After a few blogs about Android Enterprise and how to create an Android kiosk device using Microsoft Intune, in this blog post we switch to a Windows 10 kiosk device. Using Intune and Windows AutoPilot we are able to deploy a Windows 10 device right out of the box, without a user taking any action, as a kiosk device. The end result is a kiosk device configured to automatically log on and launch a kiosk app. In this case the Kiosk Browser is launched, but you can also choose the Edge browser or another app as the kiosk app.
To get the job done we have to create a Windows AutoPilot profile, configure kiosk settings in a device configuration policy and deploy the Kiosk Browser app to our device. Optionally, I have used a custom configuration policy to block users from signing in to the device with their Azure AD account.
Setup Windows AutoPilot in self-deploying mode
Windows AutoPilot has two deployment modes; we will create an AutoPilot profile in self-deploying mode to configure the device without user interaction. To automatically add the device to the right security group during enrollment, so that policies and apps are assigned, we can use an order id as part of the AutoPilot information. This order id is added to the AutoPilot information csv file we upload to Intune and is used in the query of the dynamic security group.
Windows AutoPilot self-deploying mode prerequisites:
- Windows 10 1809 or later
- A device with a TPM 2.0 chip (virtual TPM in a virtual machine will not work)
Let's first start with preparing the csv file with AutoPilot information you received from your vendor or queried from the device yourself. On the first line add a comma and OrderID. On every other line with AutoPilot information, add a comma and the order id at the end of the line. In this case I added Win10KioskSingle as order id.
When done editing the csv file, upload the file in Intune. After uploading the AutoPilot information using a csv file, the order id is visible as Group Tag and can be used in a security group.
In the Azure AD portal, click Groups and create a dynamic device security group using the advanced query:
(device.devicePhysicalIds -any _ -eq "[OrderID]:Win10KioskSingle")
Replace Win10KioskSingle with your own order id / group tag.
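The csv editing and group query steps above, as an added example (not part of the original post): the script appends the OrderID column to a constructed three-column AutoPilot csv, rejects rows that lack the three required columns (the condition behind the "each row must have a minimum of 3 columns" upload error mentioned in the comments), writes with minimal quoting so no stray quotation marks reach Intune, and produces the dynamic group rule for the chosen order id. The serial and hardware hash values are placeholders.

```python
import csv
import io

REQUIRED_COLUMNS = ["Device Serial Number", "Windows Product ID", "Hardware Hash"]

# Constructed sample of a vendor/script-exported AutoPilot csv. The Windows
# Product ID is empty and the hash is a placeholder, not a real hardware hash.
SAMPLE_CSV = (
    "Device Serial Number,Windows Product ID,Hardware Hash\n"
    '"SERIAL0001",,"HASH-PLACEHOLDER"\n'
)


def add_group_tag(csv_text, order_id, column="OrderID"):
    """Return a new csv with an OrderID (group tag) column appended to every row.

    The header must start with the three AutoPilot columns; each data row must
    carry at least those three columns, otherwise Intune refuses the upload.
    """
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows or [h.strip() for h in rows[0][:3]] != REQUIRED_COLUMNS:
        raise ValueError(f"unexpected header: {rows[:1]!r}")
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")  # QUOTE_MINIMAL: no Excel-style quotes
    writer.writerow(REQUIRED_COLUMNS + [column])
    for line_no, row in enumerate(rows[1:], start=2):
        row = [cell.strip() for cell in row]
        if not any(row):
            continue  # blank trailing line, skip it
        if len(row) < 3:
            raise ValueError(f"line {line_no}: each row must have a minimum of 3 columns")
        writer.writerow(row[:3] + [order_id])
    return out.getvalue()


def dynamic_group_rule(order_id):
    """Advanced membership rule for the Azure AD dynamic device group."""
    return f'(device.devicePhysicalIds -any _ -eq "[OrderID]:{order_id}")'


if __name__ == "__main__":
    print(add_group_tag(SAMPLE_CSV, "Win10KioskSingle"))
    print(dynamic_group_rule("Win10KioskSingle"))
```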
More info on AutoPilot device groups can be found in this article.
Next, create the Windows AutoPilot profile.
- Sign-in to the Device Management Portal
- Click Device enrollment – Windows Enrollment
- Click Deployment Profiles
- Click Create Profile
- Give the AutoPilot profile a Name
- Give the profile a Description (Optional)
- Choose Self Deploying (preview) as Deployment mode
- Click the Out-of-box experience (OOBE) tab
- Choose the settings of your choice
- Click OK and Create
- Click the Assignments tab
- Search for the security group we created and select the group
- Click Save
Create Device configuration profile
To lock down the Windows 10 device as a kiosk device we need to create and assign a device restrictions profile. We have the choice of two kiosk modes: single app, full screen, or multi app. In this example I create a single app kiosk device. When creating a single app kiosk device, you can choose between three application types: Edge browser, Kiosk browser or store app. If you set up the kiosk device to run a browser like I do, have a look at this feature comparison to make a good decision between the Edge and Kiosk browser.
- Click Device configuration – Profiles
- Click Create Profile
- Give the configuration profile a Name
- Give the profile a Description (Optional)
- Choose Windows 10 and later as Platform
- Choose Kiosk as Profile type
- Click the Settings tab
- Choose Single app, full-screen kiosk as Kiosk mode
- Choose Auto logon as Logon type (supported on Windows 10 1803 and later)
- Add Kiosk browser as Application type
- Click the Kiosk browser settings tab
On the Kiosk browser settings tab we have a few options to set, like the Default home page url. In this case I set it to my own home page and, because I only want the user to be able to visit my site, I also uploaded a csv file with my website in it to restrict access to a specific set of websites.
If we leave the other settings at their defaults, the Kiosk browser is launched full screen without any navigation buttons. If you want to show navigation buttons to your users, set the switch to Show.
When finished click OK twice and click Create.
On the Assignments tab add the previously created security group and click Save.
Create custom configuration policy
Because I have seen users being able to reach the sign-in page and even sign in to the kiosk device with their Azure AD account, I have now restricted that. The solution is to create a custom configuration policy. In that policy we set the user right Allow Log On Locally (AllowLocalLogOn) to local accounts only (the kiosk account is a local account). The custom policy is created with the information about the Policy CSP on Microsoft Docs.
- Click Device configuration – Profiles
- Click Create Profile
- Give the configuration profile a Name
- Give the profile a Description (Optional)
- Choose Windows 10 and later as Platform
- Choose Custom as Profile type
- Click the Settings tab
- Click Add to add an OMA-URI row
- Give the row a Name
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
- Data type: String
- Value: <![CDATA[Local account]]>
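The custom OMA-URI row above, as an added example (not part of the original post): it builds the CDATA-wrapped value for AllowLocalLogOn from SIDs instead of display names, because, as the comment thread below reports, the string "Local account" only resolves on an English OS while the well-known SID S-1-5-113 is locale-independent. Assumptions: the "*" prefix for SIDs and the U+F000 delimiter between multiple principals follow the Policy CSP UserRights documentation; the well-known SID table is a small hand-picked subset.

```python
# Subset of the Microsoft well-known SID list used by this policy.
WELL_KNOWN_SIDS = {
    "Local account": "S-1-5-113",
    "Administrators": "S-1-5-32-544",
}
# Policy CSP separates multiple list entries with the U+F000 character (assumption
# taken from the UserRights CSP documentation; a single principal needs none).
LIST_DELIMITER = "\uf000"
OMA_URI = "./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn"


def to_sid_principal(name_or_sid):
    """Return the locale-independent '*S-1-...' form of a principal.

    A bare SID is accepted with or without the leading '*'; a well-known
    English display name is translated to its SID; anything else is rejected,
    because a localized display string will not resolve on a non-English OS.
    """
    value = name_or_sid.strip().lstrip("*")
    if value.startswith("S-1-"):
        return "*" + value
    if value in WELL_KNOWN_SIDS:
        return "*" + WELL_KNOWN_SIDS[value]
    raise ValueError(f"{name_or_sid!r}: use a SID, display names are localized")


def allow_local_logon_value(principals):
    """Build the String value for the custom OMA-URI row, wrapped in CDATA."""
    joined = LIST_DELIMITER.join(to_sid_principal(p) for p in principals)
    return f"<![CDATA[{joined}]]>"


def custom_policy_row(principals, name="AllowLocalLogOn - local accounts only"):
    """The four fields of the Intune custom profile row, as a dict."""
    return {
        "Name": name,
        "OMA-URI": OMA_URI,
        "Data type": "String",
        "Value": allow_local_logon_value(principals),
    }


if __name__ == "__main__":
    print(custom_policy_row(["Local account"]))
```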
Get the Kiosk browser app
Because I chose to use the Kiosk Browser app, I need to get the app from the Microsoft Store for Business. I assume you have already set up the sync between Intune and the store and set Intune as the management tool in the store.
In the store search for Kiosk Browser, click Get the app and click Close.
- In the Device Management portal click Client apps – Apps
- Click the Kiosk Browser app
- Click the Assignments tab
- Click Add group
- Select Required as assignment type
- On the Include tab search for the security group previously created and select the group
- Click OK twice and click Save
Enroll a Windows 10 device as kiosk device
Now that everything is set, turn on the Windows 10 device. When the device is connected to the internet it performs an online check to determine whether it is registered as a Windows AutoPilot device with a tenant. When that's the case, the deployment profile is downloaded to the device and the device is prepared for enrollment.
After a few minutes the Enrollment Status Page is shown. During the first phase the device is prepared for enrollment to Azure AD and Intune. During the second and third phases configuration policies are applied and apps are installed.
After the enrollment phases the sign-in page is shown and, when Auto logon is set in the configuration profile, an auto logon is performed.
After logging on, the Kiosk Browser app is automatically started.
Depending on the choices you made for the navigation buttons in the configuration profile, the Kiosk Browser app is shown full screen, with or without navigation buttons.
If you restricted access to specific websites and visit another site, that site is blocked with a message like the one below.
If the user is able to reach the sign-in page and tries to sign in to the device with their Azure AD account, that is prohibited.
That's it for today. Happy testing!
31 Comments
Great article Peter. When I make any edits to the .csv file I keep getting a ‘each row must have a minimum of 3 columns’ error which prevents upload.
Thanks James!
If I for example export the AutoPilot information using Michael Niehaus his script, I get a csv file with three columns. These are the three columns:
Device Serial Number,Windows Product ID,Hardware Hash
And I add a fourth:
Device Serial Number,Windows Product ID,Hardware Hash,OrderID
Usually on the second row you have the serial number and hardware hash of your device filled in and the Windows Product ID column is empty.
What does your csv look like?
Hi Peter
It looks exactly like you describe. I’ve tried uploading the unmodified version and it passes validation however if I add the extra column header and/or make any other changes it comes up with the validation error.
Hi James,
If you'd like, you can send me an email and I'll send you my example csv file so you can try to modify that one with your own serial, hardware hash and order id.
I had this issue from editing the CSV in Excel, as it adds quotation marks at the beginning at end.
James,
It doesn't look like your issue but maybe it has something to do with your issue https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Known-Issue-with-importing-Windows-Autopilot-devices-using-Order/ba-p/624279
Maybe try to use Group Tag instead of OrderID.
Edge itself has Kiosk style policies (Public browsing InPrivate) – been using it with other Edge polices for a MultiApp Selfdeploying solution.
Hi Peter,
In your Custom Configuration Policy, you add a CSP for “AllowLocalLogOn” with a string value of “”. I noticed this value only seems to work OK when used in conjunction with an English OS. When I use a Dutch OS (for example), it doesn’t work anymore and I can’t logon with any account (not local nor Azure). Even the Admin account doesn’t work anymore.
I read this could be circumvented by using SIDs, quote from Microsoft:
“Even though strings are supported for well-known accounts and groups, it is better to use SIDs because strings are localized for different languages.”
I just can’t seem to get the correct value for the SID of “Local Users Only”. Can you help?
Sry, I can’t edit, but meant to say that value “” does not work for Dutch OS. How to convert that to SID?
Hi Ook,
I'm Dutch, but didn't try this on a Dutch OS system 🙂
Have a look at the Microsoft docs, here you can find well-known SIDs like the one for Local Account: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers#well-known-sids
Let me know if this does work with the SID.
Regards,
Peter
Thanks for the response Peter! With a bit of trial and error, I ended up using this syntax, which seems to do the trick:
(hmm, it dropped off!!)
“”
OK, site doesn't like the format – feel free to edit my comments. It's basically:
[CDATA[*S-1-5-113]]
(in between the bigger/smaller brackets)
Thanks for the reply Ook!
Yes, WordPress screws up the comment unfortunately.
A helpful tutorial, Peter!
I have a use case in mind which requires a cloud user to sign in, so that a Kiosk browser can consume AAD protected services like a dashboard.
Do you have any concerns here?
Peter
Hi Peter,
No that should be possible. Probably will build such a device myself next year.
This might be interesting if you run into the error: https://inthecloud247.com/windows-autopilot-securing-your-hardware-failed-0x800705b4/
Regards,
Peter
I am doing the same thing (self deploying) but using shared multi user mode. When I publish Office 365 to this device/group it won't install
I have no experience with a Shared multi-user device, so I don't know the limitations of the device and app installs. If you think apps should be allowed to install, try another (small) app and see if that does install fine. Have a look at the event logs if you can find errors.
I'm doing the same, but when my kiosk user logs in it's failing with an error saying unable to start app, and login is halted.
I have published the app and profiles, and if I log in with my own UPN the Kiosk app is there. I’m not sure if it got installed as I signed in, or if it was there when the Kiosk user signed in as well.
I tried signing in with the kiosk again, but when I enter .\KIOSK with blank password I get wrong password.
You might want to have a look at this article if you set up a kiosk with a browser https://inthecloud247.com/setup-edge-chromium-based-kiosk-device-with-microsoft-intune/
Edge is the way to go in the future. I assume the current solution will be phased out and replaced with a solution based on the Edge browser.
Hi,
Thanks for the tutorial!
So for me adding orderID in the csv didn’t work, I had to put Group Tag and replace the request by this one:
(device.devicePhysicalIds -any (_ -eq “[OrderId]:NameofyourorderID”))
You can also just add Group Tag after the import is complete by going into the device and adding the Group Tag. I find this easier than editing the .csv
Hi,
Is it possible to remove user data when a user logs off or restarts the pc?
Browser bookmarks and Downloaded stuff
Is it possible to use the Kiosk setup with Digital/Interactive Signage, but load more than one tab in Microsoft Edge and then switch between the 2 tabs every minute?
The autologon does not work in my environment, it seems like it's trying to autologon into the AzureAD instead of the local user, because it works when I add .\ before the username.
Any thoughts?
Hi Peter
Great article. I had an interesting issue when deploying apps via Intune, the kiosk device, when logged in as kiosk checks in with Intune but never pulled down the app, then for an unknown reason it started to pull down and install apps. The devices have no primary user UPN in Intune. I’ve since had to rebuild the kiosk devices and again now they do not pull down apps. Any ideas?
Hi Peter,
Great content and still relevant. Currently I am deploying a Kiosk device (single app). So far it works but the device goes to sleep within some time. I used the template version for the config, do you know if we can tweak settings within this config somewhere in Intune or should we use the settings catalogue? I don’t understand MS logic with providing a template but no options for power settings (full screen info dashboards presenting the whole day).
Additionally, what is the standard way of interrupting the Kiosk sessions on a device e.g. for adding a scheduled task?
Hi,
Wanting to prevent local log in on a kiosk device to all users bar admins. In the new config profiles options, I have added my list of allowed users, will this now “break” my kiosk on start up, or do I need to include the kiosk account in the list of allowed users?
What would be the licensing requirements for a multi-app kiosk device? Intune Device license, Windows 10 device license and if you use Microsoft 365 a Microsoft 365 device license?
The use case is having these devices available for users at a branch office so they can access their documents and mail in the cloud with the cheapest license possible. Documents cannot be saved locally, but must be available in the Cloud with OneDrive for Business.
Is there a way to deploy multiple individual web apps to the kiosk. I have tried with Chrome and edge administrative template ‘Force-install web app’ policies, but it doesn’t appear to be working in Kiosk mode.
It seems the Kiosk app is not allowing the allowed urls I’m importing. I looked up the documentation and there appears to be a disconnect between what it says in the Intune portal and what appears in the documentation. Namely the ability to use wildcards. Do you have an example of what your csv looked like when importing?
Thanks