Having tested Windows 10 Kiosk device configuration for many weeks now, it is time to write down my findings and experiences.

Before I go into the details of how to configure multiple apps on Kiosk devices, here are some notes.
(Please remember that all of this information is based on my testing at the time of writing this post, August 15, 2018.)

  • Supported logon user:
    • Auto logon account
    • Local user: the account must exist before you configure it for assigned access
    • Local user group: the user group must exist before you configure it for assigned access
    • Azure AD user
    • Azure AD user group
  • If you assign UWP apps that have a print function, you will need extra configuration to keep your device secure. I explain this in more detail below.
  • Auto logon gives the best logon experience for a Kiosk device
  • For auto logon to work, do not enforce password settings.

  • Kiosk (Preview) multiple apps doesn’t work with any Windows 10 in any combination I tested. Update (August 15, 2018): tested again, it works now.
  • Windows AutoPilot User Driven Deployment profile, Windows 10 Insider 17704 Enterprise + Enrollment Status page (Preview), auto logon works
  • Windows AutoPilot User Driven Deployment profile, Windows 10, version 1803 + Enrollment Status page (Preview), auto logon doesn’t work

Make sure you read the Microsoft documentation for more details, especially the notes and warnings.
https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps

Configure Kiosk mode profile

There are two ways to configure Kiosk mode in Intune: the Kiosk (Preview) profile or a custom OMA-URI setting.

Option 1: Use Kiosk (Preview) Profile (I don’t recommend using this yet)

NOTE: This is still in Preview. During my testing it worked in only one of my test tenants, but not in the other two, so I am not sure if this setting works.

  1. Create a new profile.
    Name: Device – Kiosk (Preview)
    Platform: Windows 10 and later
    Profile type: Kiosk (Preview)

  2. Create a new multi-app profile

  3. Add some apps. In my example, I added the following apps:
    • Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic
    • Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo
    • Microsoft.Windows.Photos_8wekyb3d8bbwe!App
    • Microsoft.BingWeather_8wekyb3d8bbwe!App
    • Microsoft.WindowsCalculator_8wekyb3d8bbwe!App
    • Microsoft.KioskBrowser_8wekyb3d8bbwe!App
    • Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
    • Windows.PrintDialog_cw5n1h2txyewy!Microsoft.Windows.PrintDialog
    • windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel
    • C:\Windows\system32\mspaint.exe
    • C:\Windows\System32\notepad.exe

      NOTE: I added Windows.PrintDialog_cw5n1h2txyewy!Microsoft.Windows.PrintDialog and windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel because I want the print feature on my Kiosk machine.

  4. Add Start menu layout:

    This is my Start menu layout XML (You can download my XML from here)

    <StartLayout> 
    <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> 
            <LayoutOptions StartTileGroupCellWidth="6" /> 
            <DefaultLayoutOverride> 
            <StartLayoutCollection> 
              <defaultlayout:StartLayout GroupCellWidth="6"> 
              <start:Group Name="Group1"> 
                <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> 
                <start:Tile Size="2x2" Column="0" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> 
                <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> 
                <start:Tile Size="2x2" Column="2" Row="2" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> 
                <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> 
                <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.KioskBrowser_8wekyb3d8bbwe!App" />
              </start:Group> 
              <start:Group Name="Group2"> 
                <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" /> 
                <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" /> 
              </start:Group>
              <start:Group Name="Group3"> 
                <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" /> 
              </start:Group> 							
              </defaultlayout:StartLayout> 
            </StartLayoutCollection> 
            </DefaultLayoutOverride> 
          </LayoutModificationTemplate> 
        ]]> 
    </StartLayout>

     

  5. Choose User account type Autologon

Option 2: Use custom OMA-URI settings. (You can download my XML from here)

Create a new custom OMA-URI policy.
OMA-URI: ./Device/Vendor/MSFT/AssignedAccess/Configuration
Data Type: String
Value:

<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
    <Profiles>
        <Profile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}">
      <AllAppsList> 
      <AllowedApps> 
        <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> 
        <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> 
        <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> 
        <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> 
        <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
        <App AppUserModelId="Microsoft.KioskBrowser_8wekyb3d8bbwe!App" />
        <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!BCHost" />
        <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!ContentProcess" />
        <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!F12" />
        <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
        <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!PdfReader" />
        <App AppUserModelId="Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe!App" />
        <App AppUserModelId="Windows.PrintDialog_cw5n1h2txyewy!Microsoft.Windows.PrintDialog" />
        <App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />			
        <App DesktopAppPath="%windir%\system32\mspaint.exe" /> 
        <App DesktopAppPath="C:\Windows\System32\notepad.exe" /> 
      </AllowedApps> 
      </AllAppsList> 
      <StartLayout> 
      <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> 
              <LayoutOptions StartTileGroupCellWidth="6" /> 
              <DefaultLayoutOverride> 
              <StartLayoutCollection> 
                <defaultlayout:StartLayout GroupCellWidth="6"> 
                <start:Group Name="Group1"> 
                  <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> 
                  <start:Tile Size="2x2" Column="0" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> 
                  <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> 
                  <start:Tile Size="2x2" Column="2" Row="2" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> 
                  <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> 
                  <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.KioskBrowser_8wekyb3d8bbwe!App" />
                </start:Group> 
                <start:Group Name="Group2"> 
                  <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" /> 
                  <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" /> 
                </start:Group>
                <start:Group Name="Group3"> 
                  <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" /> 
                </start:Group> 							
                </defaultlayout:StartLayout> 
              </StartLayoutCollection> 
              </DefaultLayoutOverride> 
            </LayoutModificationTemplate> 
          ]]> 
      </StartLayout> 
      <Taskbar ShowTaskbar="true"/> 
        </Profile>
    </Profiles>
    <Configs>
        <Config>
            <AutoLogonAccount/>
            <DefaultProfile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}"/>
        </Config>
    </Configs>
</AssignedAccessConfiguration>
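
A pre-flight check for the XML above, as an added PowerShell example (not part of the original post or of Microsoft's tooling). It flags typographic quotes picked up by copy/paste (the problem reported in the comments), a DefaultProfile that matches no Profile, Start tiles that point at apps the profile does not allow, and an allowed Settings app that needs the page restriction described in the next section. The function name Test-KioskConfig and the trimmed sample are constructed for illustration; desktop tiles are matched by file name only.

```powershell
# Added example, not from the original post. Test-KioskConfig is a hypothetical name.
function Test-KioskConfig {
    param([Parameter(Mandatory)][string]$XmlText)
    $out = [System.Collections.Generic.List[string]]::new()
    # Typographic quotes picked up by copy/paste cannot delimit XML attributes.
    $curly = [regex]::Matches($XmlText, '[\u2018\u2019\u201C\u201D]').Count
    if ($curly -gt 0) { $out.Add("Typographic quotes in file: $curly") }
    try { $doc = [xml]$XmlText }
    catch { $out.Add("Not well-formed: $($_.Exception.Message)"); return $out }
    # local-name() keeps the XPath independent of the default namespace.
    $profiles = $doc.SelectNodes("//*[local-name()='Profile']")
    $ids = @($profiles | ForEach-Object { $_.GetAttribute('Id') })
    foreach ($d in $doc.SelectNodes("//*[local-name()='DefaultProfile']")) {
        $id = $d.GetAttribute('Id')
        if ($ids -notcontains $id) { $out.Add("DefaultProfile $id matches no Profile") }
    }
    foreach ($p in $profiles) {
        $apps   = $p.SelectNodes(".//*[local-name()='App']")
        $aumids = @($apps | ForEach-Object { $_.GetAttribute('AppUserModelId') } | Where-Object { $_ })
        # Heuristic: desktop apps are compared by file name, because the layout
        # uses a known-folder GUID where AllowedApps uses a path.
        $exes = @($apps | ForEach-Object { ($_.GetAttribute('DesktopAppPath') -split '\\')[-1] } |
                  Where-Object { $_ })
        if ($aumids -match 'immersivecontrolpanel') {
            $out.Add('Settings app allowed: restrict it with PageVisibilityList')
        }
        $node = $p.SelectSingleNode("*[local-name()='StartLayout']")
        if (-not $node) { continue }
        try { $layout = [xml]$node.InnerText }
        catch { $out.Add('StartLayout CDATA is not well-formed'); continue }
        foreach ($t in $layout.SelectNodes('//*[@AppUserModelID or @DesktopApplicationID]')) {
            $a = $t.GetAttribute('AppUserModelID')
            $e = ($t.GetAttribute('DesktopApplicationID') -split '\\')[-1]
            if ($a -and $aumids -notcontains $a) { $out.Add("Tile not in AllowedApps: $a") }
            if ($e -and $exes -notcontains $e) { $out.Add("Tile not in AllowedApps: $e") }
        }
    }
    return $out
}

# Constructed sample: trimmed from the configuration above; the Weather tile is not allowed.
$sample = @'
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
 <Profiles><Profile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}">
  <AllAppsList><AllowedApps>
   <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
   <App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
   <App DesktopAppPath="%windir%\system32\mspaint.exe" />
  </AllowedApps></AllAppsList>
  <StartLayout><![CDATA[<LayoutModificationTemplate xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
   <start:Tile AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
   <start:DesktopApplicationTile DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" />
  </LayoutModificationTemplate>]]></StartLayout>
 </Profile></Profiles>
 <Configs><Config><AutoLogonAccount/><DefaultProfile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}"/></Config></Configs>
</AssignedAccessConfiguration>
'@
Test-KioskConfig -XmlText $sample
```

To check a real file, pass its text with `Get-Content -Raw`, for example `Test-KioskConfig -XmlText (Get-Content .\kiosk.xml -Raw)`, where kiosk.xml is a placeholder name.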

 

Configure Print feature Settings

Now that Kiosk mode is configured, we continue with the print settings. When you assign UWP apps that have a print function, users can click “Add a printer”, which gives them access to all Windows Settings. Create a new custom OMA-URI policy to control which Windows Settings pages they are allowed to use.

I will configure this policy to let users see only Printers & scanners:

OMA-URI:  ./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList
Data Type: String
Value:  showonly:printers

Assign both policies to your Kiosk device group.

 

Here is how my Kiosk device looks:


 

More information:

Customize and export Start layout: https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout
MDM policy: https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps#mdm-policy
Find AUMID: https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app
Kiosk XML sample: https://docs.microsoft.com/en-us/windows/configuration/kiosk-xml

 


Sandy has been working in the IT industry since 2009. Primarily dealing with SCCM, MDT, Group Policy, software packaging, workstation problem solving. Sandy currently works for a large Finnish company with several thousand endpoints. In 2016, Sandy founded the http://thesccm.com blog and is now a guest blogger on SCConfigMgr.

comments
  • Marctwain
    Posted at 05:23 July 13, 2018

    I have been trying to use this technology for a year now. None of it actually works consistently.

  • nigel
    Posted at 22:39 July 23, 2018

    Can this be assigned to any existing enrolled devices? I seem to have issues – the kiosk configuration policy always fails.

    • Zeng Yinghua
      Posted at 10:57 July 30, 2018

      How were those devices enrolled? What does the event log say when you apply the Kiosk configuration policy?

      • nigel
        Posted at 23:34 August 1, 2018

        Hi there – I enrolled via a provision package with a bulk enrollment token, as well as I’ve attempted with simply a User based AzureAD enrollment. I found that the AutoLogonAccount node was problematic, and I can get this functional and stable by targeting a local user account.

        There is now an Intune profile for Kiosk to accomplish what the XML does. It’s been useful. I would like to narrow down the AutoLogonAccount issue moving forward.

        Another thing to mention is the Kiosk Browser is out now.

        • Zeng Yinghua
          Posted at 15:55 August 2, 2018

          Hello, the Intune Kiosk (preview) has been there for a while. As I mentioned, the last time I tested it, it didn’t work with multiple apps. I know Kiosk Browser is out, but I don’t like that it doesn’t have a print function. For a local user account, we have to pre-create the local account, otherwise applying the kiosk profile policy will fail. I have tried using a CSP to create a local account, but I don’t like that it forces the user to change the password; it’s not automatic. So far the AutoLogonAccount works fine in my testing. I expect more changes and improvements coming in the future from Microsoft.

  • Daniel Morales
    Posted at 03:20 August 15, 2018

    Hello, we have been working with Kiosk mode for a couple of weeks. We currently use it to run Chrome to a specific URL. We had to use a PowerShell script to manipulate the master_preferences file for the URL we need Chrome to open to. The only issue we are having is that our machines are wifi only. In Kiosk mode, the wifi icon does not appear on the lock screen or in our menu layout when logged in. Do you know if it is possible to allow the wifi settings only, in case they lose connection and need to re-connect?

    Thanks

  • Nigel
    Posted at 16:29 August 24, 2018

    Have you found a way to allow USB drive access and possibly even access to the Downloads folder?

  • Michel
    Posted at 19:15 October 17, 2018

    I’m getting several errors in the Windows 10 log file when I try to apply the XML with OMA.

    Custom AssignedAccess Configuration failed
    XML document must have a top level element

    ErrorCode 0xc00ce558

    My XML is a copy paste of the XML just to test it out.

    • Zeng Yinghua
      Posted at 14:14 October 20, 2018

      Hello Michel, sorry for the late reply. When copying and pasting from the blog post, the double quote characters sometimes go wrong. Can you try using my XML from GitHub? https://github.com/sandytsang/MSIntune/tree/master/Kiosk

      Regards, Sandy

      • Michel
        Posted at 09:15 October 21, 2018

        Hi Zeng, thanks! No need to apologise for the late reply. 🙂

        I will test this out today and let you know the outcome, on this machine I’ve already used the Kiosk Preview function of Intune, it’s not assigned anymore but could this also cause issues?

      • Michel ten Hove
        Posted at 21:16 October 23, 2018

        Hi Zeng, I’ve copied the raw content from GitHub and pasted it into Intune and the error messages stay the same. Could it have something to do with the Windows build (1809) I’m using for this test scenario? Any ideas on this?

        • Zeng Yinghua
          Posted at 12:51 October 24, 2018

          Hello Michel, can you try downloading the XML from GitHub and, in Intune, choose String(XML) instead of String and upload the XML to Intune? I also had problems with copy and paste; Intune will tell you if something is wrong with the XML when you import it. Or you can try option 1, the Kiosk (Preview) setting, but it doesn’t support multiple kiosk profiles. I am using the same Kiosk XML on Windows 10 1809 en-US Enterprise, so it should work. What does the event log say?
          Please let me know how your testing goes.

          • Michel ten Hove
            Posted at 13:27 October 24, 2018

            Hi Zeng, I ran my XML through an XML validator and saw the mistake I made in Notepad++ with some double quotes. Everything works now! Thanks for taking your time to help me with this.

            I’ve even been able to add the Downloads folder to the Kiosk mode so users can temporarily save files. Information about this I found on: https://docs.microsoft.com/en-us/windows/configuration/kiosk-xml

            Downside is that the Downloads folder isn’t automatically emptied, I have to create some PowerShell stuff to do this automatically. 🙂

          • Zeng Yinghua
            Posted at 16:07 October 24, 2018

            Awesome you got it working! There are some downsides of using autologon: I can’t use shared PC mode to remove the autologon profile. What I am now doing for the Kiosk autologon profile is to disable all the log off and shutdown buttons, put an icon that will restart the machine, then use a start script to remove the KioskUser profile. It depends on what applications you allow users to use; some apps save the user’s credentials somewhere, that’s why I had to remove the whole profile. 🙂

          • Michel
            Posted at 22:00 November 6, 2018

            I’ve also managed to do this the same way by deleting the whole kioskuser profile with the PowerShell command Remove-WmiObject. Do you also have the Office applications published in Kiosk mode? I’m having issues with the activation, is there a way to deploy a VL Office or make sure that Office is still activated after the profile is deleted?

          • Zeng Yinghua
            Posted at 22:57 November 6, 2018

            I am not sure, I haven’t tested that. Perhaps you can pack the VL Office as an Intune Win32 app and deploy it, but I don’t know how big a package Intune supports, did try it with big package. If you deploy O365, there is an option to mark that it’s a shared PC, have you tried that one?

  • nigel
    Posted at 16:11 October 24, 2018

    Interesting that the Shared PC policies do not work here – sounds like something to bring back to Microsoft, as deleting a profile is key here. Do you know a good way to deploy a startup script in Intune? 🙂

    • Zeng Yinghua
      Posted at 22:52 November 6, 2018

      Didn’t find any better way; packing the GroupPolicy folder as an MSI or Intune Win32 app will do the trick.

    • Michel ten Hove
      Posted at 21:48 November 7, 2018

      I’m uploading a 3GB Intunewin package (Office 2019 VL ProPlus C2R) right now, I will test this and report back to you. Startup script is done with MSI as you said, no other way to do this right now.

      • nigel
        Posted at 22:33 November 7, 2018

        I am interested in this – let me know and maybe share the MSI if it clears the Kiosk account 🙂

  • Ebz
    Posted at 19:29 November 7, 2018

    I have an issue with accessing Intune deployed UWP apps on the start layout in Kiosk mode.

    – I enrolled the device into Intune using Autopilot and upon enrollment, apps are deployed to the device and installed (the apps are deployed to a device based group so not user based)
    – I can see the apps are visible and after I reboot with Autologon using the local user account created, that tile which is meant to hold that UWP is constantly blank
    – Is it possible to display a UWP deployed app to the start layout? I see you have the Kiosk browser displayed, it’s not an inbuilt app like the rest, how did you get it to come up?

    • Zeng Yinghua
      Posted at 22:35 November 7, 2018

      I deployed Kiosk Browser from Intune as a required app; it was synced via Windows Store for Business. The XML file in my blog is from Windows 10 1803, it might be different in 1809. The correct way to do that: log in with a non-kiosk account, configure your Start menu, then export it with the PowerShell command: Export-StartLayout "your path". You can get those UWP app names by following this doc https://docs.microsoft.com/en-us/windows/configuration/find-the-application-user-model-id-of-an-installed-app. I also use this PowerShell command: Get-StartApps

      I have run into situations where I had to create a shortcut URL for some apps, put the shortcut in the %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs folder, then add that URL path to the start layout.
