Windows 10/11 Assigned Access (Kiosk Mode)
While an article like this isn’t what most people think of when they hear “cybersecurity”, many businesses discover that a breach originated from a kiosk machine. Kiosks are often insecure and have unmonitored network access within the organization.
Microsoft’s Assigned Access feature allows us to lock down a Windows device so that it only runs specific applications under a dedicated local user account.
In this article, I’ll provide an Assigned Access script using PowerShell for Windows 10/11 that sets up auto-login without requiring a password. This method is ideal for environments such as a meeting or conference room where you want to limit users to essential applications like Calculator, Microsoft Teams, and the Settings app. Feel free to modify the XML to include the AUMIDs (App User Model IDs) or EXE paths of applications not included in my example.
Why Use Assigned Access?
- Prevents unauthorized application usage
- Reduces risk of malware or user misconfiguration
- Auto-login streamlines access without user intervention
- Works with both Windows 10 and 11 (though setup scripts differ)
- Can be implemented in a domain or standalone environment
Prerequisites
Before proceeding, ensure you have:
✅ Administrator account (Local or Domain Joined)
✅ Windows 10 or 11 installed on the device
Optional
✅ Network segmentation in place (such as VLANs) for improved security
✅ Block Unused Ports – Disable USB storage access via Group Policy (GPO) or registry changes
✅ Monitor with Windows Event Logs – Set up logging to track unauthorized access attempts. Forward logs to your SIEM system for monitoring
✅ Remote Management Tools – Ease of access in an isolated environment
Modify GUIDs and Display Name
Before applying the configuration, you need to generate and modify the GUIDs in the XML file.
- Run the following PowerShell command to create a new GUID:
New-Guid
- Copy the generated GUID and replace both “Profile Id” and “DefaultProfile Id” with the new GUID (both must carry the same value, since DefaultProfile references the Profile by its Id).
- Update rs5:DisplayName as needed for better identification.
- Execute the entire script within an elevated PowerShell prompt.
After applying the configuration, reboot the PC to finalize the kiosk setup. The computer will automatically start in kiosk mode with no password required.
The two examples below are baseline configurations designed to get you started: the first targets Windows 10 (StartLayout), the second Windows 11 (v5:StartPins).
#Requires -RunAsAdministrator
# Windows 10 configuration. Replace the Profile Id / DefaultProfile Id GUID and the rs5:DisplayName
# value before running. explorer.exe is allowed here, but File Explorer is restricted to the Downloads
# namespace. This is a double-quoted here-string, so any $ or backtick added to the XML would be expanded.
$assignedAccessConfiguration = @"
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config">
<Profiles>
<Profile Id="{c06870b6-c9d0-4676-a1a9-19f258663ea8}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App AppUserModelId="MSTeams_8wekyb3d8bbwe!MSTeams" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
</AllowedApps>
</AllAppsList>
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads" />
</rs5:FileExplorerNamespaceRestrictions>
<StartLayout><![CDATA[
<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="">
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="MSTeams_8wekyb3d8bbwe!MSTeams" />
<start:Tile Size="2x2" Column="2" Row="2" AppUserModelID="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]></StartLayout>
<Taskbar ShowTaskbar="true" />
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="PC NAME" />
<DefaultProfile Id="{c06870b6-c9d0-4676-a1a9-19f258663ea8}" />
</Config>
</Configs>
</AssignedAccessConfiguration>
"@
# The MDM Bridge WMI provider exposes Assigned Access through the MDM_AssignedAccess class
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_AssignedAccess"
# Apply the new configuration; the Configuration property expects the XML HTML-encoded
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
Set-CimInstance -CimInstance $obj

#Requires -RunAsAdministrator
# Windows 11 configuration: v5:StartPins replaces the Windows 10 StartLayout element. As above, replace
# the GUID and rs5:DisplayName before running. v3:AllowRemovableDrives lets File Explorer show removable
# drives; drop it if you block USB storage as the prerequisites recommend.
$assignedAccessConfiguration = @"
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="{c06870b6-c9d0-4676-a1a9-19f258663ea8}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App AppUserModelId="MSTeams_8wekyb3d8bbwe!MSTeams" />
<App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
</AllowedApps>
</AllAppsList>
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads" />
<v3:AllowRemovableDrives />
</rs5:FileExplorerNamespaceRestrictions>
<v5:StartPins><![CDATA[{
"pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
{"packagedAppId":"MSTeams_8wekyb3d8bbwe!MSTeams"},
{"packagedAppId":"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"}
]
}]]></v5:StartPins>
<Taskbar ShowTaskbar="false" />
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="PC NAME" />
<DefaultProfile Id="{c06870b6-c9d0-4676-a1a9-19f258663ea8}" />
</Config>
</Configs>
</AssignedAccessConfiguration>
"@
# The MDM Bridge WMI provider exposes Assigned Access through the MDM_AssignedAccess class
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_AssignedAccess"
# Apply the new configuration; the Configuration property expects the XML HTML-encoded
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
Set-CimInstance -CimInstance $obj
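The manual steps above (generate a GUID, stamp it into both Profile Id and DefaultProfile Id, set the display name, apply, then confirm) can be wrapped in two functions. This is an added example, not code from the original article; the function names and the trimmed $sample template are this example's own, and the applied configuration is read back from the MDM bridge so a mismatch is caught before the reboot.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's code: the procedure above (fresh GUID into both Profile Id and
# DefaultProfile Id, DisplayName set, config applied and read back) as two functions. The function
# names and the $sample template are this example's own.
$aaNs  = 'http://schemas.microsoft.com/AssignedAccess/2017/config'
$rs5Ns = 'http://schemas.microsoft.com/AssignedAccess/201810/config'

function New-KioskConfiguration {
    param([Parameter(Mandatory)][string]$TemplateXml, [Parameter(Mandatory)][string]$DisplayName)
    [xml]$doc = $TemplateXml                     # throws if the template is not well-formed XML
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('a', $aaNs)
    $id = (New-Guid).ToString('B')               # 'B' format yields {xxxxxxxx-...} with braces
    # DefaultProfile references the Profile by Id, so the same GUID must land in both places.
    $doc.SelectSingleNode('//a:Profile', $ns).SetAttribute('Id', $id)
    $doc.SelectSingleNode('//a:DefaultProfile', $ns).SetAttribute('Id', $id)
    $null = $doc.SelectSingleNode('//a:AutoLogonAccount', $ns).SetAttribute('DisplayName', $rs5Ns, $DisplayName)
    return $doc.OuterXml
}

function Set-KioskConfiguration {
    param([Parameter(Mandatory)][string]$ConfigXml)
    $cim = @{ Namespace = 'root\cimv2\mdm\dmmap'; ClassName = 'MDM_AssignedAccess' }
    $obj = Get-CimInstance @cim
    $obj.Configuration = [System.Net.WebUtility]::HtmlEncode($ConfigXml)   # bridge expects HTML-encoded XML
    Set-CimInstance -CimInstance $obj
    # Read the stored copy back and decode it so the caller can confirm the write took effect.
    return [System.Net.WebUtility]::HtmlDecode((Get-CimInstance @cim).Configuration)
}

# Constructed sample: a trimmed Windows 11 profile in the shape of the article's second script,
# with an all-zero GUID and placeholder name for New-KioskConfiguration to replace.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <Profiles><Profile Id="{00000000-0000-0000-0000-000000000000}">
    <AllAppsList><AllowedApps><App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /></AllowedApps></AllAppsList>
    <v5:StartPins><![CDATA[{"pinnedList":[{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}]}]]></v5:StartPins>
  </Profile></Profiles>
  <Configs><Config>
    <AutoLogonAccount rs5:DisplayName="PLACEHOLDER" />
    <DefaultProfile Id="{00000000-0000-0000-0000-000000000000}" />
  </Config></Configs>
</AssignedAccessConfiguration>
'@

$config = New-KioskConfiguration -TemplateXml $sample -DisplayName 'Meeting Room Kiosk'
$stored = Set-KioskConfiguration -ConfigXml $config
$idOf = { param([xml]$x) $x.AssignedAccessConfiguration.Configs.Config.DefaultProfile.Id }
if ((& $idOf $stored) -ne (& $idOf $config)) { throw 'Stored configuration differs from what was applied' }
```

Swap `$sample` for the full XML from either script above to apply it the same way; the read-back comparison is what tells you the bridge accepted the configuration before you reboot.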