Windows 11 Multi-app kiosk is finally here. At the time of writing it has not yet been released in a cumulative update for Windows 11 22H2, and because of that it is not yet possible to configure it through Intune or provisioning packages.
More information: Set up a multi-app kiosk on Windows 11 – Configure Windows | Microsoft Learn
Windows 11 22H2 multi app kiosk support is currently part of the “Windows Configuration update May 2023” only available through Windows Update as an optional update. It also contains a lot of other updates for Windows 11 22H2 – May 24, 2023—Windows configuration update – Microsoft Support
Why is the release of Multi-app kiosk a big thing then? Well for customers using Windows 10 Multi-app kiosk this has been a blocker for them to migrate their kiosk devices to Windows 11. Let’s hope we will see Intune support real soon.
Configuring Windows 11 Multi-app kiosk
To test it out now, the May 24 Windows Configuration update mentioned above needs to be installed through Windows Update. This can be done by enabling the “Get the latest updates as soon as they’re available” option. If that is greyed out as in my sample below, you need to remove the blocking Windows Update policies. On my test machine I simply excluded it from my Windows Update rings, and then it is possible to turn it on again.
When the update is in place, either the Windows Configuration Update or the cumulative update with the released version, we can configure it using PowerShell and PsExec (or any other way to run the script in System context, as that is required for the MDM WMI Bridge Provider).
Microsoft has a sample script that can be used to start out the testing at the bottom of this page – Set up a multi-app kiosk on Windows 11 – Configure Windows | Microsoft Learn
Note that it includes Notepad and Paint as samples:
<App DesktopAppPath="%windir%\system32\mspaint.exe" />
<App DesktopAppPath="C:\Windows\System32\notepad.exe" />
Both of those apps are modern apps in Windows 11 22H2, so they will not show up or work.
I modified my .xml file to only have Edge and the Settings app, which I will explain later.
The end result looks like this.
The Get Started app shows up and disappears again in different scenarios. For example, if a support technician logs on with a different account to troubleshoot the device, Get Started is shown again in kiosk mode as well. Get Started is now a built-in system component, which is hard to block. The challenge with it is that the end user can launch Microsoft Edge from it if they go through the wizard.
To test it out:
Download PsExec and either save the Microsoft sample file or download the one I tested with here: https://github.com/Ccmexec/PowerShell/tree/master/Windows%2011%20Multi%20App%20Kiosk
- Run PsExec -i -s cmd.exe
- In the Command Prompt running as system run “PowerShell -ep bypass -file kiosk.ps1” for example (I prefer this way as I still have the command prompt in system mode so I can troubleshoot easier when testing and it often fails when modifying the .xml file)
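The steps above can be wrapped in a few pre-flight checks so that a bad .xml edit fails with a clear message. This is an added example, not Microsoft's sample script or the kiosk.ps1 linked above; the file name kiosk.xml and its location beside the script are assumptions.

```powershell
# Added example: validate the kiosk XML, then apply it through the MDM WMI Bridge.
# Assumption: the configuration is saved as kiosk.xml next to this script.
param([string]$XmlPath = (Join-Path $PSScriptRoot 'kiosk.xml'))
$ErrorActionPreference = 'Stop'

# The MDM WMI Bridge Provider requires System context (LocalSystem = S-1-5-18).
$sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
if ($sid -ne 'S-1-5-18') {
    throw "Run as SYSTEM (for example from PsExec -i -s cmd.exe); current SID is $sid"
}

# Fail early on malformed XML instead of a less specific CIM error later.
$raw = Get-Content -LiteralPath $XmlPath -Raw
try { $xml = [xml]$raw }
catch { throw "Kiosk XML is not well-formed: $($_.Exception.Message)" }

# List every allowed app and warn when a DesktopAppPath is missing on this build.
# local-name() is used so the check does not depend on the XML namespace prefix.
$apps = $xml.SelectNodes("//*[local-name()='AllowedApps']/*[local-name()='App']")
foreach ($app in $apps) {
    $path  = $app.GetAttribute('DesktopAppPath')
    $aumid = $app.GetAttribute('AppUserModelId')
    if ($path) {
        $full = [Environment]::ExpandEnvironmentVariables($path)
        if (Test-Path -LiteralPath $full) { Write-Host "Allowed desktop app: $full" }
        else { Write-Warning "DesktopAppPath not found on disk: $full" }
    }
    elseif ($aumid) { Write-Host "Allowed packaged app: $aumid" }
}

# Apply: the Configuration property takes the XML as an HTML-encoded string.
$obj = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_AssignedAccess'
if (-not $obj) { throw 'MDM_AssignedAccess instance not found.' }
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($raw)
try {
    Set-CimInstance -CimInstance $obj
    Write-Host 'Kiosk configuration applied.'
}
catch {
    Write-Warning "Apply failed: $($_.Exception.Message)"
    throw
}
```

Reviewing the printed list of allowed apps before each apply also makes it easy to confirm that nothing beyond the intended apps has been approved.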
I have a PowerShell script that will automate this, take the username as input and configure autologon with the password stored as an LSA secret. I will post that when the Multi-App kiosk support is released.
Approving the settings App
When testing it out, if we click the volume icon and select open volume in the Taskbar we get the expected “This app has been blocked by your system administrator”.
By approving the settings app and adding a pinned icon on Start (if we want to) this issue is solved and the Volume mixer opens. The same goes for the network icon in the Taskbar.
But we don’t want to allow everything in the Settings app, and in the same way we did in Windows 10 we can control what settings are shown by using a Configuration Profile (or Group Policy) to only whitelist which settings menus should be visible. This can be done with the “Page Visibility List” settings and configuring it to for example:
Opening the settings app with these restrictions in place will show these options when launched.
Additional configuration in my test
I created two Configuration Profiles to modify the taskbar and set the desktop background image.
Configuration Profile – Device Restriction
Configuration Profile – Settings catalog
Widgets cannot be launched but they are still shown, which is why I removed them. I do not want Search either, so I removed that as well.
The Task view icon can be removed as well by setting the user registry value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTaskViewButton = “0”
This script can be used to deploy that setting – Customizing Taskbar and Start in Windows 11 22h2 with PowerShell – CCMEXEC.COM – Enterprise Mobility
A short summary of my testing:
- I would not expect the Get Started app as it can launch Microsoft Edge.
- Blocking Microsoft Edge if it has not been approved would also be a good thing, but it is always approved (same in Windows 10 Multi-app kiosk).
- Approving and locking down the Settings app can be a good idea to get Volume mixer to work, for example.
- Removing Task View and other Taskbar icons by default when configuring Multi-App kiosk mode.
What is great, and what I assume is there so that Intune can have seamless support for both Windows 10 and 11, is that we can have the same .xml file with both the Windows 10 Start menu option and the Windows 11 .json pinned apps settings in the same configuration file. If the .xml file is applied to a Windows 10 device, the unsupported Pinned section is simply ignored.
This is some great work by the product team, cannot wait for Intune to have support for Windows 11 Multi-app kiosk configuration!