Setup an Edge Chromium based Kiosk device with Microsoft Intune

This week Microsoft released the new Edge browser, based on the Chromium project. If you have Windows 10 kiosk devices in your organization running the current Edge browser, it might be a good idea to investigate the possibilities with the new Edge Chromium browser.

As the Edge Chromium browser has only been available for a couple of days, we are not (yet) able to create a single app kiosk device. We need to create a multi app kiosk device, like I showed in a previous blog. But that is a good starting point to test the behavior of the new browser on a kiosk device.

In this example I configure a multi app kiosk device using Microsoft Intune which automatically logs on a kiosk user and launches the Edge Chromium browser. For deployment of the device, you can use Windows AutoPilot which I described in this article.
The steps I will show in this article are:

  • Create a customized start layout
  • Get the AppUserModelId (AUMID)
  • Create a Kiosk multi app Configuration Profile
  • Create a Device Restrictions profile
  • Create an Administrative Templates profile
  • Create a Microsoft Edge baseline profile (Optional)
  • Deploy the Edge browser
  • End-user experience

Create a customized start layout

Because the kiosk device runs in multi app mode, we need to create a customized start layout with the Edge browser pinned. We need to pre-configure a start layout in tablet mode and export the layout to an XML file, which we can upload in our Intune configuration profile.

Sign in to a Windows 10 (test) device on which the Edge Chromium browser is installed and set the device in tablet mode.

Remove all currently pinned applications from the start menu and add Edge Chromium.

To export the customized start layout, open PowerShell and use the Export-StartLayout command as shown below:
Export-StartLayout -Path C:\Temp\InTheCloud247Kiosk.xml
In a later step we upload the XML file to Intune.

Get the AppUserModelId (AUMID)

Because we need to add Edge as a Win32 app to the kiosk configuration, we need the Application ID (AppUserModelId or AUMID). There are several ways to retrieve the AUMID, such as using a PowerShell script, but I will show how to retrieve it using File Explorer.
Open the Run dialog (WIN + R), enter shell:AppsFolder and hit Enter.

Hit F10, click View and Choose details…

Check AppUserModelId and click OK

Make sure Folder view is set to Details.
Search for Microsoft Edge and note the AppUserModelId, MSEdge.
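The PowerShell route mentioned above, as an added example that is not the author's script: it lists the AUMID that Get-StartApps reports for Edge and checks that every tile in the exported start layout refers to an app that exists on the device. The name filter `*Edge*` is an assumption; the layout path is the one used in the export step.

```powershell
# Added example: read the AUMID with PowerShell and cross-check the exported layout.
$layoutPath  = 'C:\Temp\InTheCloud247Kiosk.xml'   # file written by Export-StartLayout
$namePattern = '*Edge*'                           # assumption: display-name filter

# Get-StartApps returns Name and AppID (the AUMID) for every Start menu entry.
$allApps = Get-StartApps
$allApps | Where-Object { $_.Name -like $namePattern } |
    Format-Table Name, AppID -AutoSize

if (-not (Test-Path -LiteralPath $layoutPath)) {
    Write-Warning "Start layout not found: $layoutPath"
    return
}

[xml]$layout = Get-Content -LiteralPath $layoutPath -Raw

# Match on local-name() so the start: namespace prefix does not have to be registered.
$tiles = $layout.SelectNodes(
    "//*[local-name()='DesktopApplicationTile' or local-name()='Tile']")

foreach ($tile in $tiles) {
    # Desktop (Win32) tiles carry DesktopApplicationID or DesktopApplicationLinkPath,
    # packaged apps carry AppUserModelID.
    $id = $tile.GetAttribute('DesktopApplicationID')
    if (-not $id) { $id = $tile.GetAttribute('AppUserModelID') }

    [pscustomobject]@{
        TileType       = $tile.LocalName
        Id             = $id
        LinkPath       = $tile.GetAttribute('DesktopApplicationLinkPath')
        # True when the ID in the layout is an AUMID known to this device.
        InstalledAumid = [bool]($id -and ($allApps.AppID -contains $id))
    }
}
```

A tile that shows only a LinkPath is pinned by shortcut rather than by AUMID, so the shortcut must exist at that path on the kiosk device.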

Create a Kiosk multi app Configuration Profile

The next step is to create a Configuration profile in the Microsoft Endpoint Manager (Intune) admin center. With that profile we configure the device to run in kiosk mode with auto logon, allow Edge to run, set Edge to auto launch and apply the customized start layout file.

  • Sign-in to the Endpoint Manager Portal
  • Browse to Devices > Windows > Configuration profiles
  • Click Create Profile
  • Give the policy a Name
  • Fill in the Description (optional)
  • Choose Windows 10 and later as Platform
  • Choose Kiosk as Profile type
  • Click the Settings tab
  • On the settings tab, choose Multi app kiosk as Kiosk mode
  • Choose No for the Windows 10 in S mode
  • Choose Auto logon
  • Click Add Win32 app

On the Add Win32 app tab, fill in this information for Edge and click OK:
Application name: Microsoft Edge
Local path to executable: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
AUMID: MSEdge

If you want to run the Edge browser in Kiosk mode or Full Screen, you should not point to the msedge.exe but to %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk

Then you need to make sure that you add an argument in the Target field of the msedge.lnk file like below.
If you add --kiosk, the browser runs in kiosk mode.
If you add --start-fullscreen, it will start full screen.

You can edit the .lnk file for example with PowerShell and deploy the PowerShell script with Intune. I used this script as a starting point for my small script, which you can find on my GitHub.
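One way to make that shortcut edit, as an added example (this is not the author's GitHub script): it uses the WScript.Shell COM object to set the arguments on the all-users Edge shortcut and only writes when a change is needed, so it can be re-run safely. The variable names are illustrative.

```powershell
# Added example: set the kiosk argument on the all-users Edge shortcut.
$lnkPath  = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk'
$wantArgs = '--kiosk'   # use '--start-fullscreen' instead for full screen only

if (-not (Test-Path -LiteralPath $lnkPath)) {
    Write-Error "Shortcut not found: $lnkPath"
    exit 1
}

$shell    = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut($lnkPath)   # opens the existing .lnk for editing

# Refuse to modify a shortcut that does not point at msedge.exe.
if ((Split-Path -Leaf $shortcut.TargetPath) -ne 'msedge.exe') {
    Write-Error "Unexpected shortcut target: $($shortcut.TargetPath)"
    exit 1
}

if ($shortcut.Arguments -ne $wantArgs) {
    $shortcut.Arguments = $wantArgs
    $shortcut.Save()
    Write-Output "Shortcut arguments set to: $wantArgs"
} else {
    Write-Output 'Shortcut already has the expected arguments.'
}
```

The shortcut lives under the all-users profile, so the script needs to run elevated; Intune runs PowerShell scripts in the system context unless you choose to run them with the logged-on credentials.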

  • Back at the settings tab check Autolaunch.
  • At Use alternative Start layout choose Yes
  • Click the Folder icon
  • Browse to the previously created xml file and select the file
  • Choose the other options which you want to set
  • Click OK and click Create to create the profile
  • Don't forget to assign the policy to a group.

Create a Device Restrictions profile

In this example I only set one setting, which is to remove the apps list from Start. If you don't set this setting, the app list is available for the end-user, although these apps can't be started.

  • Open the Endpoint Manager Portal
  • Browse to Devices > Windows > Configuration profiles
  • Click Create Profile
  • Choose Windows 10 and later as Platform
  • Choose Device restrictions as Profile type
  • Click Create

  • Give the profile a Name
  • Fill in the Description (optional)
  • Click Next
  • Browse to the Start section
  • Choose Remove and Disable Settings App at App list
  • Click Next
  • Assign the policy to a group and finish creating the profile

Create an Administrative Templates profile

To control settings for the new Edge browser, Microsoft made Administrative Templates available in Intune. With an Administrative Templates profile we can control settings which we could also control with the Device restrictions policy for the legacy Edge browser, but this profile contains a lot more settings.
Settings which you might want to control for a kiosk device are the startup behavior, home page URL and maybe even a URL block/allow list.

  • Open the Endpoint Manager Portal
  • Browse to Devices > Windows > Configuration profiles
  • Click Create Profile
  • Give the profile a Name
  • Fill in the Description (optional)
  • Choose Windows 10 and later as Platform
  • Choose Administrative Templates as Profile type
  • Click Create
  • Open the settings tab
  • Select Edge version 77 and later from the drop-down list
  • Search for the setting you want to configure like Action to take on startup
  • Click the setting of choice to open the options
  • Select your preferred option and click OK

Below is an overview of the policies which I configured during my first round of testing.

Don't forget to assign the profile to a security group.

Create a Microsoft Edge baseline profile (Optional)

If you want to further lock down the Edge browser, or maybe the Windows device itself, you can make use of Security Baselines which are also available in Intune. A Security baseline contains a few (for Windows a lot) security settings Microsoft recommends to apply to the browser.
In this example I show how to create a profile with a Security baseline for Edge.

  • In the Endpoint Manager portal browse to Devices
  • Browse to Windows > Security baselines
  • Click Microsoft Edge baseline
  • Browse to Profiles
  • Click Create profile
  • Give the profile a Name
  • Give the profile a Description (Optional)
  • Take note of the Platform and Baseline version (at this moment only one is available)
  • Click Next
  • Leave everything as default or make your choices on the settings
  • Click Next
  • If needed, add a Scope tag on the next tab and click Next
  • Assign the policy to a security group
  • Click Next
  • Review the policy and click Create

Deploy the Edge browser

As the new Edge browser isn't (yet) part of Windows, we need to deploy the browser to the Windows 10 kiosk devices.
Microsoft made it very easy to deploy the browser with Intune, as they made the browser available directly in the portal.

  • In the Endpoint Manager portal browse to Devices
  • Browse to Apps > Windows
  • Click Add
  • From the drop-down list choose Windows 10 under Microsoft Edge
  • On the App information tab give the app a Name and Description
  • Click OK
  • Select the Channel you want to deploy
  • Click OK
  • Click Add

Don't forget to assign the app to a security group which contains your Kiosk devices.

End-user Experience

When the device is enrolled to Azure AD and Intune (via AutoPilot), the configuration profiles and Edge browser are deployed.
If you chose Auto logon in the configuration, a Kiosk user is automatically logged on to the device.

The browser is automatically launched and the URL which I configured in the Administrative Template is shown.

If you configured the browser to start full screen, it should look like this.

And this is how it looks in a video:
Auto login with a Kiosk user, after login, the Edge browser is started in full screen with the pre-configured homepage URL.

With this configuration, we are already able to create a working kiosk browser and start our testing.
I expect the Edge Chromium browser to become available in the single app kiosk configuration later this year; then we won't have to edit the msedge.lnk anymore.

Happy testing! And if you know a way to block the Welcome screen, please let me know in the comments.

14 Comments

  1. Hi Peter,

    Thanks for sharing this example. Great step by step breakdown. I’m looking forward to your write up on the single app kiosk mode functionality, once available. Have a happy new year

  2. Hi, Peter. Thanks for your post.
    I have a question. In my test lab, I have a kiosk with multiple apps, with an Intune profile configuration. Edge opens a specific page in kiosk mode, full screen, but when a user types Ctrl+N, the browser opens a new tab and can search for any page. Is it possible to make the new tab open in full screen, or is there any option to hide the address bar?

  3. Hi Peter,

    Nice article. I tried to follow your article for my use case: configuring a multi app kiosk that runs Chrome in kiosk mode and Microsoft Teams. I tried the same solution by using the Chrome lnk path instead of the Edge lnk path. For some reason, when I log in as the kiosk user and run Chrome, it pops up saying "this app is blocked by your system administrator". Teams runs fine. I even tried the steps for Edge in kiosk mode with the lnk, and Edge runs fine in kiosk mode. I observed that third-party software like Chrome and Firefox gets blocked when I use the Google Chrome.lnk path. Some UAC is blocking it from opening, I think. Not sure what setting is required in Intune to allow Chrome to run. Appreciate your help. Thanks in advance.

    • Hi Dilip,

      Give it a try with the Chrome.exe file instead of the .lnk file.
      Otherwise, during the test phase, allow C:\WINDOWS\System32\mmc.exe and C:\Windows\system32\eventvwr.msc to run (and add them to the Start menu) so you have access to the AppLocker event logs via Event Viewer, to see what exactly is blocked.
      AppId/AUMID for these are Microsoft.AutoGenerated.{BB044BFD-25B7-2FAA-22A8-6371A93E0456} and {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mmc.exe.
      This helped me in finding out why I sometimes received a message about blocked apps (an Xbox app was running in the background).

      Regards,

      Peter
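The AppLocker event logs mentioned in the reply above can also be read with PowerShell from an elevated session on the kiosk device. This is an added example, not part of the original comment thread; the 24-hour window is an assumption. Event ID 8004 is a blocked EXE or DLL and 8022 is a blocked packaged app.

```powershell
# Added example: summarize what AppLocker blocked on this device in the last 24 hours.
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/Packaged app-Execution'
$blockedIds = 8004, 8022                 # 8004: EXE/DLL blocked, 8022: packaged app blocked
$since      = (Get-Date).AddHours(-24)   # assumption: look-back window

# Get-WinEvent reports an error when nothing matches, so silence that case.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logs
    Id        = $blockedIds
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No AppLocker block events in the selected window.'
    return
}

# Group identical messages so a binary that is blocked repeatedly shows up once
# with a count and the time it was last seen.
$events |
    Group-Object Message |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ Name = 'LastSeen'; Expression = {
            ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated } },
        @{ Name = 'Message'; Expression = { $_.Name } } |
    Format-Table -Wrap
```

The message text names the file or package that was prevented from running, which is the path or AUMID to add to the kiosk profile's allowed apps.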

  4. Hi Peter,

    Giving Chrome.exe works fine and launches Chrome, but the use case is to open Chrome in kiosk mode, so I gave the lnk path and kiosk as parameter as you did for Edge. I will try to find the reason as you mentioned; I just thought of checking with you whether we need to configure anything in the Intune settings to unlock the Chrome app.

    • Hi Dilip,

      Then allow both, the lnk and chrome.exe, but make the lnk file the one which auto starts (if required) and the one shown in the Start menu.
      Must say when I discussed the kiosk setup with an MS employee and told him the Edge.lnk did work he was pretty surprised 😀

      Regards,

      Peter

  5. Now that the new Edge is available under Single App Kiosk mode, how do we manage the Favorites bar and add to it?
    The single app mode looks pretty secure and restricted, and it looks like we can't do too much with Edge settings.
    Do you have any idea how to customize Edge in Single App Kiosk mode?

  6. Hi Peter,
    First time I tried to set up a kiosk and it worked without problems. Thank you!
    But… I have one question, hope you don't mind. I am trying to change the monitor orientation to portrait after deployment. I used a PS script and deployed that, then tried again by packaging it as a Win32 app, but without success. Any ideas?

    Thanks

  7. I have been playing around with this a lot lately and there is one major issue I still encounter. That is with custom shortcuts like google.lnk with a custom icon like google.ico, pointing to "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://www.google.com/ --edge-kiosk-type=public-browsing --kiosk-idle-timeout-minutes=1 --no-first-run. The problem is that no matter how much I try to tweak something, the pinned start shortcut will either not be displayed, or not display the custom ico, or display a blank icon, or even just display the default Edge icon… As a workaround I also tried pinning Edge secondary tiles pointing to a custom secondary tile asset icon etc., and this works for a normal user, but in kiosk mode the icon will be blank… I am starting to think that either something is broken or there is a limitation with kiosk mode, or maybe it's just "AppLocker", but I can't find anything that helps. Any suggestions? Thanks

  8. Also, I keep having some popups regarding "C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.86\identity_helper.exe" or runtimebroker.exe or the standalone updater… What's going on?

    • I also have this issue. Identity_helper.exe causes ‘this app has been blocked by the administrator’ error.
      It looks as though identity helper is something to do with edge, how can we whitelist this to allow it to run/not be blocked?
      Unfortunately our configuration requires Edge added as multi app kiosk, as we have a need for it not to run in private/kiosk mode. Any suggestions from anyone?
