Set up a kiosk on Windows 10 Pro, Enterprise, or Education



Applies to


    • Windows 10

Looking for Windows Embedded 8.1 Industry information? See Assigned Access.


A single-use device, such as a kiosk, is easy to set up in Windows 10 desktop editions.


    • Use the Provision kiosk devices wizard in Windows Configuration Designer (Windows 10, version 1607 or later) to create a provisioning package that configures a kiosk to run a universal Windows app or a classic Windows application (Windows 10 Enterprise or Education only).

      Or

    • Use the assigned access feature to enable the kiosk device to run a universal Windows app (Windows 10 Pro, Enterprise, or Education).

      Or

    • Use Shell Launcher to set a custom user interface as the shell, enabling the kiosk device to run a classic Windows application (Windows 10 Enterprise or Education only).


To return the device to the regular shell, see Sign out of assigned access.



Note



Universal Windows apps are based on the Universal Windows Platform (UWP), which was first introduced as Windows Runtime in Windows 8. Classic Windows applications use the Classic Windows Platform (CWP) (for example COM, Win32, WPF, or WinForms) and are typically launched from an .exe or .dll file.





To set up a kiosk using Windows Configuration Designer


When you use the Provision kiosk devices wizard in Windows Configuration Designer, you can configure the kiosk to run either a universal Windows app or a classic Windows application.



Important



When you build a provisioning package, you may include sensitive information in the project file and in the provisioning package (.ppkg) file. Although you can choose to encrypt the .ppkg file, the project file is not encrypted. Store the project files in a secure location and delete them when they are no longer needed.



Install Windows Configuration Designer, then open it and select Provision kiosk devices. After you name the project, click Next, and then configure the settings as described below.



Enable device setup if you want to configure settings on this page.

If enabled:

    • Enter a name for the device.

    • Optionally, select a license file to upgrade Windows 10 to a different edition. See the permitted upgrades.

    • Toggle Configure devices for shared use off. This setting optimizes Windows 10 for shared-use scenarios and is not needed for a kiosk.

    • You can also select to remove preinstalled software from the device.

Enable network setup if you want to configure settings on this page.

If enabled: toggle On or Off for wireless network connectivity. If you select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.

Enable account management if you want to configure settings on this page.

If enabled, you can enroll the device in Active Directory, enroll it in Azure Active Directory, or create a local administrator account on the device.

To enroll the device in Active Directory, enter the credentials of a least-privileged user account that can join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token that the wizard will obtain. Set an expiration date for the token (a maximum of 30 days from the date that you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permission to join devices to Azure AD, and then its password. Click Accept to give Windows Configuration Designer the required permissions.

Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

To create a local administrator account, select that option and enter a user name and password.

Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.

You can provision the kiosk app in the Add applications step. You can install multiple applications, both classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a single provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see Provision PCs with apps.

Warning: If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you clicked the plus button in error, select any executable file in Installer Path, and the Cancel button becomes available, allowing you to complete the provisioning package without an application.

To provision the device with a certificate for the kiosk app, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.

Important: You must use the Windows Configuration Designer app from the Microsoft Store to select a classic Windows application as the kiosk app in a provisioning package.

You can create a local standard user account that will be used to run the kiosk app. If you toggle No, make sure that you have an existing user account to run the kiosk app.

If you want to create an account, enter a user name and password, and then toggle Yes or No to automatically sign in the account when the device starts.

In Configure the kiosk mode app, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or file name (for a classic Windows app) or the AUMID (for a universal Windows app). For a classic Windows app, you can use the file name if the path to the file is in the PATH environment variable; otherwise the full path is required.

In this step, select options for the user experience and the time-out settings for tablet mode, the welcome screen, and the shutdown screen.

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.


Note



If you want to use the advanced editor in Windows Configuration Designer, specify the user account and app (by AUMID) in Runtime settings > AssignedAccess > AssignedAccessSettings.



Learn how to apply a provisioning package.





Assigned access methods for universal Windows apps


With assigned access, Windows 10 runs the designated universal Windows app above the lock screen, so the assigned access account has no access to any other functionality on the device. You have the following options for setting up assigned access:


Method                                                               Account type                                              Windows 10 edition
Use Settings on the PC                                               Local standard                                            Pro, Enterprise, Education
Apply mobile device management (MDM) policy                          All (domain, local standard, local administrator, etc.)   Enterprise, Education
Create a provisioning package using Windows Configuration Designer   All (domain, local standard, local administrator, etc.)   Enterprise, Education
Run a PowerShell script                                              Local standard                                            Pro, Enterprise, Education

Requirements
    • A domain or local user account.

    • A universal Windows app that is installed or provisioned for that account and is an above lock screen app. For more information, see the guidelines for choosing an app for assigned access. For more information about building above lock screen apps, see Kiosk apps for assigned access: Best practices.

      The app can be your own company app that you have made available in the Microsoft Store for Business. To set up assigned access using MDM or PowerShell, you also need the Application User Model ID (AUMID) for the app. Learn how to get the AUMID.

      The universal Windows app must be able to handle multiple views and cannot launch other apps or dialogs.


Note



Assigned access does not work on a device that is connected to more than one monitor.


Set up assigned access in PC settings
    1. Go to Start > Settings > Accounts > Other users.

    2. Select Set up assigned access.

    3. Choose an account.

    4. Choose an app. Only apps that can run above the lock screen are listed. For more information, see the guidelines for choosing an app for assigned access.

    5. Close Settings. Your choices are saved automatically and are applied the next time that user account signs in.


To remove assigned access, select Turn off assigned access and sign out of the selected account.


Set up assigned access in MDM


Assigned access has one setting, KioskModeApp. In the KioskModeApp setting, you enter the user account name and the AUMID of the app that is to run in kiosk mode.



Learn how to get the AUMID.



See the AssignedAccess configuration service provider (CSP) technical reference.


Set up assigned access using Windows PowerShell


You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices.



To open PowerShell on Windows 10, search for PowerShell, and then find the Windows PowerShell desktop app in the results. Run PowerShell as an administrator.


    Set-AssignedAccess -AppUserModelId <AUMID> -UserName <username>

    Set-AssignedAccess -AppUserModelId <AUMID> -UserSID <usersid>

    Set-AssignedAccess -AppName <CustomApp> -UserName <username>

    Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>


Note



To set up assigned access using the -AppName parameter, the user account that you specify for assigned access must have signed in at least once.



Learn how to get AUMID.



Learn how to get the AppName (see Parameters).



Learn how to get the SID.



To remove the assigned access rights by using PowerShell, run the following cmdlet.


Clear-AssignedAccess
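The cmdlets above take the AUMID and account as given; the following script, an added example rather than code from the page or from Microsoft, wraps Set-AssignedAccess with the checks an administrator would want before leaving a device: it resolves the account to a SID (so the setting survives a later rename of the account), confirms an app with that AUMID is registered, and reads the stored configuration back with Get-AssignedAccess. The account name, the AUMID (the built-in Calculator) and the property names read from Get-AssignedAccess (UserSID, AppUserModelId) are assumptions for this example; adjust them to your device.

```powershell
# Added example: configure assigned access for a local standard account with
# validation before and after the change. Run in an elevated PowerShell.
#Requires -RunAsAdministrator
param(
    [string]$KioskUser = 'KioskUser',                                    # assumed local account name
    [string]$Aumid     = 'Microsoft.WindowsCalculator_8wekyb3d8bbwe!App'  # assumed AUMID (Calculator)
)

# Resolve the account to a SID; -UserSID keeps working if the account is renamed later.
function Get-AccountSid([string]$AccountName) {
    $nt = New-Object System.Security.Principal.NTAccount($AccountName)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Get-StartApps lists the Start apps (Name, AppID) of the user running this script.
# It catches a mistyped AUMID; the app must additionally be installed for the kiosk user.
function Test-Aumid([string]$Id) {
    return [bool](Get-StartApps | Where-Object { $_.AppID -eq $Id })
}

$sid = Get-AccountSid $KioskUser
if (-not (Test-Aumid $Aumid)) {
    throw "AUMID '$Aumid' is not registered on this device; check the spelling and install the app."
}

Set-AssignedAccess -AppUserModelId $Aumid -UserSID $sid

# Verify what Windows actually stored rather than assuming the cmdlet succeeded.
$cfg = Get-AssignedAccess
if (-not $cfg -or $cfg.UserSID -ne $sid -or $cfg.AppUserModelId -ne $Aumid) {
    throw "Assigned access configuration does not match the requested account and app."
}
$cfg | Format-List UserSID, UserName, AppUserModelId, AppName
```

Running the verification step is worth the extra lines: assigned access fails silently at sign-in time if the app is not installed for that account, and the read-back shows whether the device is configured before it is shipped.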


Set up automatic logon


When your kiosk device restarts, whether from an update or a power outage, you can sign in the assigned access account manually or configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign-in.



Edit the registry to have an account signed in automatically.


    1. Open Registry Editor (regedit.exe).

      Note

      If you are not familiar with Registry Editor, learn how to modify the Windows registry.

    2. Go to

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    3. Set the values for the following keys.

      • AutoAdminLogon: set the value to 1.

      • DefaultUserName: set the value to the account that you want to sign in.

      • DefaultPassword: set the value to the password for the account.

        Note

        If DefaultUserName and DefaultPassword do not exist, add them as New > String Value.

      • DefaultDomainName: set the value for the domain; this applies only to domain accounts. For a local account, do not add this entry.

    4. Close Registry Editor. The next time the computer restarts, the account is signed in automatically.

Sign out of assigned access


To exit the assigned access (kiosk) app, press Ctrl + Alt + Del, and then sign in using another account. When you press Ctrl + Alt + Del to sign out of assigned access, the kiosk app exits automatically. If you sign in again as the assigned access account, or wait for the sign-in screen to time out, the kiosk app restarts. The assigned access user remains signed in until an administrator account opens Task Manager > Users and signs out that user account.



If you press Ctrl + Alt + Del and do not sign in to another account, the assigned access will be restored after the set time. The default time is 30 seconds, but you can change the setting in the following registry key:



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI



To change the default time after which assigned access is resumed, add IdleTimeOut (DWORD) and enter the value data in milliseconds, as hexadecimal.
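The two registry edits above (the Winlogon auto-logon values and the LogonUI IdleTimeOut) can be scripted so that every kiosk gets the same values. The script below is an added example, not code from the page or from Microsoft; the account name, the placeholder password and the 30000 ms default are assumptions, and it needs an elevated PowerShell. One caveat worth planning for: AutoAdminLogon stores DefaultPassword in clear text under a registry key that local users can read, so the auto-logon account should be a local standard account used only for the kiosk, with no other privileges, and the page's own advice to rotate the password applies.

```powershell
# Added example: set Winlogon auto-logon and the LogonUI IdleTimeOut by script.
# The password is a placeholder; pass the real one from a secure source at run time.
#Requires -RunAsAdministrator
param(
    [string]$UserName     = 'KioskUser',    # assumed local kiosk account
    [string]$Password     = 'REPLACE-ME',   # placeholder, not a real value
    [string]$DomainName   = '',             # leave empty for a local account
    [int]$IdleTimeOutMs   = 30000           # 30 seconds, the documented default
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$logonUi  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'

# New-ItemProperty -Force both creates a missing value and overwrites an existing one.
function Set-RegValue([string]$Path, [string]$Name, $Value, [string]$Type) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# AutoAdminLogon is a REG_SZ containing "1", not a DWORD.
Set-RegValue $winlogon 'AutoAdminLogon'  '1'       'String'
Set-RegValue $winlogon 'DefaultUserName' $UserName 'String'
Set-RegValue $winlogon 'DefaultPassword' $Password 'String'
if ($DomainName) {
    Set-RegValue $winlogon 'DefaultDomainName' $DomainName 'String'
} else {
    # A stale DefaultDomainName makes Winlogon attempt a domain logon for a local account.
    Remove-ItemProperty -Path $winlogon -Name 'DefaultDomainName' -ErrorAction SilentlyContinue
}

# IdleTimeOut is a DWORD in milliseconds. PowerShell takes the decimal value;
# Registry Editor displays the same value as hexadecimal (30000 = 0x7530).
Set-RegValue $logonUi 'IdleTimeOut' $IdleTimeOutMs 'DWord'

# Read the result back (the password is deliberately not echoed).
Get-ItemProperty -Path $winlogon | Format-List AutoAdminLogon, DefaultUserName, DefaultDomainName
'IdleTimeOut (ms): ' + (Get-ItemProperty -Path $logonUi -Name IdleTimeOut).IdleTimeOut
```

The read-back at the end is the check to keep: a DefaultDomainName left over from an earlier domain configuration, or a DefaultUserName that does not match the assigned access account, leaves the device at the sign-in screen after every restart.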





Shell launcher for Classic Windows applications


With the Shell launcher, you can configure the kiosk that runs the classic Windows application as the user interface. The application that you specify replaces the default Shell (Explorer.exe) that is typically run when the user logs on.



Note



You can also configure a kiosk device that runs a classic Windows application using the Provision kiosk devices wizard.



Warning



Shell Launcher does not support a custom shell that launches a different process and then exits. For example, you cannot specify write.exe as the shell. Shell Launcher launches the custom shell and monitors that process to identify when the custom shell exits. write.exe creates a 32-bit wordpad.exe process and then exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, it takes action based on the exit code of write.exe, such as restarting the custom shell.


Requirements
    • Domain or local user account.

    • The classic Windows application installed for the account. The app can be your own company application or a common app, such as Internet Explorer.


See the technical reference for the Shell Launcher component.


Configuring the Shell Launcher


To set a classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can use PowerShell to set your custom shell as the default.



Turn on Shell Launcher in Windows features


    1. Go to Control Panel > Programs and Features > Turn Windows features on or off.

    2. Expand Device Lockdown.

    3. Select Shell Launcher and OK.


Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package (SMISettings > ShellLauncher), or using the Deployment Image Servicing and Management (DISM.exe) tool.



To turn on Shell Launcher using DISM


    1. Open a command prompt as an administrator.
    2. Enter the following command.

      Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher


Setting up a custom Shell



Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where to change the script for your purposes. Save the script with a .ps1 extension, open Windows PowerShell as an administrator, and run the script on the kiosk device.


# Check if shell launcher license is enabled
function Check-ShellLauncherLicenseEnabled
{
    [string]$source = @"
using System;
using System.Runtime.InteropServices;

static class CheckShellLauncherLicense
{
    const int S_OK = 0;

    public static bool IsShellLauncherLicenseEnabled()
    {
        int enabled = 0;

        if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
            enabled = 0;
        }

        return (enabled != 0);
    }

    static class NativeMethods
    {
        [DllImport("Slc.dll")]
        internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
    }

}
"@

    $type = Add-Type -TypeDefinition $source -PassThru

    return $type[0]::IsShellLauncherLicenseEnabled()
}

[bool]$result = $false

$result = Check-ShellLauncherLicenseEnabled
"`nShell Launcher license enabled is set to " + $result
if (-not($result))
{
    "`nThis device doesn't have required license to use Shell Launcher"
    exit
}

$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"

# Create a handle to the class instance so we can call the static methods.
try {
    $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
} catch [Exception] {
    write-host $_.Exception.Message;
    write-host "Make sure Shell Launcher feature is enabled"
    exit
}


# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.

$Admins_SID = "S-1-5-32-544"

# Create a function to retrieve the SID for a user account on a machine.

function Get-UsernameSID($AccountName) {

    $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
    $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])

    return $NTUserSID.Value

}

# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.

$Cashier_SID = Get-UsernameSID("Cashier")

# Define actions to take when the shell program exits.

$restart_shell = 0
$restart_device = 1
$shutdown_device = 2

# Examples. You can change these examples to use the program that you want to use as the shell.

# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. 

$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)

# Display the default shell to verify that it was added correctly.

$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()

"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction

# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.

$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)

# Set Explorer as the shell for administrators.

$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")

# View all the custom shells defined.

"`nCurrent settings for custom shells:"
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction

# Enable Shell Launcher

$ShellLauncherClass.SetEnabled($TRUE)

$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()

"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled

# Remove the new custom shells.

$ShellLauncherClass.RemoveCustomShell($Admins_SID)

$ShellLauncherClass.RemoveCustomShell($Cashier_SID)

# Disable Shell Launcher

$ShellLauncherClass.SetEnabled($FALSE)

$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()

"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
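The sample script sets and removes shells; it does not show how to review what a device currently has. The script below is an added example, not code from the page or from Microsoft: a read-only audit of the same WESL_UserSetting class that lists every custom shell with the account it applies to, the exit action, and a review flag when a general-purpose shell (cmd.exe, powershell.exe, explorer.exe) is assigned to an account other than the Administrators group. The flagged shells, the action names (taken from the constants in the script above) and the property names Shell, Sid and DefaultAction are assumptions drawn from that script.

```powershell
# Added example: audit the current Shell Launcher configuration without changing it.
#Requires -RunAsAdministrator
$namespace = 'root\standardcimv2\embedded'
$class     = [wmiclass]"\\localhost\${namespace}:WESL_UserSetting"

$adminsSid  = 'S-1-5-32-544'   # BUILTIN\Administrators, as in the sample script
$actionName = @{ 0 = 'restart shell'; 1 = 'restart device'; 2 = 'shut down device' }
# A shell that gives the signed-in user the whole machine instead of one application.
$broadShellPattern = '(?i)(^|[\\\s"])(cmd|powershell|pwsh|explorer)\.exe(\s|"|$)'

function Convert-SidToName([string]$Sid) {
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return "(unresolved) $Sid" }
}

# Returns the enabled state plus one record per shell (default shell first).
function Get-ShellLauncherAudit {
    $enabled = $class.IsEnabled().Enabled
    $records = @()
    try {
        $default = $class.GetDefaultShell()
        $records += [pscustomobject]@{
            Account = '(default shell)'; Sid = '-'; Shell = $default.Shell
            Action  = $actionName[[int]$default.DefaultAction]; Flag = ''
        }
    } catch { $records += [pscustomobject]@{ Account = '(default shell)'; Sid = '-'; Shell = '(none set)'; Action = ''; Flag = '' } }

    foreach ($s in @(Get-WmiObject -Namespace $namespace -Class WESL_UserSetting)) {
        $flag = ''
        if ($s.Sid -ne $adminsSid -and $s.Shell -match $broadShellPattern) {
            $flag = 'REVIEW: general-purpose shell for a non-administrator account'
        }
        $records += [pscustomobject]@{
            Account = Convert-SidToName $s.Sid; Sid = $s.Sid; Shell = $s.Shell
            Action  = $actionName[[int]$s.DefaultAction]; Flag = $flag
        }
    }
    return [pscustomobject]@{ Enabled = $enabled; Shells = $records }
}

$audit = Get-ShellLauncherAudit
"Shell Launcher enabled: $($audit.Enabled)"
$audit.Shells | Format-Table Account, Shell, Action, Flag -AutoSize -Wrap
```

Run this after the configuration script and again as part of periodic checks: the sample above deliberately sets cmd.exe as the default shell for demonstration, and a device that reaches production with that default still in place gives any account without a custom shell a command prompt instead of the kiosk app.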


Additional settings to lock down


For a more secure kiosk experience, we recommend that you make the following configuration changes to the device:


  • Put the device in Tablet mode.

    If you want users to be able to use the touch (on-screen) keyboard, go to Settings > System > Tablet mode and choose On.

  • Hide Ease of access on the sign-in screen.

    Go to Control Panel > Ease of Access > Ease of Access Center, and turn off all accessibility tools.

  • Disable the hardware power button.

    Go to Power Options > Choose what the power button does, change the setting to Do nothing, and then Save changes.

  • Remove the power button from the sign-in screen.

    Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Shutdown: Allow system to be shut down without having to log on, and select Disabled.

  • Disable the camera.

    Go to Settings > Privacy > Camera, and turn off Let apps use my camera.

  • Turn off app notifications on the lock screen.

    Go to Group Policy Editor > Computer Configuration > Administrative Templates\System\Logon\Turn off app notifications on the lock screen.

  • Disable removable media.

    Go to Group Policy Editor > Computer Configuration > Administrative Templates\System\Device Installation\Device Installation Restrictions. Review the policy settings available in Device Installation Restrictions for the ones that apply to your situation.

    Note

    To prevent this policy from affecting members of the Administrators group, enable Allow administrators to override Device Installation Restriction policies in Device Installation Restrictions.
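Several of the settings above are Group Policy or security options that are ultimately stored in the registry, which makes it possible to verify a kiosk's state from a script instead of clicking through the UI. The script below is an added example, not code from the page or from Microsoft. The policy-to-registry mappings (ShutdownWithoutLogon, DisableLockScreenAppNotifications, DenyRemovableDevices, AllowAdminInstall, LetAppsAccessCamera) are my own reading of the Windows policy templates rather than anything the page states, so confirm them against the ADMX files in use; the camera check looks at the machine-wide policy rather than the per-user Settings toggle described above, and the tablet mode and Ease of Access items are not covered.

```powershell
# Added example: read-only check of registry-backed kiosk lockdown settings.
# Each entry names the setting as it appears in the policy editor, the registry
# location assumed to back it, and the value expected on a locked-down kiosk.
$checks = @(
    @{ Setting = 'Shutdown: Allow system to be shut down without having to log on = Disabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'ShutdownWithoutLogon'; Expected = 0 },
    @{ Setting = 'Turn off app notifications on the lock screen = Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'DisableLockScreenAppNotifications'; Expected = 1 },
    @{ Setting = 'Device Installation Restrictions: prevent installation of removable devices = Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
       Name = 'DenyRemovableDevices'; Expected = 1 },
    @{ Setting = 'Allow administrators to override Device Installation Restriction policies = Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
       Name = 'AllowAdminInstall'; Expected = 1 },
    @{ Setting = 'Let Windows apps access the camera = Force Deny'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'
       Name = 'LetAppsAccessCamera'; Expected = 2 }
)

# Returns one record per check. A missing value is reported as 'not set' and
# counted as REVIEW, because an unconfigured policy falls back to the default.
function Get-KioskLockdownState {
    foreach ($c in $checks) {
        $actual = $null
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($c.Name) }

        $shown  = 'not set'
        $status = 'REVIEW'
        if ($null -ne $actual) {
            $shown = $actual
            if ($actual -eq $c.Expected) { $status = 'OK' }
        }
        [pscustomobject]@{
            Status   = $status
            Setting  = $c.Setting
            Actual   = $shown
            Expected = $c.Expected
        }
    }
}

Get-KioskLockdownState | Format-Table Status, Setting, Actual, Expected -AutoSize -Wrap
```

Treating "not set" as a finding rather than a pass is the point of the script: a kiosk image on which the policy was never applied looks identical, in the UI, to one where it was applied and later removed.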

