Tuesday, 19 June 2018

New super-slick kiosk mode with Windows 10 and Intune

It's been a while since I implemented Windows 10 kiosk mode, and I remember that it previously wasn't a trivial task. There were quite a few steps involving AssignedAccess CSP and OMA-DM policy. I have to implement some single-app, browser-based kiosks (extranet only) for a customer next week, so I figured that I'd have a look at how the solution has improved, and I'm very impressed. It's so easy and now fully automated. This has been made possible by the introduction of the new Kiosk Browser app. It is so simple to configure, and it took me about 10 minutes to configure the solution.

So what is this new browser that was published recently? The Kiosk Browser app (supported on W10 v1803 and later) can be found in the Microsoft Store for Business and has the following description:

"Kiosk Browser is a tool for IT departments, intended to be used with assigned access to create a kiosk browsing experience. Kiosk Browser is great for presenting interactive web apps and digital signage content. It is built on Microsoft Edge and allows IT to tailor the experience and apply restrictions such as allowed list of URLs and disabling navigation buttons. Kiosk Browser can be configured using runtime provisioning packages created from Windows Configuration Designer (also available in the store) or by using a modern management tool such as Intune. Search for “Guidelines for choosing an app for assigned access” to refer to our documentation for more details".

Getting the Kiosk Browser app

Launch the Microsoft Store for Business and search for the app.

Select Get the app.

Now Sync the MSfB apps with Intune.

Remember you must have added (and activated) Intune as a management tool first.

The app is now available in the Intune console.

Assign the app to a group containing the kiosk devices.

The app is installed on a device and can be seen in the start menu (you won't find it in Programs and Features).

The app can be manually launched.

We can see that some configuration is required. We will do this using an Intune kiosk profile.

Intune Kiosk profile

The What's new in Microsoft Intune for the week of June 4, 2018 tells us about a new kiosk profile.

In the Intune console, navigate to Device Configuration > Profiles > Create profile

Name the profile, select Windows 10 and later as the platform and choose Kiosk (Preview) as the Profile type.

Click to Add a Kiosk configuration.

Name the configuration and choose a kiosk mode (in my case I want a "Single full-screen app kiosk").

More information is required. Select the Kiosk Browser app as the managed app. Choose Autologon as the user account type.

Add the row and create the kiosk configuration.

Next, the kiosk web browser is configured.

I've configured the default home page URL and the website exceptions (only these websites can be accessed using the browser).

Finish creating the profile and assign it to the group containing the kiosk computer.
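The website exceptions list is what keeps the kiosk on the extranet, so it is worth reviewing before it goes into the profile. The following is an added example, not code from the original post or from Microsoft: it flags entries that are broader than intended. The entry syntax, the domain `extranet.example.com` and all function names are assumptions.

```python
# Added example: review a kiosk "website exceptions" list before deployment.
# Assumed entry syntax: URL or host name, optional leading "*." wildcard.
# This is not Kiosk Browser's own matching logic; all names are constructed.
import ipaddress
from urllib.parse import urlsplit

UNRESTRICTED = "empty or match-all entry"
CLEARTEXT = "cleartext http"
IP_LITERAL = "IP literal instead of a host name"
INNER_WILDCARD = "wildcard inside the host name"
OUT_OF_SCOPE = "host outside the trusted domains"

def review_entry(entry, trusted_domains):
    """Return the findings for one entry; an empty list means no findings."""
    raw = entry.strip()
    # urlsplit only recognises the host when a scheme or "//" precedes it.
    parts = urlsplit(raw if "://" in raw else "//" + raw)
    host = (parts.hostname or "").lower().rstrip(".")
    if host in ("", "*"):
        return [UNRESTRICTED]
    findings = [CLEARTEXT] if parts.scheme == "http" else []
    try:
        ipaddress.ip_address(host)
        return findings + [IP_LITERAL]
    except ValueError:
        pass  # not an IP address, continue with the host name checks
    base = host[2:] if host.startswith("*.") else host
    if "*" in base:
        findings.append(INNER_WILDCARD)
    if not any(base == d or base.endswith("." + d) for d in trusted_domains):
        findings.append(OUT_OF_SCOPE)
    return findings

def review_allow_list(entries, trusted_domains):
    """Map each flagged entry to its findings; clean entries are omitted."""
    trusted = [d.lower() for d in trusted_domains]
    report = {}
    for entry in entries:
        findings = review_entry(entry, trusted)
        if findings:
            report[entry] = findings
    return report

if __name__ == "__main__":
    # Constructed sample list; extranet.example.com is a placeholder domain.
    sample = ["https://extranet.example.com", "http://extranet.example.com/portal",
              "*.example.com", "*", "10.0.0.5"]
    for entry, findings in review_allow_list(sample, ["extranet.example.com"]).items():
        print(f"{entry}: {'; '.join(findings)}")
```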

Compare to previous Kiosk profile
This is a little different than before. Previously we would configure the Kiosk profile from the Device Restrictions blade. Incidentally that profile is still there and we're told that it is now obsolete.

The What's new doc tells us that this old profile type should now be renamed Kiosk (Obsolete) but it hasn't been yet. This is a little confusing so I'll report it to the product group.

It was a little more difficult to configure the old profile type. You had to specify a local kiosk user and the application user ID of the managed app.

Behaviour on the kiosk device

When the policy is applied the device restarts and is logged on automatically.

The Kiosk browser (with extranet) is available full screen and is the only available app.

The device is restricted to the extranet only. Looks good and this was really easy to configure.

Until next time....