MSEndpointMgr

Create Windows 10 Kiosk devices using Microsoft Intune – multiple apps

Having tested Windows 10 Kiosk device configuration for many weeks now, it is time to write down my findings and experiences.

Before I go to details how to configure multiple apps in Kiosk devices, I would like to write down some notes:
(Please remember, all my information are based on my testing in this moment when I am writing this post. August.15. 2018)

  • Supported logon user:
    • Auto logon account
    • Local user, it is required that the account exist before you configure the account for assigned access
    • Local user group, it is required that the user group exist before you configure the account for assigned access
    • Azure AD user
    • Azure AD user group
  • If you assign UWP apps that has print function, you will need extra configurations for make your device more secure. I will explain more details.
  • Auto logon give best logon experience for Kiosk device
  • For auto logon to work, do not enforce password settings.

  • Kiosk (Preview) multiple apps doesn’t work with any Windows 10 with any combination testing.  Tested again, it works now. (updated. August.15.2018)
  • Windows AutoPilot User Driven Deployment profile, Windows 10 Insider 17704 Enterprise + Enrollment Status page (Preview), auto logon works
  • Windows AutoPilot User Driven Deployment profile, Windows 10, version 1803 + Enrollment Status page (Preview), auto logon doesn’t work

Make sure you read Microsoft documentation for more details, specially notes and warnings.
https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps

Configure Kiosk mode profile

There are two method in Intune configure Kiosk mode, we can use Kiosk (Preview) Profile or use custom OMA-URI

Option 1: Use Kiosk (Preview) Profile (I don’t recommend use this yet)

NOTE: This is still in Preview, during my testing it works only in one of my test tenant, but not the other two tenants. So I am not sure if this setting works.

  1. Create a new profile.
    Name: Device – Kiosk (Preview)
    Platform: Windows 10 and later
    Profile type: Kiosk (Preview)

  2. Create new multiapps profile

  3. Add some apps. In my example, I added these following apps:
    • Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic
    • Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo
    • Microsoft.Windows.Photos_8wekyb3d8bbwe!App
    • Microsoft.BingWeather_8wekyb3d8bbwe!App
    • Microsoft.WindowsCalculator_8wekyb3d8bbwe!App
    • Microsoft.KioskBrowser_8wekyb3d8bbwe!App
    • Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
    • Windows.PrintDialog_cw5n1h2txyewy!Microsoft.Windows.PrintDialog
    • windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel
    • C:\Windows\system32\mspaint.exe
    • C:\Windows\System32\notepad.exe

      NOTE: I added Windows.PrintDialog_cw5n1h2txyewy!Microsoft.Windows.PrintDialog and windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel, because I would like to have print feature in my Kiosk machine

  4. Add Start menu layout:

    This is my Start menu layout XML (You can download my XML from here )

    <StartLayout> 
    <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="https://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="https://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="https://schemas.microsoft.com/Start/2014/LayoutModification"> 
            <LayoutOptions StartTileGroupCellWidth="6" /> 
            <DefaultLayoutOverride> 
            <StartLayoutCollection> 
              <defaultlayout:StartLayout GroupCellWidth="6"> 
              <start:Group Name="Group1"> 
                <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> 
                <start:Tile Size="2x2" Column="0" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> 
                <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> 
                <start:Tile Size="2x2" Column="2" Row="2" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> 
                <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> 
                <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.KioskBrowser_8wekyb3d8bbwe!App" />
              </start:Group> 
              <start:Group Name="Group2"> 
                <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" /> 
                <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" /> 
              </start:Group>
              <start:Group Name="Group3"> 
                <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" /> 
              </start:Group> 							
              </defaultlayout:StartLayout> 
            </StartLayoutCollection> 
            </DefaultLayoutOverride> 
          </LayoutModificationTemplate> 
        ]]> 
    </StartLayout>

     

  5. Choose User account type Autologon

Option 2: Use  custom OMA-URI settings. (You can download my XML from here)

Create a new custom OMA-URI policy.OMA-URI: ./Device/Vendor/MSFT/AssignedAccess/Configuration
Data Type: String
Value:

<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="https://schemas.microsoft.com/AssignedAccess/2017/config">
    <Profiles>
        <Profile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}">
      <AllAppsList> 
      <AllowedApps> 
        <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> 
        <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> 
        <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> 
        <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> 
        <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
        <App AppUserModelId="Microsoft.KioskBrowser_8wekyb3d8bbwe!App" />
        <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!BCHost" />
        <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!ContentProcess" />
        <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!F12" />
        <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
        <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!PdfReader" />
        <App AppUserModelId="Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe!App" />
        <App AppUserModelId="Windows.PrintDialog_cw5n1h2txyewy!Microsoft.Windows.PrintDialog" />
        <App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />			
        <App DesktopAppPath="%windir%\system32\mspaint.exe" /> 
        <App DesktopAppPath="C:\Windows\System32\notepad.exe" /> 
      </AllowedApps> 
      </AllAppsList> 
      <StartLayout> 
      <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="https://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="https://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="https://schemas.microsoft.com/Start/2014/LayoutModification"> 
              <LayoutOptions StartTileGroupCellWidth="6" /> 
              <DefaultLayoutOverride> 
              <StartLayoutCollection> 
                <defaultlayout:StartLayout GroupCellWidth="6"> 
                <start:Group Name="Group1"> 
                  <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> 
                  <start:Tile Size="2x2" Column="0" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> 
                  <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> 
                  <start:Tile Size="2x2" Column="2" Row="2" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> 
                  <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> 
                  <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.KioskBrowser_8wekyb3d8bbwe!App" />
                </start:Group> 
                <start:Group Name="Group2"> 
                  <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" /> 
                  <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" /> 
                </start:Group>
                <start:Group Name="Group3"> 
                  <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" /> 
                </start:Group> 							
                </defaultlayout:StartLayout> 
              </StartLayoutCollection> 
              </DefaultLayoutOverride> 
            </LayoutModificationTemplate> 
          ]]> 
      </StartLayout> 
      <Taskbar ShowTaskbar="true"/> 
        </Profile>
    </Profiles>
    <Configs>
        <Config>
            <AutoLogonAccount/>
            <DefaultProfile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}"/>
        </Config>
    </Configs>
</AssignedAccessConfiguration>

Configure Print feature Settings

Now that we have Kiosk mode configured, we continue configure print settings. Create a new custom OMA-URI policy to control what windows settings are allow to use.When assign UWP apps that has print function, users are able to click on “Add a printer“, they will have access to all Windows Settings.

I will configure this policy to allow users see only Printers & scanners:

OMA-URI:  ./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList
Data Type: String
Value:  showonly:printers

Assign both policy to your kiosk device group.

Here is the result how my Kiosk device looks like:

More information:

Customize and export Start layout: https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout
MDM policy: https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps#mdm-policy
Find AUMID: https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app
Kiosk XML sample: https://docs.microsoft.com/en-us/windows/configuration/kiosk-xml

Sandy Zeng

Sandy is an Enterprise Mobility MVP since 2018. She is an experienced Information Technology Specialist for over 10 years. Skilled in Microsoft Endpoint Manager (ConfigMgr and Intune), Windows 10 and security. Sandy's interests are mostly related to Microsoft Technologies, she has passions learning new skill sets to improve her professional career and also as her hobbies. She uses her expertise to help customers achieve their goals and solve their issues.

Sandy founded the https://sandyzeng.com blog and is now a blogger on MSEndPointMgr.

45 comments

  • Once in Settings Printers, if you select add a printe or scanner, we are presented with a policy block. Anyone been able to add printers from Settings?

    • did you allow these two apps as I mentioned in the post? Windows.PrintDialog_cw5n1h2txyewy!Microsoft.Windows.PrintDialog and windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel
      You can also logon to a admin account, check AppLocker logs from event viewer, see which app got blocked.

  • Hi Zeng, great post!

    Any experience running Kiosk-mode with Autopilot User-Driven mode? Our limitations are old hw and therefor no TPM 2.0 to run the Self-deployment mode.

    A few challenges i see with User-driven mode are:
    The use of a DEM-account for enrollment – autologon won’t work and activation will cause issues in the long run unless a Azure AD-user “regurarly” logs in to kiosk device to maintain the activation.

    I’m testing Autopilot User driven mode + Kiosk mode (singel app) + ESP + Autologon + DEM. I can tell you it doesn’t run smoothly, if it runs at all.

    Have you tried something similar?

    • As you already know, autologon requires local user, and Windows 10 Enterprise subscription step up activation requires AAD user regularly logs on, if your requirement is using Windows 10 Enterprise, then I think MAK key activation is the better option. I am using User driven mode + Kiosk mode (multiple) + ESP + Autologon + DEM, it does work, but I deployed a Win32app to those device and make it restart the machine, so that it will do the autologon in some point, and this Win32app is not tracked by ESP, because I don’t want it breaks ESP.

  • Has anyone encountered where you log in too quickly before certain software titles are installed, and that group never populates in your custom start layout until a reapply of policy is forced?

  • Hi Zeng,
    I have accidentally assigned the kiosk profile to a device. Then I remove the profile out of the device.
    But this device still getting the kiosk mode. How do make this device back to normal windows 10? Thank you

    • It should have reverse back to normal once when kiosk profile is not assigned, but it might be just slow and need to wait a bit.

  • Hi Zeng, I’m having troubles starting Windows 10 UWP Apps in Kiosk Mode.

    The apps show up, but close down almost immediately. When I log out and login with another user the same apps start without any issues. In the log files I see that the apps crash with error 0xC000027B.

    Assigned access is configured to auto-login with a Kiosk user account, which is deleted after the users shuts down the machine.

    • I don’t have any information about why those UWP apps crashed, I wish I do.

  • I am trying to deploy Kiosk mode with the profile, when I dig down into the computer that I am trying to apply it to it is saying the state is not applicable.

  • Thank you for your feedback. I have a kiosk AAD User, but for some reason the profile is saying it’s applying, but it is not displaying the full screen kiosk mode as auto logon did. I wanted to see if anyone else was having an issue with this particular configuration.

  • Hi – Great article! I am able to get the multi-app kiosk profile to work with Auto logon, but not with an Azure AD User or group. Does this work in Intune?

  • Zeng, Thanks for your reply! This is what I have in my allowapp and startlayout. I can see the icon on my kiosk layout and when I click it tries to open for a split second then closes. I have tried this on multiple test systems.

    Thanks Lee

  • Hello and Thanks for all the good Information. I really need Internet Explorer to run in multiapp kiosk mode. I have it allowed and have it in my startlayout.xml. IE will only open and immediately closes. Applocker is not blocking the app so I am thinking that IE is dependent on some other process that is not allowed. Any help would be appreciated.
    Thanks Lee

  • I have an issue with accessing Intune deployed UWP apps on the start layout in Kiosk mode.

    – I enrolled the device into Intune using Autopilot and upon enrollment, apps are deployed to the device and installed (the apps are deployed to a device based group so not user based)
    – I can see the apps are visible and after I reboot with Autologon using the local user account created, that tile which is meant to hold that UWP is constantly blank
    – Is it possible to display a UWP deployed app to the start layout? I see you have the Kiosk browser displayed, it’s not an inbuilt app like the rest, how did you get it to come up?

    • I deployed Kiosk Browser from Intune as required app, it was synced vial Windows Store for business. The XML file in my blog is from Windows 10 1803, it might be different in 1809. The correct way to do that, you can login with non-kiosk account, configure your start menu, then export it with powershell command: Export-StartLayout “your path”. You can get those UWP app names follow this doc https://docs.microsoft.com/en-us/windows/configuration/find-the-application-user-model-id-of-an-installed-app. I also use this PowerShell command: Get-StartApps

      I have run into situation that had to create a shortcut url for some apps, and put the shortcut to %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs folder, then add that url path to start layout.

  • Interesting the Share PC policies do not work here – sounds like something to bring back to Microsoft as a deleting profile is key here. Do you know a good way to deploy a start up script in InTune? 🙂

    • Didn’t find any better way, pack the GroupPolicy folder as msi or Intune 32app will do the trick.

    • I’m uploading a 3GB Intunewin package (Office 2019 VL ProPlus C2R) right now, I will test this and report back to you. Startup script is done with MSI as you said, no other way to do this right now.

      • I am interested in this – let me know and maybe share the MSI if it clears the Kiosk account 🙂

      • I finally figured something out that works, I’m using the Office Deployment Tool to download and install the Volume License. The activation keys are stored in a folder that resides outside the user profile folder so that everytime the user profile is deleted Office stays activated.

        I will post the necessary script here tonight.

        By the way, I was rolling out some new devices today and ran into this error:

        ERROR CODE
        0x87d101f4
        ERROR DETAILS
        Syncml(500): The recipient encountered an unexpected condition which prevented it from fulfilling the request

        Anyone familiar with this one? I haven’t changed anything to the settings.

      • Here’s the Powershell I’ve used to deploy:

        New-Item -ItemType directory -Path C:\ODT -Force
        Invoke-WebRequest -Uri “URI TO XML” -OutFile “C:\ODT\XMLFILE.xml”
        Invoke-WebRequest -Uri “URI TO SETUP.EXE” -OutFile “C:\ODT\setup.exe”
        Start-Process -Filepath C:/ODT/setup.exe -Args “/download C:/ODT/XMLFILE.xml” -Wait
        Start-Process -Filepath C:/ODT/setup.exe -Args “/configure C:/ODT/XMLFILE.xml”

        Create your own config at https://config.office.com/ and use a folder outside your profile folder for activation and use your own VLK to activate Office. Then it should work. 🙂

  • I’m getting several errors in the Windows 10 log file when I try to apply the XML with OMA.

    Custom AssignedAccess Configuration failed
    XML document must have a top level element

    ErrorCode 0xc00ce558

    My XML is a copy paste of the XML just to test it out.

      • Hi Zeng, thanks! No need to apologise for the late reply. 🙂

        I will test this out today and let you know the outcome, on this machine I’ve already used the Kiosk Preview function of Intune, it’s not assigned anymore but could this also cause issues?

      • Hi Zeng, I’ve copied the raw content from github and pasted it into Intune and the error messages stay the same. Could it have something to do with the Windows build (1809) i’m using for this test scenario? Any ideas on this?

      • Hello Michel, can you try download the xml from github, in Intune, choose String(XML) instead of String, upload the xml to Intune. I also had problem with copy and paste, Intune will tell you if something wrong with XML when you import that. Or you can try the option 1, use Kiosk (Preview) Setting, but it doesn’t support multi kiosk profile. I am using the same Kiosk XML in Windows 10 1809 en-US Enterprise, it should work. What event log saying?
        Please let me know how is your testing.

      • Hi Zeng, I ran my XML through an XML validator and saw the mistake I made in Notepad++ with some double quotes. Everything works now! Thanks for taking your time to help me with this.

        I’ve even been able to add the downloads folder to the Kiosk mode so users can temporarely save files. Information about this I found on: https://docs.microsoft.com/en-us/windows/configuration/kiosk-xml

        Downside is that the Downloads folder isn’t automatically emptied, I have to create some Powershell stuff to do this automatically. 🙂

      • Awesome you got it working! There are some downside of using autologon, I can’t use shared PC mode to remove autologon profile. What I am now doing for Kiosk autologon profile, is I disable all the log off, shutdown button, put an icon that will restart the machine, then use start script to remove KioskUser profile. It’s depends what application you allow to user use, some apps save user’s credentials in somewhere, that’s why I had to remove the whole profile. 🙂

      • I’ve also managed to do this the same way by deleting the whole kioskuser profile with the powershell command Remove-WmiObject. Do you also have the Office applications published in Kiosk mode? I’m having issues with the activation, is there a way to deploy a VL Office or make sure that Office is still activated after the profile is deleted?

      • I am not sure, haven’t tested that. Perhaps can pack the VL Office as Intune Win32 app and deploy it, but I don’t know how big size package Intune support, did try it with big package. If deploy O365, there is option mark that it’s a share PC, have you try that one?

  • Have you found a way to allow USB drive access and possible even access to the Downloads folder?

  • Hello, we have been working with Kiosk mode for a couple of weeks. We currently use it to run Chrome to a specific URL. We had to use Powershell script to manipulate the master_preferences file for the url we need chrome to open to. The only issue we are having is that our machines our wifi only. In Kiosk mode, the wifi icon does not appear on lock screen or our menu layout when logged in. Do you know if it is possible to allow the wifi settings only in case they lose connection and need to re-connect?

    Thanks

  • Can this be assigned to any existing enrolled devices? I seem to have issues – the kiosk configuration policy always fails.

    • How those devices enrolled? What does event log say when apply Kiosk configuration policy?

      • Hi there – I enrolled via a provision package with a bulk enrollment token, as well as I’ve attempted with simply a User based AzureAD enrollment. I found that the AutoLogonAccount node was problematic, and I can get this functional and stable by targeting a local user account.

        There is a now an InTune profile for Kiosk to accomplish what the XML does. It’s been useful. I would like to narrow down the AutoLogonAccount issue moving forward.

        Another thing to mention is the Kiosk Browser is out now.

      • Hello, the Intune Kiosk (preview) has been there for awhile, as I mentioned the last time I tested that, it didn’t not work with multiple apps. I know Kiosk Browser is out, but I don’t like that doesn’t have print function. for local user account, we have to pre create the local account, otherwise apply kiosk profile policy will failed. I have tried use CSP create a local account, but I don’t like it enforce user change password, it’s not automatic. So far the autologonaccount works fine in my testing. I will expect more changes and improvement coming in the future from Microsoft.

  • I have been trying to use this technology for a year now. none of it actually works consistently.

Sponsors

Categories

MSEndpointMgr.com use cookies to ensure that we give you the best experience on our website.