How to create a Web-App Kiosk for Windows 11 devices using Assigned Access within Microsoft Intune

When it comes to implementing kiosk systems on Windows devices, Microsoft offers a powerful feature known as Assigned Access. Assigned Access, also referred to as kiosk mode, is a built-in functionality in Windows operating systems that allows administrators to restrict user access to a single application or a set of applications, effectively transforming a standard Windows device into a dedicated kiosk.

With this post I want to show you how to simply implement assigned access from Microsoft Intune to create a single-app windows experience that is deployable through Windows Autopilot for that „Zero-touch-deployment“ experience. Such a web-kiosk can be handy when you for example have a public browsing computer or a shift-display where workers see their work-shifts on an web app.

Previous posts

In my last two posts we talked on single-app- and multi-app-kiosk systems. Definitely check them out to learn about the underlying assigned access feature from Windows that we will use for our kiosk systems.

Setup a Web-kiosk device

As always firstly we need a fresh Entra ID group that will contain our devices and to reduce tasks we will make it a dynamic device group that automatically adds devices with a specific Windows Autopilot grouptag.

Here we create a new group in Entra ID and assign it a dynamic membership rule that collects all devices using the “WindowsWebKiosk” grouptag in Autopilot:

Next create a new Windows Autopilot profile that configures devices with our “WindowsWebKiosk” grouptag. To do so open “Deployment profiles” in the “Windows enrollment” section in Intune:

Create a new profile for “Windows PC”:

Give it a name, I will use the same as my Grouptag to identify it more simply later on:

Make the profile “Self-Deploying” so that we do not have to do something manually for the enrollment and if you like define a naming template as “KIOSK-%SERIAL%”:

Now we have prepared the device onboarding. All that’s left is to configure the device into assigned access (aka kiosk mode). Therefore wen need to create a new configuration profile from the “Kiosk” type:

In this kind of kiosk system we want a „Single app, full-screen kiosk“ experience that uses Autologon and the Microsoft Edge browser. Then we define our website for the Edge browser and the mode that it should act in. Digital/Interactive Signage enables users to use the device as a public browser for (in this example) my blog website. When there is no user activity for 2 minutes as configured here then the browser will refresh and kill all user sessions/data.

Next it is required to add a maintenance window to update the edge app. This all will be done automatically but we can define when the update window starts. Here we will use 8PM for our demo on a daily schedule.

Assign the profile and an Windows Update configuration (or Windows Autopatch) to the device group and you’re done. Now we have configured everything needed for a device to enroll and start assigned access mode with a specified app. Once a device is enrolled with this grouptag it will auto logon as “KIOSK” and start Microsoft Edge with the defined url in full-screen mode.

Conclusion

In conclusion, Windows Assigned Access serves as a valuable tool for creating secure and efficient kiosk systems. By harnessing the power of Assigned Access, businesses and organizations can deploy kiosk systems with less effort and a zero-touch-deployment. In my last two posts we learned how to configure single- and multi-app and in this post web kiosk systems using assigned access. This enables us to simply deploy task-focused devices which only can be used for specific apps – no matter if this is one app, a few apps or some web-apps.