Fix & Deploy Windows Kiosk Mode the Right Way (Intune + Assigned Access)

-

 

🚀 Secure Windows Kiosk Deployment with Assigned Access & Intune

This configuration demonstrates how to build a secure and controlled Windows kiosk environment using Assigned Access (Kiosk Mode) together with modern deployment tools like Windows Autopilot and Microsoft Intune.

⚠️ Prerequisite – Required Before Assigned Access

Before applying the Assigned Access XML, you must run the following PowerShell script.

This step creates the required Start Menu shortcut used in the configuration. If skipped, Assigned Access may fail or not apply correctly.

PowerShell – Create File Explorer Shortcut 

$pinFolder = "$env:PROGRAMDATA\Microsoft\Windows\Start Menu\Programs\Kiosk"
New-Item -Path $pinFolder -ItemType Directory -Force | Out-Null

$lnkPath = Join-Path $pinFolder "FileExplorer.lnk"
$target  = "$env:WINDIR\explorer.exe"

$ws = New-Object -ComObject WScript.Shell
$sc = $ws.CreateShortcut($lnkPath)
$sc.TargetPath = $target
$sc.IconLocation = "$env:WINDIR\explorer.exe,0"
$sc.Description = "File Explorer"
$sc.Save()

Write-Host "Created: $lnkPath"

🔒 Kiosk Configuration (Assigned Access)

The XML below defines a locked-down device experience where users can only access a limited set of approved applications.

  • Restricted Apps: Only Chrome, File Explorer, Photos, Media Viewer, WordPad, and Word are allowed
  • Limited File Access: Access is restricted to Downloads and removable drives (USB)
  • Custom Start Menu: Only essential apps are pinned
  • Taskbar Enabled: Visible but within a controlled environment
  • Auto Logon: Automatically signs in with a dedicated kiosk account

📄 Assigned Access XML

XML Configuration 

<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
    xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
    xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">

  <Profiles>
    <Profile Id="{7b089ffa-f670-4861-a8b4-0e0e8d45b437}">

      <AllAppsList>
        <AllowedApps>

          <App DesktopAppPath="%ProgramFiles%\Google\Chrome\Application\chrome.exe"/>
          <App DesktopAppPath="%windir%\explorer.exe"/>
          <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App"/>
          <App AppUserModelId="Microsoft.Windows.MediaViewer_8wekyb3d8bbwe!App"/>
          <App DesktopAppPath="%ProgramFiles%\Windows NT\Accessories\wordpad.exe"/>
          <App AppUserModelId="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word"/>

        </AllowedApps>
      </AllAppsList>

      <rs5:FileExplorerNamespaceRestrictions>
        <rs5:AllowedNamespace Name="Downloads"/>
        <v3:AllowRemovableDrives/>
      </rs5:FileExplorerNamespaceRestrictions>

      <v5:StartPins><![CDATA[
      {
        "pinnedList": [
          {
            "desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Google Chrome.lnk"
          },
          {
            "desktopAppLink": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Kiosk\\FileExplorer.lnk"
          }
        ]
      }
      ]]></v5:StartPins>

      <Taskbar ShowTaskbar="true"/>

    </Profile>
  </Profiles>

  <Configs>
    <Config>
      <AutoLogonAccount rs5:DisplayName="Kiosk"/>
      <DefaultProfile Id="{7b089ffa-f670-4861-a8b4-0e0e8d45b437}"/>
    </Config>
  </Configs>

</AssignedAccessConfiguration>

 

Kommentarer

Skicka en kommentar

Populära inlägg i den här bloggen

🚀 Force Reinstallation of an Intune App

-
Bild
  – When Intune refuses to reinstall a program you’ve already removed Sometimes an application deployed through Microsoft Intune won’t reinstall even after you’ve manually uninstalled it. That’s because Intune tracks installation status using both registry entries and detection rules to decide whether an app is already present. Here’s how to fully reset that state and force a reinstallation — step by step. 💡 Why Intune won’t reinstall the app When a Win32 app is deployed via Intune, the Intune Management Extension stores app metadata in the Windows registry under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps This registry data tells Intune which apps are installed, when, and by which user. On every policy sync, Intune checks the detection rule defined for the app. If the detection rule still reports the app as “installed” — even though you removed it — Intune will skip reinstallation . 🔧 Step-by-Step Guide 1️⃣ Uninstall the App F...
Read more »

🔵Troubleshooting Intune Device Enrollments: Understanding GUIDs, Registry Paths, and EnterpriseMgmt Tasks

-
Bild
This guide explains how to diagnose Intune MDM issues on a Windows device by using two key locations: Task Scheduler → EnterpriseMgmt Registry → HKLM\SOFTWARE\Microsoft\Enrollments These two locations always contain matching GUID folders , and together they show the full state of the device’s MDM enrollment. 📌 Introduction: Why do these GUID folders exist? When a Windows device enrolls into Intune (MDM) , Windows generates a unique GUID folder for that enrollment. That GUID is used in two places: 🔹 1. Task Scheduler Task Scheduler → Microsoft → Windows → EnterpriseMgmt → {GUID} This folder contains scheduled jobs that handle: MDM sync certificate renewal policy retrieval push notification handling 🔹 2. Registry HKLM\SOFTWARE\Microsoft\Enrollments\{GUID} This folder contains detailed information: tenant ID enrollment type certificate thumbprints renewal status MDM server URLs device identity 👉 Both folders describe the same en...
Read more »

🚀 Windows Autopilot Self-Deploying Mode — Zero-Touch Setup That Feels Like Magic

-
Bild
Just imagine this: You unwrap a brand-new PC or reinstall Windows 11 from scratch… and before you even touch the keyboard, the device automatically: ✅ Joins Microsoft Entra ID (Azure AD) ✅ Syncs all Intune apps, settings, and policies ✅ Lands straight on the sign-in screen — ready for the user No technician. No clicks. No wasted time. That’s Windows Autopilot Self-Deploying Mode — effortless, hands-free provisioning that just works. The only prerequisite? Register the device’s Hardware Hash (HWID) in Intune first. Here’s the cleanest 10-minute setup guide to make it happen — perfect for brand-new or freshly reinstalled devices. ⚡ Step-by-Step: Configure Windows Autopilot Self-Deploying Mode in Under 10 Minutes 1️⃣ Start Fresh Use a new PC or perform a clean Windows 11 installation (OOBE stage). 2️⃣ Insert a USB Drive 3️⃣ Identify the Drive Letter Press Shift + F10 , open PowerShell, and run: Get-Volume Find your USB drive letter (e.g., E:). 4️⃣ Run the Script Execute: .\auto...
Read more »