Set up Windows Kiosk mode with Intune

Continuing our exploration of kiosk mode setup in Windows 11, this blog post is the third part of our Kiosk mode series. Today, we’ll dive into the world of Microsoft Intune configuration. Intune offers centralized management capabilities, allowing administrators to easily control and deploy kiosk mode settings across multiple devices.

What is Kiosk mode?

Just as a quick recap, Kiosk mode configures Windows 11 for a single-purpose device that runs only one (or two) application(s). Kiosk mode is also referred to as Assigned Access in Windows 11. You would typically use this feature to set up a computer as a kiosk device for guests to access the internet, fill out a form, or convert a device into a digital sign to demo products or promote your business.

Single app Kiosk mode

Typically, with Kiosk mode, the Windows 11 device would be configured to sign in automatically and launch only one application in full-screen mode using a restricted user account that won’t let anyone access the desktop, switch to a different app or change any system settings. This is the scenario that we will be focusing on in this article.

Multi app Kiosk mode

The Microsoft documentation references a multi-app kiosk mode, where one or more apps can be launched from the Start menu or desktop. People using the kiosk see a customized Start menu that shows only the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people.

For more information on how to set up a multi-app kiosk, see Set up a multi-app kiosk on Windows 11 – Configure Windows | Microsoft Learn. Even though this article focuses on the single-app kiosk scenario, multi-app kiosk mode is configured with either Intune or the MDM Bridge WMI Provider, so it may be worth reading the relevant sections below.

Kiosk mode configuration methods

There are several different ways to configure Kiosk mode with single or multiple UWP apps or desktop/Win32 apps and with a local user account, AD user account or Azure AD user account (Entra ID). This Microsoft article has a great breakdown of the different configuration options and provides a summary of them: Configure kiosks and digital signs on Windows 10/11 desktop editions – Configure Windows | Microsoft Learn

Configuring Kiosk mode with Intune using an Azure AD user account

For this configuration, we will need the following:

  • An Azure AD Registered, or Azure AD joined, or Hybrid Azure AD joined device.
  • An Azure AD / Entra ID account that will be used for the assigned access.

For more information, see Kiosk settings for Windows 10/11 in Microsoft Intune | Microsoft Learn.

Creating a device group

First, we will need to create a device group for the kiosk devices. We can do this by navigating to the Intune admin center (https://intune.microsoft.com), selecting Groups and then clicking New Group.

Enter a name for the group, for example Kiosk Devices.

Select the kiosk devices that are to be added to the new group.

Click Create.

Creating the Kiosk mode configuration profile

Next, we will create the Kiosk mode configuration profile. Select Devices, then select Configuration profiles and then click Create Profile.

For the platform, select Windows 10 and later. For the profile type, select Templates and then enter “kiosk” to filter the template names for the Kiosk option. Then click Create.

Enter a name for the configuration profile and then click Next.

Under the configuration settings select the Kiosk mode. In this example, we will select Single app, full-screen kiosk.

For User logon type, select Azure AD user or group.

Note: For kiosks in public-facing environments with Autologon enabled, Microsoft’s recommendation is to use a user account with the least privileges, such as a local standard user account. As such, if auto logon is required, we would suggest using the Auto logon option under Application type.

However, for this post we will be demonstrating the Azure AD user scenario and using Autologon from Sysinternals (see the section below titled Implementing Autologon).

Next, we will need to select the assigned access account. Click Add.

Select the Azure AD user account that will be used for the assigned access.

Confirm that the assigned access account now appears in the logon user list.

Next, we will set the application type. From the drop-down list, select the application that will be used for the Kiosk mode. For this example, we will be selecting Microsoft Edge browser (Note: this option is for the desktop/Win32 version of Edge (Chromium)).

Since we selected Microsoft Edge browser, the Edge Kiosk URL will be required. Enter the URL that should be loaded at launch for the kiosk device.

Next, we will set the Edge Kiosk mode type. The Digital/Interactive Signage mode launches Edge in full screen, which does not provide a toolbar or navigation buttons, whereas the Public Browsing mode does. Earlier, at the beginning of the post, we had selected Digital/Interactive Signage, so in this example we will select Public Browsing to demonstrate the differences.

Next, we will set the browser refresh idle time. When the idle time has been reached on the Kiosk device, then the browser window will be refreshed, and the Edge Kiosk URL will be reloaded.

Next, we will need to specify the maintenance window during which the Microsoft Edge browser app can be restarted after the app has been updated.

Lastly, we will need to assign the new Kiosk mode configuration profile to the device group that we had previously created. Under Included Groups, click Add groups.

Select the Kiosk Devices group that we had created earlier.

Click Next.

Click Create.

Syncing the client

On the kiosk device, under Settings, navigate to Accounts > Access work or school and then click the Info button for the Azure tenant connection.

Scroll down and click the Sync button.

Restarting and testing

Once the sync is complete, restart the device.

After the device has restarted, sign in with the designated user account specified in the Kiosk configuration profile.

Once the Kiosk account has signed in, the Edge browser window will load in Edge kiosk mode, which provides an InPrivate browser session with the toolbar, tabs, and navigation buttons. The kiosk mode prevents access to the Start menu or anywhere else on the desktop and all keyboard shortcuts will be disabled.
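
The note under User logon type recommends a least-privilege account whenever Autologon is enabled. As an added example (not part of the original post), the PowerShell check below can be run elevated on the kiosk after testing to report whether the autologon account is a direct member of the local Administrators group and whether its password was left in clear text under the Winlogon registry key. The function name Get-KioskAutologonFinding is hypothetical, and the check assumes autologon was configured through the standard Winlogon values.

```powershell
# Added example (not from the original post): audit the autologon account on a kiosk.
# Run in an elevated PowerShell session on the kiosk device.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-KioskAutologonFinding {   # hypothetical helper name
    $findings = @()
    $wl = Get-ItemProperty -Path $WinlogonKey
    if ($wl.AutoAdminLogon -ne '1') { return @('INFO: autologon is not enabled') }

    # A DefaultPassword value here is readable clear text; Sysinternals Autologon
    # keeps the password in an LSA secret instead, so the value should be absent.
    if ($null -ne $wl.DefaultPassword) {
        $findings += 'FAIL: DefaultPassword is stored in clear text under Winlogon'
    }

    # Build DOMAIN\user from the Winlogon values and resolve it to a SID.
    $account = $wl.DefaultUserName
    if ($wl.DefaultDomainName) { $account = "$($wl.DefaultDomainName)\$account" }
    try {
        $userSid = ([Security.Principal.NTAccount]$account).Translate(
            [Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $findings + "WARN: cannot resolve '$account' to a SID"
    }

    # Resolve the Administrators group by its well-known SID (the name is localized)
    # and read members through ADSI, which tolerates SIDs that cannot be resolved.
    $adminName = ([Security.Principal.SecurityIdentifier]'S-1-5-32-544').Translate(
        [Security.Principal.NTAccount]).Value.Split('\')[1]
    $group = [ADSI]"WinNT://./$adminName,group"
    $memberSids = foreach ($m in $group.psbase.Invoke('Members')) {
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        (New-Object Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }

    # Direct membership only: nested groups and directory roles are not expanded.
    if ($memberSids -contains $userSid) {
        $findings += "FAIL: autologon account '$account' is a local administrator"
    } else {
        $findings += "PASS: '$account' is not a direct member of $adminName"
    }
    $findings
}

Get-KioskAutologonFinding
```

A PASS covers direct membership only, so an account that holds administrator rights through a nested group or a directory role still needs a manual review.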

In the next post, we will look at how to set up Windows Kiosk mode using the MDM Bridge WMI provider in PowerShell. This will allow us to use an AD domain user account for the Kiosk mode. It will also allow the use of desktop/Win32 applications.
