policy but not in the Start menu layout, it cannot be opened from the Start menu. However, the same application can be accessed in the background.
  • Any modifications to the multi-app kiosk policy are reflected on the device end only after:
    • the device restarts, or,
    • the user signs out and logs in back to the kiosk account.
  • Ensure that you add all the background processing apps to the Multi App kiosk policy. Failure to include them leads to interruptions on the device functioning by prompting the user that the application is blocked. The app could also exhibit inconsistent behavior in this scenario, including the app icon disappearing or the app stopping abruptly.

  • When the multi-app kiosk policy is initially applied to a device, the apps selected for pinning to the taskbar will appear in the order specified in the policy. These apps will remain pinned to the taskbar even after the kiosk lockdown is removed, and you will need to manually unpin them from the device’s taskbar.
  • If the taskbar app order is changed in an existing multi-app kiosk policy, the updated app order will not reflect on the device. The apps will stay pinned to the device’s taskbar in the initial order when the policy was initially applied. To apply the new taskbar app order:
    1. Remove the initial kiosk lockdown policy from the device.
    2. Manually unpin the apps from the device’s taskbar.
    3. Update the kiosk lockdown policy with the new app order and reapply the updated policy to the device.
  • If you want to add a newly installed app on the device to the taskbar within the kiosk lockdown, you must first include the app in the multi-app kiosk policy and configure the taskbar settings accordingly. After adding the app to the policy, reapply the policy to reflect the changes on the device.

Exception:


Network folders cannot be accessed in kiosk mode.


How to add desktop apps to kiosk?

Other than local apps and public store apps, Hexnode even allows you to add desktop apps to the kiosk. While customizing a Start layout, only pin the desktop apps that the user needs to see in the Start Menu. The desktop apps not added to the Start Menu will run in the background whenever necessary, provided you add them to the kiosk. To add desktop apps to the kiosk:

  1. Click on Policies > New Policy to create a new one or click on any policy name to edit an existing one. If you are creating a new policy enter the Policy Name and Description in the provided fields.
  2. Go to Kiosk Lockdown > Windows Kiosk Lockdown, select Multi App > Configure.
  3. Enter the Kiosk account name.
  4. Click on the + button and select Desktop Apps. Click on the Add button after providing the app name and the location of the app on the device. For example, to add Hexnode UEM app as a kiosk application, enter HexnodeUEM.exe and C:\Hexnode\Hexnode Agent\Current\HexnodeUEM.exe as the App name and Path respectively.
  5. Import/auto-generate the Start menu layout containing the apps that need to be present in the Start menu.
  6. Save the policy.

How to associate the policy with devices/groups?

There are two ways by which you can assign restrictions to the devices in bulk.
If you haven’t saved the policy yet,

  1. Navigate to Policy Targets.
  2. Click on + Add Devices, search and select the required devices to which you need to apply the policy and click OK.
  3. Click on Save to apply the policies to the devices.

To associate the policies with a device group, select Device Groups from the left pane under Policy Targets, and follow the above instructions. Similarly, you can associate the policy with Users, User Groups, or Domains from the same pane.

If you’ve already saved the policy and you’re taken to the page which displays the policy list,

  1. Select the required policy, click on Manage and select Associate Targets.
  2. Select Device/ User/ Device Group/ User Group/ Domain.
  3. Search and select the devices/ users/ device groups/ user groups/ domains to which you need to apply the policy and click Associate.

What happens at the device end?

Restart the device after applying the policy for it to take effect. When a user logs into their local user account, the apps added in the kiosk mode will be displayed on the start screen. The user will be unable to access the settings or other apps on the device.

Secondary displays on Windows kiosks

While in the kiosk lockdown mode, a Windows device can be connected to secondary displays.

How to exit kiosk mode?

You can exit devices from kiosk mode either by disassociating or archiving the policy. Besides, you also need to restart the device to remove it from kiosk mode.

Method 1: Disassociate the policy

Disassociate the kiosk policy from the device or delete the policy and restart the device.

  1. Log in to your Hexnode UEM portal.
  2. Navigate to the Policies tab.
  3. Click on the required policy name and go to Policy Targets. Click on the Remove option corresponding to the device.

Or
  1. Log in to your Hexnode UEM portal.
  2. Navigate to the Manage tab.
  3. Click on the required device and go to Policies. Click on the trash icon corresponding to the kiosk policy.

Method 2: Archive the policy

  1. Log in to your Hexnode UEM portal.
  2. Navigate to the Policies tab.
  3. Select the required Policy, click on Manage > Move to Archive.
Notes:


The archived policies can be viewed under Policies > Archived Policies.

  • To permanently delete an archived policy,
    1. Login to your Hexnode UEM portal.
    2. Navigate to Policies > Archived Policies.
    3. Select the required policy. Click on Manage > Delete > Confirm deletion.
  • To restore an archived policy,
    1. Login to your Hexnode UEM portal.
    2. Navigate to Policies > Archived Policies.
    3. Select the required policy, click on Manage > Restore.

On restoring an archived policy, the policy targets won’t be restored (the policy stays disassociated from the target device).

Method 3

If the methods mentioned above fail to remove the kiosk policy from the device, press CTRL+ALT+DEL. This locks the screen and allows users to sign in with a different account from the login page. However, the previous user account remains in kiosk mode, and once the user logs in to the account, the kiosk mode gets relaunched.

Need more help?
Raise a Ticket Raise a Ticket
Ask Community Ask Community
Chat With us Chat With us
  • Kiosk Lockdown of Devices