What is Assigned Access?

Assigned Access is a Windows feature that you can use to configure a device as a kiosk or with a restricted user experience.

When you configure a kiosk experience, a single Universal Windows Platform (UWP) application or Microsoft Edge is executed in full screen, above the lock screen. Users can only use that application. If the kiosk app is closed, it automatically restarts. Practical examples include:

  • Public browsing
  • Interactive digital signage

When you configure a restricted user experience, users can only execute a defined list of applications, with a tailored Start menu and Taskbar. Different policy settings and AppLocker rules are enforced, creating a locked-down experience. Users work in a familiar Windows desktop while their access is limited, which reduces distractions and the potential for inadvertent use. This experience is ideal for shared devices, and you can create different configurations for different users. Practical examples include:

  • Frontline worker devices
  • Student devices
  • Lab devices

Note

When you configure a restricted user experience, different policy settings are applied to the device. Some policy settings apply to standard users only, and some to administrator accounts too. For more information, see Assigned Access policy settings.

Requirements

Here are the requirements for Assigned Access:

  • To use a kiosk experience, User Account Control (UAC) must be enabled
  • To use a kiosk experience, you must sign in from the console. The kiosk experience isn't supported over a remote desktop connection

Windows edition and licensing requirements

The following table lists the Windows editions that support Assigned Access:

| Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education |
|---|---|---|---|
| Yes | Yes | Yes | Yes |

Assigned Access license entitlements are granted by the following licenses:

| Windows Pro/Pro Education/SE | Windows Enterprise E3 | Windows Enterprise E5 | Windows Education A3 | Windows Education A5 |
|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes |

For more information about Windows licensing, see Windows licensing overview.

Configure a kiosk experience

There are several options to configure a kiosk experience. If you need to configure a single device with a local account, you can use:

  • PowerShell: you can use the Set-AssignedAccess PowerShell cmdlet to configure a kiosk experience using a local standard account
  • Settings: use this option when you need a simple method to configure a single device with a local standard user account

For advanced customizations, you can use the Assigned Access CSP to configure the kiosk experience. The CSP allows you to configure the kiosk app, the user account, and the kiosk app's behavior. When you use the CSP, you must create an XML configuration file that specifies the kiosk app and the user account. The XML file is applied to the device using one of the following options:

  • A Mobile Device Management (MDM) solution, like Microsoft Intune
  • Provisioning packages
  • PowerShell, with the MDM Bridge WMI Provider

To learn how to configure the Shell Launcher XML file, see Create an Assigned Access configuration file.

The following instructions provide details on how to configure your devices. Select the option that best suits your needs.

You can configure devices using a custom policy with the AssignedAccess CSP.

  • Setting: ./Vendor/MSFT/AssignedAccess/Configuration
  • Value: content of the XML configuration file

Assign the policy to a group whose members are the devices that you want to configure.
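For a single device, the PowerShell option listed above writes the same XML to the Configuration node through the MDM Bridge WMI Provider. The following is an added example, not part of the original page: the account name KioskUser, the Calculator app ID and the profile GUID are constructed values, and the provider requires the script to run in the local SYSTEM context.

```powershell
# Added example: apply a kiosk configuration through the MDM Bridge WMI Provider.
# Constructed values: account "KioskUser", the Calculator UWP app as the kiosk
# app, and the profile GUID. Replace them with your own.
$xml = @'
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="{11111111-2222-3333-4444-555555555555}">
      <KioskModeApp AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>KioskUser</Account>
      <DefaultProfile Id="{11111111-2222-3333-4444-555555555555}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
'@

# The MDM Bridge provider must be called from the local SYSTEM context
# (for example a scheduled task or management agent running as SYSTEM).
if (-not [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    throw 'Run this script as SYSTEM; an elevated administrator session is not enough.'
}

# Parse first so malformed XML fails here instead of being pushed as policy.
$doc = [xml]$xml
$account = $doc.AssignedAccessConfiguration.Configs.Config.Account

# The kiosk account must exist and must be a standard user, not an administrator.
$null = Get-LocalUser -Name $account -ErrorAction Stop
if (Get-LocalGroupMember -SID 'S-1-5-32-544' | Where-Object Name -like "*\$account") {
    throw "$account is a member of Administrators; use a standard account for the kiosk."
}

# Write the HTML-encoded XML to ./Vendor/MSFT/AssignedAccess/Configuration.
$ns = 'root\cimv2\mdm\dmmap'
$obj = Get-CimInstance -Namespace $ns -ClassName 'MDM_AssignedAccess'
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($xml)
Set-CimInstance -CimInstance $obj -ErrorAction Stop

# Read the node back to confirm that the device stored the configuration.
$applied = (Get-CimInstance -Namespace $ns -ClassName 'MDM_AssignedAccess').Configuration
if ([string]::IsNullOrEmpty($applied)) { throw 'Configuration node is empty after write.' }
Write-Output "Assigned Access configuration stored for account '$account'."
```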

Tip

For practical examples, see the Quickstart: Configure a kiosk with Assigned Access.

Configure a restricted user experience

To configure a restricted user experience with Assigned Access, you must create an XML configuration file with the settings for the desired experience. The XML file is applied to the device via the Assigned Access CSP, using one of the following options:

  • A Mobile Device Management (MDM) solution, like Microsoft Intune
  • Provisioning packages
  • PowerShell, with the MDM Bridge WMI Provider

To learn how to configure the Assigned Access XML file, see Create an Assigned Access configuration file.

The following instructions provide details on how to configure your devices. Select the option that best suits your needs.

You can configure devices using a custom policy with the AssignedAccess CSP.

  • Setting: ./Vendor/MSFT/AssignedAccess/ShellLauncher
  • Value: content of the XML configuration file

Assign the policy to a group whose members are the devices that you want to configure.

User experience

To validate the kiosk or restricted user experience, sign in with the user account you specified in the configuration file.

The Assigned Access configuration takes effect the next time the targeted user signs in. If that user account is signed in when you apply the configuration, sign out and sign back in to validate the experience.

Note

Starting in Windows 11, a restricted user experience supports the use of multiple monitors.

Autotrigger touch keyboard

The touch keyboard is automatically triggered when there's an input needed and no physical keyboard is attached on touch-enabled devices. You don't need to configure any other setting to enforce this behavior.

Tip

The touch keyboard is triggered only when tapping a textbox. Mouse clicks don't trigger the touch keyboard. If you're testing this feature, use a physical device instead of a virtual machine (VM), as the touch keyboard is not triggered on VMs.

Sign out of assigned access

By default, to exit the kiosk experience, press Ctrl + Alt + Del. The kiosk app exits automatically. If you sign in again as the Assigned Access account, or wait for the sign-in screen timeout, the kiosk app relaunches. The default timeout is 30 seconds, but you can change the timeout with the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI

To change the default time for Assigned Access to resume, add IdleTimeOut (DWORD) and enter the value data as milliseconds in hexadecimal.

Note

IdleTimeOut doesn't apply to the Microsoft Edge kiosk mode.
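The registry change described above can be scripted and audited. The following is an added example, not part of the original page: the two function names and the 1 to 3600 second range are assumptions of this example, and the script must run from an elevated session.

```powershell
# Added example: read and set the Assigned Access resume timeout (IdleTimeOut).
$LogonUIKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'

function Get-KioskResumeTimeout {   # hypothetical helper name
    $ms = (Get-ItemProperty -Path $LogonUIKey -Name IdleTimeOut -ErrorAction SilentlyContinue).IdleTimeOut
    if ($null -eq $ms) {
        # Value absent: the default of 30 seconds applies.
        return [pscustomobject]@{ Source = 'default'; Seconds = 30; Hex = $null }
    }
    # Report the stored milliseconds in seconds and in the hexadecimal form
    # that Registry Editor shows for a DWORD.
    [pscustomobject]@{ Source = 'registry'; Seconds = $ms / 1000; Hex = '0x{0:X}' -f $ms }
}

function Set-KioskResumeTimeout {   # hypothetical helper name
    param(
        # Range limit is an assumption of this example, not a documented bound.
        [Parameter(Mandatory)][ValidateRange(1, 3600)][int]$Seconds
    )
    # IdleTimeOut is a DWORD that holds the timeout in milliseconds.
    $ms = $Seconds * 1000
    New-ItemProperty -Path $LogonUIKey -Name IdleTimeOut -PropertyType DWord -Value $ms -Force | Out-Null
    Get-KioskResumeTimeout
}

# Shorten the time the sign-in screen stays up before the kiosk app relaunches.
Set-KioskResumeTimeout -Seconds 10
```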

The Breakout Sequence of Ctrl + Alt + Del is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format modifiers + keys. An example breakout sequence is CTRL + ALT + A, where CTRL + ALT are the modifiers, and A is the key value. To learn more, see Create an Assigned Access configuration XML file.

Keyboard shortcuts

The following keyboard shortcuts are blocked for the user accounts with Assigned Access:

| Keyboard shortcut | Action |
|---|---|
| Ctrl + Shift + Esc | Open Task Manager |
| WIN + , (comma) | Temporarily peek at the desktop |
| WIN + A | Open Action center |
| WIN + Alt + D | Display and hide the date and time on the desktop |
| WIN + Ctrl + F | Find computer objects in Active Directory |
| WIN + D | Display and hide the desktop |
| WIN + E | Open File Explorer |
| WIN + F | Open Feedback Hub |
| WIN + G | Open Game bar when a game is open |
| WIN + I | Open Settings |
| WIN + J | Set focus to a Windows tip when one is available |
| WIN + O | Lock device orientation |
| WIN + Q | Open search |
| WIN + R | Open the Run dialog box |
| WIN + S | Open search |
| WIN + Shift + C | Open Cortana in listening mode |
| WIN + X | Open the Quick Link menu |
| LaunchApp1 | Open the app that is assigned to this key |
| LaunchApp2 | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator |
| LaunchMail | Open the default mail client |

Remove Assigned Access

Deleting the restricted user experience removes the policy settings associated with the users, but it can't revert all the configurations. For example, the Start menu configuration is maintained.

Next steps

Review the recommendations before you deploy Assigned Access:

Assigned Access recommendations