Setup a Windows 10 kiosk device using Intune and AutoPilot

After a few blogs about Android Enterprise and how to create an Android kiosk device using Microsoft Intune, in this blog post we switch to a Windows 10 kiosk device. Using Intune and Windows AutoPilot we are able to deploy a Windows 10 device right out of the box, without a user taking any action, as a kiosk device. The end result is a kiosk device configured to automatically log on and launch a kiosk app. In this case the Kiosk Browser is launched, but you can also launch the Edge browser or another app as the kiosk app.

To get the job done we have to create a Windows AutoPilot profile, configure kiosk settings in a device configuration policy and deploy the Kiosk Browser app to our device.

Setup Windows AutoPilot in self-deploying mode

Windows AutoPilot has two deployment modes; we will create an AutoPilot profile in self-deploying mode to configure the device without user interaction. To add the device to the right security group automatically during enrollment, so that policies and apps are assigned, we can use an order id as part of the AutoPilot information. This order id is added to the AutoPilot information csv file we upload to Intune and is used in the query of the dynamic security group.

Windows AutoPilot self-deploying mode prerequisites:

  • Windows 10 1809 or later
  • A device with a TPM 2.0 chip (virtual TPM in a virtual machine will not work)

Let's first start with preparing the csv file with AutoPilot information you received from your vendor or queried from the device yourself. On the first line add a comma and OrderID. On every other line with AutoPilot information, at the end of each line, add a comma and the order id. In this case I added Win10KioskSingle as order id.

When done editing the csv file, upload the file in Intune. After uploading the AutoPilot information using a csv file, the order id is visible as Group Tag and can be used in a security group.


In the Azure AD portal, click Groups and create a dynamic device security group using the advanced query:
(device.devicePhysicalIds -any _ -eq "[OrderID]:Win10KioskSingle")
Replace Win10KioskSingle with your own order id / group tag.
More info on AutoPilot device groups can be found in this article.
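As an added example (not code from the original post), the script below does the csv edit described above and builds the matching dynamic-group rule: it appends the OrderID column to an exported AutoPilot csv, rejects rows that lack the three required fields (the condition Intune reports as a validation error at upload), and refuses order ids that would break the csv or the query. The serial numbers and hardware hash in the sample export are constructed placeholders.

```python
import csv
import io

# Header Intune expects in an AutoPilot csv (as quoted in the comments below),
# plus the optional fourth column whose value becomes the Group Tag after upload.
AUTOPILOT_HEADER = ["Device Serial Number", "Windows Product ID", "Hardware Hash"]
ORDER_ID_HEADER = "OrderID"

# Constructed sample export: the hardware hash is a placeholder, not a real one.
SAMPLE_EXPORT = (
    "Device Serial Number,Windows Product ID,Hardware Hash\n"
    "KIOSK-SN-0001,,PLACEHOLDER_HARDWARE_HASH\n"
    "KIOSK-SN-0002,,PLACEHOLDER_HARDWARE_HASH\n"
)


def check_order_id(order_id: str) -> str:
    """Reject tags that would break the csv or the dynamic-group rule."""
    if not order_id or any(c in order_id for c in ',"\r\n'):
        raise ValueError(f"invalid order id: {order_id!r}")
    return order_id


def add_order_id(csv_text: str, order_id: str) -> str:
    """Append an OrderID column to every row of an AutoPilot csv.

    Rows with fewer than the three required fields, or without a serial number
    and hardware hash, are rejected up front instead of failing at upload.
    A file that already carries an OrderID column gets the tag replaced.
    """
    check_order_id(order_id)
    rows = [r for r in csv.reader(csv_text.splitlines()) if r]
    if not rows or [h.strip() for h in rows[0][:3]] != AUTOPILOT_HEADER:
        raise ValueError("header is not the expected AutoPilot header")
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(AUTOPILOT_HEADER + [ORDER_ID_HEADER])
    for n, row in enumerate(rows[1:], start=2):
        if len(row) < 3 or not row[0].strip() or not row[2].strip():
            raise ValueError(f"row {n}: serial number and hardware hash are required")
        writer.writerow(row[:3] + [order_id])
    return out.getvalue()


def group_tag_rule(order_id: str) -> str:
    """Dynamic device-group membership rule matching devices with this Group Tag."""
    check_order_id(order_id)
    return f'(device.devicePhysicalIds -any _ -eq "[OrderID]:{order_id}")'


if __name__ == "__main__":
    print(add_order_id(SAMPLE_EXPORT, "Win10KioskSingle"))
    print(group_tag_rule("Win10KioskSingle"))
```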

Go further with creating the Windows AutoPilot profile.

  1. Sign-in to the Device Management Portal
  2. Click Device enrollment > Windows Enrollment
  3. Click Deployment Profiles

  1. Click Create Profile
  2. Give the AutoPilot profile a Name
  3. Give the profile a Description (Optional)
  4. Choose Self Deploying (preview) as Deployment mode
  5. Click the Out-of-box experience (OOBE) tab
  6. Choose the settings of your choice
  7. Click OK and Create

  1. Click the Assignments tab
  2. Search for the security group we created and select the group
  3. Click Save

Create Device configuration profile

To lock down the Windows 10 device as a kiosk device we need to create and assign a device restrictions profile. We have the choice of two kiosk modes: single app, full screen, or multi app. In this example I create a single app kiosk device. When creating a single app kiosk device, you can choose between three application types: Edge browser, Kiosk browser or store app. If you set up the kiosk device to run a browser as I do, have a look at this feature comparison to make a good decision between the Edge and Kiosk browser.

  1. Click Device configuration > Profiles
  2. Click Create Profile

  1. Give the configuration profile a Name
  2. Give the profile a Description (Optional)
  3. Choose Windows 10 and later as Platform
  4. Choose Kiosk as Profile type
  5. Click the Settings tab

  1. Choose Single app, full-screen kiosk as Kiosk mode
  2. Choose Auto logon as Logon type (supported on Windows 10 1803 and later)
  3. Add Kiosk browser as Application type
  4. Click the Kiosk browser settings tab

On the Kiosk browser settings tab we have a few options to set, like the Default home page URL. In this case I set it to my own home page and, because I only want the user to be able to visit my site, I also uploaded a csv file with my website in it to restrict access to a specific set of websites.
If we leave the other settings as default, the Kiosk browser is launched full screen without any navigation buttons. If you want to show any navigation button to your users, set the switch to Show.
When finished, click OK twice and click Create.


On the Assignments tab add the previously created security group and click Save.

Get the Kiosk browser app

Because I chose to use the Kiosk Browser app, I need to get the app from the Microsoft Store for Business. I assume you have already set up the sync between Intune and the store and set Intune as the management tool in the store.
In the store search for Kiosk Browser, click Get the app and click Close.

  1. In the Device Management portal click Client apps > Apps
  2. Click the Kiosk Browser app

  1. Click the Assignments tab
  2. Click Add group
  3. Select Required as assignment type
  4. On the Include tab search for the security group previously created and select the group
  5. Click OK twice and click Save

Enroll a Windows 10 device as kiosk device

Now everything is set, turn on the Windows 10 device. When the device is connected to the internet it performs an online check to determine if it is registered as a Windows AutoPilot device in a tenant. When that's the case, the Deployment profile is downloaded to the device and the device is prepared for enrollment.

After a few minutes the Enrollment Status Page is shown. During the first phase the device is prepared for enrollment to Azure AD and Intune. During the second and third phase configuration policies are applied and apps are installed.

After the enrollment phases the sign-in page is shown and when Auto Logon is set in the configuration profile an auto logon is performed.

After logging on, the Kiosk Browser app is automatically started.

Depending on the choices you made for the navigation buttons in the configuration profile, the Kiosk Browser app is shown full screen, with or without navigation buttons.

If you restricted access to specific websites and visit another site, that site is blocked with a message like below.


5 Comments

  1. Great article Peter. When I make any edits to the .csv file I keep getting a ‘each row must have a minimum of 3 columns’ error which prevents upload.

    • Thanks James!
      If I for example export the AutoPilot information using Michael Niehaus's script, I get a csv file with three columns. These are the three columns:
      Device Serial Number,Windows Product ID,Hardware Hash

      And I add a fourth:
      Device Serial Number,Windows Product ID,Hardware Hash,OrderID

      Usually on the second row you have the serial number and hardware hash of your device filled in and the Windows Product ID column is empty.

      What does your csv look like?

      • Hi Peter

        It looks exactly like you describe. I’ve tried uploading the unmodified version and it passes validation however if I add the extra column header and/or make any other changes it comes up with the validation error.

        • Hi James,
          If you'd like, you can send me an email and I'll send you my example csv file so you can try to modify that one with your own serial, hardware hash and order id?

  2. Edge itself has Kiosk style policies (Public browsing InPrivate) – been using it with other Edge policies for a MultiApp Selfdeploying solution.
