Single App, Full Screen Kiosk Setup with Intune

Photo of author
Jatin Makhija
0

In this post, I will demonstrate single app, full screen kiosk setup with Intune. Kiosk Mode on Windows 11 locks a device to run only a specific app (single-app kiosk) or a selected set of apps (multi-app kiosk). It is ideal for shared, task-focused devices like reception desks, point-of-sale, digital signage, exam stations, or self-service terminals.

This post is focused on single app, full screen kiosk mode. A single-app kiosk uses Windows Assigned Access to launch only one app in full screen mode and keep the user locked to that app. If a user exit out of the app, it will restart automatically. You can use either a single Universal Windows Platform (UWP) application or Microsoft Edge browser with this mode.

Prerequisites

  • App type: For single-app via the Intune Kiosk template, you can select either Microsoft Edge or a Store/UWP app. If you need a classic Win32 app as the shell, that’s a Shell Launcher scenario, not Assigned Access.
  • Windows editions: Windows 10/11 Pro, Enterprise (incl. LTSC), Education, or IoT Enterprise.
  • User account control must be enabled and sign-in must be at the local console. Assigned Access is not supported over Remote Desktop.
  • Device management: Windows device enrolled in Intune.
  • Account type you’ll use for the kiosk session: Auto-logon local account, a specified local standard account, or a Microsoft Entra user/group.

Single App, Full Screen Kiosk Setup

Follow below steps to setup singe app, full screen kiosk mode setup using Intune.

  • Sign in to the Intune admin center > Devices > Configuration > + Create > New Policy.
  • Platform: Windows 10 and later, Profile type: Templates, Template name: Kiosk.
Single App, Full Screen Kiosk Setup
  • Basics tab: Provide a name and description for the profile and click Next.

Configuration settings

Configuration settings tab is where you will configure the kiosk mode settings. This incudes selecting a kiosk mode, user logon type, Application type, kiosk mode URL and other related configuration. Let’s explore each of the settings and configure it for a single app kiosk mode.

  • Select a kiosk mode: Select either Single app, full screen kiosk or Multi app kiosk mode for this option. As I am focused on single app full screen mode in this post, I will select this option.
  • User logon type: Choose from any of the below options:
    • Autologon: Use this when you don’t want users to manually sign in to the kiosk device. A standard local user account named kioskUser0 will be automatically created and used for autologon process.
    • Local user account: Provide the name of the local user account which will be used to sign in to the kiosk device. It’s recommended to use a standard local user account which has least privileges.
    • Microsoft Entra user or group: Choose Entra ID user or group who will be allowed to sign in to the device in kiosk mode. You can add multiple users or groups here.
  • Application type: Below options are available for application type drop-down. You can choose the option as per your business requirement.
    • Add Microsoft Edge browser
    • Add Microsoft Edge legacy browser
    • Add Kiosk browser
    • Add store app
  • Edge kiosk URL: Enter the default URL which will open when edge browser will start.
  • Microsoft Edge kiosk mode type: Edge browser can operate in one of the below two modes in kiosk mode. Select the option as per your reuquirement:
    • Digital/Interactive Signage (InPrivate): When you choose this option, kiosk mode is configured to open a URL in full-screen mode by default. The URL you specify in the Edge Kiosk URL field while creating the single-app, full-screen profile will automatically launch when the kiosk session starts.
    • Public Browsing (InPrivate): When you use this option, it launches a limited multi-tab version of Microsoft Edge. Unlike the Digital/Interactive Signage option, this mode allows users to browse other public websites. If the browser is closed, it will automatically restart and load the URL specified in the Edge Kiosk URL field.
  • Refresh browser after idle time: Browser will reload automatically after the idle time specified in this field. You can enter a value from 0-1440 minutes. I have added a value of 30 which means if there is no activity on the device for 30 minutes, browser will automatically refresh.
  • Specify Maintenance Window for App Restarts: Specify the maintenance window for app updates.
    • Maintenance Window Start Time: Provide the date and time to check for app updates that require restart. If you do not configure maintenance window, then app will restart at a random time 3 days after the app update is installed.
    • Maintenance Window Recurrence: Select when you want to check for app updates. Microsoft recommends keeping this option set to Daily.
Single App, Full Screen Kiosk Intune configuration settings
  • Scope tags (optional): A scope tag in Intune is an RBAC label you add to resources (policies, apps, devices) to limit which admins can see and manage them. For more Information, read: How to use Scope tags in Intune.
  • Assignments: Assign the policy to Entra security group that contains the kiosk Windows devices. As a best practice, pilot with a small set first; once validated, roll it out more broadly. For guidance on assignment strategy, see Intune assignments: User groups vs. Device groups.
  • Applicability Rules (optional): Add the rules for applying this policy. For example: Assign this profile only if the OS edition is Windows 11 Enterprise. Intune will only apply the profile to devices that meet the combined criteria of these rules.
  • Review + create: Review the deployment summary and click Create.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.

End User Experience

After the policy has been applied successfully, you will find a standard local user account called kioskUser0 created on the target computer. To check and confirm, launch Computer Management > Local Users and Groups > Users and check if the account exists.

kioskUser0 user account

We have configured an Autologon type of kiosk profile, which automatically signs in to the computer using the kioskUser0 account. The automatic sign-in will occur every time the computer restarts. Below screenshots show both types of single-app Microsoft Edge experiences: Digital/Interactive Signage (InPrivate) and Public Browsing (InPrivate).

  • Digital/Interactive Signage (InPrivate): When you choose this option, kiosk mode is configured to open a URL in full-screen mode by default. The URL you specify in the Edge Kiosk URL field while creating the single-app, full-screen profile will automatically launch when the kiosk session starts.
  • Public Browsing (InPrivate): When you use this option, it launches a limited multi-tab version of Microsoft Edge. Unlike the Digital/Interactive Signage option, this mode allows users to browse other public websites. If the browser is closed, it will automatically restart and load the URL specified in the Edge Kiosk URL field.
Digital/Interactive Signage (InPrivate) vs Public Browsing (InPrivate)

Users can click End Session button located in the top-right corner of the browser. When you click End Session, a pop-up message appears indicating that ending the session will clear all browsing data (including history, cookies, and downloads) and restart Microsoft Edge. If the device remains idle for more than 30 seconds, the browsing data will be cleared automatically.

End Session button in Edge kiosk mode

Difference between Digital Signage and Public browsing

Below table lists the difference between digital signage and public browsing option.

You can configure Edge policies listed in the table #support-policies-for-kiosk-mode to enhance the kiosk experience for the Microsoft Edge kiosk mode.

FeatureDigital SignagePublic Browsing
InPrivate Navigation
Reset on inactivity
Read-only address bar (policy)
Delete downloads on exit (policy)
F11 blocked (enter/exit full-screen)
F12 blocked (launch Developer Tools)
Multi tab support
Allow URL support (policy)
Block URL support (policy)
Show home button (policy)
Manage favourites (policy)
Enable printer (policy)
Configure the new tab page URL (policy)
End session button (only available in single-app scenario)
All internal Microsoft Edge URLs are blocked, except for edge://downloads and edge://print
CTRL+N blocked (open a new window) – (only available in single-app scenario)
CTRL+T blocked (open new tab)
“Settings and more (…)” will display only the required options
Restrict the launch of other applications from the browser
UI print settings lockdown
Set the new tab page as the home page (policy)

Leave a Comment

Step-by-Step Guides: Setup /Troubleshooting/Configuring Solutions for Intune, Microsoft 365, Windows 365, PowerShell, Windows, Azure, and other Cloud Technologies.

About the author
Contact Us
Privacy Policies
Comment Policies
Cookie Policies

Enter your email address to subscribe to this blog and receive notifications of new posts by email.