Windows 10 and later device settings to run as a kiosk in Intune

On Windows 10 and later devices, you can configure these devices to run in single-app kiosk mode, or multi-app kiosk mode.

This article lists and describes the different settings you can control on Windows 10 and later devices. As part of your mobile device management (MDM) solution, use these settings to configure your Windows 10 and later devices to run in kiosk mode.

As an Intune administrator, you can create and assign these settings to your devices.

To learn more about the Windows kiosk feature in Intune, see configure kiosk settings.

Before you begin

Important

Be sure to assign this kiosk profile to the same devices as your Microsoft Edge profile.

Single full-screen app kiosks

Runs only one app on the device.

  • Select a kiosk mode: Choose single app, full-screen kiosk.

  • User logon type: The apps you add run as the user account you enter. Your options:

    • Auto logon (Windows 10 version 1803 and later): Use on kiosks in public-facing environments that don't require the user to sign in, similar to a guest account. This setting uses the AssignedAccess CSP.
    • Local user account: Enter the local (to the device) user account. The account you enter signs in to the kiosk.
  • Application type: Select the application type. Your options:

    • Add Microsoft Edge browser: Select Microsoft Edge browser, and choose the Edge kiosk mode type:

      • Digital/Interactive signage: Opens a URL full screen, and only shows the content on that website. Set up digital signs provides more information on this feature.
      • Public browsing (InPrivate): Runs a limited multi-tab version of Microsoft Edge. Users can browse publically or end their browsing session.

      For more information on these options, see Deploy Microsoft Edge kiosk mode.

      Note

      This setting enables the Microsoft Edge browser on the device. To configure Microsoft Edge-specific settings, create a device configuration profile (Device Configuration > Profiles > Create profile > Windows 10 for platform > Device Restrictions > Microsoft Edge Browser). Microsoft Edge browser lists and describes the available settings.

    • Add Kiosk browser: Select Kiosk browser settings. These settings control a web browser app on the kiosk. Be sure you get the Kiosk browser app from the Store, add it to Intune as a Client App. Then, assign the app to the kiosk devices.

      Enter the following settings:

      • Default home page URL: Enter the default URL shown when the kiosk browser opens or when the browser restarts. For example, enter http://bing.com or http://www.contoso.com.

      • Home button: Show or hide the kiosk browser's home button. By default, the button isn't shown.

      • Navigation buttons: Show or hide the forward and back buttons. By default, the navigation buttons aren't shown.

      • End session button: Show or hide the end session button. When shown, the user selects the button, and the app prompts to end the session. When confirmed, the browser clears all browsing data (cookies, cache, and so on), and then opens the default URL. By default, the button isn't shown.

      • Refresh browser after idle time: Enter the amount of idle time (1-1440 minutes) until the kiosk browser restarts in a fresh state. Idle time is the number of minutes since the user’s last interaction. By default, the value is empty or blank, which means there isn't any idle timeout.

      • Allowed websites: Use this setting to allow specific websites to open. In other words, use this feature to restrict or prevent websites on the device. For example, you can allow all websites at http://contoso.com* to open. By default, all websites are allowed.

        To allow specific websites, upload a file that includes a list of the allowed websites on separate lines. If you don't add a file, all websites are allowed. Intune supports * (asterisk) as a wild card.

        Your sample file should look similar to the following list:

        http://bing.com
        https://bing.com
        http://contoso.com/*
        https://contoso.com/*

      Note

      Windows 10 Kiosks with Autologon enabled using Microsoft Kiosk Browser must use an offline license from the Microsoft Store for Business. This requirement is because Autologon uses a local user account with no Azure Active Directory (AD) credentials. So, online licenses can't be evaluated. For more information, see Distribute offline apps.

    • Add Store app: Select Add a store app, and choose an app from the list.

      Don't have any apps listed? Add some using the steps at Client Apps.

  • Specify Maintenance Window for App Restarts: Default is "Not Configured," select "Require" to check for apps that require a restart to complete installation.

    If using Kiosk browser or other Microsoft Store for business app, decide how often to check for app updates that require restart in order to complete the application install. If not configured, Microsoft Store for Business apps will restart at an unscheduled time 3 days after an app update is installed.

    • Maintenance Window Start Time: Select the date and time of day to begin checking clients for any app updates that require restart. The default start time is midnight, or zero minutes.

    • Maintenance Window Recurrence: Default is daily. Set how often Maintenance windows for app updates will take place. Recommendation is daily to avoid unscheduled app restarts.

ApplicationManagement/ScheduleForceRestartForUpdateFailures CSP

Multi-app kiosks

Apps in this mode are available on the start menu. These apps are the only apps the user can open. If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both "C:\Program Files\internet explorer\iexplore.exe" and “C:\Program Files (x86)\Internet Explorer\iexplore.exe”.

  • Select a kiosk mode: Choose Multi app kiosk.

  • Target Windows 10 in S mode devices:

    • Yes: Allows store apps and AUMID apps (excludes Win32 apps) in the kiosk profile.
    • No: Allows store apps, Win32 apps, and AUMID apps in the kiosk profile. This kiosk profile isn't deployed to S-mode devices.
  • User logon type: The apps you add run as the user account you enter. Your options:

    • Auto logon (Windows 10 version 1803 and later): Use on kiosks in public-facing environments that don't require the user to sign in, similar to a guest account. This setting uses the AssignedAccess CSP.
    • Local user account: Add the local (to the device) user account. The account you enter signs in to the kiosk.
    • Azure AD user or group (Windows 10 version 1803 and later): Select Add, and choose Azure AD users or groups from the list. You can select multiple users and groups. Choose Select to save your changes.
    • HoloLens visitor: The visitor account is a guest account that doesn't require any user credentials or authentication, as described in shared PC mode concepts.
  • Browser and Applications: Add the apps to run on the kiosk device. Remember, you can add several apps.

    • Browsers

      • Add Microsoft Edge: Microsoft Edge is added to the app grid, and all applications can run on this kiosk. Choose the Microsoft Edge kiosk mode type:

        • Normal mode (full version of Microsoft Edge): Runs a full-version of Microsoft Edge with all browsing features. User data and state are saved between sessions.
        • Public browsing (InPrivate): Runs a multi-tab version of Microsoft Edge InPrivate with a tailored experience for kiosks that run in full-screen mode.

        For more information on these options, see Deploy Microsoft Edge kiosk mode.

        Note

        This setting enables the Microsoft Edge browser on the device. To configure Microsoft Edge-specific settings, create a device configuration profile (Device Configuration > Profiles > Create profile > Windows 10 for platform > Device Restrictions > Microsoft Edge Browser). Microsoft Edge browser lists and describes the available settings.

      • Add Kiosk browser: These settings control a web browser app on the kiosk. Be sure you deploy a web browser app to the kiosk devices using Client Apps.

        Enter the following settings:

        • Default home page URL: Enter the default URL shown when the kiosk browser opens or when the browser restarts. For example, enter http://bing.com or http://www.contoso.com.

        • Home button: Show or hide the kiosk browser's home button. By default, the button isn't shown.

        • Navigation buttons: Show or hide the forward and back buttons. By default, the navigation buttons aren't shown.

        • End session button: Show or hide the end session button. When shown, the user selects the button, and the app prompts to end the session. When confirmed, the browser clears all browsing data (cookies, cache, and so on), and then opens the default URL. By default, the button isn't shown.

        • Refresh browser after idle time: Enter the amount of idle time (1-1440 minutes) until the kiosk browser restarts in a fresh state. Idle time is the number of minutes since the user’s last interaction. By default, the value is empty or blank, which means there isn't any idle timeout.

        • Allowed websites: Use this setting to allow specific websites to open. In other words, use this feature to restrict or prevent websites on the device. For example, you can allow all websites at contoso.com* to open. By default, all websites are allowed.

          To allow specific websites, upload a .csv file that includes a list of the allowed websites. If you don't add a .csv file, all websites are allowed.

        Note

        Windows 10 Kiosks with Autologon enabled using Microsoft Kiosk Browser must use an offline license from the Microsoft Store for Business. This requirement is because Autologon uses a local user account with no Azure Active Directory (AD) credentials. So, online licenses can't be evaluated. For more information, see Distribute offline apps.

    • Applications

      • Add store app: Add an app from the Microsoft Store for Business. If you don't have any apps listed, then you can get apps, and add them to Intune. For example, you can add Kiosk Browser, Excel, OneNote, and more.

      • Add Win32 App: A Win32 app is a traditional desktop app, such as Visual Studio Code or Google Chrome. Enter the following properties:

        • Application name: Required. Enter a name for the application.
        • Local path: Required. Enter the path to the executable, such as C:\Program Files (x86)\Microsoft VS Code\Code.exe or C:\Program Files (x86)\Google\Chrome\Application\chrome.exe.
        • Application user model ID (AUMID): Enter the Application user model ID (AUMID) of the Win32 app. This setting determines the start layout of the tile on the desktop. To get this ID, see Get-StartApps.
      • Add by AUMID: Use this option to add inbox Windows apps, such as Notepad or Calculator. Enter the following properties:

      • AutoLaunch: Optional. Choose an application to AutoLaunch when the user signs in. Only a single app can be AutoLaunched.

      • Tile size: Required. Choose a Small, Medium, Wide, or Large app tile size.

    Tip

    After you add all the apps, you can change the display order by clicking-and-dragging the apps in the list.

  • Use alternative Start layout: Choose Yes to enter an XML file that describes how the apps appear on the start menu, including the order of the apps. Use this option if you require more customization in your start menu. Customize and export Start layout provides some guidance, and sample XML.

  • Windows Taskbar: Choose to Show or hide the taskbar. By default, the taskbar isn't shown. Icons, such as the Wi-Fi icon, are shown, but the settings can't be changed by end users.

  • Allow Access to Downloads Folder: Choose Yes to allow users to access the Downloads folder in Windows Explorer. By default, access to the Downloads folder is disabled. This feature is commonly used for end users to access items downloaded from a browser.

Next steps

Assign the profile and monitor its status.

You can also create kiosk profiles for Android, Android Enterprise, and Windows Holographic for Business devices.