INTUNE MULTIAPP KIOSK SETUP

Content

  • Self-Deployment profile setup
  • Multi Application Kiosk Mode Setup
  • Custom Policy To Restrict Settings Application in MultiApp Kiosk To Show Only About, Access work or school, Bluetooth & other devices, Date & time, Display, Printers & scanners, USB, Wi-Fi, Windows Update and View update history
  • Create OMA-URI to prevent Office 365 user from logging into the kiosk device
  • Kiosk Browser Application Deployment
  • Create dynamic device group for MultiApp kiosk devices
  • Import hardware hash into Intune
  • Setup ready for use

Self-Deployment Profile Setup

  • Within the Microsoft Endpoint Manager, click Devices>>>Windows>>>Windows Enrollment>>>click Create Profile, click the drop down arrow and click on Windows PC.
  • Name (Self-Deployment Entra Joined Autopilot Profile); Description (This device will be joined to Microsoft Entra ID only and it will work together with the Kiosk mode configuration profile to set up a kiosk device.); Convert All Targeted Devices to Autopilot (No)>>>click NEXT.
  • Deployment Mode (Self-Deploying); Join to Microsoft Entra ID As (Microsoft Entra Joined); Microsoft Software License Terms (Hide); Privacy Settings (Hide); Hide Change Account Options (Hide); User Account Type (Standard); Allow Pre-Provisioned Deployment (No); Language (Region) (Operating System Default); Automatically Configure Keyboard (Yes); Apply Device Name Template (Yes); Enter Name (SkoaKiosk-%RAND:5%) – the total should be 15 characters, otherwise an error message will be displayed.
  • Now assign the profile to a desired dynamic group if any and click Review and Save.
  • Note: Self-Deploying mode is only available for Microsoft Entra ID join; as of March 22, 2024, Hybrid Azure AD join was not supported.

Multi-Application Kiosk Mode Setup

  • Within the Microsoft Endpoint Manager, click Devices>>>Windows>>>Configuration Profiles>>>click Create and in the drop down, click New Policy.
  • Platform (Windows 10 and Later); Profile Type (Templates); search for Kiosk, click on it to select it and click Create.
  • Name (Intune_Kiosk_MultiApp_Profile); Description (This device will be joined to Microsoft Entra ID only and it will work together with the Self-Deploying Windows deployment profile to set up a Multi-app kiosk device.); Platform (Windows 10 and Later); Profile Type (Kiosk) >>> click NEXT.
  • Select A Kiosk Mode (Multi app Kiosk); Target devices running Windows 10/11 in S Mode (No); User Logon Type (Auto Logon; Windows 10, version 1803 and later, or Windows 11).

Add Kiosk Browser

  • Under Browsers and Applications, click on Add Kiosk Browser>>> [Kiosk Browser Settings; Default Home Page URL (https://skoanowtechnologies.com/); Home Button (Show); Navigation Buttons (Show); End Session Button (Show); Refresh Browser After Idle Time (30); Allowed Websites (Choose a CSV file; up to 500 URLs)]>>>click OK to complete adding the Kiosk Browser application.
 

Add Microsoft Edge Browser

  • Under Browsers and Applications, click on Add Win32 App>>> [Name (Microsoft Edge); AUMID/PATH (C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe); DesktopApplicationID/AUMID for the Win32 App (MSEdge); Tile Size (Medium)] >>>click Save.
  • Use configuration profile to set cleanup rules and other configurations for the Microsoft Edge Browser. 
 

Add File Explorer (For Access To Only Downloads folder) 

  • Under Browsers and Applications, click on Add Win32 App>>> [Name (File Explorer); AUMID/PATH (C:\Windows\explorer.exe); DesktopApplicationID/AUMID for the Win32 App (Microsoft.Windows.Explorer); Tile Size (Medium)] >>>click Save.
 

Add Photos Application (For Viewing Photos)

  • Under Browsers and Applications, click on Add Win32 App>>> [Name (Photos); AUMID/PATH (Microsoft.Windows.Photos_8wekyb3d8bbwe!App); DesktopApplicationID/AUMID for the Win32 App (Leave it empty); Tile Size (Medium)] >>>click Save.

Or

  • Under Browsers and Applications, click on Add by AUMID>>> [Application Name (Photos); Application User Model ID (AUMID) (Microsoft.Windows.Photos_8wekyb3d8bbwe!App); Tile Size (Medium)] >>>click Save.

Add Windows Fax and Scan (For Printing and Scanning)

  • Under Browsers and Applications, click on Add Win32 App>>> [Name (Windows Fax and Scan); AUMID/PATH (%Windir%\System32\WFS.exe); DesktopApplicationID/AUMID for the Win32 App ({1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WFS.exe); Tile Size (Medium)] >>>click Save.
 

Add Quick Assist (For Remote Assistance-Built Into Windows 10 and 11)

  • Under Browsers and Applications, click on Add Win32 App>>> [Name (Quick Assist); AUMID/PATH (%Windir%\System32\quickassist.exe); DesktopApplicationID/AUMID for the Win32 App ({1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\quickassist.exe); Tile Size (Medium)] >>>click Save.
 

Add Remote Help (For Remote Assistance-license required)

  • Under Browsers and Applications, click on Add Win32 App>>> [Name (Remote Help); AUMID/PATH (C:\Program Files\Remote Help\RemoteHelp.exe); DesktopApplicationID/AUMID for the Win32 App ({6D809377-6AF0-444B-8957-A3773F02200E}\Remote Help\RemoteHelp.exe); Tile Size (Medium)] >>>click Save.
  • Make sure to package, deploy and install the Remote Help application on the computer since it is not an inbuilt application.
  • Also make sure Remote Help is correctly set up in your environment before using it; otherwise, you can use Quick Assist or other tools such as Splashtop, which are comparatively easier to set up.
 

Add Remote Desktop Connection (Remotely Connect to A Computer/Server)

  • Under Browsers and Applications, click on Add Win32 App>>> [Name (Remote Desktop Connection); AUMID/PATH (%Windir%\System32\mstsc.exe); DesktopApplicationID/AUMID for the Win32 App (Microsoft.Windows.RemoteDesktop); Tile Size (Medium)] >>>click Save.
 

Add VLC media player 

  • Under Browsers and Applications, click on Add Win32 App>>> [Name (VLC media player); AUMID/PATH (C:\Program Files\VideoLAN\vlc.exe); DesktopApplicationID/AUMID for the Win32 App ({7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VideoLAN\VLC\vlc.exe for the 32-bit build, or {6D809377-6AF0-444B-8957-A3773F02200E}\VideoLAN\VLC\vlc.exe for the 64-bit build); Tile Size (Medium)] >>>click Save.
  • Make sure to package, deploy and install the VLC media player application on the computer since it is not an inbuilt application.
 

Add Windows Media Player

  • Under Browsers and Applications, click on Add Win32 App>>> [Name (Windows Media Player); AUMID/PATH (C:\Program Files\Windows Media Player\wmplayer.exe); DesktopApplicationID/AUMID for the Win32 App (Microsoft.Windows.MediaPlayer32); Tile Size (Medium)] >>>click Save.
 

Add Clock

  • Under Browsers and Applications, click on Add by AUMID>>> [Application Name (Clock); Application User Model ID (AUMID) (Microsoft.WindowsAlarms_8wekyb3d8bbwe!App); Tile Size (Medium)] >>>click Save.
 

Add Calculator

  • Under Browsers and Applications, click on Add by AUMID>>> [Application Name (Calculator); Application User Model ID (AUMID) (Microsoft.WindowsCalculator_8wekyb3d8bbwe!App); Tile Size (Medium)] >>>click Save.
 

Add Notepad

  • Under Browsers and Applications, click on Add Win32 App>>> [Name (Notepad); AUMID/PATH (%Windir%\System32\notepad.exe); DesktopApplicationID/AUMID for the Win32 App ({1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe); Tile Size (Medium)] >>>click Save.
 

Add WordPad

  • Under Browsers and Applications, click on Add Win32 App>>> [Name (WordPad); AUMID/PATH (C:\Program Files\Windows NT\Accessories\wordpad.exe); DesktopApplicationID/AUMID for the Win32 App ({6D809377-6AF0-444B-8957-A3773F02200E}\Windows NT\Accessories\wordpad.exe); Tile Size (Medium)] >>>click Save.
 

Add Adobe Acrobat

  • Under Browsers and Applications, click on Add Win32 App>>> [Name (Adobe Acrobat); AUMID/PATH (C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe); DesktopApplicationID/AUMID for the Win32 App ({6D809377-6AF0-444B-8957-A3773F02200E}\Adobe\Acrobat DC\Acrobat\Acrobat.exe); Tile Size (Medium)] >>>click Save.

Add Skype

  • Under Browsers and Applications, click on Add by AUMID>>> [Application Name (Skype); Application User Model ID (AUMID) (Microsoft.SkypeApp_kzf8qxf38zg5c!App); Tile Size (Medium)] >>>click Save.

Add Zoom

  • Under Browsers and Applications, click on Add Win32 App>>> [Name (Zoom Meeting); AUMID/PATH (C:\Program Files (x86)\Zoom\bin\Zoom.exe); DesktopApplicationID/AUMID for the Win32 App (zoom.us.Zoom Video Meetings); Tile Size (Medium)] >>>click Save.
 

Add Settings Application (Use Custom Policy To Allow Only Required Apps)

  • Under Browsers and Applications, click on Add by AUMID>>> [Application Name (Settings); Application User Model ID (AUMID) (windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel); Tile Size (Medium)] >>>click Save.
 
  • After adding the multi-app kiosk applications, set Use Alternative Start Layout (No); Windows Taskbar (Show); Allow Access to Downloads Folder (Yes); Specify Maintenance Window for App Restarts (Require); Maintenance Window Start Time (3/27/2024; 6:00:00 PM); Maintenance Window Recurrence (Monthly); Day of Month (18).
  • Now assign the profile to a desired dynamic group if any and click Review and Save.
  • Note: If you are deploying many of these kiosk applications, you may need to set the Tile Size to Small; otherwise there will be no space to accommodate all of them.
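A wrong AUMID or path in the profile above does not produce an error in Intune; the tile simply never appears on the kiosk Start layout. The following PowerShell, added here as an example and not part of the original guide, checks a handful of the entries listed above on a reference Windows 10/11 device before the profile is assigned. The sample entries are constructed from the guide; the known-folder GUID to path mapping and the use of Get-StartApps as the AUMID source are assumptions.

```powershell
# Added example: validate multi-app kiosk application entries on a reference device.

# Known-folder GUIDs used in the DesktopApplicationID values above, mapped to local paths.
$KnownFolders = @{
    '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}' = Join-Path $env:SystemRoot 'System32'  # System32
    '{6D809377-6AF0-444B-8957-A3773F02200E}' = ${env:ProgramFiles}                   # Program Files (x64)
    '{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}' = ${env:ProgramFiles(x86)}              # Program Files (x86)
}

# Constructed sample entries, copied from the guide above.
$KioskApps = @(
    @{ Name = 'Microsoft Edge'; Path = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'; Id = 'MSEdge' }
    @{ Name = 'File Explorer';  Path = 'C:\Windows\explorer.exe';        Id = 'Microsoft.Windows.Explorer' }
    @{ Name = 'Notepad';        Path = '%Windir%\System32\notepad.exe';  Id = '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe' }
    @{ Name = 'Photos';         Path = $null;                            Id = 'Microsoft.Windows.Photos_8wekyb3d8bbwe!App' }
    @{ Name = 'Settings';       Path = $null;                            Id = 'windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel' }
)

function Test-KioskAppEntry {
    param([hashtable]$App, [string[]]$InstalledAumids)
    $result = [ordered]@{ Name = $App.Name; PathOk = $null; IdOk = $false }

    if ($App.Path) {
        # Expand %Windir%-style variables the same way the profile does before testing the path.
        $expanded = [Environment]::ExpandEnvironmentVariables($App.Path)
        $result.PathOk = Test-Path -LiteralPath $expanded -PathType Leaf
    }

    if ($App.Id -match '^(\{[0-9A-Fa-f-]{36}\})\\(.+)$') {
        # Known-folder style ID: the GUID must be one we know and the file must exist under it.
        $folder = $KnownFolders[$Matches[1].ToUpper()]
        if ($folder) {
            $result.IdOk = Test-Path -LiteralPath (Join-Path $folder $Matches[2]) -PathType Leaf
        }
    } else {
        # Packaged app or registered desktop AUMID: it must be one the Start menu knows about.
        $result.IdOk = $InstalledAumids -contains $App.Id
    }
    [pscustomobject]$result
}

# Get-StartApps lists every AUMID the Start menu knows on this device.
$installed = (Get-StartApps).AppID
$KioskApps | ForEach-Object { Test-KioskAppEntry -App $_ -InstalledAumids $installed } | Format-Table -AutoSize
```

Any row showing PathOk or IdOk as False should be corrected in the profile before it is assigned to the kiosk group.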

Custom Policy To Restrict Settings Application in MultiApp Kiosk To Show Only About, Access work or school, Bluetooth & other devices, Date & time, Display, Printers & scanners, USB, Wi-Fi, Windows Update and View update history

  • Within the Microsoft Endpoint Manager, click Devices>>>Windows>>>Configuration Profiles>>>click Create and in the drop down, click New Policy.
  • Platform (Windows 10 and Later); Profile Type (Templates); search for Custom, click on it to select it and click Create.
  • Name (Intune_Kiosk_MultiApp_Restricted_Settings); Description (This restricts the Settings application so that only Network and Internet, Windows Updates, Access Work or School Settings can be accessed on the computer); Platform (Windows 10 and Later); Profile Type (Custom) >>> click NEXT.
  • Under Configuration Settings, click on the Add button; [Name (Restricted Settings Application); Description (This restricts the Settings application so that only Bluetooth & other devices, About, Display, Printers & scanners, USB, Wi-Fi, Access work or school, Date & time, Windows Update and View update history Settings can be accessed on the computer); OMA-URI (./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList, which applies to all users including administrators, or ./User/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList, which applies to all users except administrators); Data Type (String); Value (showonly:network-wifi;windowsupdate;windowsupdate-history;printers;usb;workplace;display;about;bluetooth;dateandtime)] and then click Save. Click Next to go to the Assignments page.
  • Now assign the profile to a desired dynamic group if any and click Review and Save.

Create OMA-URI To Prevent Office 365 User From Logging Into The Kiosk Device

  • Within the Microsoft Endpoint Manager, click Devices>>>Windows>>>Configuration Profiles>>>click Create and in the drop down, click New Policy.
  • Platform (Windows 10 and Later); Profile Type (Templates); search for Custom, click on it to select it and click Create.
  • Name (Prevent Office 365 Login On Kiosk Devices); Description (Prevent Office 365 accounts from logging into Kiosk devices); Platform (Windows 10 and Later); Profile Type (Custom) >>> click NEXT.
  • Under Configuration Settings, click on the Add button; [Name (Restricted Office 365 Account Login); Description (Prevent Office 365 accounts from logging into Kiosk devices); OMA-URI (./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogon); Data Type (String); Value (<![CDATA[*S-1-5-113]]>)] and then click Save. S-1-5-113 is the well-known SID for local accounts, so only local accounts (such as the kiosk auto-logon account) keep the interactive logon right. Click Next to go to the Assignments page.
  • Now assign the profile to a desired dynamic group if any and click Review and Save.
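Neither custom policy gives much feedback in the portal beyond a compliance tick, so it is worth confirming on the device that the Settings page list and the logon right were actually applied. The PowerShell below, added as an example and not part of the original guide, checks both the PageVisibilityList policy and the AllowLocalLogon policy from the two sections above; it must run elevated because of secedit. The PolicyManager registry location for the Policy CSP value is an assumption.

```powershell
# Added example: verify the two custom OMA-URI policies on an enrolled kiosk device (run as admin).

$ExpectedPages = 'network-wifi','windowsupdate','windowsupdate-history','printers','usb',
                 'workplace','display','about','bluetooth','dateandtime'

function Get-PageVisibilityList {
    # Device-scope value written by ./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList
    # (assumed location: Policy CSP values land under PolicyManager\current\device\<Area>).
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Settings'
    (Get-ItemProperty -Path $key -Name PageVisibilityList -ErrorAction SilentlyContinue).PageVisibilityList
}

function Test-PageVisibilityList {
    param([string]$Value, [string[]]$Expected)
    if (-not $Value -or -not $Value.StartsWith('showonly:')) { return $false }
    # Compare as sets: order does not matter, but a missing or extra page does.
    $pages = $Value.Substring('showonly:'.Length).Split(';') | Where-Object { $_ }
    -not (Compare-Object -ReferenceObject $Expected -DifferenceObject $pages)
}

function Get-InteractiveLogonRight {
    # secedit exports the effective user rights; SeInteractiveLogonRight is what AllowLocalLogon sets.
    $inf = Join-Path $env:TEMP 'kiosk-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like 'SeInteractiveLogonRight*' } | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if ($line -and $line -match '^SeInteractiveLogonRight\s*=\s*(.+)$') {
        return ($Matches[1] -split ',').Trim()
    }
    @()
}

function Test-LocalAccountsOnly {
    param([string[]]$Sids)
    # Only local accounts (S-1-5-113) may log on interactively; any extra entry lets other accounts in.
    ($Sids.Count -eq 1) -and ($Sids[0] -eq '*S-1-5-113')
}

$pv = Get-PageVisibilityList
"PageVisibilityList applied: $(Test-PageVisibilityList -Value $pv -Expected $ExpectedPages) [$pv]"
$rights = Get-InteractiveLogonRight
"Interactive logon limited to local accounts: $(Test-LocalAccountsOnly -Sids $rights) [$($rights -join ',')]"
```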

Microsoft Edge Configuration Settings for MultiApp Kiosk Devices

  • Within the Microsoft Endpoint Manager, click Devices>>>Windows>>>Configuration Profiles>>>click Create and in the drop down, click New Policy.
  • Platform (Windows 10 and Later); Profile Type (Settings Catalog) and click Create.
  • Name (Microsoft Edge Settings for MultiApp Kiosk Devices); Description (Set cleanup rules and other settings for Microsoft Edge browser on Multiapp kiosk devices.); Platform (Windows 10 and Later)>>> click NEXT.
  • Click on the Add Settings link, search for Browser and press the Enter key to show the list of settings associated with Browser (Microsoft Edge browser in kiosk mode). Select Configure Kiosk Mode (User) and Configure Kiosk Mode and enable them; set Configure Kiosk Reset After Idle Timeout (User) and Configure Kiosk Reset After Idle Timeout to the default 5 minutes, to 15 minutes or to another preferred time (this is usually done after selecting all your desired configuration items).
  • Within the Settings Picker page, search for Microsoft Edge and select Microsoft Edge to display the list of settings associated with Microsoft Edge. Select Enable AutoFill for credit cards (User), Enable AutoFill for credit cards, Enable AutoFill for addresses (User), Enable AutoFill for addresses, Configures availability of a vertical layout for tabs on the side of the browser (User), Configures availability of a vertical layout for tabs on the side of the browser, and set them to Disabled. Select Enable deleting browser and download history (User), Enable deleting browser and download history, Disable saving browser history (User), Disable saving browser history, Configure Do Not Track (User), Configure Do Not Track, Clear history for IE and IE mode every time you exit (User), Clear history for IE and IE mode every time you exit, Clear cached images and files when Microsoft Edge closes (User), Clear cached images and files when Microsoft Edge closes, Clear browsing data when Microsoft Edge closes (User), Clear browsing data when Microsoft Edge closes, Allow sites configured for Internet Explorer mode to open in Microsoft Edge (User), Allow sites configured for Internet Explorer mode to open in Microsoft Edge, and set them to Enabled. Select and set Configure InPrivate mode availability (User) and Configure InPrivate mode availability to Enabled, then set both Configure InPrivate mode availability (User) and Configure InPrivate mode availability (Device) to InPrivate Mode Forced. Select and set Define a list of allowed URLs (User) and Define a list of allowed URLs to Enabled, then either upload a list or type the list of allowed URLs under Define a list of allowed URLs (User) and Define a list of allowed URLs (Device).
  • Within the Settings Picker page, search for Microsoft Edge and select Microsoft Edge >>Default Settings>>>Startup, homepage, and new tab to display the list of associated configurations. Select and set Action to take on startup (User) and Action to take on startup to Enabled, then set both Action to take on startup (User) and Action to take on startup (Device) to Open A List of URLs. Select and set Sites to open when the browser starts (User) and Sites to open when the browser starts to Enabled, then either upload a list or type the list of URLs under Sites to open when the browser starts (User) and Sites to open when the browser starts (Device).
  • Note that Action to take on startup and Sites to open when the browser starts go together and need to be configured as a pair. Also, when you configure these policies there is no need to select the Configure the home page URL policy, since that one only provides space for one URL.
  • Within the Settings Picker page, search for Microsoft Edge and select Microsoft Edge >>Extensions to display the list of associated configurations. Select and set Blocks external extensions from being installed (User) and Blocks external extensions from being installed to Enabled.
  • Within the Settings Picker page, search for Microsoft Edge and select Microsoft Edge >>Kiosk Mode settings to display the list of associated configurations. Select and set Swipe gestures in Microsoft Edge kiosk mode enabled (User), Swipe gestures in Microsoft Edge kiosk mode enabled, Delete files downloaded as part of kiosk session when Microsoft Edge closes (User), Delete files downloaded as part of kiosk session when Microsoft Edge closes to Enabled. Select and set Configure address bar editing for kiosk mode public browsing experience, and Configure address bar editing for kiosk mode public browsing experience (User) to Enabled or Disabled based on your requirements; Enabled will prevent end users from changing the URL in the Address bar, while Disabled, which is the default option, will allow users to change the URL in the Address bar.
  • Click Next to go to the Scope Tags page and then the Assignments page.
  • Now assign the profile to a desired group if any and click Create in the Review and Save page.
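Because each Edge item above is set twice (a Device copy and a User copy), a common failure is that one scope applies and the other does not. The PowerShell below, added as an example and not part of the original guide, reads the Edge policy registry keys on an enrolled kiosk device and reports which of the expected values are missing in either hive. The registry value names are assumed to match the Edge policy names behind the Settings Catalog items; the list of expected values is a constructed subset of the settings in this section.

```powershell
# Added example: compare applied Edge policies against the kiosk profile in both scopes.

# Constructed expectations; values follow the Edge policy semantics (1/0 = enabled/disabled).
$Expected = [ordered]@{
    InPrivateModeAvailability       = 2   # InPrivate Mode Forced
    ClearBrowsingDataOnExit         = 1   # Clear browsing data when Microsoft Edge closes
    ClearCachedImagesAndFilesOnExit = 1   # Clear cached images and files when Microsoft Edge closes
    SavingBrowserHistoryDisabled    = 1   # Disable saving browser history
    AutofillCreditCardEnabled       = 0   # Enable AutoFill for credit cards -> Disabled
    AutofillAddressEnabled          = 0   # Enable AutoFill for addresses -> Disabled
    VerticalTabsAllowed             = 0   # Vertical tab layout -> Disabled
    BlockExternalExtensions         = 1   # Blocks external extensions from being installed
    RestoreOnStartup                = 4   # Action to take on startup = Open a list of URLs
    KioskDeleteDownloadsOnExit      = 1   # Delete files downloaded during the kiosk session
}

function Get-EdgePolicyMismatch {
    param([string]$Hive = 'HKLM', [System.Collections.IDictionary]$Want)
    # Device-scope policies live under HKLM, user-scope ones under HKCU of the logged-on (kiosk) user.
    $key = "${Hive}:\SOFTWARE\Policies\Microsoft\Edge"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $Want.Keys) {
        $actual = if ($props) { $props.$name } else { $null }
        if ($actual -ne $Want[$name]) {
            [pscustomobject]@{ Hive = $Hive; Policy = $name; Expected = $Want[$name]; Actual = $actual }
        }
    }
}

function Get-EdgeUrlList {
    # List policies (allowed URLs, startup URLs) are stored as numbered values under a subkey.
    param([string]$Hive = 'HKLM', [Parameter(Mandatory)][string]$Policy)
    $key = "${Hive}:\SOFTWARE\Policies\Microsoft\Edge\$Policy"
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value }
}

$mismatches = @('HKLM', 'HKCU') | ForEach-Object { Get-EdgePolicyMismatch -Hive $_ -Want $Expected }
if ($mismatches) { $mismatches | Format-Table -AutoSize } else { 'All expected Edge policies present in both hives.' }
'Allowed URLs: ' + ((Get-EdgeUrlList -Policy 'URLAllowlist') -join ', ')
'Startup URLs: ' + ((Get-EdgeUrlList -Policy 'RestoreOnStartupURLs') -join ', ')
```

The same values can be cross-checked interactively on the device by opening edge://policy in the kiosk browser session.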

Kiosk Browser Application Deployment

  • The Kiosk Browser is not a built-in application of the Windows operating system, so it needs to be deployed to the device first; the Multi-app kiosk configuration profile can then restrict it as desired.
  • Navigate to Apps>>>Windows>>>click on Add.
  • App Type [Microsoft Store app(new)] and click Select.
  • Under App Information, navigate to Select app and click Search the Microsoft Store app(new) link>>>type Kiosk Browser, and then select the Kiosk Browser where the Publisher is Microsoft Corporation. After that click Select to open the application settings.
  • You can leave all the default settings or make custom changes and then click Next.
  • Assign the application to the device assignment group>>>click Next and then click Create.

Create Dynamic Device Group for Kiosk Devices

  • Within the Microsoft Endpoint Manager, click Groups>>>click New Group.
  • Group Type (Security); Group Name (HR); Group Description (This group is for Multiapp kiosk devices)>>>Membership Type (Dynamic device).
  • Under Dynamic Device Members, click Add Dynamic Query>>>click Add Expression. In the Rule syntax box, enter (device.devicePhysicalIds -any (_ -eq "[OrderID]:KioskMultiApp"))>>>click Create.
  • Make sure to assign the Self-Deploying profile, application packages, security policies, Multi App Kiosk mode setup profile and other configuration profiles to the group.

Import Hardware Hash Into Intune

  • Obtain the hardware hash of the device using PowerShell:

PS C:\Windows\system32>New-Item -Type Directory -Path "C:\HWID"
PS C:\Windows\system32>Set-Location -Path "C:\HWID"
PS C:\HWID>Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
PS C:\HWID>Install-Script -Name Get-WindowsAutoPilotInfo
PS C:\HWID>Get-WindowsAutoPilotInfo.ps1 -OutputFile AutopilotHWID.csv

The CSV file should look like this:

Device Serial Number,Windows Product ID,Hardware Hash,Order ID
1234-1234-1234-1234-1234-1234-12,,T0GqAwEAHAAAAAoAAQDuQgA….,KioskMultiApp
1234-4123-1234-1234-1234-1234-12,,T0GqAwEAHQgAAAAAAoAAQDu….,KioskMultiApp

Note that once the CSV file produced by the PowerShell script is edited by hand (for example to add items such as Order ID) and then uploaded into Intune, the import may produce errors. To avoid this, instead of editing that CSV file directly, create a new Excel sheet (or reuse the same sheet), place the headers and their respective values in cells, and save the document as a CSV (Comma delimited) file; once this is done you can import it into Intune with no error messages.
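An alternative to the Excel round trip is to add the Order ID column from PowerShell, which keeps the file in exactly the shape the script writes (no type-information header, no quoting, ASCII). The function below is an added example, not part of the original guide; the file paths in the usage line are assumptions, and the empty-row and duplicate checks reflect import failures a practitioner would want to catch before uploading.

```powershell
# Added example: tag an Autopilot hardware-hash CSV with an Order ID without opening it in Excel.

function Add-AutopilotOrderId {
    param(
        [Parameter(Mandatory)][string]$InputCsv,
        [Parameter(Mandatory)][string]$OutputCsv,
        [Parameter(Mandatory)][string]$OrderId   # must match the [OrderID]: value in the dynamic group rule
    )
    $rows = @(Import-Csv -Path $InputCsv)
    if ($rows.Count -eq 0) { throw "No rows found in $InputCsv" }

    # The script's own header must be present before we add a column to it.
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $have = ($rows[0] | Get-Member -MemberType NoteProperty).Name
    $missing = $required | Where-Object { $_ -notin $have }
    if ($missing) { throw "Input CSV is missing column(s): $($missing -join ', ')" }

    $tagged = foreach ($r in $rows) {
        # A blank serial or hash means the script could not read the device; Intune rejects such rows.
        if (-not $r.'Device Serial Number'.Trim() -or -not $r.'Hardware Hash'.Trim()) { continue }
        [pscustomobject]@{
            'Device Serial Number' = $r.'Device Serial Number'.Trim()
            'Windows Product ID'   = $r.'Windows Product ID'
            'Hardware Hash'        = $r.'Hardware Hash'.Trim()
            'Order ID'             = $OrderId
        }
    }
    # One row per serial number; duplicates also fail the import.
    $tagged = @($tagged | Sort-Object 'Device Serial Number' -Unique)

    # Write it the way Get-WindowsAutoPilotInfo.ps1 does: no type header, quotes stripped, ASCII.
    $tagged | ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Out-File -FilePath $OutputCsv -Encoding ascii
    $tagged.Count
}

# Usage on the kiosk machine after the Get-WindowsAutoPilotInfo.ps1 step above (paths assumed):
# Add-AutopilotOrderId -InputCsv 'C:\HWID\AutopilotHWID.csv' -OutputCsv 'C:\HWID\AutopilotHWID-Tagged.csv' -OrderId 'KioskMultiApp'
```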