Use Shell Launcher to create a Windows 10 kiosk



    Our kiosk will be displaying a webpage to be used in a public area. Windows 10 Kiosk mode offers 2 different kiosk experiences:

      • Single-app kiosk: Runs a single UWP app in fullscreen on top of the lock screen. Users using the kiosk can see only that app. If the kiosk app is closed, it will automatically restart. If a user disconnects, the logon screen can be configured to log back on automatically. You can also use Shell Launcher to configure a kiosk device that runs a Windows desktop application as the user interface.
      • Multi-app kiosk: Runs one or more apps from the desktop. Users using the kiosk see a customized Start menu that shows only the tiles for the apps that are allowed.

    Important info: For this post, we use Windows 10. If you encounter any problem or hang during your deployment, make sure to use the latest Windows version, as all technology used in this post gets updated in each new Windows build.

    You can read our complete blog post on the subject.

    Kiosk single app Intune Autopilot - Device Enrollment

    The first step to creating our Windows 10 kiosk using Intune is to enroll the device in our tenant. This will name the machine randomly using 4 digits. Example: SCD. If you set this field to No, your machine will be randomly named.

    Scope tags determine which objects admins can see. The default scope tag feature is similar to the security scopes feature in System Center Configuration Manager.

    On the Assignments tab, select the group you want to deploy your profile to by clicking Select Groups to Include. You can also exclude a group if needed. Click Next. Review your settings and click Create. Your deployment profile is now created. This profile will be used to enroll our kiosk machines in Intune.

    Configure the Kiosk

    Once the machine is enrolled, we now need to configure the machine to enable the kiosk.

    This is done by creating a Device Configuration Profile. Our kiosk needs to launch an Edge browser for a specific web page and needs to Autologin.

    We will also configure the kiosk to prevent domain users from logging on to the computer. One for the Kiosk, one to configure Edge and one for the login restriction. For the Kiosk profile, set up the profiles as follows.

    Windows 10 1809 kiosk mode with an AD domain account

    This is without Intune. So, the plan was to deploy a multi-app kiosk. Multi-app kiosks are allowed from Windows 10 onward, so make sure you have at least this version on your device. Windows 10 Home is not supported. Applications can be either Win32 apps or UWP apps. The basics of kiosk mode are that we must create an XML file containing a profile, or set of profiles, which are assigned to configs. The wording from Microsoft is as follows: A configuration xml can define multiple profiles.

    Each profile has a unique Id and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout. A configuration xml can have multiple config sections.

    Each config section associates a non-admin user account to a default profile Id. Multiple config sections can be associated to the same profile. For the example here, we are going to keep it simple by creating one profile and one config. Start off by generating a unique GUID which will be used to associate the profile with the config. You can do this online. Now we can start to construct the XML file. Here assigned apps, start menu layout and Taskbar status can be defined.

    So I have defined these in the AllowedApps tags. This is a new feature from Windows 10, the ability to auto launch an app. Note from the field: take a look at the code in the example from Microsoft and compare with what I have added. They need to update their documentation to reflect this. Maybe I needed a hotfix but nothing is stated. In the end, I pushed out to the endpoint and the code works perfectly.

    What else is happening in the code? There is other functionality which you can add to the XML, such as configuring automatic logon, changing the display name which appears when logging in or allowing access to the Download folder for storage. Then run the PS1 script containing the code. If you get an error you may need to validate your code. As I mentioned earlier, make sure your account exists or can be referenced.

    After creating the account I can inject the PS1 code successfully. You can use the first three lines of the PS1 script to query the AssignedAccess MDM to ensure that the code has been injected OK, or if you update the code and re-inject and need to check your changes have been accepted.

    Now when logging in as the assigned user, the lockdowns and assigned access will take effect. If anything fails to run, check the AppLocker log on the device for blocks and update your XML file with the correct details.
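A pre-flight check for the configuration XML described above, as an added example that is not part of the original post. It verifies that each profile Id is a valid, unique GUID, that every config points at a defined profile, and that the assigned account can be resolved. The function name `Test-KioskConfig`, the GUID, the account `CONTOSO\kiosk01` and the app path are constructed placeholders; the namespace URIs are those of Microsoft's published assigned-access schema.

```powershell
# Constructed sample: placeholder GUID, account and app; start layout omitted for brevity.
$sample = @'
<AssignedAccessConfiguration
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config">
  <Profiles>
    <Profile Id="{11111111-2222-3333-4444-555555555555}">
      <AllAppsList><AllowedApps>
        <App DesktopAppPath="%windir%\system32\notepad.exe" rs5:AutoLaunch="true" />
      </AllowedApps></AllAppsList>
      <Taskbar ShowTaskbar="false" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>CONTOSO\kiosk01</Account>
      <DefaultProfile Id="{11111111-2222-3333-4444-555555555555}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
'@
function Test-KioskConfig {   # hypothetical helper, returns a list of problems found
    param([Parameter(Mandatory)][string]$XmlText)
    $doc = [xml]$XmlText      # throws if the XML is not well-formed
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('aa', 'http://schemas.microsoft.com/AssignedAccess/2017/config')
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $problems = @(); $ids = @{}
    foreach ($p in $doc.SelectNodes('//aa:Profiles/aa:Profile', $ns)) {
        $id = $p.GetAttribute('Id'); $g = [guid]::Empty
        if (-not [guid]::TryParse($id, [ref]$g)) { $problems += "Profile Id is not a GUID: '$id'" }
        if ($ids.ContainsKey($id)) { $problems += "Duplicate profile Id: $id" }
        $ids[$id] = $true
    }
    foreach ($c in $doc.SelectNodes('//aa:Configs/aa:Config', $ns)) {
        $ref = $c.SelectSingleNode('aa:DefaultProfile', $ns)
        if ($null -eq $ref -or -not $ids.ContainsKey($ref.GetAttribute('Id'))) {
            $problems += 'Config does not reference a defined profile Id'
        }
        $acct = $c.SelectSingleNode('aa:Account', $ns)
        if ($null -eq $acct) { continue }   # configs without an Account element are skipped
        $name = $acct.InnerText.Trim()
        # Resolving the name to a SID fails if the account does not exist or cannot be reached
        try { $null = ([System.Security.Principal.NTAccount]$name).Translate($sidType) }
        catch { $problems += "Account cannot be resolved from this machine: $name" }
    }
    $problems
}
Test-KioskConfig -XmlText $sample
```

On a machine that cannot resolve the placeholder account, the only problem reported for this sample is the unresolved account; an empty result means all checks passed.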

    The error reports as a block in policy. The problem is also resolved in Windows 10. Not sure why this happened. Be aware. Feel free to comment with your experiences and let me know how you got on with adding in auto logon, folder access and more.

    Create a Windows 10 Single-App kiosk device using Intune and AutoPilot

    It's really simple. You could configure it during operating system deployment as well of course or by using a script. I have two different organizational units (OUs): one for the kiosk with the local logon and one for computers for the domain account to log onto.

    Creating a kiosk or digital sign using Windows Autopilot, Intune, and Edge (Chromium)

    The autologon registry keys are basically the same; for the kiosk GPO that uses a local user, simply remove the DefaultDomainName registry key. Well, in my lab, I use my own PowerShell front-end, which is not worth mentioning here. You can use collection variables, computer variables, or a front-end where you can select which kiosk you want to deploy.

    You could modify this to run a GPUpdate as well if necessary.

    [Figure: Condition for the KioskDomain group]

    [Figure: Configuring the kiosk mode step that runs the script]

    For the step that moves the computer to the correct OU, I use the script I blogged about here.

    We could also use a web service as long as we move the computer to the correct OU. But that is a good starting point to test the behavior of the new browser on a kiosk device.

    In this example I configure a multi app kiosk device using Microsoft Intune which automatically logs on a kiosk user and launches the Edge Chromium browser. For deployment of the device, you can use Windows AutoPilot which I described in this article.

    We need to pre-configure a start layout in tablet mode and export the layout to an XML file, which we can upload in our Intune configuration profile.

    Sign in to a Windows 10 test device on which the Edge Chromium browser is installed and set the device in tablet mode. Remove all currently pinned applications from the start menu and add Edge Chromium. To export the customized start layout open PowerShell.

    Building lock down device – Part 2 (Shell Launcher)

    With that profile we configure the device to run in kiosk mode with auto logon, allow Edge to run, set Edge to auto launch and the customized start layout file. If you add --kiosk, the browser runs in kiosk mode. If you add --start-fullscreen, it will start full screen.

