Configuring a Single-App Kiosk for Windows 11 devices using Assigned Access within Microsoft Intune

When it comes to implementing kiosk systems on Windows devices, Microsoft offers a powerful feature known as Assigned Access. Assigned Access, also referred to as kiosk mode, is a built-in functionality in Windows operating systems that allows administrators to restrict user access to a single application or a set of applications, effectively transforming a standard Windows device into a dedicated kiosk.

With this post I want to show you how to simply implement assigned access from Microsoft Intune to create a single-app windows experience that is deployable through Windows Autopilot for that „Zero-touch-deployment“ experience. A single app kiosk can be used for frontline workers which need a device for only one specific task or for big-displays that should show information for users.

What is Assigned Access?

Assigned Access enables administrators to create a locked-down environment where users can interact only with designated applications, preventing them from accessing the desktop, Start menu, or any other system settings. This feature is particularly useful in scenarios where devices need to serve a specific purpose, such as displaying product information, facilitating self-checkout processes, or providing informational services.

The Difference from Normal Windows

The primary distinction between a Windows device operating in Assigned Access mode and a typical Windows environment lies in the level of control and customization. Unlike a standard Windows session where users have unrestricted access to the operating system and its features, Assigned Access imposes limitations, ensuring that users interact solely with predetermined applications. This restriction minimizes the risk of unauthorized access, accidental modifications, or misuse of the device.

Furthermore, Assigned Access provides administrators with granular control over user sessions, allowing them to customize the user experience according to specific requirements. From selecting the designated application(s) to configuring session timeouts and access permissions, administrators have the flexibility to tailor the kiosk environment to suit their unique needs.

Setup a Single-App device

So to start of course we need an Entra ID group that will contain our devices and to reduce tasks we will make it a dynamic device group that automatically adds devices with a specific Windows Autopilot grouptag.

Lets create a new group in Entra ID and assign it a dynamic membership rule that for example collects all devices using the „WindowsSingleAppKiosk“ grouptag in Autopilot:

Next lets create a new Windows Autopilot profile that configures devices with that „WindowsSingleAppKiosk“ grouptag. To do so open „Deployment profiles“ in the „Windows enrollment“ section in Intune:

Create a new profile for „Windows PC“:

Give it a name, I will use the same as my Grouptag to identify it more simply later on:

Make the profile „Self-Deploying“ so that we do not have to do something manually for the enrollment and if you like define a naming template as „KIOSK-%SERIAL%“:

Now we have prepared the device onboarding. All that’s left is to configure the device into assigned access (aka kiosk mode). Therefore wen need to create a new configuration profile from the „Kiosk“ type:

Select „Single app, full-screen kiosk“ for the kiosk mode and „Auto logon“ for the user logon type as we dont want to use any specific user here. This kios should only display one app in full-screen mode. Then define „Store app“ as our kiosk app – currently here are only store apps and the Edge or Kiosk browser supported – no Win32 apps yet:

Select a app from the Microsoft store, the app needs to be added upfront in Apps from Intune and be assigned to your device group:

Now you will see that our app is added to the list:

Next it is required to add a maintenance window to update the app. This all will be done automatically but we can define when the update window starts. Here we will use 8PM for our demo on a daily schedule.

Assign the profile and an Windows Update configuration (or Windows Autopatch) to the device group and you’re done. Now we have configured everything needed for a device to enroll and start assigned access mode with a specified app. Once a device is enrolled with this grouptag it will auto logon as „KIOSK“ and start the Teams app in full-screen mode.

Conclusion

In conclusion, Windows Assigned Access serves as a valuable tool for creating secure and efficient kiosk systems. By harnessing the power of Assigned Access, businesses and organizations can deploy kiosk systems with less effort and a zero-touch-deployment. In the next post we will see how you can define and deploy kiosk systems using assigned access to display multiple apps without a full Windows desktop experience – stay tuned to check that out.