Intune Multi App Kiosk with AppLocker

Leo Wang 6 Reputation points
2022-04-14T06:12:49.817+00:00

Hi,

TLDR, can we run Multi-App Kiosk on Win10 without the AppLocker?

When you create a Multi-App Kiosk profile for Win10, the AppLocker automatically turns on and you will need to whitelist all the apps.

We have configured Zoom Rooms with such settings. The problem is, that AppLocker keeps popping up from time to time. It seems like different rooms with different peripherals will trigger different executables due to software/driver.

So apart from allowing the main Zoom Rooms executable, we keep adding dozens of executables; god knows what they are. We just grab them from the AppLocker logs.

The problem is it keeps happening, especially after a Zoom Rooms app update or Windows Update (which might update peripheral drivers).

Is there a different way of configuring a Zoom Rooms kiosk?
Would it be better to configure it as a Single App kiosk and not worry about any other software (for mics, cameras, etc.)?

I do understand the limitation that when you configure a Zoom Rooms PC, it requires you to have an account with Local Admin.

When I deploy this via Intune, I am using the log-on type "Auto Log-on", not Local Account or AAD Account.
The "Auto Log-on" creates a default local user called KioskUser0 (not an admin).
It came from the Windows Assigned Access era and the PC just logs on without any password.

This is also kind of related to an old thread by another user.
But this thread is looking for ways of configuring rules for AppLocker.
I am looking for ways to get rid of AppLocker.

https://social.technet.microsoft.com/Forums/en-US/371a5194-cbc9-446b-a99d-52c516d1072d/intune-kiosk-and-applocker?forum=microsoftintuneprod

Thanks.

Microsoft Security | Intune | Configuration

2 answers

  1. Lu Dai-MSFT 28,516 Reputation points
    2022-04-15T03:23:51.103+00:00

    @Leo Wang Thanks for posting in our Q&A.

    For this issue, it seems to be a default behavior. If you want to avoid AppLocker popping up, it is suggested to try to find the background processes that need to be called for the foreground app and then add the background process path to the list allowed by the kiosk profile.

    Step 1: Find the background processes that need to be called for all foreground apps. (Take Adobe for example)
    Install Process Monitor in kiosk mode, open each foreground app, collect the procmon log, and check the corresponding "Access Denied" records in the log. Then add the corresponding paths to the kiosk profile as Win32 apps. In this way, the blocked processes can be located more accurately.

    Step 2: Add allow lists to the kiosk profile.
    We can use the default UI. For example, Adobe needs to call a background process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe. So, we need to add this path to the allow list as a Win32 app.

    Honestly, I'm not sure if a single app kiosk will get rid of AppLocker. It is suggested to try it and check if it works differently from Multi App Kiosk.

    Thanks for your understanding.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
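
The question describes pulling blocked executables out of the AppLocker logs by hand. As an added example (not code from this thread or from Microsoft), the PowerShell below collapses AppLocker "blocked" events into one row per file with its signer, hit count and last occurrence, so each path can be reviewed before it is added to the kiosk allow list. The vendor, paths and timestamps in `$sample` are constructed, and the commented live query assumes the kiosk's blocks are logged as event ID 8004 in the standard `Microsoft-Windows-AppLocker/EXE and DLL` channel.

```powershell
# Summarise AppLocker "blocked" events (ID 8004) into one row per blocked file.
function Get-BlockedFileSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)

    $rows = foreach ($raw in $EventXml) {
        $evt  = ([xml]$raw).Event
        $data = $evt.UserData.RuleAndFileData
        [pscustomobject]@{
            Time      = [datetime]$evt.System.TimeCreated.SystemTime
            FilePath  = $data.FilePath
            # Fqbn is "PUBLISHER\PRODUCT\FILE\VERSION", or "-" when the file is unsigned
            Publisher = if ($data.Fqbn -eq '-') { '(unsigned)' } else { ($data.Fqbn -split '\\')[0] }
        }
    }

    $rows | Group-Object FilePath | ForEach-Object {
        [pscustomobject]@{
            FilePath  = $_.Name
            Publisher = $_.Group[0].Publisher
            Count     = $_.Count
            LastSeen  = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    } | Sort-Object Count -Descending
}

# Constructed sample events (hypothetical vendor, paths and times), trimmed to the fields used.
$template = '<Event><System><EventID>8004</EventID><TimeCreated SystemTime="{0}"/></System>' +
            '<UserData><RuleAndFileData><FilePath>{1}</FilePath><Fqbn>{2}</Fqbn>' +
            '</RuleAndFileData></UserData></Event>'
$signed = 'O=EXAMPLE VENDOR, C=US\CAMERA SUITE\CAMERAHELPER.EXE\1.2.0.0'
$sample = @(
    $template -f '2022-04-14T06:12:49Z', '%PROGRAMFILES%\ExampleVendor\CameraHelper.exe', $signed
    $template -f '2022-04-15T03:23:51Z', '%PROGRAMFILES%\ExampleVendor\CameraHelper.exe', $signed
    $template -f '2022-04-15T04:00:00Z', '%OSDRIVE%\ExampleDriver\MicTray.exe', '-'
)

Get-BlockedFileSummary -EventXml $sample | Format-Table -AutoSize

# On a kiosk, feed it the live log instead of $sample:
# $live = Get-WinEvent -FilterHashtable @{
#     LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004
# } | ForEach-Object { $_.ToXml() }
# Get-BlockedFileSummary -EventXml $live
```

Rows marked `(unsigned)` have no publisher information in the event, so they deserve a closer look before being allow-listed by path.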


  2. Anonymous
    2022-07-06T13:19:59.417+00:00

    Hi @Lu Dai-MSFT  
    How to install process monitor on Kiosk?
