In this blog post, we’ll configure a Windows 10 Kiosk Mode in Single-App using Intune and Autopilot as the deployment method. We’ll also make sure that the user doesn’t have to log using the AutoLogin function. Our kiosk will be displaying a webpage to be used in a public area.

Some desktop such a public device can be “locked down” to show specifics applications only. Windows 10 Kiosk mode offers 2 different kiosk experiences :

  • Single-app kiosk: Runs a single app (UWP) in fullscreen on top of the lock screen. Users using the kiosk can see only that app. If the kiosk app is closed, it will automatically restart. If a user disconnect, the log screen can be configured to log back automatically. You can also use Shell Launcher to configure a kiosk device that runs a Windows desktop application as the user interface
  • Multi-app kiosk: Runs one or more apps from the desktop. Users using the kiosk see a customized Start Menu that shows only the tiles for the apps that are allowed.
Important Info

For this post, we use Windows 10 1903. If you encounter any problem or hang during your deployment, make sure to use the latest Windows version as all technology used in this post gets updated in each new Windows build.

AutoPilot Configuration

Before using Autopilot, make sure you’ve enabled all the prerequisites. You can read our complete blog post on the subject.

Kiosk single app Intune Autopilot – Device Enrollment

The first step to creating our Windows 10 kiosk using Intune is to enroll the device in our Tenant. We’ll be using an Autopilot deployment profile for this.

  • In the Intune Console
  • Go to Device enrollment
kiosk single app intune autopilot
  • Click on Windows enrollment and Deployment Profile on the right
kiosk single app intune autopilot
  • Click on the Create Profile at the top
  • On the Create Profile screen, enter a Name and Description
  • Click Next
kiosk single app intune autopilot
  • Enter Self-Deploying as a Deployment mode. This will ensure that no user intervention is needed during deployment
  • In Language, enter the needed OS locale
  • In Apply device name template, we choose to name our machine using a variable : SCD-%RAND:4%.
    • This will name machine randomly using 4 digit. Example : SCD-1234.
    • If you set this field to No, your machine will be randomly named. (Exemple : Desktop-FFEQQ6)
  • Click Next
intune autopilot kiosk single-app
  • In the Scope screen, click Next.
    • Scope tags determine which objects admins can see. The default scope tag feature is similar to the security scopes feature in System Center Configuration Manager.
intune autopilot kiosk single-app
  • On the Assignments tab, select the Group you want to deploy your profile by clicking Select Groups to Include
  • You can also Exclude a Group if needed
  • Click Next
intune autopilot kiosk single-app
  • Review your settings and click Create
intune autopilot kiosk single-app

Your deployment profile is now created. This profile will be used to enroll our Kiosk machines in Intune.

Configure the Kiosk

Once the machine is enrolled, we now need to configure the machine to enable the Kiosk. This is done by creating a Device Configuration Profile.

Our kiosk needs to launch an Edge browser for a specific web page and needs to Autologin. We’ll setup those configurations using Device Restrictions. We will also configure the kiosk to deny domain users to log on the computer.

  • In the Intune Console
  • Go to Device configuration – Profiles
  • Click on Profiles and then Create Profile

For our case, we need 3 different Profiles. One for the Kiosk, one to configure Edge and one for the login restriction.

For the Kiosk Profile, setup the profiles as the following. This will setup 3 of our requirement (Kiosk, Edge and Autologon)

  1. Name of your profile
  2. Platform: Windows 10 and later
  3. Profile Type: Kiosk
  4. Settings, click on Configure
  5. Kiosk mode: Single App
  6. User logon type: Autologon
  7. Application Type: Add Microsoft Edge
  8. Click on Microsoft Edge setting
  9. Microsoft Edge Kiosk Mode : Digital
  • Once configured, click on Create at the bottom
intune autopilot kiosk single-app
  • The Edge browser cannot be configured using the previous profile, to set the Start Page, we create another profile :
  1. Name of your profile
  2. Platform: Windows 10 and later
  3. Profile Type: Device Restriction
  4. Settings, click on Configure
  5. Click on Microsoft Edge Browser
  6. At the top select Digital in User Microsoft Edge Kiosk Mode
  7. Click on Start Experience
intune autopilot kiosk single-app
  • Enter the desired Start Page
  • Click Ok at the Bottom 3 times and complete the profile creation by clicking Create

The last profile we need to create is for the logon restriction. This will be a different profile type, what’s why we can’t use the same profile as the one we just created for Edge.

This profile is used to restrict a user to use its domain credentials to log on to the computer. If a user uses CTRL + ALT + DEL, the computer will use Autologin after 30 seconds. If a user tries to log using its domain credential, it will be refused using this policy. Since this can’t be made using the Intune UI, we will use OMA-URI for this.

We will also add a second custom setting to make sure that our MDM policy “wins” if a GPO tries to configure the same settings.

  1. Name of your profile
  2. Platform: Windows 10 and later
  3. Profile Type: Custom
  4. Settings, click on Configure
  5. Click on Add
  6. Enter the following:
  • OMA-URI : ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
  • Data Type : Integer
  • Value : 1
  • Click Ok
kiosk single app intune autopilot
  • Click Add, to add another setting
  • OMA-URI : ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
  • Data Type : String
  • Value : <![CDATA[*S-1-5-113]]>

Note : Reading through the documentation we selected the S-1-5-113 (LOCAL_ACCOUNT). This ensures that only local accounts can log to the machine, preventing our domain user to use their accounts on the Kiosk machine.

Assign your profile (Deploy it)

To initiate a Windows Autopilot deployment, your need to assign your deployment profile to a test machine.

  • Go back to Device Enrollment / Windows enrollment and Deployment Profile on the right
  • Select your Deployment profile and ensure that your profile is assigned
intune autopilot kiosk single-app
  • Go to Intune – Device configuration – Profiles
  • Select each profile (3) you created and assign them to the same Test group which contains your machine. Use the Assignment tab for this :
  • Once your Deployment profile and 3 configuration profile are assigned to the Test Machine, we can start a Kiosk deployment :
  • On the test machine, hold the SHIFT key and restart the PC
  • Select Reset this PC
  • If everything goes well, you should see Windows deployment. This is where Windows Autopilot is going its magic
Image associée
  • After Windows deployment, you’ll see the Enrollment Status Page (ESP)
  • Once completed, your device will use Autologon as specified in our Configuration Profile. The user will be “Kiosk”. In case you’re wondering what’s the password if someone logs off. It’s simply blank. If nothing is entered, the computer will auto log after 30 second
  • The webpage specified in the Edge Configuration Profile will be displayed in full screen

We hope this guide was helpful, in another post we will describe how to do a multiple apps kiosk.

Comments (4)

Christopher Nguyen

01.06.2020 AT 10:40 AM
Have you all been able to deploy apps via SCM when using single-app kiosk mode after the kiosk mode has been configured? I'm using a provisioning package to configure the kiosk mode and browser, but SCCM apps aren't deploying until I remove the kiosk mode and log in as the kiosk account.


11.10.2019 AT 09:59 PM
Can we use the Kiosk mode to target any application type , like Citrix client etc ..... or only Windows apps can be targeted ?

Sagar Trivedi

10.30.2019 AT 07:42 AM
You really have shared great insights for screenshots and this article is giving all the information which actually is required.


10.28.2019 AT 01:30 PM
Hello, I have this query for obtain all machines that have primary users. my problem is in sql because appears one row for every primary users that machines has. How can obtain all the primary users in the same column and row separate for commas (as appears in sccm console). Thanks. SELECT distinct TOP (100) PERCENT SYS.Name0 AS [Computer Name], SYS.User_Domain0 AS [Computer Domain], SYS.AD_Site_Name0 AS [Active Directory Site] , dbo.v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 AS [Chassis Types], dbo.v_GS_SYSTEM_ENCLOSURE.SMBIOSAssetTag0 AS [BIOS Asset Tag], dbo.v_GS_SYSTEM_ENCLOSURE.SerialNumber0 AS [Serial] , dbo.v_GS_SYSTEM_ENCLOSURE.Manufacturer0 AS [Manufacturer], dbo.v_GS_COMPUTER_SYSTEM.Model0 AS [Model], dbo.v_GS_PHYSICAL_MEMORY.Capacity0 [Memory in MB], dbo.v_GS_OPERATING_SYSTEM.Caption0 AS [OS Version], dbo.v_GS_OPERATING_SYSTEM.OSArchitecture0 AS [OS Architecture], dbo.v_GS_OPERATING_SYSTEM.BuildNumber0 AS [OS Build], dbo.v_GS_COMPUTER_SYSTEM.UserName0 AS [Last Logged User Domain], USR.Full_User_Name0 AS [User CN], USR.Mail0 AS [User Mail], USR.SID0, USR.Distinguished_Name0 AS [User DN], USR.Unique_User_Name0 AS [ Primary User Name], SYS.Last_Logon_Timestamp0 AS [Last Logon Time] FROM dbo.v_GS_OPERATING_SYSTEM INNER JOIN dbo.v_R_System AS SYS ON dbo.v_GS_OPERATING_SYSTEM.ResourceID = SYS.ResourceID INNER JOIN dbo.v_GS_SYSTEM_ENCLOSURE ON SYS.ResourceID = dbo.v_GS_SYSTEM_ENCLOSURE.ResourceID INNER JOIN dbo.v_GS_COMPUTER_SYSTEM ON SYS.ResourceID = dbo.v_GS_COMPUTER_SYSTEM.ResourceID INNER JOIN dbo.v_GS_PHYSICAL_MEMORY ON SYS.ResourceID = dbo.v_GS_PHYSICAL_MEMORY.ResourceID LEFT OUTER JOIN dbo.v_UsersPrimaryMachines AS upm LEFT OUTER JOIN dbo.v_R_User AS USR ON upm.UserResourceID = USR.ResourceID ON SYS.ResourceID = upm.MachineID WHERE dbo.v_GS_OPERATING_SYSTEM.Caption0 NOT LIKE ‘%Server%’ and dbo.v_GS_PHYSICAL_MEMORY.Capacity0 > 4 ORDER BY USR.Full_User_Name0