Bagikan melalui


Kiosk device profile

Microsoft Managed Desktop allows you to configure devices as kiosk devices that restrict Windows to run either:

  • A single application (single-app) that runs full screen.
  • Multiple, pre-defined applications (multi-app) that appear as start screen tiles on the desktop.

Important

Currently, multi-app kiosk is only supported on Windows 10. Multi-app kiosk isn't supported on Windows 11.

Single-app kiosks are ideal for purpose-specific devices such as digital or interactive signage. Multi-app kiosks are appropriate for devices shared by multiple people and with few applications. You can have combinations of multiple single-app and multi-app Kiosk device profiles within your environment.

Kiosk devices are configured using the AssignedAccess CSP configuration service provider. The policies are enforced system-wide when the assigned access kiosk configuration is applied on the device.

Note

You'll need to wipe a device and reassign the device profile to remove all settings before a device is reassigned to a different user and/or assigned a different device profile. For more information, visit Policies enforced on kiosk devices (Windows 10/11).

The following high-level activities must be completed to enable kiosks for device management in Microsoft Managed Desktop. Administrators must:

  1. Create kiosk configuration profiles that meet their operational and user experience needs.
  2. Register or tag devices as kiosks with the service.
  3. Assign devices with the newly created profiles.

Microsoft Managed Desktop and the associated profile and tags will ensure that devices are kept up to date while respecting service windows and the lack of traditional interactive users and identities.

Step 1: Create kiosk configuration profiles in the Microsoft Intune admin center

Microsoft Intune includes a kiosk configuration as a template to help you create and modify these single-app or multi-app kiosk configurations for your business needs. You can configure them with the following steps:

To create the kiosk configuration profiles:

  1. Go to the Microsoft Intune admin center.
  2. Go to Devices > Configuration Profiles > + Create Profile.
    1. For the Platform, select Windows 10 and Later.
    2. For the Profile Type, select Templates and Kiosk.
    3. Select Create.
  3. In the Basic Settings tab, enter the following information:
    1. Name: Provide a suitable profile name
    2. Description: Provide a suitable profile name
  4. Select Next.
  5. Select one of the following options:
    1. Single-app, full-screen kiosk
    2. Multi-app kiosk
  6. Complete the required and desired configuration options based on the kiosk mode selected. For more information, see kiosk settings for Windows 10/11 in Microsoft Intune.
  7. Select Next.
  8. Assign the desired device groups to each configuration profile you created. Your kiosk device(s) registered with Microsoft Managed Desktop must also be a member of one of the device groups for each profile.

Step 2: Register devices as kiosks in Microsoft Managed Desktop

For Microsoft Managed Desktop to fully manage devices, the devices must be registered. Microsoft Managed Desktop supports two device registration methods:

Device profile Autopilot group tag (standard mode)
Kiosk device profile Microsoft365Managed_Kiosk

Microsoft Managed Desktop applies a standardized naming convention format, Kiosk-%RAND:9%, when devices are registered into the service. A self-deploying Autopilot profile is assigned to all kiosk devices. The device will be automatically enrolled into Intune and joined to Microsoft Entra ID as part of the device registration process.

Note

You'll need to wipe a device or reassign the device profile to remove all settings before a device is reassigned to a different user and/or assigned a different device profile. For more information, visit Policies enforced on kiosk devices (Windows 10/11).

Step 3: Assign kiosk configuration profiles to devices or device groups

Once kiosk configuration profiles have been created and devices are assigned with the Kiosk device profile in Microsoft Managed Desktop, the Kiosk device profile must be assigned to devices or device groups.

To reassign the kiosk device profile:

  1. Go to the Microsoft Intune admin center.
  2. Navigate to Devices > Microsoft Managed Desktop > Devices.
  3. Find and select on the desired device(s).
  4. In Devices action, select Device Actions.
  5. For the New device profile, select Kiosk Device Profile.
  6. Select Change Profile, and then select Reset device.

Step 4: Optional. Create local users for Kiosk device profiles

If the user LogonType is Autologon, a local account is automatically created. This applies to each kiosk device where the user account will authenticate or sign into. The following instructions use OMA-URI and the Accounts CSP. Consult your security and IT architecture team for guidance.

Note

Using the OMA-URI to configure a local account will store the password in the Azure portal as plain text.

To create local users for kiosk device profiles:

  1. Go to the Microsoft Intune admin center.
  2. Go to Devices > Configuration Profiles > Create Profile.
  3. For the Platform, select Windows 10 and Later.
  4. For the Profile Type, select Templates and Custom.
  5. Select Create.
  6. In the Basic Settings tab, enter the following information:
    1. Name: Provide a suitable profile name
    2. Description: Provide a suitable profile name
  7. Select Next.
  8. In the Configuration settings tab, select Add. Then, enter the following information:
    1. Name*: Enter your username
    2. Description: Provide a suitable row description
    3. OMA-URI*: ./Device/Vendor/MSFT/Accounts/Users/TestUser/Password. TestUser is your username.
    4. Data Type*: String
    5. Value*: Any valid or preferred password
  9. Select Save.
  10. In the Scope Tags section, select Next.
  11. In the Assignment Tags section, select Next.
  12. In the Applicability Rules section, select Next.
  13. In Review + Create, select Create.

Add apps to the Enrollment Status Page

If there are applications you need for the full kiosk experience, you may add them to the Modern Workplace Kiosk device profile Enrollment Status Page to meet your business needs.

For more information about best practices, see Selecting required apps for your Enrollment Status Page to block only apps that are required for the full kiosk experience.

Important

Don't remove any Microsoft Managed Desktop applications included in the ESP (enrollment status page) configuration.

Known issues

Known issue Description
Multi-app kiosk is only supported on Windows 10 For more information, see Kiosks aren't supported on Windows 11.
Multiple monitors The use of multiple monitors isn't supported for multi-app kiosk mode.
Unable to save the kiosk configuration profile, when the user logon type is Microsoft Entra user or group. This issue occurs when the selected Microsoft Entra user group has multiple users, and the application type is NOT the Microsoft Edge browser. The error Unable to save due to invalid data. Update your data then try again. Single Fullscreen UWP app configuration accepts only one user or type Autologon, local user or Microsoft Entra user is displayed.
The configuration profile will report as "Error" when viewing within the Microsoft Intune admin center When using the Accounts CSP to configure a local account on the device, the configuration profile will report as "Error" when viewing within the Microsoft Intune admin center, even when configured successfully and the account is created on the device.
Single-app kiosk and multi-app profiles may not apply accurately Single-app kiosk and multi-app profiles may not apply accurately, or CSP displays errors when the User Logon Type is Microsoft Entra group, and the Microsoft Entra group has multiple users. As a workaround, add Select Logon type as the Microsoft Entra user or group, and add individual accounts to the list.
Microsoft Office apps don't launch in kiosk mode. This issue occurs when there's a mismatch in the Application Model User ID(AUMID). Use the Add Win 32 apps option to configure apps. For more information on how to find the AUMID, see Find the Application User Model ID of an installed app.

Best practices

To add the latest Microsoft Edge browser to the multi-app kiosk configuration, Microsoft Edge must be included using the Add Win32 app option. Selecting the Add Microsoft Edge button will install the legacy Microsoft Edge browser.

Fix Kiosk mode issues

Issue Workaround and/or information
General tips For more information about general tips, see Troubleshoot kiosk mode issues (Windows 10/11).
Users are automatically signed out or can't sign into Windows 10 computers with the multi-app profile assigned For more information, see Users can't log on to Windows 10 computers with multi-app Kiosk device profile assigned.