What is Assigned Access in Windows devices

Windows devices are built for versatility. But when you only need one app and zero distractions, that versatility can get in the way.

Assigned Access on Windows 10 and 11 takes that broad capability and narrows it into purpose. It delivers a focused, fast, and frictionless experience; the user sees only what they need, and nothing more.

In high-pressure environments like healthcare and finance, that precision isn’t a luxury. It’s essential. A nurse shouldn’t scroll past apps to check vitals. A banking associate can’t afford to click into the wrong screen during a customer interaction.

Ready to unpack what Assigned Access is, how it works, how it compares to Shell Launcher, and how to configure it right, so your Windows devices stay powerful, focused, and under control.

What is Windows Assigned Access?

Assigned Access is a feature built into Windows that lets IT admins configure a device to run only a single Universal Windows Platform (UWP) app or a set of pre-defined apps, depending on the configuration.

Once set up, the device boots directly into the assigned app(s), bypassing the full Windows experience. End users can’t access desktop features, settings, or any other app. That’s the whole point.

It’s designed for use cases where devices are shared or serve a very specific purpose like:

• Self-service kiosks
• Check-in terminals
• Digital signage
• Customer feedback stations
• Retail POS systems
• Library/public access computers

It’s minimal, secure, and purpose-built.

Assigned Access vs. kiosk mode

You’ll often hear “kiosk mode” tossed around when talking about locked-down Windows devices, but technically, it’s powered by a feature called Assigned Access.

To put it simply, Assigned Access acts as the rulebook, and Kiosk Mode as the game being played. Same tech, different viewpoints. Microsoft itself uses the terms interchangeably in documentation, which doesn’t help. But here’s the breakdown:

• Single-App Kiosk: The device launches and stays locked to one UWP app, running full-screen. Users can’t switch, minimize, or exit.
• Multi-App Kiosk (only on Windows 10/11 Enterprise or Education): The device runs a limited set of apps, shown on a customized Start menu. It’s still locked down—just with more flexibility.

So when IT talks about “kiosk mode,” they’re usually referring to how Assigned Access is implemented on the front end, either as a single-task device or a tightly scoped multi-app experience.

Why IT admins choose Assigned Access

Fewer clicks for users means fewer fires for IT. Assigned Access puts limits in all the right places.

1. Fewer support tickets: No users fiddling with settings, downloading random apps, or browsing inappropriate content. That’s fewer calls to IT. Everyone wins.

2. Locked-down experience: Users can’t exit the assigned app, open Task Manager, or even press Ctrl+Alt+Del to escape the kiosk mode. This makes it great for public or unmonitored use.

3. Faster boot-up and operation: Assigned Access skips the desktop entirely. Devices launch straight into the designated app. That saves time and keeps the experience focused.

4. Compliance and security: Since users are limited to one app (or a defined set), compliance risks from accidental data exposure, unauthorized access, or misuse go down dramatically.

5. Scalability via MDM: If you’re managing devices at scale, assigned access settings can be pushed via mobile device management (MDM) tools using configuration profiles or CSPs (Configuration Service Providers).

Requirements for Assigned Access setup

Before you get started, ensure:

• The device is running Windows 10 Pro, Enterprise, or Education, or Windows 11 Pro/Enterprise/Education
• You have access to a local standard user account for assigned access setup (not admin)
• The app to be assigned is a UWP app (for single-app kiosk) or MSI/desktop apps (for multi-app kiosk with Shell Launcher or Windows Shell Customization)

How to set up Assigned Access on Windows devices

There are a few methods. Here’s the simplest one for small-scale deployment:

Method 1: Manually via Windows settings

1. Create a standard user account for kiosk mode
2. Go to Settings > Accounts > Other users > Set up a kiosk
3. Click Get started
4. Enter a name for the kiosk account
5. Choose the app you want the user to access
6. Configure settings (e.g., restart behavior)
7. Done! On next login, that user account launches into the assigned app only

Method 2: Scalefusion kiosk configuration 

If you’re using an MDM like Scalefusion:

Step 1: Start with a Device Profile
Go to Device Profiles & Policies > Device Profiles. Either edit an existing Windows profile or create a new one.

Step 2: Navigate to Kiosk Mode settings
Inside the profile, head to Settings > Single App / Kiosk Mode to access kiosk app options.

Step 3: Select the app type
From the dropdown, select the type of app you want to lock the device to. You’ll see icons next to each type, a Windows icon for Modern Management and a Scalefusion icon for Agent-managed devices.

Here’s what you can pick:

• Skip kiosk app – Default option; removes any existing kiosk setting.
• Pre-Installed Applications – Use a built-in UWP app already installed in your profile.

• Enterprise Third Party Application – Set a custom UWP app developed by your organization.

• Browser Application – Lock the device to Chrome, Edge, Firefox, or Windows Kiosk Browser.

• Win32 Application – Choose a classic Windows desktop app.

Step 4: Choose the user account for Kiosk mode
Once you’ve picked your kiosk app, you’ll need to assign a user account:

• Enter primary username – Type in a username that exists on the device. 
• Auto-Create Kiosk user account – Let Windows create a temporary user account. It disappears when you remove the kiosk setting.

With these steps, you can easily turn any Windows 10 or 11 device into a focused, secure, single-app workstation using Scalefusion UEM. 

For a full step-by-step guide, check out the detailed instructions here.

Best practices for smooth Assigned Access deployment

To ensure a smooth, secure, and simplified single-app experience, it’s important to prepare your Windows devices properly before deploying Assigned Access. The following best practices help reduce setup errors, improve reliability, and keep the user experience consistent across all devices.

• Test configurations on a non-production device first
• Disable unnecessary services (like Windows Update popups)
• Use auto logon to make boot-to-app seamless
• Use a firewall to limit network access if needed
• Keep the app updated and crash-resistant, kiosk mode relies on it

Alternatives to Assigned Access

Assigned access works well for basic use cases, like locking a device to one UWP app for kiosks or student testing. But it does come with limitations:

• It only supports UWP apps (not traditional Win32 apps).
• It offers limited customization and control over device behavior.
• There’s no built-in remote management, which can be a dealbreaker for IT teams managing multiple devices.

If you’re running into these roadblocks, here are a few alternatives worth considering:

a. Scalefusion Kiosk mode

For teams looking to simplify configuration, enable remote control, and apply granular restrictions across Windows devices, Scalefusion offers a more scalable, admin-friendly solution.

b. Shell launcher

Use Shell Launcher when you need to run a Win32 desktop app that Assigned Access doesn’t support. It replaces the default Windows shell with your app, removing access to the Start menu, taskbar, and desktop. Ideal for dedicated-use scenarios where users should only interact with one application.

c. Third-party lockdown tools

Some tools act as kiosk wrappers, which means software layers that lock down the device interface and control user access. Unlike basic kiosk setups, these provide more flexibility by allowing multiple apps, custom branding, and deeper restrictions. They’re especially useful in retail, healthcare, or any shared-device setup where more control is needed than what Assigned Access offers.

These aren’t replacements for Assigned Access—they’re extensions for when your use case outgrows it.

Key takeaways

• Assigned Access lets you run Windows devices in kiosk mode, locking users into a single app or set of apps
• It’s ideal for frontline, shared, or public-use devices
• Best suited for retail, healthcare, education, and customer-facing use cases
• Works best with UWP apps, but can be extended to desktop apps with proper configuration
• For large fleets, use MDM solutions for easy deployment and updates

Final thoughts

If you’re managing Windows devices that serve a narrow, repeatable purpose, don’t give users a full operating system. Give them the tool they need, and nothing else.

Assigned Access does exactly that. It’s fast, simple, and effective. And when combined with MDM, it scales beautifully.

Looking to simplify kiosk setup across hundreds of devices? Scalefusion makes it easy. From single-app lockdowns to advanced policy controls, it’s everything Assigned Access wants to be just easier and smarter.

Why waste hours on rigid Assigned Access policies?

FAQs

1. What is assigned access in Windows?

Assigned Access in Windows allows IT admins to restrict a local standard user account to a single Universal Windows Platform (UWP) app. It’s commonly used to create kiosk-mode devices where users can’t exit the app, access settings, or run other programs. This setup enhances security and reduces distractions for use cases like check-ins, retail, or digital signage. It can be configured via Settings, PowerShell, or MDM tools.

2. What is the difference between assigned access and shell launcher?

Assigned access in Windows 10 and Windows 11 lets you lock a device to a single Universal Windows Platform (UWP) app which is ideal for kiosk setups. It’s quick to configure and works well for simple, app-specific use cases.

Shell Launcher, on the other hand, is used when you want to replace the default Windows shell (like Explorer) with a custom shell, typically a classic Win32 app or command-line interface. It offers more flexibility but requires deeper configuration and is better suited for advanced, locked-down environments.

2. Which version of Windows has assigned access?

Windows assigned access is available in:

• Windows 10 Pro, Enterprise, and Education
• Windows 11 Pro, Enterprise, and Education

It’s not supported in Home editions. If you’re configuring a device for kiosk mode or a single-use application, make sure it’s running one of the supported versions. Assigned access is managed either through local settings or MDM platforms for bulk deployments.

4. What is restricted user experience with assigned access?

With Windows assigned access enabled, users are restricted to a single app, either a UWP app (Windows 10) or a designated app set via MDM (Windows 11). This means:

• No Start menu or taskbar
• No ability to switch apps or access system settings
• No notifications or pop-ups from other apps

This restricted user experience is intentional. It ensures that kiosk or single-purpose devices stay focused, secure, and tamper-proof which is ideal for shared use in retail, healthcare, or education environments.