A few months ago I wrote this article about setting up a Windows 10 kiosk device using Microsoft Intune and Windows AutoPilot. In that article I used the kiosk single app mode to restrict the device to running one single app. In Intune we also have the option to set up a kiosk device using the kiosk multi app mode. In multi app mode the logged-on user is allowed to run multiple apps, but the device still runs as a kiosk device. Access to other apps, and for example File Explorer, is still prevented.
In multi app mode we are also able to configure the device to auto-logon with a (local) kiosk account, but we also have the option to allow Azure AD users to log on to the device and work on the kiosk device with their AAD account. This could be handy when you want to provide a single sign-on experience to applications which are connected to Azure AD.
In this blog post I won't show you how to set up Windows AutoPilot in self-deploying mode to automatically enroll a Windows 10 device in Azure AD and Intune; for those steps you can read my previous article. The steps I will show in this article are:
- Create a customized start layout
- Get the AppUserModelId (AUMID)
- Configure the Kiosk multi app Configuration Profile
- Configure the Device Restrictions Profile (Optional)
- End-user experience
Create a customized start layout
Because the kiosk device is running multiple apps, we need to present these apps to the end-user in a nice way. In my opinion the way to do that is with a customized Start layout.
Sign in to a Windows 10 (test) device and set the device in tablet mode.
Configure the start menu as you like it, containing the applications the kiosk device will be running.
To export the customized start layout, open PowerShell and run the Export-StartLayout command:
Export-StartLayout -Path C:\Temp\InTheCloud247Kiosk.xml
In a later step we upload the XML file to Intune.
Get the AppUserModelId (AUMID)
For every application we make available on the kiosk device, we need the Application ID (AppUserModelId or AUMID). There are several ways to retrieve the AUMID, such as using a PowerShell script, but I will show how to retrieve it using File Explorer.
Open the Run dialog (WIN + R), enter shell:AppsFolder and hit Enter.
Hit F10, click View and choose Choose details…
Check AppUserModelId and click OK.
Make sure the folder view is set to Details.
Search for the applications you want to publish to the kiosk device and note the AppUserModelId.
Configure the Kiosk multi app Configuration Profile
We have created the customized start layout file and collected the AppUserModelIds, so it is time to create the configuration policy with this information.
- Sign-in to the Device Management Portal
- Browse to Device Configuration – Profiles
- Click Create Profile
- Give the policy a Name
- Fill in the Description (optional)
- Choose Windows 10 and later as Platform
- Choose Kiosk as Profile type
- Click the Settings tab
- Choose Multi app kiosk as Kiosk mode
- Choose No for the Windows 10 in S mode
- Choose the Logon type of your choice (you can choose Autologon, but also select an Azure AD user or Group)
Here you can also add the various types of applications; Store apps, Win32 apps or apps by AUMID.
If you want a default browser, just click Add Microsoft Edge or click Add Kiosk Browser.
Below is an example of how to add a Win32 app:
Application name: Google Chrome
Local path to executable: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
AUMID: Chrome
Back at the Settings tab we set the Start Layout.
- At Use alternative Start layout choose Yes
- Click the Folder icon
- Browse to the previously created xml file and select the file
- Choose the other options which you want to set
- Click OK and click Create to create the profile
Don't forget to assign the policy to a group.
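A check worth running before the layout is uploaded, shown here as an added example that is not part of the original article: it lists every tile in the exported Start layout and marks the ones whose ID is not on the app list you enter in the kiosk profile. The function name Test-KioskStartLayout, the sample layout and the allow-list are constructed for illustration; tiles pinned by shortcut path carry no ID and are flagged for a manual check.

```powershell
# Added example; the layout and the allow-list below are constructed sample data.
# On the reference device: $layoutXml = Get-Content C:\Temp\InTheCloud247Kiosk.xml -Raw
# Get-StartApps lists Name/AppID (the AUMID) pairs for the signed-in user.
$layoutXml = @'
<LayoutModificationTemplate Version="1"
  xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
  xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
  xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Kiosk">
          <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
          <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.WindowsMaps_8wekyb3d8bbwe!App" />
          <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationID="Chrome" />
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Example App.lnk" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>
'@

# IDs entered in the kiosk profile (constructed; Maps is left out on purpose).
$allowed = 'Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge', 'Chrome'

function Test-KioskStartLayout {
    param([Parameter(Mandatory)][string]$LayoutXml, [string[]]$AllowedId = @())
    $doc = [xml]$LayoutXml
    # local-name() avoids having to register the start: namespace prefix.
    $tiles = $doc.SelectNodes("//*[local-name()='Tile' or local-name()='DesktopApplicationTile']")
    foreach ($t in $tiles) {
        $id = $t.GetAttribute('AppUserModelID')
        if (-not $id) { $id = $t.GetAttribute('DesktopApplicationID') }
        $link = $t.GetAttribute('DesktopApplicationLinkPath')
        # A tile pinned by .lnk path has no ID to compare against the profile.
        $status = if (-not $id) { 'CheckManually' } elseif ($AllowedId -contains $id) { 'Allowed' } else { 'NotInProfile' }
        [pscustomobject]@{ Tile = $(if ($id) { $id } else { $link }); Status = $status }
    }
}

Test-KioskStartLayout -LayoutXml $layoutXml -AllowedId $allowed | Format-Table -AutoSize
```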
Configure the Device Restrictions Profile (Optional)
Creating a Device Restrictions profile is optional. In this example I used it to further configure the Edge browser and to set a custom background.
- Browse Device Configuration – Profiles
- Click Create Profile
- Give the policy a Name
- Fill in the Description (optional)
- Choose Windows 10 and later as Platform
- Choose Device Restrictions as Profile type
- Click the Settings tab
- Click the Microsoft Edge browser tab
- Choose Normal mode (multi-app kiosk)
Configure the required settings on the several tabs, like setting the Start page.
- If you want to set a custom background browse to the Personalization tab
- Fill in the url to the background image
- Click OK.
- Click Create to create the profile
Don't forget to assign the profile to a security group.
End-user Experience
After the device is enrolled in Azure AD and Intune and the configuration profiles are applied, your kiosk multi app device is ready. Depending on the choice you made for the User logon type, the kiosk user is logged on automatically or a user needs to log on manually.
I have set the Edge browser to autolaunch, so the Edge browser is started directly after logging on to the device.
If you close the application, you are presented the customized Start menu and see the custom background.
9 Comments
Hi,
Thanks for this post. Did you run into an issue where the “Kiosk” keeps signing out when trying to log in?
I have this issue when using kiosk in multi mode.
Regards
Denzel
On hardware I have no issues. When first testing Kiosk mode using VMs I had issues like the device isn't locked as Kiosk machine and the auto logon didn't work. But no issue that signs me out.
Hi Denzel,
I know this issue. There is a timing issue in applying the policy and getting the device ready. Be sure to use the latest 1903 build, add some more store apps to your kiosk policy (to get more “time”, e.g. Maps, OneNote..) and try it again.
BR
André
Hi Peter, thanks for this, but I am running into some issues. When I go onto the device I have logged in with my AAD account, I can't seem to open the apps which I have allowed. I get the error: We can't open (then location address) Your school has blocked it. How do I allow this to open and work correctly! Any ideas?
You might want to start with reviewing the AppLocker events as the lockdown of the device is based on AppLocker. One of these events might show you what process is started and blocked.
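One way to pull the AppLocker block events mentioned in the reply above, as an added example that is not part of the original comment thread: it reads the four AppLocker event logs for the "blocked" event IDs and groups the hits by file. The function name Get-KioskAppLockerBlock is hypothetical, the script assumes an administrator session on the kiosk device, and the TargetUser and FilePath fields are read from the event XML only when the event carries them.

```powershell
# Added example. Run as an administrator on the kiosk device.
function Get-KioskAppLockerBlock {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL',
                    'Microsoft-Windows-AppLocker/MSI and Script',
                    'Microsoft-Windows-AppLocker/Packaged app-Execution',
                    'Microsoft-Windows-AppLocker/Packaged app-Deployment'
        Id        = 8004, 8007, 8022, 8025   # AppLocker "blocked" event IDs
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: an empty result is not an error for this check.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Fields missing from a given event type simply come back empty.
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Log     = $_.LogName
            User    = $data.TargetUser        # SID of the account that was blocked
            File    = $data.FilePath
            Message = ($_.Message -split "`r?`n")[0]
        }
    }
}

$blocks = Get-KioskAppLockerBlock -Hours 24
# Which files are blocked most often, then the individual events in time order.
$blocks | Group-Object File | Sort-Object Count -Descending | Select-Object Count, Name
$blocks | Sort-Object Time | Format-Table Time, Id, User, Message -Wrap
```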
Nice
Hi,
How is it possible to start a simple exe as a custom application (without AUMID)?
Thanks,
I would love to know the answer to this too. I have an app from a supplier which has no installation process, just copying files, then running the EXE. The app is delivered via Intune/Powershell script wrapped into a Win32 app. Can this app be run in Kiosk mode?
I had a similar issue. I packaged the exe as a Win32 app that copied it to a known folder. For the multi-app kiosk policy I set the ‘AUMID\PATH’ and ‘DesktopApplicationId/AUMID for the Win32 app’ as the path to the exe. Logging in ran the app.