In Windows desktop environments, kiosk mode enables administrators to replace the Windows Explorer shell with a selected application during user logon. In my previous article, I explained why some organizations may want to use Windows kiosk mode for limited uses, as well as control concerns for workstations that aren't locked down.
Microsoft addresses some of these concerns in Windows 8.1 by simplifying the process of configuring a workstation in kiosk mode. A new feature called Assigned Access enables you to quickly set up a desktop. It keeps the system secure by not allowing users to access the other components of the operating system, including the Windows desktop environment.
Benefits of using Assigned Access mode
When an application is configured in Assigned Access mode, it offers the following benefits:
- It allows you to configure an application in kiosk mode for a particular user.
- There is no risk of compromising the workstation. When a user is configured in Assigned Access mode, Windows 8.1 blocks access to the desktop and any other components of the OS for that user. For example, a user configured for Assigned Access is never allowed to gain access to the desktop by using ALT+CTRL+DEL, ALT+F4 or any other key combinations.
- There is no need to configure Group Policy settings to block key combinations such as ALT+CTRL+DEL, etc.
- Assigned Access allows an assigned app to run in full-screen mode without needing any additional configuration of the application.
Assigned Access requirements
Before you can use the Assigned Access feature, note the following requirements:
- Assigned Access cannot be used with the standard edition of Windows 8.1. You must have the Professional or Enterprise edition of Windows 8.1 before you can use this feature.
- The application to be configured in Assigned Access mode should be a Modern app, not a desktop application. If it is a desktop application such as Microsoft Word, then you will end up using the traditional approach, which is to replace Explorer.exe with the application's EXE.
- You must also create a local user account, which will be configured for Assigned Access. Domain user accounts are not supported by the Assigned Access feature. It is also important to note that this feature does not work for local administrator accounts.
How to use Assigned Access
You can create two types of user accounts: administrator and standard user accounts. An administrator account is required to assign an application to a standard user account.
To configure Assigned Access, follow these steps in the Professional or Enterprise edition of Windows 8.1:
1. Log on to the PC using the administrator account.
2. Launch PC Settings, click on Accounts and then create a local user account with a name such as "KioskUser."
3. Log off the current user.
4. Next, log in using the KioskUser account. You must log on to the workstation using the local user account (KioskUser in this case) so that Windows installs and configures the default applications for the user in the temp profile.
5. Next, log off the KioskUser account. When you log off the KioskUser account, Windows creates the profile for the user.
6. Once logged out of the KioskUser user account, log in using the Administrator account. Note that only the local administrator account can configure the Assigned Access feature for local user accounts.
7. Click on Set up an Account for Assigned Access.
8. Next, click on Choose an Account and then select the "KioskUser" account.
9. Once the user account is selected, click on the Choose an App button on the same page to assign the application to the user. For our purposes, we will select the "Internet Explorer" application.
10. Once the application is selected and assigned to the user, the next time "KioskUser" logs onto the workstation, the OS will launch the assigned app for the user rather than present the complete desktop.
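The same assignment can be scripted. The following is an added example, not part of the original article, which describes only the PC Settings route: it checks the requirements listed earlier and then applies the assignment with the AssignedAccess PowerShell cmdlets that ship with Windows 8.1. The `$AppUserModelId` default is a placeholder, not a real app ID.

```powershell
# Added example. Run elevated as a local administrator, after KioskUser has
# logged on once and logged off (steps 4-5) so its apps and profile exist.
param(
    [string]$UserName = 'KioskUser',
    # Placeholder value: substitute the AppUserModelId of your Modern app
    [string]$AppUserModelId = 'Contoso.KioskApp_placeholder!App'
)
$ErrorActionPreference = 'Stop'

# Requirement: Professional or Enterprise edition of Windows 8.1
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -notmatch 'Pro|Enterprise') {
    throw "Edition '$($os.Caption)' does not support Assigned Access."
}

# Requirement: a local account (domain accounts are not supported)
$acct = Get-CimInstance -ClassName Win32_UserAccount `
    -Filter "LocalAccount=True AND Name='$UserName'"
if (-not $acct) { throw "No local account named '$UserName' on this PC." }

# Requirement: not a local administrator. The Administrators group is found
# by its well-known SID so the check also works on localized installs.
# The comparison is by name only, so it errs on the side of refusing.
$grp = Get-CimInstance -ClassName Win32_Group `
    -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
$adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$($grp.Name),group"
$admins = @($adsi.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
if ($admins -contains $UserName) { throw "'$UserName' is a local administrator." }

# Requirement: a Modern (packaged) app that is installed for that user.
# The part of the AppUserModelId before '!' is the package family name.
$family = ($AppUserModelId -split '!')[0]
$pkg = Get-AppxPackage -User $acct.SID |
    Where-Object { $_.PackageFamilyName -eq $family }
if (-not $pkg) { throw "Package '$family' is not installed for '$UserName'." }

# Apply the assignment, then read it back to confirm what is in effect
Set-AssignedAccess -UserName $UserName -AppUserModelId $AppUserModelId
Get-AssignedAccess

# To undo the assignment and restore a normal logon for the account:
# Clear-AssignedAccess
```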
Earlier versions of Windows did not offer an easy way to force users to run only one application. With Windows 8.1 and later, Microsoft made the process easier with Assigned Access. This new feature not only allows administrators to quickly assign an application to the local users, but it also eliminates the need for configuring the various Group Policy settings to completely lock down the Windows workstation in kiosk mode.
About the author:
Nirmal Sharma is an MCSEx3 and an MCITP and was awarded the Microsoft MVP award in Directory Services. He specializes in Directory Services, Microsoft Clustering, Hyper-V, SQL and Exchange and has been involved in Microsoft technologies since 1994. Sharma can be reached at [email protected].