Configuring multi-app kiosk mode on Windows 11

This week is all about multi-app kiosk mode on Windows 11 devices. Kiosk mode on itself is nothing new, nor is the configuration of kiosk mode. However, until a few months ago, it was not possible to configure multi-app kiosk mode on Windows 11. That’s possible now, except the configuration options via Microsoft Intune are not that straight forward yet. As in, it’s not available via a standardized configuration profile yet. It is, however, already possible to configure multi-app kiosk mode via the MDM WMI Bridge Provider. That provider relies on configuration capabilities within the MDM channel, which means that the configuration can also be achieved directly via Microsoft Intune. Multi-app kiosk mode relies on assigned access to run one or more apps from the desktop. This blog post will mainly focus on applying the multi-app kiosk mode on Windows 11 devices, by using Microsoft Intune. Besides that, it will describe the main configurations for creating the multi-app kiosk mode configuration. This post will end by showing the user experience with the applied multi-app kiosk mode configuration.

Note: The configuration option described in this post, relies on a custom configuration XML-file. That provides a lot of flexibility, but also relies on some more detailed knowledge. Make sure to be familiar with the required technology.

Creating the custom multi-app kiosk mode configuration

When looking at configuring multi-app kiosk mode, by relying on a custom configuration, it starts with the creation of the XML-file that describes the configuration. That XML-file can be used to apply the multi-app kiosk mode on Windows 11 devices. The configuration of that XML-file is still pretty similar to what it was for Windows 10. Just with some minor tweaks. The basic structure of the XML-file contains basically two sections. The first section is the profiles section, which contains a unique profile id and describes the applications that are allowed to run, the Start layout configuration, and the taskbar configuration. There can be multiple profiles within that section, each with their own unique profile id. Besides that, there is the config section. That section associates a non-admin user account to a profile. There can also be multiple configurations within that section. All focused on connecting a profile to an account. Now let’s briefly walk through the those different sections in a bit more detail.

Profile id

The first section, within the profiles section, is the profile id section. That id is a GUID that is used to uniquely identify the profile. That GUID just needs to be unique within the XML-file. Within that section the configuration that belongs to that id is described. Any additional profile requires their own unique id. Below is an example of the profile id section.

<Profiles>
  <Profile Id="{9A2A490F-10F6-4764-974A-53B19E722C23}">       
  </Profile> 
</Profiles>

AllowedApps

The next section, within the profile section, is actually the AllAppList section. That section, however, only contains the AllowedApps section. The AllowedApps section contains the apps that are allowed to run on the device. By default, the multi-app kiosk mode configuration applies AppLocker configurations to only allow the specified apps. That can be both, UWP apps and desktop apps. Below is an example of the AllowedApps section that contains Calculator, Notepad, Paint, Photos, and Settings.

<AllAppsList>
  <AllowedApps> 
    <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> 
    <App AppUserModelId="Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" /> 
    <App AppUserModelId="Microsoft.Paint_8wekyb3d8bbwe!App" /> 
    <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> 
    <App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" /> 
  </AllowedApps> 
</AllAppsList> 

Note: When allowing the Settings app, make sure to scope the available functionality to only what’s really needed.

StartPins

The next section, within the profile section, is the StartPins section. That section configures the apps that should be pinned to the Start layout. This section should be in line with the previous section. Mainly because apps in the Start layout must be allowed to run, for the user to be able to start those apps. Below is an example of the StartPins section that also contains Calculator, Notepad, Paint, Photos, and Settings.

<win11:StartPins>
  <![CDATA[  
    { "pinnedList":[
      {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
      {"packagedAppId":"Microsoft.WindowsNotepad_8wekyb3d8bbwe!App"},
      {"packagedAppId":"Microsoft.Paint_8wekyb3d8bbwe!App"},
      {"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
      {"packagedAppId":"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"}
    ] }
  ]]>
</win11:StartPins>

ShowTaskbar

The last section, within the profile section, is the ShowTaskbar section. That section configures whether the taskbar should be visible. Below is an example of the ShowTaskbar section that configures the taskbar as visible.

<Taskbar ShowTaskbar="true"/>

Note: Besides this it’s now also possible to add a TaskbarLayout section to pin specific apps to the taskbar.

Config

The config section connects a profile to a user account. That account can actually be a group or an individual account. In both cases that can be something local, something from Active Directory, or something from Entra ID. Besides that, it can also be used to configure an auto logon account. Below is an example of the Config section that connects the user MultiAppKioskUser to the created profile.

<Config>
  <Account>MultiAppKioskUser</Account>
  <DefaultProfile Id="{9A2A490F-10F6-4764-974A-53B19E722C23}"/>
</Config>

Important: When using a local account that account must already exist before applying the configuration.

Note: Keep in mind that a profile has no effect when it’s not associated to an account in the config section.

Complete configuration overview

Putting all the different sections together, brings the complete picture of the multi-app kiosk mode configuration. Below is an example that brings all the pieces together that are briefly described in this post.

<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration  
  xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-53B19E722C23}">       
      <AllAppsList>
        <AllowedApps> 
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> 
          <App AppUserModelId="Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" /> 
          <App AppUserModelId="Microsoft.Paint_8wekyb3d8bbwe!App" /> 
          <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> 
          <App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" /> 
        </AllowedApps> 
      </AllAppsList> 
      <win11:StartPins>
        <![CDATA[  
          { "pinnedList":[
            {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
            {"packagedAppId":"Microsoft.WindowsNotepad_8wekyb3d8bbwe!App"},
            {"packagedAppId":"Microsoft.Paint_8wekyb3d8bbwe!App"},
            {"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
	    {"packagedAppId":"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"}
          ] }
        ]]>
      </win11:StartPins>
      <Taskbar ShowTaskbar="true"/>
    </Profile> 
  </Profiles>
  <Configs>
    <Config>
      <Account>MultiAppKioskUser</Account>
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-53B19E722C23}"/>
    </Config>
  </Configs>
</AssignedAccessConfiguration>

Applying multi-app kiosk mode configuration

When looking at applying the multi-app kiosk mode configuration, all roads point to the AssignedAccess CSP. That CSP can be used to configure a Windows device to run in (multi-app) kiosk mode. Once the CSP has been executed, the next user login that is associated with the (multi-app) kiosk mode puts the device into the specified kiosk mode. That CSP is the same that is also already used in the examples, provided by Microsoft, to configure the multi-app kiosk mode via the MDM WMI Bridge Provider. Within Microsoft Intune a Custom profile can be used to apply a custom multi-app kiosk mode configuration via the AssignedAccess CSP. The following nine steps walk through applying the custom multi-app kiosk mode configuration by using the configuration node of the AssignedAccess CSP.

  1. Open the Microsoft Intune admin center navigate to Devices Windows > Configuration profiles
  2. On the Windows | Configuration profiles blade, click Create > New policy to open the Create a profile page
  3. On the Create a profile page, provide the following information and click Create
  • Platform: Select Windows 10 and later as value
  • Profile type: Select Templates as value
  • Template name: Select Custom as value
  1. On the Basics page, provide a unique Name to distinguish the profile from other custom profiles and click Next
  2. On the Configuration settings page, as shown below in Figure 1, click Add to add rows for the following custom settings and click Next
  • OMA-URI setting – This setting is used to configure multi-app kiosk mode on Windows 11
    • Name (1): Provide a name for the OMA-URI setting to distinguish it from other similar settings
    • Description (2): (Optional) Provide a description for the OMA-URI setting to further differentiate settings
    • OMA-URI (3): Specify ./Vendor/MSFT/AssignedAccess/Configuration as value to configure multi-app kiosk mode
    • Data type (4): Select String as value
    • Value (5): Specify the created XML-file as value to set the required multi-app kiosk mode configuration
  1. On the Scope tags page, configure the applicable scopes and click Next
  2. On the Assignments page, configure the assignment and click Next
  3. On the Applicability rules page, configure the applicability rules and click Next
  4. On the Review + create page, verify the configuration and click Create

Note: At some point in time this setting might become directly available within Microsoft Intune.

Experiencing multi-app kiosk mode on Windows 11

When the configuration of the multi-app kiosk mode is applied, it’s relatively easy to very the configuration. Simply sign in with a user account that has the multi-kiosk mode configured and see what happens. In this case there are a few things that are easily visible within a screenshot. With the configuration created throughout this post a few obvious items are configured and shown below in Figure 2. That shows the user account that is used with number 1, the pinned items in the Start layout with number 2, and the available taskbar with number 3. Besides that, when testing this configuration also try starting apps that are not allowed. Simply to verify the assigned access that comes with the multi-app kiosk mode.

More information

For more information about multi-kiosk mode on Windows 11 devices, refer to the following docs.

63 thoughts on “Configuring multi-app kiosk mode on Windows 11”

  1. hello, if we try for example an app, which ist running from userprofile – it will not work

    i’ll get in eventlog of applocker following error => error 8004 => %OSDRIVE%\USERS\KIOSKUSER0\APPDATA\LOCAL\WEBEX\CISCOWEBEXSTART.EXE blocked

    Reply
  2. Great article, Peter! Have you ever tried to assign apps in kiosk-mode, which require a username in the app path, such as “%OSDRIVE%\USERS\*\APPDATA\LOCAL\Webex\WebexHost.exe”? Thanks, Klaus

    Reply
  3. Hi,

    Great article, but what is the best way to create a local user on those kiosk systems.
    By using an remediation script or someting else?

    Gr,
    Nico

    Reply
  4. Hey,

    After pushing the exact XML to a Windows 11 device the configurations shows as “error” in Intune with an error code “0x87d1fde8”.

    Any idea as to why this could be happening? I’m using your exact configuration.

    Reply
  5. I did this and it worked for me, however it shows option for All Apps which user can easily go to select other Apps. It also shows Apps shortcut installed on Desktop.

    Actually what I want to achieve is a single app and not multi app. I have used this code below but not sure about the OMA-URI

    Test

    Two questions,
    – is this xml the correct format for kiosk mode?
    – what will be the OMA-URI in this instance?

    Thanks very much for your help

    Reply
  6. Hi Peter,

    Thanks for this but I am unable to get it working even with your xml. I have entered the quotations manually just incase I have the copy issue. But I am still unable to get this working.

    Error code is:
    -2016281112

    Any ideas?

    Reply
  7. Hi Peter,

    Thanks for the article!

    I’m just wondering if it’s possible to have the allowed apps using a tiled layout like in the Windows 10 kiosk? As I’m not a fan of the pinned list.

    Win10 code looks like the below.

    Also, how do we allow USB and access to the downloads folder, is it still like the below?

    Thanks!

    Reply
  8. Hi Peter,

    I’ve tried to implement a kiosk profile with your configuration but I keep getting error codes in intune:

    ERROR CODE
    0x87d1fde8

    SETTING
    Configuration [./Vendor/MSFT/AssignedAccess/Configuration]

    STATE
    Error

    Perhaps I need to change something within the XML file.

    Can you help me?

    Reply
  9. Hi Peter,

    The recycle bin being on the desktop is a hole for the non-admin kiosk user to be able to interact with the filesystem. Even though file explorer is not put in the AllowedApps section, it can still be opened and interacted with. Microsoft Edge is another example of an application somehow being allowed while not being included in the AllowedApps section of the XML.

    This was not the case in Windows 10. Is this normal behavior?

    I can see in Microsoft’s documentation:
    “Here are the predefined assigned access AppLocker rules for desktop apps:
    Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.

    https://learn.microsoft.com/en-us/windows/configuration/lock-down-windows-11-to-specific-apps#create-the-xml-file

    How would forcing these to run in a kiosk be a desired feature? Isn’t the point of a kiosk to whitelist what applications can be run? I sincerely hope Microsoft doesn’t think Edge is necessary to “boot and function”.

    Reply
    • Hi Mitch,
      I only know that there were some design changes indeed and I can imagine that Edge is now often integrated with many sign-in experiences etc. Besides that, I can’t say a lot about why it is the way it is..
      Regards, Peter

      Reply
  10. good article thanks, I’ve noticed that even though we apply what seem to be the correct power settings our kiosks, sleep – which is annoying. we have tried all sorts – have you seen this issue?

    Reply
  11. Hi Peter,
    Again a very interesting article. What do you advice on recommended deployment method and what intune license
    Only self deploying with a device license?
    Since the login user isnt AAD aware?

    regards,
    Tom

    Reply
  12. Hoi Peter,

    Bedankt voor je uitleg, alleen als ik het probeer op mijn Windows 11 23H2 dan krijg ik in intune te zien:

    AssignedAccessConfigurationRS5 – conflict

    Reply
  13. I know that this is all intune based but wanted to test randomly on a singular machine, I have 2 issues one is if you have a local account which yourself and microsoft both say can be used how would I get the profile ID or would I use the SID from the whoami. Secondly if you use the WMI bridge powershell where would be best location for the xml.

    As I say know it’s mostly intune based – I’m just seeing if I can workaround for a few standalone machines.

    Reply
  14. Hello Peter,

    I was wondering if it’s possible to deploy a win32-app to a KIOSK-pc? or can you push a powershell-script to a kiosk pc via Intune?
    What I need to do is to put a certificate in the personal -store of the auto-logged-on user to make a website work.

    Thx

    Reply
  15. You have any more information on why they got rid of the tablet ui? The changes makes kiosk look worse on Windows 11 + now we have to do this XML manually instead of right from the GUI. Don’t understand why Microsoft would do this.

    Reply
  16. I have tried the above XML, and the profile is failing from Intune. I am testing this on a Microsoft Surface Pro 9, which we want to roll out. Any idea why the profile is failing?
    Error code -2016281112

    Reply
  17. Hi Peter,

    I wish to publish the System app so the users can manually set the display-settings to Duplicate. You mention to make sure to scope the available functionality to only what’s really needed. However, is it possible to do this within the XML, or will I have to configure this by Configuration Profile? Because I don’t think it’s possible to set anything in regard to Display Settings in that way.

    Thanks!

    Reply
  18. Hi!
    Thanks for a great article.
    We are trying to add a part in the script where the account is deleted after use.
    To you have any suggestion? We have tried this code but get error code 0x87d101f4

    Setting #2:
    Name: “Add to Guests”
    Description: “Adds the kioskUser0 to the Guests group.”
    OMA-URI: “./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure”

    Data Type: String (XML File)

    Reply
  19. Hi Peter:

    Very helpful article. Do you know how we can hide or disable the recycle bin in Kiosk mode. We’ve found that users are able to access the file system from the recycle bin as another user noted and we need to prevent that.

    Thanks.

    Reply
      • Hi, but how Can you deploy a user policy to an kiosk local user account? I have created the local user by your oma-uri manual.

        Reply
    • I’ve used a setting from settings catalog which hides all the icons on the desktop and locks it. That way the experience is closer to the one had with win10

      Reply
      • I’ve had to do this too, but I used a CSP to do that so it’s all in the same custom policy.

        It’s a shame that it doesn’t work the same as Win10 and the MS documentation doesn’t state otherwise. According to the doc, Assigned Access should apply GPOs for things like hiding desktop icons and the task view button on the taskbar but it doesn’t work. I’ve had to add in half a dozen extras for disabling OneDrive sync, turning off co-pilot, restricting access to Docs/Downloads/Pictures, etc. The only issue is that as I’ve used the device scope it applies to all users, including admins, whereas Assigned Access settings would only be for non-admins.

        Reply
  20. Was anybody having the 0x87d1fde8 error able to fix that?
    formatting and quote marks looks correct, I’ve just changed the user to kioskUser0 (existing as local user with no password on the client).

    I’ve also tried the WMI bridge route by deploying the XML via powershell script, but despite the script seems to do fine the only thing happening is the autologon with the correct user, for the rest there’s no trace of multiapp kiosk settings.

    Reply
  21. Still a great article Peter, and used your XML multiple times already! Now I’m dealing with an application that’s installed in the %localappdata%\Programs folder of the KioskUser0.
    Application will not start, I think because it trows me an error that the %localappdata% location is not allowed to access.

    Do you have a workarround for this? Would be great!

    Regards, Michiel

    Reply
  22. Thanks for this write up! I tried executing it but i must be doing something wrong. Here’s what i did:

    1) Took your complete configuration and adjusted: ProfileID, Account, and DefaultProfileID
    2) ProfileID & DefaultProfileID are both randomly generated and match
    3) Account is the account name of the service account i want to use for this kiosk (not display name and not UPN)

    I get an 0x87d1fde8 error in Intune and i’m wondering if you can suggest where i should look?

    Reply
  23. Ok i’ll dig through the event viewer next time i try this. The account is indeed already available, its an Entra ID account, could that be why? does it have to be a local account?

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.