Menu
My company operates using public kiosks. These kiosks are running Windows 8 and though they are secure, they are certainly not as secure as the kiosks AKA ATMS you would see at a bank. The reason for running Windows 8 is to take advantage of the new Kiosk feature that Microsoft recently introduced. However, it seems that the OS only allows operation in this KIOSK mode if the software that is being run or intended to be run is available on the Windows Store as an application.
The software required is not able to be put out to the Windows Store at this moment, but I'd still like to take advantage of the Kiosk feature. How can I use the kiosk feature and still run the desired application? The official MS term for the Kiosk mode is Assigned Access.
We do try to lock down the kiosks as much as possible by giving least permission user access as well as booting the software on startup. In addition, we BitLock whenever possible. However, there is still a delay in booting the software and someone really determined the surf the web could very potentially do so.
I am aware that Microsoft had set the Assigned Access rule for a Windows Store app, but I am still looking for any potential workarounds. Even ways to make a Windows Store app really quickly, that is only available for my usage. Third party software is welcome. But any suggestions that can help our case is appreciated.
Surely playing around in Active Directory, GPEdit, and Registry will get closer to what I want to achieve. One of the main problems I am facing is that the Windows Desktop & Metronic UI will load before the application loads, whereas in Kiosk mode: see here - boot time is quicker.
Users use this launch time for time to check & time to use attacks. So even with great customization, I'm left with the problem that it will never be as efficient as MS could make it. In the end, I'd leave that to MS for optimal results.
Many people are searching for this answer, I'm sure, and any help is appreciated.
TLDR: How do you use the Windows 8.1 Kiosk feature without having a Windows Store App, but do have software?
803
It's not supported on Windows 11. The use of multiple monitors isn't supported for multi-app kiosk mode. A kiosk device typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app.
To exit from kiosk mode while the app is open, Go to Kiosk Lockdown > Android Kiosk Lockdown > Kiosk Exit Settings > Check the options Allow manually exiting kiosk mode and Exit manually from kiosk mode while an app is open.
Windows 10 and Windows 11 Kiosk Mode is a lock down mechanism that enables IT teams and admins to restrict Windows 10 & 11 devices to running only on a single app or a specific set of apps, for enhanced control and governance.
If you have Windows 8 Pro or Enterprise, you can achieve that with Group Policies (GP).
Next time you log in using this user, Windows won't load Explorer.exe, but your application instead. This way you won't have easy access to the desktop. Through GP you can tweak your system to prevent other stuff like blocking specific applications, removing features, etc.
You can also force an auto logon through registry. Further information can be found here: http://deployhappiness.com/group-policy-kiosk-mode-locking-down/
I hope that helps.
112
I had the same problem as you a few weeks ago so I can share my experience with you.
First of all, this statement of yours is not completely correct:
[...] it seems that the OS only allows operation in this KIOSK mode if the software that is being run or intended to be run is available on the Windows Store as an application.
It is true, that Assigned Access only works with Windows Store Apps, however these Apps don't have to be in the store necessarily. You can provide the App to your clients via "Sideloading" (http://blogs.msdn.com/b/windowsstore/archive/2012/04/25/deploying-metro-style-apps-to-businesses.aspx)
If not via the Windows Store, how do I deploy LOB Windows 8 apps?
You can sideload Windows Store apps. This means installing the app directly in Windows 8.1 without publishing it in the Windows Store. You can only sideload apps on Windows 8.1 Enterprise edition (or on Windows 8.1 Pro and Windows RT devices by installing a special sideloading product key on the device). There are additional requirements: the target computer must be joined to the corporate domain (unless you have installed a sideloading product key), the Group Policy setting "Allow all trusted apps to install" must be enabled; and the app must be signed by a trusted code-signing certificate.
Source: http://technet.microsoft.com/en-us/windows/jj721676.aspx#apps
As for your question to run a .NET Desktop App in Assigned Access mode - this is certainly not possible. You need a Windows Store App for the Kiosk-Mode in Windows 8.1 Partly because the Metro Apps run in a sandbox, that made it far easier for Microsoft to actually implement this Assigned Access Mode. I guess you already know the features and restrictions of the AA-Mode? (Only one user and one app per PC, no charms bar, no Ctrl-Alt-Del, etc)
If you have any further questions, don't hesitate to ask, I'll be glad to share my research with you :-)
39
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
