How to Configure Windows Kiosk Using Microsoft Intune | Windows 10 / 11

Windows kiosk is a lockdown mechanism to restrict device access to pre-defined applications. The applications appears on the desktop and user can only use those applications. Kiosk are mostly placed in public area to allow access to specific applications to authorized users or guests. For example, a self check-in kiosk at airport.

We can use Microsoft Intune to deploy a Device configuration profile to configure Windows kiosk mode on Windows 10 or Windows 11 devices. Windows 10 kiosk mode support single app or multi-app kiosk.

In this blog post, we will discuss about configuring an existing Windows 10 or Windows 11 device as Kiosk.

Configure Windows Kiosk on Windows 10 or Later Device as Single-app Full Screen Kiosk

A Single-app full screen Windows kiosk mode allow only a single application to launch on the device. The application will open in full screen mode. In this demonstration, we will use Microsoft Edge with website URL. The website will open automatically and user can only use that specific website ( Web app).

When the auto logon option is selected, a kiosk account (local standard user account) is used to sign in automatically. The app launch automatically after logon. If you close the app, it will restart again.

Follow the below steps to configure the device as Single-app full screen kiosk.

• In Microsoft Intune admin center, go to Devices | Configuration Profiles and click on Create Profile

• In the Create a profile window, select the following and click on Create
  • Platform: Windows 10 and later
  • Profile type: Template
  • Template : Kiosk

• In the Basics page, enter a name for Device configuration profile name and click on Next
• In the Configuration Settings page, select the following settings.
  • Select a Kiosk mode : Single app, full-screen kiosk
  • User logon type : Auto logon
  • Application type : Add Microsoft Edge browser (Required Edge version 87 and later with Windows version 1909 and later)
  • Edge Kiosk URL: Website link (company application url or any)
  • Microsoft Edge Kiosk mode type:
    • Digital / Interactive signage (InPrivate) – The link provided above in Edge Kiosk URL will open in full screen. User can navigate through that website only. We have selected this setting for demonstration.
    • Public Browsing (InPrivate) – The link provided above will open by default. However user can open another website in same or a new tab.
  • Specify Maintenance windows for App Restart – Select Required if you want to limit application upgrade during specific time. Provide the maintenance window start time and schedule recurrence in next options.

• Review the settings and click on Next to move to Assignment page.
• In the Assignments page, select the Azure AD group on which you want to apply the policy. Click on Next.

We have applied the policy on AAD group “Kiosk Computers – Edge browse” and our test device was added in this AAD group.

In the Applicability Rules page, click on Next

In the Review + Create page, review the settings and click on Create.

The Device configuration profile for Kiosk is now created. To expedite the testing you can sync the policy on device and reboot the machine. You can check policy compliance status from Device | Configuration Profiles blade.

End User Experience for Single-app Full Screen Windows Kiosk Mode

As discussed above, Microsoft Edge support two Kiosk modes which are Digital / Interactive signage (InPrivate) Mode & Public browsing (InPrivate) mode.

The end user experience for Digital / Interactive signage (InPrivate) mode will be similar to below. User will see the web page in full screen mode. They can browse through the website however can’t open any other websites.

We now change the Edge browser kiosk mode to Public browsing (InPrivate) mode. The end user experience changed once policy applied. The user can now open new tabs in Edge browser and open other websites as well.

Note: If you want to restrict the websites which user can open then other Device configuration profile can be created to for Microsoft Edge to restrict the URL which can be opened. You need to apply the policy on Kiosk computers. The Kiosk template does not have this option as of now.

Configure Windows Kiosk on Windows 10 or Later Device as Multi-app Kiosk

We have configured Single-app Full screen kiosk and tested the same. Now, we will modify the same policy to configure the device as Multi-app kiosk.

To edit the device configuration profile, follow the below steps.

• In Microsoft Intune admin center, go to Devices | Configuration Profiles and click select the profile.
• Scroll down to Configuration Settings and click on Edit.

• In the Configuration Settings, select the following settings for Multi-app kiosk.
  • Select a Kiosk mode : Multi-app
  • Target devices running Windows 10/11 in mode : No
  • User logon type : Auto logon
  • Browser and Applications:
    • Add Microsoft Edge > Public Browsing (InPrivate)
    • Add Store App > Microsoft Whiteboard
  • Autolaunch : No
  • Tiles Size : Large

• Use alternative Start layout : No
• Windows Taskbar : Hide
• Allow access to Downloads folder : No
• Specify Maintenance windows for App Restart – Select Required if you want to limit application upgrade between specific time. Provide the maintenance window start time and schedule recurrence in next options.

End User Experience for Multi-app Windows Kiosk Mode

Below are the end user experience for Multi-app Windows kiosk mode. You should be able to see the application icon on the desktop. However, the application icon not appeared in tiles during the testing. We will update the details if got an opportunity to test this again.

Related Posts

• Manage Edge Chromium favorites with Endpoint Manager | Intune
• Configure Edge Chromium Homepage & Startup Page
• Configure Microsoft Edge Sleeping Tabs using Intune
• Configure Google Chrome settings using Administrative templates | Intune | Endpoint Manager
• Block USB Device with Exception
• Deny Write Access to USB Devices Using Intune Catalog Settings