
Windows 10 Kiosk mode with intune

This blog describes how to configure a Windows 10 kiosk client that is deployed and managed by Intune.
The kiosk mode in this blog is designed to:
– Allow users to browse the web with Edge
– Allow users to open and work in a Citrix VDI session

Requirements:
– A tenant with an Intune licence
– A self-deploying Autopilot profile

With that covered, let's dive into the actual kiosk configuration.

Kiosk profile:
First we need to create the actual kiosk profile.
You can do this with the Kiosk template from the configuration profiles.
I configured the settings in the profile like this:

Select a kiosk mode: Multi app kiosk
Target devices running…..: No
User logon type: Auto logon
Browsers and Applications:
I don't know whether all of the Citrix executables are required for correct operation, but I added them anyway.

Name: Microsoft Edge
Type: Win32 App
Settings:
AUMID/PATH: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
DesktopApplicationId: MSEdge
Autolaunch: Yes

Name: Citrix CDViewer
Type: Win32 App
Settings:
AUMID/PATH: C:\Program Files (x86)\Citrix\ICA Client\CDViewer.exe
DesktopApplicationId: 7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E
Autolaunch: No

Name: Citrix wfica32.exe
Type: Win32 App
Settings:
AUMID/PATH: C:\Program Files (x86)\Citrix\ICA Client\wfica32.exe
DesktopApplicationId: 7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E
Autolaunch: No

Name: Citrix wfcrun32.exe
Type: Win32 App
Settings:
AUMID/PATH: C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
DesktopApplicationId: 7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E
Autolaunch: No

Use alternative start layout: Yes
My start layout XML:

<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1"
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout">
    <LayoutOptions StartTileGroupCellWidth="6" />
    <DefaultLayoutOverride>
        <StartLayoutCollection>
            <defaultlayout:StartLayout GroupCellWidth="6">
                <start:Group Name="Kiosk Browser">
                    <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
                </start:Group>
            </defaultlayout:StartLayout>
        </StartLayoutCollection>
    </DefaultLayoutOverride>
</LayoutModificationTemplate>

Windows Taskbar: Show
Allow access to downloads folder: Yes
Specify maintenance….: Not configured
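Once the profile has applied, it is worth checking on the device itself that the allow list contains exactly the four executables configured above and nothing more. The following is an added example, not code from the original post: it reads the assigned-access configuration that Intune applied through the MDM bridge (the MDM_AssignedAccess class stores the XML HTML-encoded) and compares its allow list with the expected paths. It has to run elevated on the kiosk device; the expected paths are the ones used in the profile, and anything reported under Extra widens the kiosk beyond what was intended.

```powershell
# Added example (not from the original post): compare the applied kiosk allow list
# with the apps configured in the Intune kiosk profile. Run elevated on the kiosk device.

function Get-KioskAllowedApps {
    # The MDM bridge exposes the applied AssignedAccess XML (HTML-encoded) in this class
    $obj = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_AssignedAccess' -ErrorAction Stop
    if (-not $obj.Configuration) { throw 'No AssignedAccess configuration is applied on this device.' }
    [xml]$cfg = [System.Net.WebUtility]::HtmlDecode($obj.Configuration)
    # local-name() keeps the query independent of the schema namespace version
    $cfg.SelectNodes("//*[local-name()='AllowedApps']/*[local-name()='App']") | ForEach-Object {
        if ($_.DesktopAppPath) { $_.DesktopAppPath } else { $_.AppUserModelId }
    }
}

function Test-KioskAllowList {
    param([Parameter(Mandatory)][string[]]$Expected)
    $actual  = @(Get-KioskAllowedApps)
    $missing = $Expected | Where-Object { $actual -notcontains $_ }
    $extra   = $actual   | Where-Object { $Expected -notcontains $_ }
    [pscustomobject]@{
        Ok      = (-not $missing) -and (-not $extra)
        Missing = @($missing)
        Extra   = @($extra)   # anything listed here is allowed on the kiosk but was not configured
    }
}

# The four entries configured in the kiosk profile above
$expected = @(
    'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe',
    'C:\Program Files (x86)\Citrix\ICA Client\CDViewer.exe',
    'C:\Program Files (x86)\Citrix\ICA Client\wfica32.exe',
    'C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe'
)
Test-KioskAllowList -Expected $expected | Format-List
```

If Ok comes back false, the Missing and Extra lists show which side of the allow list differs from the profile; a path that differs only because Citrix was installed to another folder will show up as one Missing and one Extra entry.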

File Association
This policy sets Citrix Workspace as the app for opening .ica files.
Profile Type: Templates
Category: Custom
Name: Something reasonable
OMA-URI:
./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration
Data type: String
Value: the XML below, encoded as Base64

The value is actually an XML file encoded as Base64. You can do that on a site such as https://www.base64decode.org/ (the XML contains nothing secret), although encoding it locally in PowerShell avoids pasting configuration into a third-party website. My XML looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier=".cr" ProgId="AppX4cts7ftpjvyx6xf1gc8j90s21fbgagax" ApplicationName="Citrix Workspace" />
  <Association Identifier=".ica" ProgId="AppX3dtxckff55xdffa41g2r48z8zbzq2gc2" ApplicationName="Citrix Workspace" />
  <Association Identifier="citrixrcvssp" ProgId="AppXfvsr4bkv1v659absj8c6kz4gx29xs8gp" ApplicationName="Citrix Workspace" />
</DefaultAssociations>

Edge Settings
Profile Type: Templates
Category: Administrative templates
Configuration settings:
Sites to open when the browser starts: your desired site / storefront
Action to take on startup: Enabled – Open a list of URLs
URLs where AutoOpenFileTypes can apply: your desired site / storefront
Configure the home page URL: your desired site / storefront
List of file types that should be automatically opened on download: ica (only ica without ".")
Hide the First-run experience and splash screen: Enabled

Keep the "URLs where AutoOpenFileTypes can apply" list limited to the StoreFront site. Auto-opening .ica files from every origin would let any website the user browses to hand the Citrix client a connection file.

Block User Logins
The kiosk device should not be used by personal user accounts; among other things, an interactive logon by another user can break the kiosk policy and leave the device unusable, so I created a restriction on who may log on.

Profile Type: Templates
Category: Custom
Name: Something reasonable
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
Data type: String
Value: defaultuser0 and kioskUser0, joined by the U+F000 delimiter (see below)


I added defaultuser0 because device setup (OOBE/Autopilot) runs under that account and failed without it; kioskUser0 is the auto-logon account the kiosk profile creates.
The special character separating the usernames is very important: it is the U+F000 delimiter the UserRights CSP expects, it is invisible, and it is easily lost when copying. The safest way is to copy it from the following site, which is what I did:
https://jannikreinhard.com/2021/09/24/how-to-restrict-the-login-to-dedicated-users-with-intune/
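Both custom OMA-URI values on this page (the Base64-encoded file-association XML and the U+F000-delimited AllowLocalLogOn list) can be produced and checked locally instead of copied from a website. The following is an added example and not code from the original post: it validates the association XML before encoding it, round-trips the Base64 result, builds the logon value with the real delimiter, and prints the code points so the invisible U+F000 can be seen before the value is pasted into Intune. The account names and the XML are the ones used above; nothing else is assumed.

```powershell
# Added example (not from the original post): build and sanity-check the two custom OMA-URI values.

function ConvertTo-DefaultAssociationsValue {
    param([Parameter(Mandatory)][string]$Xml)
    # Fail early on malformed XML; a typo would otherwise only surface as a silent policy error
    [void]([xml]$Xml)
    # The CSP expects the raw XML Base64-encoded; UTF8.GetBytes emits no BOM, which is what we want
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Xml))
}

function New-AllowLocalLogOnValue {
    param([Parameter(Mandatory)][string[]]$Account)
    # The UserRights CSP separates multiple principals with U+F000, not with a comma or newline
    $Account -join [char]0xF000
}

function Test-AllowLocalLogOnValue {
    param([Parameter(Mandatory)][string]$Value, [Parameter(Mandatory)][string[]]$Expected)
    # Split on the delimiter; a value pasted without U+F000 comes back as one fused name
    $parts = $Value.Split([char]0xF000)
    $ok = ($parts.Count -eq $Expected.Count) -and -not (Compare-Object $parts $Expected)
    [pscustomobject]@{
        Ok         = $ok
        Principals = $parts
        # Listing the code points makes the invisible F000 delimiter visible
        CodePoints = ($Value.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
    }
}

$associations = @'
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier=".cr" ProgId="AppX4cts7ftpjvyx6xf1gc8j90s21fbgagax" ApplicationName="Citrix Workspace" />
  <Association Identifier=".ica" ProgId="AppX3dtxckff55xdffa41g2r48z8zbzq2gc2" ApplicationName="Citrix Workspace" />
  <Association Identifier="citrixrcvssp" ProgId="AppXfvsr4bkv1v659absj8c6kz4gx29xs8gp" ApplicationName="Citrix Workspace" />
</DefaultAssociations>
'@

# Value for ./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration
$b64 = ConvertTo-DefaultAssociationsValue -Xml $associations
# Round-trip check: what the device decodes must be exactly what we wrote
$decoded = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
if ($decoded -ne $associations) { throw 'Base64 round-trip failed' }
Write-Output "DefaultAssociationsConfiguration value:`n$b64"

# Value for ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
$logon = New-AllowLocalLogOnValue -Account 'defaultuser0', 'kioskUser0'
Test-AllowLocalLogOnValue -Value $logon -Expected 'defaultuser0', 'kioskUser0' | Format-List
Write-Output "AllowLocalLogOn value: $logon"
```

Run Test-AllowLocalLogOnValue again on whatever ends up in the Intune text box (paste it back into a variable): if the CodePoints output no longer shows F000 between the two names, the delimiter was lost on the way and the policy will contain one nonexistent account instead of two real ones.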

Power Settings
Since I don't want the kiosk devices to fall asleep or turn the screen saver on, I created the following policy.

Profile Type: Settings catalog
Category: Administrative Templates
Path: System -> Power Management -> Video and Display Settings
Values:
When plugged in, turn display off after (seconds): 0
On battery power, turn display off after (seconds): 0

Scripts:
I added a script that marks .ica as a low-risk file type so the browser on the kiosk device can download it without the attachment warning. Deploy it as a device script running in the system context (the Intune default), since it writes to HKLM. The original version exited without doing anything when the Associations key did not exist yet, which is the normal state of a freshly deployed kiosk, and it overwrote any file types already listed; this version creates the key and appends .ica instead.
My script looks like this:

# Define the registry key and the extension to mark as low risk
$RegKey = "REGISTRY::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations"
$Ext = ".ica"

# Create the key if it does not exist yet (on a fresh kiosk it usually does not)
if (-not (Test-Path $RegKey)) {
    Write-Host "Creating key - $RegKey"
    New-Item -Path $RegKey -Force | Out-Null
}

# Read the current list; LowRiskFileTypes is a semicolon-separated string
$Current = (Get-ItemProperty -Path $RegKey -Name LowRiskFileTypes -ErrorAction SilentlyContinue).LowRiskFileTypes
$Types = @()
if ($Current) { $Types = @($Current -split ';' | Where-Object { $_ }) }

# Only write when .ica is missing, and keep any entries that are already there
if ($Types -notcontains $Ext) {
    $Types += $Ext
    Write-Host "Updating LowRiskFileTypes to $($Types -join ';')"
    Set-ItemProperty -Path $RegKey -Name LowRiskFileTypes -Value ($Types -join ';') -Type String
} else {
    Write-Host "$Ext already listed, nothing to do"
}
Exit 0

Apps:
For the Citrix Workspace app I created a Win32 app, packaged with IntuneWinAppUtil.exe (the Microsoft Win32 Content Prep Tool), which you can find here:
https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool
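The packaging step is where the installer that will run as SYSTEM on every kiosk enters the pipeline, so it is the right place to check that the binary is what it claims to be. The following is an added example, not code from the original post or from the Content Prep Tool: it verifies the installer's Authenticode signature and records its SHA-256 before calling IntuneWinAppUtil.exe with its documented switches (-c source folder, -s setup file, -o output folder, -q quiet). The folders, the installer file name and the 'Citrix' signer-subject match are placeholders for your environment.

```powershell
# Added example (not from the original post): package the Citrix Workspace installer as a
# .intunewin file, refusing to package a binary whose signature is broken or from another publisher.

function Invoke-IntuneWinPackage {
    param(
        [Parameter(Mandatory)][string]$SetupFolder,     # folder containing only the installer
        [Parameter(Mandatory)][string]$SetupFile,       # e.g. CitrixWorkspaceApp.exe (placeholder)
        [Parameter(Mandatory)][string]$OutputFolder,
        [Parameter(Mandatory)][string]$ExpectedSigner,  # substring expected in the signer subject (assumption)
        [string]$Tool = '.\IntuneWinAppUtil.exe'
    )
    $installer = Join-Path $SetupFolder $SetupFile
    if (-not (Test-Path $installer)) { throw "Installer not found: $installer" }

    # Supply-chain check: valid signature chain and the expected publisher
    $sig = Get-AuthenticodeSignature -FilePath $installer
    if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status), not Valid" }
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    # Record the hash so the packaged file can be tied back to the binary that was reviewed
    $hash = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
    Write-Host "Packaging $SetupFile (SHA256 $hash, signed by $($sig.SignerCertificate.Subject))"

    # -c source folder, -s setup file, -o output folder, -q quiet
    & $Tool -c $SetupFolder -s $SetupFile -o $OutputFolder -q
    if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil failed with exit code $LASTEXITCODE" }

    # The tool names the package after the setup file
    $package = Join-Path $OutputFolder ([IO.Path]::ChangeExtension($SetupFile, '.intunewin'))
    [pscustomobject]@{ Package = $package; InstallerSha256 = $hash; Signer = $sig.SignerCertificate.Subject }
}

# Usage; paths and file name are placeholders
Invoke-IntuneWinPackage -SetupFolder 'C:\Packaging\CitrixWorkspace' -SetupFile 'CitrixWorkspaceApp.exe' `
    -OutputFolder 'C:\Packaging\Output' -ExpectedSigner 'Citrix'
```

Keep the returned SHA-256 with the app's change record; the same hash can be used as the detection or install-verification reference when the Win32 app is created in Intune.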

Optional Settings:
I also added a BitLocker encryption policy, a Windows Update ring and a compliance policy.
For the Windows Update ring I had to experiment with different settings. With some parameters my kiosk device turned into a shared device, or at least auto-logon stopped working and a logon screen asking for username and password was shown instead.

Anyway, these are the settings from my Windows Update ring:

Microsoft product updates: Allow
Windows drivers: Allow
Quality update deferral period (days): 7
Feature update deferral period (days): 14
Upgrade Windows 10 devices to Latest Windows 11 release: No
Set feature update uninstall period (2 – 60 days): 10
Servicing channel: General Availability channel

Automatic update behavior: Auto install at maintenance time
Active hours start: 8 AM
Active hours end: 5 PM
Restart checks: Allow
Option to pause Windows updates: Disable
Option to check for Windows updates: Disable
Change notification update level: Turn off all notifications, including restart warnings
Use deadline settings: Not configured

Afterword
I strongly recommend also implementing a security baseline and an antivirus policy.
In this scenario I didn't, because I was using third-party antivirus software, which also comes as a custom Win32 app and is assigned to the kiosk devices.