Configuring multi-app kiosk mode on Windows 11

This week is all about multi-app kiosk mode on Windows 11 devices. Kiosk mode in itself is nothing new, nor is the configuration of kiosk mode. However, until a few months ago, it was not possible to configure multi-app kiosk mode on Windows 11. That’s possible now, although the configuration options via Microsoft Intune are not that straightforward yet: it’s not available via a standardized configuration profile. It is, however, already possible to configure multi-app kiosk mode via the MDM WMI Bridge Provider. That provider relies on configuration capabilities within the MDM channel, which means that the configuration can also be achieved directly via Microsoft Intune. Multi-app kiosk mode relies on assigned access to run one or more apps from the desktop. This blog post will mainly focus on applying the multi-app kiosk mode on Windows 11 devices by using Microsoft Intune. Besides that, it will describe the main configurations for creating the multi-app kiosk mode configuration. This post will end by showing the user experience with the applied multi-app kiosk mode configuration.

Note: The configuration option described in this post relies on a custom configuration XML-file. That provides a lot of flexibility, but also requires some more detailed knowledge. Make sure to be familiar with the required technology.

Creating the custom multi-app kiosk mode configuration

Configuring multi-app kiosk mode with a custom configuration starts with the creation of the XML-file that describes the configuration. That XML-file can be used to apply the multi-app kiosk mode on Windows 11 devices. The configuration of that XML-file is still pretty similar to what it was for Windows 10, with some minor tweaks. The basic structure of the XML-file contains two sections. The first section is the profiles section, which contains a unique profile id and describes the applications that are allowed to run, the Start layout configuration, and the taskbar configuration. There can be multiple profiles within that section, each with its own unique profile id. Besides that, there is the config section. That section associates a non-admin user account with a profile. There can also be multiple configurations within that section, all focused on connecting a profile to an account. Now let’s briefly walk through those different sections in a bit more detail.

Profile id

The first section, within the profiles section, is the profile id section. That id is a GUID that is used to uniquely identify the profile. That GUID just needs to be unique within the XML-file. Within that section the configuration that belongs to that id is described. Any additional profile requires its own unique id. Below is an example of the profile id section.

<Profiles>
  <Profile Id="{9A2A490F-10F6-4764-974A-53B19E722C23}">       
  </Profile> 
</Profiles>

AllowedApps

The next section, within the profile section, is actually the AllAppsList section. That section, however, only contains the AllowedApps section. The AllowedApps section contains the apps that are allowed to run on the device. By default, the multi-app kiosk mode configuration applies AppLocker configurations to only allow the specified apps. Those can be both UWP apps and desktop apps. Below is an example of the AllowedApps section that contains Calculator, Notepad, Paint, Photos, and Settings.

<AllAppsList>
  <AllowedApps> 
    <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> 
    <App AppUserModelId="Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" /> 
    <App AppUserModelId="Microsoft.Paint_8wekyb3d8bbwe!App" /> 
    <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> 
    <App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" /> 
  </AllowedApps> 
</AllAppsList> 

Note: When allowing the Settings app, make sure to scope the available functionality to only what’s really needed.

StartPins

The next section, within the profile section, is the StartPins section. That section configures the apps that should be pinned to the Start layout. This section should be in line with the previous section. Mainly because apps in the Start layout must be allowed to run, for the user to be able to start those apps. Below is an example of the StartPins section that also contains Calculator, Notepad, Paint, Photos, and Settings.

<win11:StartPins>
  <![CDATA[  
    { "pinnedList":[
      {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
      {"packagedAppId":"Microsoft.WindowsNotepad_8wekyb3d8bbwe!App"},
      {"packagedAppId":"Microsoft.Paint_8wekyb3d8bbwe!App"},
      {"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
      {"packagedAppId":"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"}
    ] }
  ]]>
</win11:StartPins>

ShowTaskbar

The last section, within the profile section, is the ShowTaskbar section. That section configures whether the taskbar should be visible. Below is an example of the ShowTaskbar section that configures the taskbar as visible.

<Taskbar ShowTaskbar="true"/>

Note: Besides this it’s now also possible to add a TaskbarLayout section to pin specific apps to the taskbar.

Config

The config section connects a profile to a user account. That account can actually be a group or an individual account. In both cases that can be something local, something from Active Directory, or something from Entra ID. Besides that, it can also be used to configure an auto logon account. Below is an example of the Config section that connects the user MultiAppKioskUser to the created profile.

<Config>
  <Account>MultiAppKioskUser</Account>
  <DefaultProfile Id="{9A2A490F-10F6-4764-974A-53B19E722C23}"/>
</Config>

Important: When using a local account, that account must already exist before applying the configuration.

Note: Keep in mind that a profile has no effect when it’s not associated with an account in the config section.

Complete configuration overview

Putting all the different sections together, brings the complete picture of the multi-app kiosk mode configuration. Below is an example that brings all the pieces together that are briefly described in this post.

<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration  
  xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-53B19E722C23}">       
      <AllAppsList>
        <AllowedApps> 
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> 
          <App AppUserModelId="Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" /> 
          <App AppUserModelId="Microsoft.Paint_8wekyb3d8bbwe!App" /> 
          <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> 
          <App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" /> 
        </AllowedApps> 
      </AllAppsList> 
      <win11:StartPins>
        <![CDATA[  
          { "pinnedList":[
            {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
            {"packagedAppId":"Microsoft.WindowsNotepad_8wekyb3d8bbwe!App"},
            {"packagedAppId":"Microsoft.Paint_8wekyb3d8bbwe!App"},
            {"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
            {"packagedAppId":"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"}
          ] }
        ]]>
      </win11:StartPins>
      <Taskbar ShowTaskbar="true"/>
    </Profile> 
  </Profiles>
  <Configs>
    <Config>
      <Account>MultiAppKioskUser</Account>
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-53B19E722C23}"/>
    </Config>
  </Configs>
</AssignedAccessConfiguration>

Applying multi-app kiosk mode configuration

When looking at applying the multi-app kiosk mode configuration, all roads point to the AssignedAccess CSP. That CSP can be used to configure a Windows device to run in (multi-app) kiosk mode. Once the CSP has been executed, the next user login that is associated with the (multi-app) kiosk mode puts the device into the specified kiosk mode. That CSP is the same that is also already used in the examples, provided by Microsoft, to configure the multi-app kiosk mode via the MDM WMI Bridge Provider. Within Microsoft Intune a Custom profile can be used to apply a custom multi-app kiosk mode configuration via the AssignedAccess CSP. The following nine steps walk through applying the custom multi-app kiosk mode configuration by using the configuration node of the AssignedAccess CSP.

  1. Open the Microsoft Intune admin center and navigate to Devices > Windows > Configuration profiles
  2. On the Windows | Configuration profiles blade, click Create > New policy to open the Create a profile page
  3. On the Create a profile page, provide the following information and click Create
    • Platform: Select Windows 10 and later as value
    • Profile type: Select Templates as value
    • Template name: Select Custom as value
  4. On the Basics page, provide a unique Name to distinguish the profile from other custom profiles and click Next
  5. On the Configuration settings page, as shown below in Figure 1, click Add to add rows for the following custom settings and click Next
    • OMA-URI setting – This setting is used to configure multi-app kiosk mode on Windows 11
      • Name (1): Provide a name for the OMA-URI setting to distinguish it from other similar settings
      • Description (2): (Optional) Provide a description for the OMA-URI setting to further differentiate settings
      • OMA-URI (3): Specify ./Vendor/MSFT/AssignedAccess/Configuration as value to configure multi-app kiosk mode
      • Data type (4): Select String as value
      • Value (5): Specify the created XML-file as value to set the required multi-app kiosk mode configuration
  6. On the Scope tags page, configure the applicable scopes and click Next
  7. On the Assignments page, configure the assignment and click Next
  8. On the Applicability rules page, configure the applicability rules and click Next
  9. On the Review + create page, verify the configuration and click Create

Note: At some point in time this setting might become directly available within Microsoft Intune.

Experiencing multi-app kiosk mode on Windows 11

When the configuration of the multi-app kiosk mode is applied, it’s relatively easy to verify the configuration. Simply sign in with a user account that has the multi-app kiosk mode configured and see what happens. With the configuration created throughout this post, a few obvious items are configured and shown below in Figure 2. That shows the user account that is used with number 1, the pinned items in the Start layout with number 2, and the available taskbar with number 3. Besides that, when testing this configuration, also try starting apps that are not allowed, simply to verify the assigned access that comes with the multi-app kiosk mode.

More information

For more information about multi-kiosk mode on Windows 11 devices, refer to the following docs.

21 thoughts on “Configuring multi-app kiosk mode on Windows 11”

  1. Hello, if we try for example an app which is running from the user profile – it will not work

    I’ll get in the event log of AppLocker the following error => error 8004 => %OSDRIVE%\USERS\KIOSKUSER0\APPDATA\LOCAL\WEBEX\CISCOWEBEXSTART.EXE blocked

  2. Great article, Peter! Have you ever tried to assign apps in kiosk-mode, which require a username in the app path, such as “%OSDRIVE%\USERS\*\APPDATA\LOCAL\Webex\WebexHost.exe”? Thanks, Klaus

  3. Hi,

    Great article, but what is the best way to create a local user on those kiosk systems?
    By using a remediation script or something else?

    Gr,
    Nico

  4. Hey,

    After pushing the exact XML to a Windows 11 device the configuration shows as “error” in Intune with an error code “0x87d1fde8”.

    Any idea as to why this could be happening? I’m using your exact configuration.

  5. I did this and it worked for me, however it shows option for All Apps which user can easily go to select other Apps. It also shows Apps shortcut installed on Desktop.

    Actually what I want to achieve is a single app and not multi app. I have used this code below but not sure about the OMA-URI

    Test

    Two questions,
    – is this xml the correct format for kiosk mode?
    – what will be the OMA-URI in this instance?

    Thanks very much for your help

  6. Hi Peter,

    Thanks for this, but I am unable to get it working even with your XML. I have entered the quotations manually just in case I have the copy issue. But I am still unable to get this working.

    Error code is:
    -2016281112

    Any ideas?

  7. Hi Peter,

    Thanks for the article!

    I’m just wondering if it’s possible to have the allowed apps using a tiled layout like in the Windows 10 kiosk? As I’m not a fan of the pinned list.

    Win10 code looks like the below.

    Also, how do we allow USB and access to the downloads folder, is it still like the below?

    Thanks!

  8. Hi Peter,

    I’ve tried to implement a kiosk profile with your configuration but I keep getting error codes in Intune:

    ERROR CODE
    0x87d1fde8

    SETTING
    Configuration [./Vendor/MSFT/AssignedAccess/Configuration]

    STATE
    Error

    Perhaps I need to change something within the XML file.

    Can you help me?
