Simplifying kiosk management for IT with Windows 10
Published Apr 27 2018 06:00 AM 81.2K Views
Microsoft

This post outlines the investments Microsoft is making to simplify the configuration and management of kiosk devices, improving Windows 10 as a kiosk platform for IT organizations. Our investments in kiosk and Firstline Worker scenarios are part of a bigger mission to simplify IT in the modern workplace.

You see kiosks everywhere you go: in airports, supermarkets, movie theaters, restaurants, banks, and many other places. Kiosks have many forms and functions. What most people don’t realize is that many of them are powered by Windows.

Windows has long been the platform of choice for kiosk devices because of its security capabilities, the availability of applications, enterprise software assurance support, and a broad ecosystem of device and peripheral partners. Today we see a growing number of IT organizations developing and deploying their own kiosk solutions using standard hardware and, in some cases, repurposing existing hardware.

We use the term “kiosk” as an umbrella term for a broad category of devices, but it generally boils down to two main scenarios:

  1. Kiosks that are used in the “public” domain and do not require users to log in or authenticate.
  2. Kiosks that are shared by Firstline Workers to complete a specific task, which typically requires the user to authenticate before accessing the device.

Both usage scenarios have a few requirements in common:

  • The need for security, regardless of where the kiosks are deployed.
  • A consistent experience for each person who uses them, so that no one person can modify the device in a way that impacts the next user.
  • The need for an intuitive experience that is focused on the task at hand.

In the past year, with every Windows feature update, we’ve introduced significant improvements to our kiosk capabilities:

  • Assigned access enables you to create not only single-app kiosks for customers, but also kiosks that run multiple apps.
  • Assigned access now works with Windows 10 Pro and higher, including in S Mode.
  • Windows Configuration Designer includes a wizard for single-app kiosk configuration. Install a provisioning package and your device is ready to go.
  • Multi-app kiosks now support both Universal Windows Platform (UWP) apps and classic Win32 apps.
  • You can deploy curated kiosk experiences directly from the cloud using Microsoft Intune.
  • We continue to add more policies that enable IT to tailor the experience for end users. To name a few: power settings to enable any device to run 24/7, touch keyboard configuration policies, a locked-down Start screen, and more.

For more information, see Set up a kiosk or digital signage on Windows 10. You can also watch a quick demo on setting up a kiosk using Microsoft Intune or using a provisioning package.

With the upcoming release of Windows 10, version 1803, we are taking the next steps in our efforts to make kiosks even more capable – and easier to deploy and configure. Some key assigned access enhancements include:

  • Support for multiple screens for digital signage use cases.
  • The ability to ensure all MDM configurations are enforced on the device prior to entering assigned access using the Enrollment Status page.
  • The ability to configure and run Shell Launcher in addition to existing UWP Store apps.
  • A simplified process for creating and configuring an auto-logon kiosk account so that a public kiosk automatically enters a desired state after a reboot, a critical security requirement for public-facing use cases.
  • For multi-user Firstline Worker kiosk devices, instead of specifying every user, it’s now possible to assign different assigned access configurations to Azure AD groups or Active Directory groups.
  • To help with troubleshooting, you can now view error reports generated if an assigned access-configured app has issues.

Kiosk Browser

We are excited to complete the circle of support for classic Windows desktop apps and UWP Store Apps with a new Kiosk Browser app. The Kiosk Browser app is built on Microsoft Edge and can be used to create a tailored browsing experience. Kiosk Browser is great for presenting interactive web apps and digital signage content. Kiosk Browser can be configured to navigate to a default URL without showing any UI. When used with other types of kiosks, it can be configured with a list of allowed URLs and the UI elements that should be presented (e.g. navigation buttons). It can also be configured to automatically clear user data between sessions.

To ensure IT has control, Kiosk Browser can only be configured through provisioning or an MDM provider such as Intune. Please refer to our documentation for more information on how to deploy and configure Kiosk Browser.

The Kiosk Browser is available in the Microsoft Store for Business for you to try out yourself.

 


Looking forward

This post would not be complete without sharing some of our future plans. We will continue to make it easier for IT departments to manage, configure, and deploy Windows 10 kiosks for customers and Firstline Workers, and plan to include the following capabilities in a future Windows 10 feature update:

  • Deploy a kiosk device with minimal user interaction, thanks to Windows AutoPilot and device management support. Simply unbox the device, start it up, and the device is ready to go. Stay tuned; this will be available to Windows Insiders in preview soon.
  • Enabling device management to remotely trigger a Windows AutoPilot Reset to bring a kiosk back to a pristine state for a reliable kiosk experience.
  • Integration of the Kiosk Browser’s functionality directly into Microsoft Edge to support a larger scope of web scenarios.

To learn more about Windows kiosks, check out our Windows kiosk documentation. I encourage you to try out the capabilities and leave a comment below if there are other enhancements and scenarios you would like from the platform.

  


Continue the conversation. Find best practices. Bookmark the Windows 10 Tech Community.

Looking for support? Visit the Windows 10 IT pro forums.


 

18 Comments
Brass Contributor

It is really disappointing that kiosk mode browser does not support group policy. This is really going to impact adoption of this feature.

Microsoft

@Alan Burchill -

Thanks for the comment and interest. You observed correctly, we are putting a lot of effort and energy around our modern management scenarios (MDM). For multiple reasons, including security and connectivity, we believe Windows 10S is an ideal platform to be used for Kiosk and Firstline Workers, especially where there is a need to run & manage those devices off corp network.
We see increasing demand for these scenarios with special emphasis on simplicity and security. MDM + Windows 10S are ideal.

* To be clear: All the above will work just fine with Win10 Pro. Windows 10S is not mandatory. But for those customers who will choose to go with Windows 10S, we need a non-GP solution.
Our goal is to provide those capabilities to IT and we believe modern manageability with modern OS can provide those (more news to come).

 

That all being said, we are in listening mode and would love to hear more about your scenarios, your needs and feature asks. Feel free to ping me directly as needed.

Thanks again.

 

Copper Contributor

Hi @Ariel Netz,

 

When will the new Kiosk Browser app be available in the store for business in Australia? 

I've had a look and can't seem to find it.

 

Also, the Policy CSP documentation appears to be incomplete, as the DataType for each policy isn't defined and the URL black list policies state the use of a wildcard but do not define what that is or URL formatting.

 

I may be just a little quick on trying to find the correct information.

 

Cheers,


Matt

Copper Contributor

Hi, @Ariel Netz

 

I'm also looking for the Kiosk Browser, any news?

Brass Contributor

Thanks for the article!  

 

Our organization has a very complex set of needs for our kiosk machines. Historically, we've used Group Policy to configure and lock down machines with specific needs of the customers in mind. We have somewhere between 10-20 different configurations, each with specific needs such as multiple applications, Control Panel/Settings lockdowns, etc. I'm interested in these new options, but have some concerns. Many of our customers need a full Windows environment to be able to work with Office documents, web browsers (Chrome, Firefox, IE) and the ability to use USB flash drives and network printers. While simplified kiosks running one or two applications sound great to us from a development and management perspective, I'm afraid our environment is more complex than that. I've been struggling to migrate our Windows 7 kiosks to Windows 10 compatible Group Policy-based kiosks, but have had a very difficult time with some of the requirements we have. What kinds of options are there for situations like ours and what would your advice be on this? Will there be live streaming events or recorded sessions on these new kiosk features that we could attend or watch later? Thank you for your team's work on this!

 

Micah

Microsoft

Hey @Micah Hibdon 

 

Would love to hear more about your scenarios and your challenges in moving from Windows 7 to Windows 10 for Kiosks that are GP based.

After that, we can discuss simplification. I will PM you. 

Microsoft

@Gustav Malm @Matthew Barrett ...

Apologies for the delay. We will have an update by end of week.

A bit on "behind the scenes": we are timing the release of the app with a service component, as the app is useful only when configured properly via the MDM channel.

 

Brass Contributor

Any updates on this? I have a public kiosk project that we want to AutoPilot \ cloud manage and deploy. 

Microsoft

@nigel brown , @Matthew Barrett, @Gustav Malm and others ….

 

The app is in the Store. You can find it in the Store for Business at the following link:

https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Simplifying-kiosk-management-for-IT-with-...

 

You should also take a look at today's announcement as they help complete the story of where we are heading with Autopilot and how it can be used in the Kiosk and Shared Devices workload.

 

https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Autopilot-What-s-new-and-what-s-n...

 

Try it out, let us know how it goes.

Copper Contributor

Hi Ariel, we spoke previously at Ignite a few years ago. Great to see progress being made on this. I work with clients who have more complicated kiosk needs than simply displaying a webpage and have interactivity with services and hardware too - especially payment devices. We're not using Windows S (although it's interesting that it is being positioned for certain types of kiosks) but needed to use Windows 10 Enterprise IoT - mainly because of the OEM status and the need for Win32 apps (find me a major payment provider that doesn't use services on Windows, none of them are doing anything with UWP yet). Most of the more advanced on-boarding and enrolment features appear to have come post 1607 though, especially Auto-Pilot. Firstline is very interesting too, but I'm more interested in retail kiosks rather than firstline worker kiosks. Single app, but multi-modal. Do you have any retail scenarios where payment and printing are included? Thanks

Copper Contributor

Ciao Ariel, just a question about licensing. In my scenario (retail) I am going to have PC in kiosk mode used by users with NO Microsoft 365 license. These users just need to use a single application. I would like to use AutoPilot to set kiosk mode and configure PC but what about licensing?

Thanks 

Paolo

Microsoft

Hey @Gary Cooper

 

Good to hear from you. Yes, I very much remember the conversations we had last year.

While we recommend 10S for these scenarios, we also recognize win32 apps may be required. Many if not all of the improvements you see, can work on a Pro device.

However, the device management must be an MDM provider like Intune which supports all the improvements made in the OS.  

What you can't do: You can't use our Assigned Access (running the app above the lock screen) with a Win32 app.

What you can do instead is either: 1) Configure the device as a multiple app Kiosk, even if it's a single app (which can be win32) or 2) Configure the device with Shell Launcher.

 

Hope this helps and hope to see you at Ignite 2018

 

 

Microsoft

Hey @Paolo Bodini

 

Would love to hear more about your scenario (feel free to IM directly). Specifically would love to hear how you plan on managing the device and configure them past the autopilot phase. 

If you look just to restart the device, why not use the WCD tool with a USB at startup if there is no need to manage the device past that point?

 

 

Copper Contributor

Is it possible to use Windows Hello for the authentication in the firstline workers kiosk scenario? So far, I have only come across scenarios in which Windows Hello would verify that a given user is logged in, but the features of Windows Hello actually make it viable to use it for user selection.

Microsoft

@georg.hinkel 

 

We are working on making the Windows Hello experience easier for first line workers or in general what we will classify as "Shared PC". The challenge in these scenarios is that typically there is no user profile on the device, and once it has been created, it is usually cleaned up automatically after some time. That cleanup removes Windows Hello for the user.

 

We will share and show more about what we are doing in this space next month at Ignite. 

 

 

Copper Contributor

Hello,

 

Is it possible to set the Kiosk Browser as the default browser on Windows 10 Pro somehow?

I have set up a multi-app Kiosk for MDM managed devices.

One of the apps launches a browser to authenticate to AAD. Another requirement is that only a specific number of websites should be allowed on the device. 

I could solve this issue easily if I could configure the Kiosk Browser as default so it launches automatically to authenticate to AAD and configure the whitelisted URLs.

 

thanks in advance

Wannes

Copper Contributor

Autopilot, which occurs with the Applications of third parties that are not in the Store, how the profile is backed up, in case of theft of equipment, how it is restored and what the equipment and the user had, this type is necessary of information.
Use of Kiosk
AutoPilot recommendations for WAN links, Microwaves

Copper Contributor

I've been unsuccessful with my attempts to configure a multi-app Kiosk mode desktop. And I just spent 2.5 hours on a call with Microsoft Tech Support trying to solicit their assistance via a paid support incident. I was passed from one engineer to the next only to finally be told that configuring multi-app Kiosk mode is simply beyond the scope of what Microsoft Tech Support can deal with.

Last update: Jun 07 2018 11:14 AM