Setup a Windows 10 kiosk device using Intune and AutoPilot

After a few blogs about Android Enterprise and how to create an Android kiosk device using Microsoft Intune, in this blog post we switch to a Windows 10 kiosk device. Using Intune and Windows AutoPilot we are able to deploy a Windows 10 device right out of the box, without an user taking any action, as a kiosk device. The end result is a kiosk device configured to automatically logon and launch a kiosk app. In this case the Kiosk Browser is launched, but you can also choose the Edge browser or another app as kiosk app.

To get the job done we have to create a Windows AutoPilot profile, configure kiosk settings in a device configuration policy and deploy the Kiosk Browser app to our device. Optional I have used a custom configuration policy to block users from sign-in on to the device with the Azure AD account.

Setup Windows AutoPilot in self-deploying mode

We have two deployment modes in Windows AutoPilot, we will create an AutoPilot profile with self-deploying mode to configure the device without user interaction. To automatically add the device during enrollment in the right security group, to assign policies and apps, we can use an order id as part of the AutoPilot information. This order id is added to the AutoPilot information csv file we upload to Intune and used in the query of the dynamic security group.

Windows AutoPilot self-deploying mode prerequisites:

  • Windows 10 1809 or later
  • A device with a TPM 2.0 chip (virtual TPM in a virtual machine will not work)

Let`s first start with preparing the csv file with AutoPilot information you received from your vendor or queried from the device yourself. On the first line add a comma and OrderID. On every other line with AutoPilot information, at the end of each line, add a comma and the order id. In this case I added Win10KioskSingle as order id.

When done editing the csn file, upload the file in Intune. After uploading the AutoPilot information using a csv file, the order id is visible as Group Tag and can be used in a security group.


In the Azure AD portal, click Groups and create a dynamic device security group using the advanced query:
(device.devicePhysicalIds -any _ -eq “[OrderID]:Win10KioskSingle”)
Replace Win10KioskSingle with your own order id/ group tag.
More info on AutoPilot device groups can be found in this article.

Go further with creating the Windows AutoPilot profile.

  1. Sign-in to the Device Management Portal
  2. Click Device enrollmentWindows Enrollment
  3. Click Deployment Profiles

  1. Click Create Profile
  2. Give the AutoPilot profile a Name
  3. Give the profile a Description (Optional)
  4. Choose Self Deploying (preview) as Deployment mode
  5. Click the Out-of-box experience (OOBE) tab
  6. Choose the settings of your choice
  7. Click OK and Create

  1. Click the Assignments tab
  2. Search for the security group we created and select the group
  3. Click Save

Create Device configuration profile

To lock down the Windows 10 device as kiosk device we need to create and assign a device restrictions profile. We have the choice of two kiosk modes; single app, full screen or multi app. In this example I create a single app kiosk device. When creating a single app kiosk device, you can choose between three application types; Edge browser, Kiosk browser or store app. If you setup the kiosk device to run a browser like I do, have a look at this feature comparison to make a good decision between the Edge and Kiosk browser.

  1. Click Device configurationProfiles
  2. Click Create Profile

  1. Give the configuration profile a Name
  2. Give the profile a Description (Optional)
  3. Choose Windows 10 and later as Platform
  4. Choose Kiosk as Profile type
  5. Click the Settings tab

  1. Choose Single app, full-screen kiosk as Kiosk mode
  2. Choose Auto logon as Logon type (supported on Windows 10 1803 and later)
  3. Add Kiosk browser as Application type
  4. Click the Kiosk browser settings tab

On the Kiosk browser settings tab we have a few options to set like the Default home page url. In this case I set it to my own home page and because I only want the user to be able to visit my site, I also uploaded a csv file with my website in it, to restrict access to a specific set of websites.
If we leave the other settings as default, the Kiosk browser is launched full screen without any navigation button. If you want to show any navigation button to your users set the switch to Show.
When finished click OK twice and click Create.

Your here

On the Assignments tab add the previously created security group and click Save.

Create custom configuration policy

Because I have seen users been able to get the sign-in page and even sing-in to the Kiosk device with their Azure AD account, I have now restricted that. The solution for that is to create a custom configuration policy. In that policy we set the User Right To Logon Locally (AllowLocalLogon) to only local accounts (the kiosk account is a local account). The custom policy is created with the information about the Policy CSP op Microsoft Docs.

  1. Click Device configurationProfiles
  2. Click Create Profile
  3. Give the configuration profile a Name
  4. Give the profile a Description (Optional)
  5. Choose Windows 10 and later as Platform
  6. Choose Custom as Profile type
  7. Click the Settings tab
  8. Click Add to add an OMA-URI row

  1. Give the row a Name
  2. OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
  3. Data type: String
  4. Value: <![CDATA[Local account]]>

Get the Kiosk browser app

Because I choose to use the Kiosk Browser app, I need to get the app from the Microsoft Store for Business. I assume you have already setup the sync between Intune and the store and set Intune in the store as management tool.
In the store search for Kiosk Browser, click Get the app and click Close.

  1. In the Device Management portal click Client appsApps
  2. Click the Kiosk Browser app

  1. Click the Assignments tab
  2. Click Add group
  3. Select Required as assignment type
  4. On the Include tab search for the security group previously created and select the group
  5. Click OK twice and click Save

Enroll a Windows 10 device as kiosk device

Now everything is set, turn on the Windows 10 device. When the device is connected to the internet it performs an online check to determine if it is registered as Windows AutoPilot device at a tenant. When that`s the case the Deployment profile is downloaded to the device and the device is prepared for enrollment.

After a few minutes the Enrollment Status Page is shown. During the first phase the device is prepared for enrollment to Azure AD and Intune. During the second and third phase configurations policies are applied and apps are installed.

After the enrollment phases the sign-in page is shown and when Auto Logon is set in the configuration profile an auto logon is performed.

After logging on, the Kiosk Browser app is automatically started.

Depending on the choices you made for the navigation buttons in the configuration profile, the Kiosk Browser app is shown full screen, with or without navigation buttons.

If you restricted access to specific websites and visit another site, that site is blocked with a message like below.

If the user is able to get the sign-in page and tries to sign-in to the device with his Azure AD account, that is prohibited.

That`s it for today. Happy testing!


  1. Great article Peter. When I make any edits to the .csv file I keep getting a ‘each row must have a minimum of 3 columns’ error which prevents upload.

  2. Edge itself has Kiosk style policies (Public browsing InPrivate) – been using it with other Edge polices for a MultiApp Selfdeploying solution.

  3. Hi Peter,

    In your Custom Configuration Policy, you add a CSP for “AllowLocalLogOn” with a string value of “”. I noticed this value only seems to work OK when used in conjunction with an English OS. When I use a Dutch OS (for example), it doesn’t work anymore and I can’t logon with any account (not local nor Azure). Even the Admin account doesn’t work anymore.
    I read this could be circumvented by using SIDs, quote from Microsoft:

    “Even though strings are supported for well-known accounts and groups, it is better to use SIDs because strings are localized for different languages.”

    I just can’t seem to get the correct value for the SID of “Local Users Only”. Can you help?

  4. A helpful tutorial, Peter!

    I have an use case in mind which requires a cloud user to sign-in, so that a Kiosk browser can consume AAD protected services like a dashboard.

    Do you have any concerns here?


  5. I am doing the same thing (self deploying) but using shared multi user mode. When i publish office 365 to this device/group it won’t install

    • I have no experience with a Shared multi-user device, so I don`t know the limitations of the device and app installs. If you think apps should be allowed to install, try another (small) app and see if that does install fine. Have a look at the event logs if you can find errors.

Leave a Reply

Your email address will not be published.