In this blog post I want to explain how to set up a Modern Kiosk PC. There are many use cases in companies where you don’t want to give the user complete access to Windows. Only one or selected applications should be allowed. Typical use cases would be:

• a device that plays a video in a sales room
• a device that is used for training of an application
• a terminal where someone can give feedback
  

and many more…

What is a kiosk PC

A kiosk PC is a PC that runs in a mode where the user’s rights and options are restricted. Typically, only one application is displayed, which cannot be terminated or exited. This is called single kiosk mode. But there is also a multi kiosk mode in which you have a selection of previously defined applications. Normally, no user logs on to these devices because this is done via an auto logon with an local user. But it is also possible to authenticate via an AAD account.

What are the prerequisites

To set up a Kiosk PC the following requirements are needed:

• Intune enviroment (Setup a Windows Autopilot test lab)
• Windows 10 1809 or later
• TPM 2.0 (Hardware is necessary)

Let’s get started

First of all, we need to create a dynamic group for the devices.

To do this, select groups from the left menu in the Mem Portal and create a new dynamic device group with a filter for the group tag. A detailed explanation of how to do this can be found here. I used the following filter for my group:

(device.devicePhysicalIds -any _ -eq "[OrderID]:KioskPC")

Hint: You can also choose another name for the Group Tag, just replace KioskPC with another name.

This will automatically add all devices with the group tag “Kiosk PC” to the group. You can specify this group tag when uploading the device hash, but you can also change it in the MEM portal under Devices -> Register Devices -> Devices.

You can upload the device hash with the following PowerShell commands (If the device is not enrolled press shift F10 in the OOBE):

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo.ps1 -GroupTag KioskPC -online

As next step we need an new deployment profile for the Kiosk PC.

To do this, navigate in the MEM portal to Devices -> Register Devices -> Deployment Profiles.

• Select Create Profile -> Windows PC
• Enter an name for the deployment profile and click Next
• Select “Self-Deploying (preview)” as Deployment mode
• Choose the other settings the way you want. In my example I give the devices a custem hostname starting with K for Kiosk followed by the serial number.
• Click Next

• Add the previously created group via Add Group
• Click Next
• Click Create

Creat the device configuration

• Navigate in the MEM Portal to Devices -> Configuration profiles
• Click Create profile
• Select Windows 10 and later as Platform and Templates as Profile type
• Select Kiosk
• Enter a name

Now we have to decide if we want to have a single App Kiosk PC or a multi App Kiosk PC. In this blog I explain both. We start with the single app kiosk pc. If you want to set up a Multi App Kiosk PC you can skip this chapter.

Singel App Kiosk Mode

As described above, only one App is started in full screen in this mode and it cannot be exited. To configure this we create a new configuration profile. You can choose between Edge, the Kiosk browser or a Store app. Win32 apps cannot be selected here.

First we select Single app, full screen kiosk. When this is selected, other configuration items appear which I will now explain.

• User logon type: Here you can configure the behavior of the login. With the autologon no login with a user is necessary (a default user with the name Kiosk is used) and the app starts directly after booting. This is useful for PCs located in public environments so that no interaction is required to launch the app on reboot. Alternatively, you can create a local user for the login or select an Azure ad user.

• Application type: Here you can choose the Edge browser, Legacy Edge or the Kiosk browser. It is also possible to select a store app. What is the difference between the Kiosk browser and Edge? The Kiosk browser is based on the Edge browser but offers more settings that can be useful in kiosk environments. Here you can e.g. show an End seassion button which deletes the browser data and goes back to the start page. Or you can also hide the navigation buttons. Additionally you can upload a CSV file with allowed URLs to the Kiosk Browser. In Store app mode, you can select any app that was previously imported into Intune via Windows Store for Business. With Edge browser you have the following 2 options to choose from:
  • Public Browsing (InPrivat): Users can browse publicly and open multiple tabs
  • Digital/Interactive Signage (InPrivate): Opens a URL in full-screen mode and displays only the content of that website.

• Specify Maintenance Window for App Restarts: Some apps need to be restarted to complete app installation or installation of updates. With this function you can schedule the Maintenance Windows for this restart.

This is my configuration. You can set the configurations as you need them for your use case.

• Click Next
• Assign this Configuration Profile to the group we created at the top of this blog

• Click Next
• Add the previously created group via Add Group
• Click Next
• Click Create

So now we have configured everything we need and can start deploying our test machine via windows autopilot.

What we notice is that no authendification is necessary for the autopilot process like on a standard PC, the process starts directly. This is the self deploying we have configured in the deployment profile.

Multi App Kiosk Mode

After we have looked at the single app kiosk mode, let’s now look at the multi app mode. This mode offers more choice of application types that we can use. Let’s start. Also here we have to create a new Configuration Profile with the Kiosk template as described above.

Here we choose this time Multi App Kiosk. The configuration options are a bit different this time. Also here I try to explain all these options to you.

• Target Windows 10 in S mode device: The S mode is a specific Windows 10 mode that is pre-configured to be more secure. You can only run apps from the MS Store.
  • Yes: Win32 apps are excluded by this. Store apps and AUMID apps are allowed in the kiosk profile.
  • No: Store apps, Win32 apps, and AUMID apps are allowed in the kiosk profile.
• User logon type: Here you can configure the behavior of the login. With the autologon no login with a user is necessary (a default user with the name Kiosk is used) and the app starts directly after booting. This is useful for PCs located in public environments so that no interaction is required to launch the app on reboot. Alternatively, you can create a local user for the login or select an Azure ad user. There is also the HoloLense visitor, but this is not interesting for our Workplace configuration.
• Browser and Applications:
  • Browser: Here, you have the Edge legacy and the Kiosk Bowser. With the Kiosk browser you can specify a default page. This is not possible with the Edge. With the Kiosk Browser you have much more configuration possibilities. Too bad that the Edge Chromium is not available here.
  • Applications: Here you have the choice between Store App, Win32 app and AUMID. For Store apps, you can select any app that was previously imported into Intune via Windows Store for Business. For Win32 is a normal desktop app that can also be installed via intune. To offer such an app you have to specify the path of the app to start it. The AUMID is an ID which is assigned for each appliication installed on a device. How to find this ID it is explained here.
• Use alternative Start layout: This option offers the possibility to upload an XML file that can be used to configure the position of the apps in the Start menu.
  To create this layout, setup an test device on which applications are installed that you want to have. Configure the start menu the way you want it. Open a Powershell console and enter the following command: Export-StartLayout -UseDesktopApplicationID -Path layout.xml
  You will receive an XML that you can customize and upload.
• Windows Taskbar: Possibility to hide the taskbar
• Allow access to Download folder: Possibility to lock the download order
• Specify Maintenance Window for App Restarts: Some apps need to be restarted to complete installation of updates. With this function you can schedule the Maintenance Windows for this restart.

These are the settings I selected for my test:

• Click Next
• Add the previously created group via Add Group
• Click Next
• Click Create

Now you have all the information you need to set up a Kiosk PC. Depending on the use case you have the possibility to select a single or multi app mode. The experience for the user is really good.

Stay healthy, Cheers
Jannik