Intune Kiosk Mode; Single Application

Content

  • Self-Deployment profile setup
  • Single Application Kiosk Mode Setup
  • Create OMA-URI to prevent Office 365 user from logging into the kiosk device (Optional) 
  • Create dynamic device group for kiosk devices 
  • Import hardware hash into Intune
  • Setup ready for use

Self-Deployment Profile Setup

  • Within Microsoft Endpoint Manager, click Devices>>>Windows>>>Windows Enrollment>>>Deployment Profiles>>>click Create Profile, then from the drop-down choose Windows PC.
  • Name (Self-Deployment Entra Joined Autopilot Profile); Description (This device will be joined to Microsoft Entra ID only and will work together with the Kiosk mode configuration profile to set up a kiosk device); Convert All Targeted Devices to Autopilot (No)>>>click NEXT.
  • Deployment Mode (Self-Deploying); Join to Microsoft Entra ID As (Microsoft Entra Joined); Microsoft Software License Terms (Hide); Privacy Settings (Hide); Hide Change Account Options (Hide); User Account Type (Standard); Allow Pre-Provisioned Deployment (No); Language (Region) (Operating System Default); Automatically Configure Keyboard (Yes); Apply Device Name Template (Yes); Enter Name (SkoaKiosk-%RAND:5%). The expanded name must not exceed 15 characters (here 10 fixed characters plus 5 random ones), otherwise an error message is displayed>>>click NEXT.
  • Now assign the profile to the desired dynamic group, if any, and click Review and Save.
  • Note: Self-Deploying mode is only available for Microsoft Entra (Azure AD) join; as of July 10, 2022, Hybrid Azure AD join was not supported.

Single Application Kiosk Mode Setup

  • Within Microsoft Endpoint Manager, click Devices>>>Windows>>>Configuration Profiles>>>click Create Profile.
  • Name (Intune_Kiosk_SingleApp_Profile); Description (This device will be joined to Azure AD only and will work together with the Self-Deploying Windows deployment profile to set up a kiosk device); Profile Type (Kiosk)>>>click NEXT.
  • Select A Kiosk Mode (Single App, Full-screen Kiosk); User Logon Type (Auto Logon; Windows 10, version 1803 and later, or Windows 11); Application Type (Add Microsoft Edge Browser); Edge Kiosk URL (https://www.skoanowtechnologies.com); Microsoft Edge Kiosk Mode Type (Public Browsing (InPrivate)); Refresh Browser After Idle Time (10 minutes); Specify Maintenance Window for App Restart (Require); Maintenance Window Start Time (7/17/2022, 2:00:00 AM); Maintenance Window Recurrence (Daily)>>>click NEXT. Auto Logon signs in a local standard account that Intune creates, not a Microsoft Entra ID user; Public Browsing (InPrivate) together with the idle refresh ends the session and clears browsing data, so one visitor's session is not left behind for the next.
  • Now assign the profile to the desired dynamic group, if any, and click Review and Save.

Create Custom OMA-URI To Prevent Office 365 User From Logging Into The Kiosk Device

  • Within Microsoft Endpoint Manager, click Devices>>>Windows>>>Configuration Profiles>>>click Create Profile.
  • Name (Custom_OMA-URI_Settings_Profile); Description (This profile prevents Office 365 users from logging into the kiosk device); Profile Type (Custom)>>>click NEXT.
  • Name (Custom_OMA-URI for Kiosk Device); Description (Prevent login from Office 365 users); OMA-URI (./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogon); Data Type (String); Value (<![CDATA[*S-1-5-113]]>). S-1-5-113 is the well-known SID for NT AUTHORITY\Local account, so this assigns the "Allow log on locally" user right to local accounts only: the kiosk's auto-logon user is a local account and keeps working, while Microsoft Entra ID (Office 365) users, who by default can sign in to any Entra-joined device in the tenant, are denied. The value replaces the existing assignment rather than adding to it, so test it on one pilot device first; a wrong value can lock every interactive user out of the device.
  • Now assign the profile to the desired dynamic group, if any, and click Review and Save.
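The following PowerShell is an added example, not code from the original article. It builds the AllowLocalLogon value in the format the UserRights CSP expects (each SID prefixed with *, and U+F000 as the delimiter when more than one SID is listed, written as the XML entity &#xF000; inside the CDATA), resolves the well-known SIDs to account names, and reads back the effective "Allow log on locally" assignment on a device with secedit. The function names, the temporary file path and the Administrators variant are this example's own choices; S-1-5-113 and S-1-5-32-544 are Microsoft's documented well-known SIDs.

```powershell
# Added example (not from the original article): build the UserRights/AllowLocalLogon value
# the custom OMA-URI uses, and read back the effective 'Allow log on locally' right on a device.
# Assumptions: elevated Windows PowerShell 5.1 or PowerShell 7 on Windows 10/11; secedit.exe present.

# Well-known SIDs (Microsoft-documented, not tenant specific)
$LocalAccountsSid  = 'S-1-5-113'     # NT AUTHORITY\Local account: every local (non-Entra) account
$AdministratorsSid = 'S-1-5-32-544'  # BUILTIN\Administrators

function New-UserRightsValue {
    # Joins SIDs the way the UserRights CSP expects: each prefixed with '*',
    # entries separated by U+F000 (the delimiter the CSP documents).
    param([Parameter(Mandatory)][string[]]$Sid)
    ($Sid | ForEach-Object { "*$_" }) -join [char]0xF000
}

function ConvertTo-IntuneCdata {
    # Wraps the value for the Intune custom profile's String data type, with the
    # delimiter in its XML entity form so it survives being typed into the portal.
    param([Parameter(Mandatory)][string]$Value)
    '<![CDATA[' + $Value.Replace([string][char]0xF000, '&#xF000;') + ']]>'
}

function Resolve-Sid {
    # Translates a SID to an account name; falls back to the SID when it cannot be resolved.
    param([Parameter(Mandatory)][string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Get-AllowLogonLocallyRight {
    # Exports the local security policy and returns who currently holds
    # SeInteractiveLogonRight ('Allow log on locally'). Needs an elevated session.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /quiet | Out-Null
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return @() }
        ($line -split '=', 2)[1].Split(',') | ForEach-Object {
            $sid = $_.Trim().TrimStart('*')
            [pscustomobject]@{ Sid = $sid; Name = (Resolve-Sid -Sid $sid) }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

# The article's value: only local accounts may log on locally. The kiosk auto-logon user is a
# local account, so it keeps working; every Entra ID (Office 365) user is denied.
$kioskOnly = New-UserRightsValue -Sid $LocalAccountsSid
ConvertTo-IntuneCdata -Value $kioskOnly

# Variant that also keeps BUILTIN\Administrators, which on an Entra-joined device includes the
# Entra ID users that the join adds to that group (global administrators and device local
# administrators), so support staff can still sign in interactively.
$withAdmins = New-UserRightsValue -Sid $LocalAccountsSid, $AdministratorsSid
ConvertTo-IntuneCdata -Value $withAdmins

# On a pilot device, after the profile has applied, confirm what the right now contains
Get-AllowLogonLocallyRight | Format-Table Sid, Name -AutoSize
```

Run the last line on the pilot kiosk before and after the profile applies: before, the export normally lists Administrators, Users and Backup Operators; after, only the SIDs you put in the value should remain. Remote Desktop is governed by a separate user right, so this setting alone does not control RDP access.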

Create Dynamic Device Group for Kiosk Devices

  • Within the Microsoft Endpoint Manager, click Groups>>>click New Group.
  • Group Type (Security); Group Name (HR); Group Description (This group is for HR devices)>>>Membership Type (Dynamic device).
  • Under Dynamic Device Members, click Add Dynamic Query>>>click Add expression, or enter the rule directly in the rule syntax box: (device.devicePhysicalIds -any (_ -eq "[OrderID]:KioskSingleApp"))>>>click Save>>>click Create. The value after [OrderID]: must match the Order ID (Group Tag) in the imported hardware-hash CSV exactly; Intune writes that tag into the Autopilot device's devicePhysicalIds attribute, and a mismatch leaves the group empty so none of the profiles deploy.
  • Make sure to assign the Self-Deploying profile, the Single App Kiosk mode profile and the Custom OMA-URI configuration profile to this dynamic device group.

Import Hardware Hash Into Intune

  • Obtain the hardware hash of the device using PowerShell (run as administrator on the device):

# Working folder for the output file
New-Item -Type Directory -Path "C:\HWID"
Set-Location -Path "C:\HWID"
# Install-Script places scripts here; add it to PATH for this session
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
# RemoteSigned is sufficient for the signed gallery script; Unrestricted is broader than needed
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutoPilotInfo
# -GroupTag fills the tag column the dynamic device group rule keys on
Get-WindowsAutoPilotInfo -OutputFile AutopilotHWID.csv -GroupTag KioskSingleApp

The CSV file should look like this:

Device Serial Number,Windows Product ID,Hardware Hash,Order ID
1234-1234-1234-1234-1234-1234-12,,T0GqAwEAHAAAAAoAAQDuQgA….,KioskSingleApp
1234-4123-1234-1234-1234-1234-12,,T0GqAwEAHQgAAAAAAoAAQDu….,KioskSingleApp

Note that if you edit the CSV by hand (for example to add the Order ID column and its values), do not type the comma-separated items into a text editor; instead open a new Excel sheet (or the same one), place the headers and their respective values in cells, and save the document as CSV (Comma delimited). A file saved this way imports into Intune without error messages. Passing -GroupTag to Get-WindowsAutoPilotInfo writes the tag column for you (newer script versions label it Group Tag), which avoids hand editing altogether.
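As an added example (not the article's own code) covering both the dynamic group rule above and this CSV step, the PowerShell below extracts the tag from the membership rule, then checks a hardware-hash CSV row by row before you import it: the three required columns are present, the tag column exists under either name the script has used (Order ID or Group Tag), every hash is non-empty and decodes as base64, and every row's tag matches the rule. The function names and the sample rows (short, made-up hashes and serial numbers) are constructed for this example.

```powershell
# Added example (not from the original article): validate an Autopilot hardware-hash CSV before
# importing it, and confirm its tag column matches the dynamic device group rule.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7; the file is a plain CSV as saved by Excel
# ("CSV (Comma delimited)") or by Get-WindowsAutoPilotInfo. Sample rows below are constructed.

$ExpectedHeaders = @('Device Serial Number', 'Windows Product ID', 'Hardware Hash')
$TagHeaders      = @('Order ID', 'Group Tag')   # the script's output has used both names

function Get-OrderIdFromRule {
    # Pulls the tag out of a dynamic membership rule such as
    #   (device.devicePhysicalIds -any (_ -eq "[OrderID]:KioskSingleApp"))
    param([Parameter(Mandatory)][string]$Rule)
    if ($Rule -match '\[OrderID\]:([^"'']+)') { return $Matches[1] }
    throw "Rule does not key on [OrderID]: $Rule"
}

function Test-AutopilotCsv {
    # Returns one result object per row; import only when every row has Ok = $true.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedTag
    )
    $lines = Get-Content -Path $Path | Where-Object { $_.Trim() }
    if (-not $lines) { throw "Empty file: $Path" }
    $headers = $lines[0].Split(',') | ForEach-Object { $_.Trim() }
    foreach ($h in $ExpectedHeaders) {
        if ($headers -notcontains $h) { throw "Missing column '$h' in $Path" }
    }
    $tagHeader = $headers | Where-Object { $TagHeaders -contains $_ } | Select-Object -First 1
    if (-not $tagHeader) { throw 'No Order ID / Group Tag column; the dynamic group would never populate' }

    foreach ($row in (Import-Csv -Path $Path)) {
        $problems = New-Object System.Collections.Generic.List[string]
        $serial = $row.'Device Serial Number'
        $hash   = $row.'Hardware Hash'
        $tag    = $row.$tagHeader
        if (-not $serial) { $problems.Add('serial number is empty') }
        if ($serial -match '"') { $problems.Add('serial contains quotes; Intune expects unquoted fields') }
        if (-not $hash) { $problems.Add('hardware hash is empty') }
        else {
            try { [void][Convert]::FromBase64String($hash) }
            catch { $problems.Add('hardware hash is not valid base64 (truncated or pasted with line breaks?)') }
        }
        if ($tag -ne $ExpectedTag) { $problems.Add("tag '$tag' does not match the group rule tag '$ExpectedTag'") }
        [pscustomobject]@{
            Serial   = $serial
            Tag      = $tag
            Ok       = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

# Constructed sample file: two well-formed rows and one hand-edited row with a broken hash and
# the wrong tag. Real hashes are several thousand characters; these are shortened stand-ins.
$samplePath = Join-Path $env:TEMP 'AutopilotHWID-sample.csv'
@(
    'Device Serial Number,Windows Product ID,Hardware Hash,Order ID'
    '1234-1234-1234-1234-1234-1234-12,,T0GqAwEAHAAAAAoAAQDuQgA=,KioskSingleApp'
    '1234-4123-1234-1234-1234-1234-12,,T0GqAwEAHQgAAAAAAoAAQA==,KioskSingleApp'
    '1234-5678-1234-1234-1234-1234-12,,T0GqAwEAHQgAAAAAAoAAQ...,HR'
) | Set-Content -Path $samplePath -Encoding ASCII

$rule    = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:KioskSingleApp"))'
$tag     = Get-OrderIdFromRule -Rule $rule
$results = Test-AutopilotCsv -Path $samplePath -ExpectedTag $tag
$results | Format-Table Serial, Tag, Ok, Problems -AutoSize
if ($results.Ok -contains $false) { Write-Warning 'Fix the flagged rows before importing this file.' }
```

Point Test-AutopilotCsv at C:\HWID\AutopilotHWID.csv after the collection step; the third sample row is there to show what a hand-edited file looks like when the hash was truncated and the tag no longer matches the rule, which is exactly the case where the dynamic group stays empty even though the import may report success.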