Intune can provision Kiosk mode on Windows devices. There are two available modes: single-app and multi-app. This post focuses on single-app mode, but the logic applies to both.
Kiosk mode was something I had previously done using a provisioning package. The downside of provisioning packages shows up when something needs to be changed. With Intune, however, you configure the change in the portal and it syncs down to the devices.
Something else that is a plus with Intune is Autopilot, and for kiosks specifically, self-deploying Autopilot. That's right: you can take a Windows device out of the box, power it up with a network connection, and it will automatically enroll itself and apply its configuration.
To begin, I will assume you are familiar with Autopilot and have devices registered. These devices require TPM 2.0 for self-deploying mode to function.
1. Create a self-deploying Autopilot deployment profile and assign it to the devices you want to be kiosks.
2. In Configuration Profiles, create a Kiosk profile type from Templates. This sets what your kiosk displays, e.g. a website. If you want to display a Win32 app or multiple apps, you must use multi-app kiosk mode, but mine will be displaying a web page. Deploy this profile to your kiosk group.
Word to the wise: the options are pretty self-explanatory, but the User Logon Type "Auto Logon" can be sensitive. It creates a local user named "KioskUser0" with a blank password, and the auto logon can be broken by other policies. I've learned to keep the number of policies and profiles applied to kiosk machines to a minimum. My kiosks only receive the configurations seen on this page along with LAPS, our Root CA cert, and Wi-Fi. By all means apply what you need, but I suggest KISS (Keep it stupid simple).
3. Create another Configuration Profile containing several settings from the Settings catalog. These deal with power settings and the like. I expected some of these to be configured by the Kiosk template, but I also understand why they separated it out. Let's start by configuring the System > Power Management settings under Administrative Templates:
- Under Hard Disk Settings
- Enable "Turn off the Hard Disk" for both plugged in and on battery. Set the values to 0 (0 means never).
- Under Sleep Settings
- Enable "Specify the system hibernate timeout" for both plugged in and on battery. Set the values to 0.
- Enable "Specify the system sleep timeout" for both plugged in and on battery. Set the values to 0.
- Disable "Require a password when a computer wakes" for both plugged in and on battery.
- Under Video and Display Settings
- Enable "Turn off the display" for both plugged in and on battery. Set the values to 0.
- Now navigate out of Administrative Templates to the Power category:
- Set "Lid Close Action" for both plugged in and on battery to Take No Action.
- Set "Select Power Button Action" for both plugged in and on battery to Take No Action.
- Set "Select Sleep Button Action" for both plugged in and on battery to Take No Action.
Extra precaution: some kiosk devices may be used by end users who have AAD credentials. To prevent them from logging in with those credentials, I add a few additional settings.
- Under User Rights
- Select Allow Local Log On and add the following SID: *S-1-5-113
This SID is NT AUTHORITY\Local account, so only local accounts are allowed to log on interactively; Azure AD accounts are refused at the logon screen. Use the LAPS-managed account, or create another local user, if you need a way to sign in for maintenance.
- Under Task Manager
- Select and Block "Allow End Task".
Save this profile and deploy it to your kiosk devices.
4. Create a simple PowerShell one-liner that prevents KioskUser0 from changing its own password. Upload the script and deploy it in the system context to your kiosk devices.
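The script below is an added example, not the author's one-liner from the post. It wraps the same `Set-LocalUser` change in the checks you want when Intune runs it in the system context: it verifies the account exists first (the Kiosk profile creates KioskUser0, so if the script lands before that profile has applied there is nothing to modify), applies the setting, and exits non-zero on any failure so Intune records the script as failed rather than silently succeeded. The account name `KioskUser0` is taken from the post; the additional `-PasswordNeverExpires` hardening is my own assumption, added so a password-expiry policy cannot break the blank-password auto logon.

```powershell
# Added example (not the original post's script): harden the kiosk auto-logon account.
# Intended to run as an Intune PowerShell script in the SYSTEM context.
# Assumes the Kiosk configuration profile has already created the local account.
$KioskUser = 'KioskUser0'   # name created by the Kiosk template's Auto Logon option

# Bail out with a failure code if the account is not there yet; Intune surfaces
# the failure, and the script can be re-run once the Kiosk profile has applied.
try {
    $user = Get-LocalUser -Name $KioskUser -ErrorAction Stop
} catch {
    Write-Output "Account '$KioskUser' not found; the Kiosk profile may not have applied yet."
    exit 1
}

try {
    # The one-liner from the post: the account may not change its own password.
    Set-LocalUser -Name $KioskUser -UserMayChangePassword $false -ErrorAction Stop

    # Assumed extra hardening: keep the blank password from ever expiring, which
    # would otherwise prompt for a change and break auto logon.
    Set-LocalUser -Name $KioskUser -PasswordNeverExpires $true -ErrorAction Stop
} catch {
    Write-Output "Failed to update '$KioskUser': $($_.Exception.Message)"
    exit 1
}

# Re-read the account and verify the change actually took effect.
$user = Get-LocalUser -Name $KioskUser
if ($user.UserMayChangePassword -or -not $user.PasswordNeverExpires) {
    Write-Output "Verification failed for '$KioskUser'."
    exit 1
}

Write-Output "$KioskUser hardened: UserMayChangePassword=$($user.UserMayChangePassword), PasswordNeverExpires=$($user.PasswordNeverExpires)"
exit 0
```

When uploading the script, enable "Run script in 64 bit PowerShell Host": the LocalAccounts cmdlets (`Get-LocalUser`, `Set-LocalUser`) are not available in the 32-bit Windows PowerShell host that Intune uses by default, and the script would fail with an unrecognized-cmdlet error.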

5. Power up the Windows devices you've assigned the self-deploying profile to. Make sure they have a network connection, and make sure you've deployed a Wi-Fi profile if the device will use a wireless connection in the field.