
Windows Autopilot / Intune – Kiosk Mode


In a post about a year ago, Windows Autopilot Deployment Scenarios, I mentioned the Windows Autopilot self-deployment mode for kiosk deployments. Let’s explore that in more detail…

Unlocking the Power of Intune Kiosk Mode: Secure, Streamlined, and Purpose-Driven Windows Devices

In today’s fast-paced digital environments, organizations often need to deploy Windows devices for very specific purposes—whether for frontline workers, public information kiosks, digital signage, or secure testing centers. Microsoft Intune’s kiosk mode offers an elegant solution, transforming standard Windows devices into dedicated, single-purpose terminals that restrict access to only the applications and features you specify. This not only enhances security and compliance but also simplifies the user experience, ensuring devices are used exactly as intended.

What Is Intune Kiosk Mode?

Intune kiosk mode is a device configuration feature that allows IT administrators to lock down a Windows device so that it can run only one application (single-app kiosk) or a curated set of applications (multi-app kiosk). This is ideal for scenarios where you want to prevent users from accessing the full Windows desktop, system settings, or unauthorized software. Instead, users interact with a streamlined interface tailored to their specific task—whether that’s checking in at a reception desk, browsing a limited set of information, or running a point-of-sale application.

By leveraging Intune’s cloud-based management capabilities, organizations can deploy, monitor, and update kiosk configurations remotely across multiple locations, ensuring consistent and secure device usage.

Key Use Cases for Kiosk Mode

  • Frontline Worker Devices: Empower employees with focused, distraction-free interfaces for their specific roles, such as retail, healthcare, or hospitality.
  • Public Kiosks: Deploy devices in lobbies, airports, or event spaces that provide information, wayfinding, or self-service options, while preventing misuse or unauthorized access.
  • Digital Signage: Display dynamic content or advertisements in a secure, tamper-proof environment.
  • Testing Centers: Ensure students or candidates can only access approved testing applications and websites, maintaining exam integrity and fairness.
  • Point-of-Sale (POS) Systems: Limit devices to running only POS software, reducing the risk of tampering or data breaches.

How to Configure Kiosk Mode in Intune

Setting up kiosk mode in Intune is a straightforward process, but it requires careful planning to ensure your devices are both secure and functional for their intended purpose. Here’s a step-by-step guide:

1. Create a Device Group

Begin by creating a new group in Intune to target the devices you want to configure in kiosk mode. This allows you to apply kiosk settings to a specific set of devices, making it easier to manage deployments across different departments or locations.

2. Create a Kiosk Mode Configuration Profile

Navigate to the Intune admin center and go to Devices > Configuration Profiles. Click + Create Profile and select Windows 10 and Later as the platform. For profile type, choose Templates > Kiosk. This will open a wizard to guide you through the configuration process.

3. Choose Single-App or Multi-App Kiosk

Select the type of kiosk mode that best fits your needs:

  • Single-App Kiosk: The device runs one application, typically in full-screen mode. This is ideal for highly restricted environments, such as digital signage or public information terminals.
  • Multi-App Kiosk: The device runs a limited selection of applications, which are accessible from a customized Start menu. This is useful for scenarios where users need to switch between a few approved apps, such as frontline worker devices or shared workstations.

4. Configure the Profile

Complete the required configuration options based on your chosen kiosk mode:

  • Specify the Application(s): Add the application(s) you want to allow. For multi-app kiosks, you can include Store apps, Win32 apps, and even web browsers with a specific homepage.
  • Customize the Start Menu: For multi-app kiosks, you can tailor the Start menu to display only the approved apps, removing access to other system features.
  • Set Up Restrictions: Configure additional restrictions as needed, such as blocking access to system settings, keyboard shortcuts, or the desktop.

5. Assign the Profile

Assign the kiosk mode configuration profile to the device group you created earlier. Once assigned, the profile will be applied to the targeted devices the next time they check in with Intune.

Key Considerations for Kiosk Mode

Single-App Kiosk

A single-app kiosk is the most restrictive option, locking the device into running one application—usually in full-screen mode. This is perfect for public-facing terminals or situations where you want to ensure users can only perform a specific task.

Multi-App Kiosk

Multi-app kiosks provide more flexibility, allowing users to access a predetermined set of applications. This is ideal for shared devices or environments where users need to switch between a few approved apps, such as a reception desk or a classroom.

Microsoft Edge Kiosk Mode

You can use Microsoft Edge in kiosk mode to create digital signage or public browsing experiences. This allows you to specify a homepage and restrict browsing to only approved websites, providing a secure and controlled web experience.

User Logon and Assigned Access

Intune allows you to configure automatic logon to a specific user account, ensuring the kiosk is always ready for use without requiring manual login. You can also use the Assigned Access feature to manage which applications and features are available to the user, further enhancing security and control.
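
One way to review a multi-app allow list before the profile is assigned, shown as an added example that is not part of the original post or Microsoft's own tooling. It assumes the allow list is available as Assigned Access configuration XML; the function name Get-RiskyKioskApp, the deny list and the sample XML are constructed for illustration.

```powershell
# Constructed sample input (not from a real tenant): a multi-app allow list.
$sampleXml = @'
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="{11111111-2222-3333-4444-555555555555}">
      <AllAppsList>
        <AllowedApps>
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <App DesktopAppPath="C:\Program Files\ExamplePOS\pos.exe" />
          <App DesktopAppPath="%windir%\System32\cmd.exe" />
          <App DesktopAppPath="%windir%\regedit.exe" />
        </AllowedApps>
      </AllAppsList>
    </Profile>
  </Profiles>
</AssignedAccessConfiguration>
'@

# Hypothetical deny list: tools that hand the kiosk user a general-purpose
# shell, script host or system editor. Adjust to your own policy.
$RiskyExecutables = @(
    'cmd.exe', 'powershell.exe', 'pwsh.exe', 'regedit.exe', 'mmc.exe',
    'taskmgr.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'
)

function Get-RiskyKioskApp {
    param([Parameter(Mandatory)][string]$Xml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)
    # local-name() keeps the query independent of the schema namespace version.
    $apps = $doc.SelectNodes("//*[local-name()='AllowedApps']/*[local-name()='App']")
    foreach ($app in $apps) {
        $path = $app.GetAttribute('DesktopAppPath')
        if (-not $path) { continue }   # packaged apps (AppUserModelId) are skipped
        $leaf = ($path -split '[\\/]')[-1].ToLowerInvariant()
        if ($RiskyExecutables -contains $leaf) {
            $profileNode = $app.SelectSingleNode("ancestor::*[local-name()='Profile']")
            [pscustomobject]@{
                ProfileId = $profileNode.GetAttribute('Id')
                App       = $path
                Finding   = "allow list contains $leaf"
            }
        }
    }
}

Get-RiskyKioskApp -Xml $sampleXml | Format-Table -AutoSize
```

An empty result means no desktop app in the list matched the deny list; it does not check packaged apps or what an allowed app can itself launch.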

Compliance and Security

When configuring kiosk mode, it’s essential to align your settings with your organization’s compliance and security policies. This includes ensuring that only authorized users can access the device, that sensitive data is protected, and that devices are regularly updated and monitored.

Benefits of Using Intune Kiosk Mode

  • Enhanced Security: Restrict access to only approved applications and features, reducing the risk of malware, unauthorized access, or data breaches.
  • Simplified User Experience: Provide users with a streamlined, focused interface that makes it easy to complete their tasks without distractions.
  • Centralized Management: Deploy, monitor, and update kiosk configurations remotely across multiple devices and locations.
  • Scalability and Flexibility: Easily adjust kiosk settings as your needs change, whether you’re adding new devices, updating applications, or repurposing existing hardware.
  • Integration with Microsoft Ecosystem: Seamlessly integrate with Azure AD, Microsoft 365, and other Microsoft services for enhanced security and management capabilities.

Microsoft Intune’s kiosk mode is a powerful tool for organizations looking to deploy secure, purpose-driven Windows devices. By restricting access to only approved applications and features, you can ensure your devices are used exactly as intended—whether for frontline workers, public kiosks, digital signage, or testing centers. With Intune’s centralized management and robust configuration options, setting up and maintaining kiosk mode is easier than ever, helping you protect your data, simplify user experiences, and streamline device management across your organization.
