Organizations use Windows kiosks to provide secure, dedicated access to specific applications or services. Kiosks are essential for self-service terminals, digital signage, customer check-ins, and restricted work environments. They enhance security, prevent unauthorized access, and ensure a controlled user experience, improving efficiency and compliance in various industries.
Microsoft Intune provides a very simple way to manage Windows kiosk devices, allowing organizations to lock down devices into a single-app or multi-app mode.
In this article from IntuneBytes, we'll explain a very simple way to set up a Single-App Kiosk on Windows 10 and 11 for all kinds of apps (Win32 apps, new Store apps, and Edge as well).
Limitation in Native KIOSK Profile
Microsoft Intune’s native Kiosk Profile can enforce Single-App Mode on targeted Windows 10 and 11 devices, making it an ideal solution when kiosk requirements are limited to a browser-only experience (Edge or Kiosk Browser).

The challenge appeared when Microsoft replaced the Windows Store for Business with the new Microsoft Store, which made it difficult to set up a Single-App Kiosk using a Store app.
The native Kiosk profile does not return new Microsoft Store apps added to the tenant.

Alternative Method
There is a very simple way to deliver a Single-App Kiosk to Windows 10 and 11 via Intune: an OMA-URI (Custom) profile. This method removes the limitations of the native Kiosk profile and supports a Single-App Kiosk for Edge, a Win32 app, or any new Microsoft Store application.
How-To?!
The steps below apply to Windows 10 and 11 for Single-App Kiosk setup.
1. OMA-URI Profile
To create the kiosk profile this way, open Intune Portal > Devices > Windows > Configuration > Create (Windows 10 and Later, Templates) and select Custom Profile.
Click Add to create a new OMA-URI setting, give it a name, and set the OMA-URI to "./Device/Vendor/MSFT/AssignedAccess/ShellLauncher". Set the Type to String.

The sections below give several examples for the content of "Value" (No. 5).
2. Single-App KIOSK for Edge App
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration" xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
  <Profiles>
    <DefaultProfile>
      <Shell Shell="%SystemRoot%\explorer.exe"/>
    </DefaultProfile>
    <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}">
      <Shell Shell="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe --kiosk https://www.intunebytes.com --edge-kiosk-type=public-browsing --kiosk-idle-timeout-minutes=5" V2:AppType="Desktop" V2:AllAppsFullScreen="true">
        <DefaultAction Action="RestartShell"/>
      </Shell>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <AutoLogonAccount/>
      <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}"/>
    </Config>
  </Configs>
</ShellLauncherConfiguration>
Explanation of XML Structure:
- The kiosk is configured via Shell Launcher, which is why the XML starts by referencing the Shell Launcher 2018 and 2019 configuration schemas.
- The kiosk calls one application (Edge) in full screen.
- --kiosk https://www.intunebytes.com >> this is where you set the website that opens in the Edge browser in kiosk mode.
- --edge-kiosk-type=public-browsing >> you can choose between 2 modes for Edge in kiosk mode: "public-browsing" or "fullscreen".
  [Screenshot: Edge kiosk in "public-browsing" mode]
  [Screenshot: Edge kiosk in "fullscreen" mode]
- --kiosk-idle-timeout-minutes=5 >> the timeout value is not mandatory, but it can be configured to auto-refresh the browser if there is no intervention from the end user.
- DefaultAction Action="DoNothing" >> this action is used when the kiosk app is closed, and it can be:
  - RestartShell >> Recommended Value for Configuration
  - RestartDevice
  - ShutdownDevice
  - DoNothing
3. Single-App KIOSK for Win32-App
The example used here is the AnyDesk app.
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration" xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
  <Profiles>
    <DefaultProfile>
      <Shell Shell="%SystemRoot%\explorer.exe"/>
    </DefaultProfile>
    <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}">
      <Shell Shell="C:\Program Files (x86)\AnyDeskMSI\AnyDeskMSI.exe" V2:AllAppsFullScreen="true">
        <DefaultAction Action="RestartShell"/>
      </Shell>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <AutoLogonAccount/>
      <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}"/>
    </Config>
  </Configs>
</ShellLauncherConfiguration>
4. Single-App KIOSK for New Microsoft Store App
The example used here is Windows Calculator.
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration" xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
  <Profiles>
    <DefaultProfile>
      <Shell Shell="%SystemRoot%\explorer.exe"/>
    </DefaultProfile>
    <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}">
      <Shell Shell="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" V2:AppType="UWP" V2:AllAppsFullScreen="true">
        <DefaultAction Action="RestartShell"/>
      </Shell>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <AutoLogonAccount/>
      <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}"/>
    </Config>
  </Configs>
</ShellLauncherConfiguration>
To use any other Store app, you must get the AUMID of the installed app via the Get-StartApps command.

5. Kiosk Accounts
The section below, present in all the XMLs, is dedicated to the accounts that can access the kiosk device.
<Configs>
  <Config>
    <AutoLogonAccount/>
    <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}"/>
  </Config>
</Configs>
Accounts that can access the kiosk can be one of the types below:
1- Configured to use "auto-logon", which automatically creates a local account named "Kiosk" with "no password" and automatically logs in with this account every time the device starts.

You can give it a custom name if needed, but the XML needs to be modified like this:
<Profiles>
  <DefaultProfile>
    <Shell Shell="%SystemRoot%\explorer.exe"/>
  </DefaultProfile>
  <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}" Name="SharedDevice Account">
    <Shell Shell="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" V2:AppType="UWP" V2:AllAppsFullScreen="true">
      <DefaultAction Action="RestartShell"/>
    </Shell>
  </Profile>
</Profiles>
2- Configured to use local domain accounts (for hybrid devices) to access kiosk devices
<Config>
  <Account Name="domain\user"/>
  <Profile Id="{GUID}"/>
</Config>
3- Configured to use Entra Accounts to access KIOSK Devices
<Config>
  <Account Name="azuread\user@domain.com"/>
  <Profile Id="{GUID}"/>
</Config>
4- Configured to use local accounts to access kiosk devices
<Config>
  <Account Name="KIOSK Account Name"/>
  <Profile Id="{GUID}"/>
</Config>
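A pre-upload check for the "Value" string, as an added example that is not part of the original article: it confirms that every Config points at a defined Profile Id, that DefaultAction and --edge-kiosk-type use values listed above, and it notes configs that use the passwordless auto-logon account. The function name lint_shell_launcher and the sample XML are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"sl": "http://schemas.microsoft.com/ShellLauncher/2018/Configuration"}
ACTIONS = {"RestartShell", "RestartDevice", "ShutdownDevice", "DoNothing"}
EDGE_TYPES = {"public-browsing", "fullscreen"}

def lint_shell_launcher(xml_text):
    """Return findings for a Shell Launcher XML string (hypothetical helper)."""
    findings, defined = [], set()
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    for prof in root.findall("sl:Profiles/sl:Profile", NS):
        pid = prof.get("Id", "")
        defined.add(pid.upper())
        shell = prof.find("sl:Shell", NS)
        cmd = shell.get("Shell", "") if shell is not None else ""
        action = shell.find("sl:DefaultAction", NS) if shell is not None else None
        if action is None or action.get("Action") not in ACTIONS:
            findings.append(f"{pid}: DefaultAction missing or not a listed value")
        if "msedge.exe" in cmd.lower():
            mode = re.search(r"--edge-kiosk-type=(\S+)", cmd)
            if mode is None or mode.group(1) not in EDGE_TYPES:
                findings.append(f"{pid}: --edge-kiosk-type missing or unknown")
    for cfg in root.findall("sl:Configs/sl:Config", NS):
        ref = cfg.find("sl:Profile", NS)
        rid = ref.get("Id", "") if ref is not None else ""
        # A Config whose Id matches no Profile (e.g. a leftover {GUID}) applies nothing.
        if rid.upper() not in defined:
            findings.append(f"Config references undefined profile {rid or '<none>'}")
        if cfg.find("sl:AutoLogonAccount", NS) is not None:
            findings.append(f"{rid}: auto-logon account (local, no password)")
        elif cfg.find("sl:Account", NS) is None:
            findings.append(f"{rid}: Config names no account")
    return findings

# Constructed sample: wrong Edge mode, invalid action, unreplaced {GUID} reference.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration">
  <Profiles><Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}">
    <Shell Shell="%ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe --kiosk https://www.intunebytes.com --edge-kiosk-type=full-screen">
      <DefaultAction Action="Restart"/>
    </Shell>
  </Profile></Profiles>
  <Configs><Config><AutoLogonAccount/><Profile Id="{GUID}"/></Config></Configs>
</ShellLauncherConfiguration>"""

if __name__ == "__main__":
    print("\n".join(lint_shell_launcher(SAMPLE)))
```

Run it against the exact string you paste into the OMA-URI "Value" field; the auto-logon line is informational rather than an error.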
Conclusion
Setting up a Windows 10/11 single-app kiosk using Shell Launcher via Microsoft Intune provides a streamlined, secure, and customizable experience for dedicated-use devices. By leveraging OMA-URI policies, IT administrators can precisely control which application runs at startup, restrict access to unnecessary system features, and maintain a locked-down environment tailored to specific business needs.
This method ensures flexibility while keeping management centralized within Intune, reducing the need for manual configurations. Whether deploying kiosks in retail, healthcare, or education, Shell Launcher offers a powerful alternative to Assigned Access, enabling seamless user experiences with enhanced security.
By following the steps outlined in this guide, you can successfully implement and maintain a Windows kiosk solution that meets your organization’s requirements. Stay updated with Microsoft’s evolving Intune capabilities to optimize and refine your kiosk deployment further.