Setup an Edge Chromium based Kiosk device with Microsoft Intune

This week Microsoft released the new Edge browser, based on the Chromium project. If you have Windows 10 kiosk devices in your organization running the current Edge browser, it might be a good idea to investigate the possibilities with the new Edge Chromium browser.

As the Edge Chromium browser is only available for a couple of days, we are not (yet) able to create a single app kiosk device. We need to create a multi app kiosk device, like I showed in a previous blog. But that is a good starting point to test the behavior of the new browser on a kiosk device.

In this example I configure a multi app kiosk device using Microsoft Intune which automatically logs on a kiosk user and launches the Edge Chromium browser. For deployment of the device, you can use Windows AutoPilot which I described in this article.
The steps I will show in this article are:

  • Create a customized start layout
  • Get the AppUserModeId (AUMID)
  • Configure the Kiosk multi app Configuration Profile
  • Create an Administrative Templates profile
  • Create an Microsoft Edge baseline profile (Optional)
  • Deploy the Edge browser
  • End-user experience

Create a customized start layout

Because the kiosk device runs in multi app mode, we need to create a customized start layout with the Edge browser pinned. We need to pre-configure a start layout in tablet mode and export the layout to a xml file, which we can upload in our Intune configuration profile.

Sign in to a Windows 10 (test) device on which the Edge Chromium browser is installed and set the device in tablet mode.

Remove all currently pinned applications from the start menu and add Edge Chromium.

To export the customized start layout open PowerShell. Use the Export-StartLayout command to export the start layout like in the screen below:
Export-StartLayout -Path C:\Temp\InTheCloud247Kiosk.xml
In a next step we upload the xml file to Intune.

Get the AppUserModeId (AUMID)

Because we need to add Edge as a Win32 app to the kiosk configration, we need the Application ID (AppUserModeId or AUMID). There are several ways to retrieve the AUMID like using a PowerShell script, but I will show how to retrieve it using file explorer.
Open the RUN dialog (WIN + R), Enter shell:AppsFolder and hit Enter.

Hit F10, click View and Choose details…

Check AppUserModeId and click OK

Make sure Folder view is set to Details.
Search for Microsoft Edge and note the AppUserModeId, MSEdge.

Configure the Kiosk multi app Configuration Profile

The next step is to create a Configuration profile in the Microsoft Endpoint Manager (Intune) admin center. With that profile we configure the device to run in kiosk mode with auto logon, allow Edge to run, set Edge to auto launch and the customize start layout file.

  • Sign-in to the Endpoint Manager Portal
  • Browse to Devices Windows Configuration profiles
  • Click Create Profile
  • Give the policy a Name
  • Fill in the Description (optional)
  • Choose Windows 10 and later as Platform
  • Choose Kiosk as Profile type
  • Click the Settings tab
  • On the settings tab, choose Multi app kiosk as Kiosk mode
  • Choose No for the Windows 10 in S mode
  • Choose Auto logon
  • Click Add Win32 app

On the Add Win32 app tab, fill in this information for Edge and click OK:
Application name: Microsoft Edge
Local path to executable: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
AUMID: MSEdge

If you want to run the Edge browser in Kiosk mode or Full Screen, you should not point to the msedge.exe but to %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk

Than you need to make sure that you add an argument in the Target field of the msedge.lnk file like below.
If you add –kiosk, the browser runs in kiosk mode.
If you add –start-fullscreen, it will start full screen.

You can edit the .lnk file for example with PowerShell and deploy the PowerShell script with Intune. I used this script as starting point for my small script.

  • Back at the settings tab check Autolaunch.
  • At Use alternative Start layout choose Yes
  • Click the Folder icon
  • Browse to the previously created xml file and select the file
  • Choose the other options which you want to set
  • Click OK and click Create to create the profile
  • Don`t forget to assign the policy to a group.

Create an Administrative Templates profile

To control settings for the new Edge browser, Microsoft made an Administrative Templates available in Intune. With this template we can control settings which we could also control with the Device restrictions policy, but the template contains a lot more settings.
Settings which you might want to control for a kiosk device are the startup behavior, home page URL and maybe even a URL block/ allow list.

  • Sign-in to the Endpoint Manager Portal
  • Browse to Devices Windows Configuration profiles
  • Click Create Profile
  • Give the profile a Name
  • Fill in the Description (optional)
  • Choose Windows 10 and later as Platform
  • Choose Administrative Templates as Profile type
  • Click Create
  • Open the settings tab
  • Select Edge version 77 and later from the drop-down list
  • Search for the setting you want to configure like Action to take on startup
  • Click the setting of choice to open the options
  • Select your preferred option and click OK

Below is an overview of the policies which I configured during my first round of testing.

Don`t forget to assign the profile to a security group.

Create an Microsoft Edge baseline profile (Optional)

If you want to further lock down the Edge browser, or maybe the Windows device itself, you can make use of Security Baselines which are also available in Intune. A Security baseline contains a few (for Windows a lot) security settings Microsoft recommends to apply to the browser.
In this example I show how to create a profile with a Security baseline for Edge.

  • In the Endpoint Manager portal browse to Devices
  • Browse to WindowsSecurity baselines
  • Click Microsoft Edge baseline
  • Browse to Profiles
  • Click Create profile
  • Give the profile a Name
  • Give the profile a Description (Optional)
  • Take note of the Platform and Baseline version (at this moment only one is available)
  • Click Next
  • Leave everything as default or make your choices on the settings
  • Click Next
  • If needed at a Scope tag on the next tab and click Next
  • Assign the policy to a security group
  • click Next
  • Review the policy and click Create

Deploy the Edge browser

As the new Edge browser isn`t part (yet) from Windows, we need to deploy the browser to the Windows 10 kiosk devices.
Microsoft made it very easy to deploy the browser with Intune, as they made the browser available direct in the portal.

  • In the Endpoint Manager portal browse to Devices
  • Browse to AppsWindows
  • Click Add
  • From the drop-down list choose Windows 10 under Microsoft Edge
  • On the App information tab give the app a Name and Description
  • Click OK
  • Select the Channel you want to deploy
  • Click OK
  • Click Add

Don`t forget to assign the app to a security group which contains your Kiosk devices.

End-user Experience

When the device is enrolled to Azure AD and Intune (via AutoPilot), the configuration profiles and Edge browser are deployed.
If you chose Auto logon in the configuration, a Kiosk user is automatically logged on to the device.

Unfortunately, despite all the stuff I blocked, the Welcome to Edge page is still shown at the first start of the Browser.
In a later release of the new Edge browser we should be able to block the Welcome Edge page/ first experience wizard.

The browser is automatically launched and the URL which I configured in the Administrative Template is shown.

If you configured the browser to start full screen, it should look like this.

And this is how it looks like in a video:
Auto login with a Kiosk user, after login, the Edge browser is started in full screen with the pre-configured homepage URL.

With this configuration, we are already able to create a working kiosk browser and start our testing.
I expect the Edge Chromium browser to become available in the single app kiosk configuration later this year, than we don`t have to edit the msedge.lnk anymore.

Happy testing! And if you know a way to block the Welcome screen, please let me know in the comments.




3 Comments

  1. Hi Peter,

    Thanks for sharing this example. Great step by step breakdown. I’m looking forward to your write up on the single app kiosk mode functionality, once available. Have a happy new year

Leave a Reply

Your email address will not be published.


*