In this blog post, we’ll configure a Windows 10 Kiosk Mode in Single-App mode using Intune, with Autopilot as the deployment method. We’ll also make sure that the user doesn’t have to log in, using the Autologon function. Our kiosk will display a webpage and will be used in a public area.
A desktop such as a public device can be “locked down” to show only specific applications. Windows 10 Kiosk mode offers two different kiosk experiences:
- Single-app kiosk: Runs a single app (UWP) in fullscreen on top of the lock screen. Users of the kiosk can see only that app. If the kiosk app is closed, it will automatically restart. If a user logs off, the logon screen can be configured to log back in automatically. You can also use Shell Launcher to configure a kiosk device that runs a Windows desktop application as the user interface.
- Multi-app kiosk: Runs one or more apps from the desktop. Users using the kiosk see a customized Start Menu that shows only the tiles for the apps that are allowed.
For this post, we use Windows 10 1903. If you encounter any problems or hangs during your deployment, make sure to use the latest Windows version, as all the technology used in this post gets updated in each new Windows build.
AutoPilot Configuration
Before using Autopilot, make sure you’ve enabled all the prerequisites. You can read our complete blog post on the subject.
Kiosk single app Intune Autopilot – Device Enrollment
The first step to creating our Windows 10 kiosk using Intune is to enroll the device in our Tenant. We’ll be using an Autopilot deployment profile for this.
- In the Intune Console
- Go to Device enrollment
- Click on Windows enrollment and Deployment Profile on the right
- Click on the Create Profile at the top
- On the Create Profile screen, enter a Name and Description
- Click Next
- Select Self-Deploying as the Deployment mode. This will ensure that no user intervention is needed during deployment
- In Language, enter the needed OS locale
- In Apply device name template, we choose to name our machine using a variable: SCD-%RAND:4%.
- This will name the machine randomly using 4 digits. Example: SCD-1234.
- If you set this field to No, your machine will be given a random name. (Example: Desktop-FFEQQ6)
- Click Next
- In the Scope screen, click Next.
- Scope tags determine which objects admins can see. The default scope tag feature is similar to the security scopes feature in System Center Configuration Manager.
- On the Assignments tab, select the Group you want to deploy your profile to by clicking Select Groups to Include
- You can also Exclude a Group if needed
- Click Next
- Review your settings and click Create
Your deployment profile is now created. This profile will be used to enroll our Kiosk machines in Intune.
Configure the Kiosk
Once the machine is enrolled, we now need to configure the machine to enable the Kiosk. This is done by creating a Device Configuration Profile.
Our kiosk needs to launch an Edge browser on a specific web page and needs to Autologon. We’ll set up those configurations using Device Restrictions. We will also configure the kiosk to deny domain users from logging on to the computer.
- In the Intune Console
- Go to Device configuration – Profiles
- Click on Profiles and then Create Profile
For our case, we need 3 different Profiles: one for the Kiosk, one to configure Edge and one for the logon restriction.
For the Kiosk Profile, set up the profile as follows. This will cover 3 of our requirements (Kiosk, Edge and Autologon):
- Name of your profile
- Platform: Windows 10 and later
- Profile Type: Kiosk
- Settings, click on Configure
- Kiosk mode: Single App
- User logon type: Autologon
- Application Type: Add Microsoft Edge
- Click on Microsoft Edge setting
- Microsoft Edge Kiosk Mode : Digital
- Once configured, click on Create at the bottom
The Edge start page cannot be configured using the previous profile. To set the Start Page, we create another profile:
- Name of your profile
- Platform: Windows 10 and later
- Profile Type: Device Restriction
- Settings, click on Configure
- Click on Microsoft Edge Browser
- At the top select Digital in User Microsoft Edge Kiosk Mode
- Click on Start Experience
- Enter the desired Start Page
- Click Ok at the Bottom 3 times and complete the profile creation by clicking Create
The last profile we need to create is for the logon restriction. This is a different profile type, which is why we can’t use the same profile as the one we just created for Edge.
This profile is used to prevent a user from using their domain credentials to log on to the computer. If a user presses CTRL + ALT + DEL, the computer will use Autologon after 30 seconds. If a user tries to log on using their domain credentials, the logon will be refused by this policy. Since this can’t be done using the Intune UI, we will use OMA-URI for this.
We will also add a second custom setting to make sure that our MDM policy “wins” if a GPO tries to configure the same settings.
- Name of your profile
- Platform: Windows 10 and later
- Profile Type: Custom
- Settings, click on Configure
- Click on Add
- Enter the following:
- OMA-URI : ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
- Data Type : Integer
- Value : 1
- Click Ok
- Click Add, to add another setting
- OMA-URI : ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
- Data Type : String
- Value : <![CDATA[*S-1-5-113]]>
Note: Reading through the documentation, we selected S-1-5-113 (LOCAL_ACCOUNT). This ensures that only local accounts can log on to the machine, preventing our domain users from using their accounts on the Kiosk machine.
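As an added verification step (this script is not part of the original post), the following PowerShell, run elevated on the deployed kiosk, checks that the two OMA-URI settings above and the kiosk configuration were actually applied. The PolicyManager registry path is an assumption about where the Policy CSP mirrors MDMWinsOverGP; the user-right export and the AssignedAccess WMI class are standard Windows features.

```powershell
# Post-deployment check for the custom profile settings (added example, not from the original post).
# Run in an elevated PowerShell session on the kiosk machine.
function Test-KioskLogonPolicy {
    $expectedSid = '*S-1-5-113'   # LOCAL_ACCOUNT, the value pushed through AllowLocalLogOn
    $result = [ordered]@{}

    # 1. AllowLocalLogOn maps to the SeInteractiveLogonRight user right; secedit exports it.
    $cfg = Join-Path $env:TEMP 'kiosk-userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    Remove-Item $cfg -Force
    $sids = @()
    if ($line) { $sids = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } }
    $result.InteractiveLogonSids = $sids -join ','
    # Only the LOCAL_ACCOUNT group may be present; any extra SID means domain users could still log on.
    $result.LogonRestricted = ($sids.Count -eq 1 -and $sids[0] -eq $expectedSid)

    # 2. MDMWinsOverGP must be 1 (assumed mirror location of the Policy CSP under PolicyManager).
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
    $val = (Get-ItemProperty -Path $key -Name MDMWinsOverGP -ErrorAction SilentlyContinue).MDMWinsOverGP
    $result.MdmWinsOverGp = ($val -eq 1)

    # 3. The AssignedAccess CSP exposes the applied kiosk configuration through the MDM WMI bridge.
    $aa = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName MDM_AssignedAccess -ErrorAction SilentlyContinue
    $result.KioskConfigured = [bool]($aa -and ($aa.Configuration -or $aa.KioskModeApp))

    [pscustomobject]$result
}

$r = Test-KioskLogonPolicy
$r | Format-List
# Non-zero exit lets a remediation or monitoring script flag a kiosk that is not locked down.
if (-not ($r.LogonRestricted -and $r.MdmWinsOverGp -and $r.KioskConfigured)) { exit 1 }
```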
Assign your profile (Deploy it)
To initiate a Windows Autopilot deployment, you need to assign your deployment profile to a test machine.
- Go back to Device Enrollment / Windows enrollment and Deployment Profile on the right
- Select your Deployment profile and ensure that your profile is assigned
- Go to Intune – Device configuration – Profiles
- Select each of the 3 profiles you created and assign them to the same Test group which contains your machine. Use the Assignment tab for this:
- Once your Deployment profile and the 3 configuration profiles are assigned to the Test Machine, we can start a Kiosk deployment:
- On the test machine, hold the SHIFT key and restart the PC
- Select Reset this PC
- If everything goes well, you should see the Windows deployment. This is where Windows Autopilot is doing its magic
- After Windows deployment, you’ll see the Enrollment Status Page (ESP)
- Once completed, your device will use Autologon as specified in our Configuration Profile. The user will be “Kiosk”. In case you’re wondering what the password is if someone logs off: it’s simply blank. If nothing is entered, the computer will automatically log on after 30 seconds
- The webpage specified in the Edge Configuration Profile will be displayed in full screen
We hope this guide was helpful. In another post we will describe how to do a multi-app kiosk.