Hello welcome to Steve and Adam show, Best show on youtube
Thx for sharing this topic and great work in general. I would like to add a few things regarding this topic. If you want to really set up a kiosk machine, then you also have to build a deployment profile. You can only use self-deploying mode with Standard user account type. I think it's also good practice to use groups with dynamic rules (with Group Tags) so you can easily differentiate and sort PCs/laptops/kiosk/etc. There are also a lot of things regarding win32 apps (proper config, switches), little things that can go wrong. Thank you again for great work!
This is what I am doing and what I was suggesting in a prior video. Another great video guys and I was able to figure out most of the parts I had issues with. The tricky part is making sure the application you are attempting to use for kiosk is registered with shell:AppFolder and view the AUMID via adding a column. One of my apps was calling chrome_proxy.exe which is not registered with an AUMID, therefore it was being blocked. Additionally, I may look at using the Azure AD account login kiosk too for Student print labs and maybe we can move away from deepfreeze. Thanks again. Looking forward to the next video.
Also for anyone who is looking to use kiosk, the default profile name is C:\Users\kioskUser0. This helped a lot with PS scripting :)
Gents. Thanks for staying true to the reality of IT process.
Thanks for the video, sound is awesome now
Thanks! Steve finally figured out what he was doing wrong! :-)
I dunno if you've heard about the bug in tasksched where when you've got tasks set to run between 12 AM - 1 AM, they will break when transitioning into (or out of) Daylight Savings Time. I've encountered this once on a Win2k12R2 RDS server on Azure. Who knows what other scenarios can fall victim to that bug. So you're right to be superstitious about that Steve.
Great job on the videos guys. Thanks very much for the nice content.
I would go with Steve on that one, 12:00 am or pm always confused me as a French guy, thanks for clarifying that :D
Something important to note here. If the device you want to apply the kiosk policy to is co-managed, ensure that your co-management settings allow configuration policies to be applied from InTune. Or, if you're in a Co-Management POC state, ensure the device is in the Pilot collection. Also I read elsewhere that to use Auto-Logon the device has to be purely Azure AD joined and not a hybrid device. That is not true, I was able to successfully use auto-logon with a hybrid device that was On-Prem AD Joined and Azure AD registered.
Note that AAD logon for the Multi-App Kiosks configuration doesn't work with MFA enabled on those AAD accounts. Oh, and you may have to set up a power settings configuration profile for devices that need to remain on display (signage).
For multi app kiosk mode, the Add Microsoft Edge option is not there anymore in Intune Kiosk mode policy. Any reason why that would be?
Is there maybe a way to make a kiosk / thin client workstation with Intune? Because you can only add applications and your mstsc rdp file is not an application, so I'm stuck.
Great vid. Hey, If I wanted to turn a pc into kiosk mode, what user account should I initially log Windows into? Should I make a user named "kiosk" and sign in with that? Does that user account need any type of license?
How do I enforce tablet mode for Kiosk devices? I am unable to access regedit or start menu etc and can not see the settings in a configuration profile.
Hi, pls is there a way to make this policy work in Kiosk Mode? I have tried with Google Chrome & Microsoft Edge web app policies. It works okay in Standard user mode, but once I switch to kiosk mode, the app I created a desktop icon for is nowhere to be found. Is there a way around this?
Hi, is Kiosk mode a device-based policy or can it be a user-based policy? Can it be applied only to a particular user? The device is a multi-user device. Only a particular user gets kiosk mode? Possible? Thanks.
Hi, I cannot understand why kiosk mode needs Autopilot.
Can you explain why?
Is it possible to have kiosk mode without Autopilot and PC reset?
Thanks
Can I also ask if you need to deploy the company portal in this configuration? Your device seems to be registered in Intune whereas when I am doing this the device is installed in Azure AD. I therefore do not get the option to sync the device either from Intune or from the device itself. My device is Azure AD joined. The device is in a security group created in Azure. This group is assigned to the Kiosk policy. Nothing is happening. Am I missing a step?
Is there a way to allow users access to USB storage while in Kiosk mode? I'm trying to configure some public terminals to allow customers to upload files to a website but I can't get access to the USB storage.
Great video. Just wondering whether you can break down User logon type a little bit more. If you select Auto logon, it says it will automatically sign in a guest account. Do you need to define this service account somewhere? Also if you select this Auto logon option, can you log out of Kiosk computer and log in as AAD user or local account if needed? On the other hand, if you select Local Account, it gives you a space below to define user logon name. But where do you create the password for the local account? Thank you very much!
Auto logon creates a local account (think called kiosk) and then auto logs on with that. When you log on with another account, kiosk mode won't apply. Don't think there is a password for the local account it creates - think it leaves it blank.
That problem at 8:50 ! How do you fix it?
Hi, need a little help here. It looks like Intune defaults to the browser being Edge. What if I wanted to create a single app kiosk with the default browser that opens as Chrome? What is the best configuration setup to do this if it is possible? Thanks!
How do you auto update kiosk Zoom Rooms in Intune?
I've created a kiosk config profile and now it prompts me to change the password for the user account "Kiosk". I can't leave this field blank, because it needs a password it says. How to avoid this?
Here is a question for you. My company created a Kiosk system to deploy. Well the issue that seems that no one can figure out is why on some computers Kiosk will deploy nice and smoothly but on other computers Kiosk never finishes deploying after putting the computer into the group. Can you please give me some guidance on where the trouble might be?
Is it possible to deploy kiosk mode configurations via InTune to Windows machines not on AD? Or is manually through settings the only way unless added to AD?
Intune can apply the settings to Hybrid Azure AD joined and Azure AD joined machines. So if your device is managed by Intune you can apply settings to it.
What do you do if nothing here works? Shows the configuration policy applied to device. Reboot and sits waiting for me to login
Hi can you guys advise if the computer has to be purely Azure AD joined or if it can be a device synced from on prem AD(Hybrid)? There seems to be conflicting info online about this.
Great show as always - have many scenarios in the company where this would be a game-changer once implemented. If it would only work .. that'd be great. :}
I have everything working for the multi app kiosk profile, except for the autologin. I cannot get it to autologin with a domain account I setup. Anyone have any luck with this?
Thank you for this great video! Is the 'Add Microsoft Edge browser' Application Type using the 'old' Edge? On a pc with the Edge Chromium this did not work in my Lab.
May I know the minimum prerequisites for a device to become a KIOSK device?
Great video. Problem I'm experiencing is that the Kiosk profile does not auto login. I would also like to download content from the web via Edge Browser but I'm not able to. Any suggestions greatly appreciated.
I tried this before, and tried today following this video, but my computers don't boot into kiosk, they just prompt for user login???
The configuration policy does take, I've also removed other policies, and the Kiosk browser app is deploying. Also, when I start the Kiosk browser it opens the webpage I've configured....
I'm not running on a WM. The OS is W10 Pro 1909.
I tried Multi-App kiosk using Assigned Access on WCD but it fails every time. And I'm trying to make MS Teams and Zoom the kiosk main apps. 😅 fails like hell.
I finally got enrollment and Intune management running and was able to reset a PC remotely. I can see apps in Company Portal etc.
However my Kiosk profile isn't working at all. I have to login as the kiosk user, but still nothing runs automatically.
Followed your guys lead to the letter.
Do you still need help with Kiosk mode?
@ArcusLabProjects I do
@CruzGaming7o3 you need self deployed profile, TPM 2 and kiosk configuration. I can work with you on this more, if you wanna share your contact info
Hello,
thx a lot for the videos! I really enjoy them. :)
I do have a problem with updating my Win32 apps in the kiosk profile. We want to bulk update our devices with a new version of a Win32 app. This works fine when logging in as admin on the device. However, it does not work with the logged-on kiosk profile. Is there any option to update the apps without logging into the administrative profile of Windows?
We have a workstation set up for Kiosk mode and each time the workstation goes in Kiosk mode on boot up, within 5 minutes and 44 seconds into it being in Kiosk mode, it reboots and no longer goes in Kiosk mode and it removes the autologin credentials. Any thoughts?
I would check to ensure that no other policies are being applied to the device and overriding the Kiosk settings.
Is there a way that I could set the kiosk as a domain user and make it auto login?
Yes. That’s an option in the Kiosk policy.
My kiosk mode works absolutely fine. It's been running for a month now. It was time to test more on it. So, I used autopilot reset command from Intune portal, it starts resetting, but it doesn't bring the device back into kiosk mode, instead it's asking for credentials. No associated user to device. Can anyone help?
Anyone have issues downloading files from the internet using multi-app assigned access? It seems like an inability to scan files and thus blocking them, but I haven't been able to identify what exe to allow list or what GPO to change.
Hello, need help to set up multi app kiosk mode for TeamViewer and Edge browser from Intune, with steps.
Please help us with making this profile from Intune.
Hey Steve and Adam, really appreciate your initiative in training us INTUNE. Just wanted to ask if you can also add some small videos on how to configure and add VPN connections within MDM (iOS\Android). Searched through most forums, still not finding any. Hope u can sort this one quick.
We don't have the infrastructure in our lab to demo this. However, here are the Microsoft docs on the topic.
docs.microsoft.com/en-us/intune/configuration/vpn-settings-configure
I have never seen Kiosk mode working, EVER. I have never seen anyone from Microsoft actually demonstrate the technology working, but I have struggled with it so long that I have it working reliably myself using shell launcher. The 'newer' stuff simply does not work.
Thanks for great guides, could you do one about deploying computer certs from an onprem AD CA?
What specifically are you looking for? Have you checked out setting up NDES? We don't have an on-prem infrastructure in our lab to test that we could demo this on. This post looks like it covers it pretty well.
techcommunity.microsoft.com/t5/intune-customer-success/support-tip-how-to-configure-ndes-for-scep-certificate/ba-p/455125
Guys, have you been successful getting Citrix Store app (Offline) working in Multi-App Kiosk mode? Though it is installed fine for me, ICA doesn't launch. There are no error messages at all.
Have you tried adding ICA to the allowed app list?
Great video - got multi app kiosk mode running for an AAD account (needs to be able to browse SharePoint), but has anyone got any idea of how to auto logon the PC with an AAD account - is it even possible? Tried the reg changes (autoadminlogon, defaultusername/password), but that made no difference. Nor did Autologon from Sysinternals unfortunately. Appreciate probably by design given the security risks, but need it in our scenario. Thanks all.
Hello and thnx for the video, but I am stuck on the BLUE screen after the KIOSK user logs in (same as in your video). Need some tips 😊 thnx in advance
I did some more testing after the video and found that I had mis-configured the policy, though I can't recall what exactly the issue was with it. If I get back to it I'll let you know.
Two-part solution:
Make sure your configuration profile installed the proper apps (like Edge) when it enrolled in Intune. If the device doesn't have the app it can't run the profile.
I ran a system reset and the apps installed. Then I got to the Edge browser, but no kiosk.
The next answer is written in the info tips in Intune, but it's not obvious.
You have to create another profile for Edge. Set the Profile Type to "Device restrictions". Set the settings for Edge browser, save, and assign the profile to the same groups/users as the Kiosk profiles.
Without this part you'll either get a blue screen or a white screen with some info about Microsoft's browser policy.
Adam: "The rest of the world has this one down..."
ME: So... AM is like after midday, and PM is like past midnight, or is it after midnight and past midday... I'll just Bing that... You're just getting on board with the metric system, why not do a proper 24 hour clock as well...
07:46 min: the rest of the world uses 24H clock... and it's damn annoying that you can't change Intune clock to 24H.
11am is not midnight, that's literally almost noon.