My company operates using public kiosks. These kiosks are running Windows 8 and though they are secure, they are certainly not as secure as the kiosks AKA ATMS you would see at a bank. The reason for running Windows 8 is to take advantage of the new Kiosk feature that Microsoft recently introduced. However, it seems that the OS only allows operation in this KIOSK mode if the software that is being run or intended to be run is available on the Windows Store as an application.

The software required is not able to be put out to the Windows Store at this moment, but I'd still like to take advantage of the Kiosk feature. How can I use the kiosk feature and still run the desired application? The official MS term for the Kiosk mode is Assigned Access.

We do try to lock down the kiosks as much as possible by giving least permission user access as well as booting the software on startup. In addition, we BitLock whenever possible. However, there is still a delay in booting the software and someone really determined the surf the web could very potentially do so.

I am aware that Microsoft had set the Assigned Access rule for a Windows Store app, but I am still looking for any potential workarounds. Even ways to make a Windows Store app really quickly, that is only available for my usage. Third party software is welcome. But any suggestions that can help our case is appreciated.

Surely playing around in Active Directory, GPEdit, and Registry will get closer to what I want to achieve. One of the main problems I am facing is that the Windows Desktop & Metronic UI will load before the application loads, whereas in Kiosk mode: see here - boot time is quicker.

Users use this launch time for time to check & time to use attacks. So even with great customization, I'm left with the problem that it will never be as efficient as MS could make it. In the end, I'd leave that to MS for optimal results.

Many people are searching for this answer, I'm sure, and any help is appreciated.

TLDR: How do you use the Windows 8.1 Kiosk feature without having a Windows Store App, but do have software?

If you have Windows 8 Pro or Enterprise, you can achieve that with Group Policies (GP).

1. Create a user with the desired privileges;
2. As an admin account, run the Microsoft Management Console (mmc.exe);
3. Go to File > Add/Remove Snap In...
4. Select the Group Policy Object and press Add
5. Press the Browse... button
6. In the Users tab, select the user you just created
7. Press finish
8. Go to User Configuration > Administrative Templates > System and edit the Custom User Interface settings
9. Change it to Enabled and enter your application path (i.e "C:\Program Files\My Kiosk App\App.exe") in the Interface File Name field

Next time you log in using this user, Windows won't load Explorer.exe, but your application instead. This way you won't have easy access to the desktop. Through GP you can tweak your system to prevent other stuff like blocking specific applications, removing features, etc.

You can also force an auto logon through registry. Further information can be found here: http://deployhappiness.com/group-policy-kiosk-mode-locking-down/

I hope that helps.

I had the same problem as you a few weeks ago so I can share my experience with you.

First of all, this statement of yours is not completely correct:

[...] it seems that the OS only allows operation in this KIOSK mode if the software that is being run or intended to be run is available on the Windows Store as an application.

It is true, that Assigned Access only works with Windows Store Apps, however these Apps don't have to be in the store necessarily. You can provide the App to your clients via "Sideloading" (http://blogs.msdn.com/b/windowsstore/archive/2012/04/25/deploying-metro-style-apps-to-businesses.aspx)

If not via the Windows Store, how do I deploy LOB Windows 8 apps?

You can sideload Windows Store apps. This means installing the app directly in Windows 8.1 without publishing it in the Windows Store. You can only sideload apps on Windows 8.1 Enterprise edition (or on Windows 8.1 Pro and Windows RT devices by installing a special sideloading product key on the device). There are additional requirements: the target computer must be joined to the corporate domain (unless you have installed a sideloading product key), the Group Policy setting "Allow all trusted apps to install" must be enabled; and the app must be signed by a trusted code-signing certificate.

Source: http://technet.microsoft.com/en-us/windows/jj721676.aspx#apps

As for your question to run a .NET Desktop App in Assigned Access mode - this is certainly not possible. You need a Windows Store App for the Kiosk-Mode in Windows 8.1 Partly because the Metro Apps run in a sandbox, that made it far easier for Microsoft to actually implement this Assigned Access Mode. I guess you already know the features and restrictions of the AA-Mode? (Only one user and one app per PC, no charms bar, no Ctrl-Alt-Del, etc)

If you have any further questions, don't hesitate to ask, I'll be glad to share my research with you :-)

Assigned Access is not available for desktop applications at all. As per Microsoft's website (emphasis mine):

Assigned access is a setting that lets you restrict a specific standard account to using only one Windows Store app

Depending on what your app does and how much flexibility your users need, you can get similar behaviour for desktop apps by mucking around with Group Policy settings, or using a third party app like FrontFace Lockdown.