Sync Azure AD Group with Kiosk Config Profile

I have already described in a previous blog post how to deploy a device as a kiosk device using Intune. This works really well. There is only one small thing that is really inconvenient. If "Azure AD user or group" is selected as the logon type (only specific users are allowed to log on to these devices), the policy must not only be assigned to a group; the allowed users must also be defined in the profile. The option also allows adding AAD users and groups, and the SIDs of these objects are written to the local group, but Windows cannot resolve the AAD groups (bug or feature?). Windows checks via Graph whether the user who is trying to log in is in one of the groups. When MFA is disabled, this works. But if MFA is enabled, Windows fails to get the token. In this blog post I want to show you how you can easily work around this by syncing an Azure AD group with this configuration profile.


Set Up a Modern Kiosk PC

In this blog post I want to explain how to set up a Modern Kiosk PC. There are many use cases in companies where you don’t want to give the user complete access to Windows. Only one or selected applications should be allowed. Typical use cases would be:

  • a device that plays a video in a sales room
  • a device that is used for training on an application
  • a terminal where someone can give feedback

and many more…
