Kiosk Laptops and the Configuration of Intune and Azure AD
“Something that sounded pretty simple threw us a few curve balls on the way, so we thought we’d share our experience”
We were recently asked by a customer to set up a kiosk laptop so their employees could sign into a web portal to complete some training activities.
Something that sounded pretty simple threw us a few curve balls on the way, so we thought we’d share our experience in case our learnings are helpful.
What we ended up with was basically a device build with user authentication done at an app level rather than device.
Requirements of the kiosk laptop
For this job, the kiosk laptop needed access to the customer’s HR training portal. Employees would sign into the laptop with their Azure Active Directory (AD) ID and complete training.
The kiosk laptop needed to be locked down – in this case the client required a single app use scenario. They did not want the full capabilities of the laptop to be available.
The first challenge we ran into was that we needed to prevent the kiosk laptop from receiving the users’ regular Intune profiles when they signed in, and vice versa.
What we delivered
We end up deploying Single app mode kiosk with auto sign-in via a local user created by the kiosk profile and blocked all other sign-ins apart from local accounts.
We deployed the Microsoft Legacy Edge browser app in private mode with the browser set to reset automatically after 15 min of inactivity.
We setup Windows 10 Autopilot with self-deploying (no user affinity) for the single app kiosk config.
We blocked Edge from getting updated to Chromium as Microsoft doesn’t support Edge Chromium in kiosk mode – there is no ETA from Microsoft on when this will change.
We also deployed a restrictions profile and compliance policy and time zone policy.
Users signed into the corporate site from the Edge browser and were able to leverage multi-factor authentication (MFA) as they would normally to ensure security.
What we learned
The Single app mode allowed us to deploy the build with no requirement for an Azure AD user account sign-in out of the box and no requirement for an Azure AD user to sign-in to a Windows session.
This build allowed us to push the Edge browser down to the device and at that point an Azure AD user could sign-in to the corporate site using MFA.
We were not able to implement a lock screen on this build. The kiosk laptop was a Windows 10 Pro N (no media player) edition, the lock screen is only deployed with a Windows 10 Enterprise license.
We mitigated the lock screen risk with the browser session inactivity timer. It is also not possible to deploy favorites to the browser due to the private session, so we have deployed the required site via a bookmark.
Multi-app kiosk mode does not support MFA.
HP devices must be wiped / firmware reloaded completely to get upgraded from Pro to Enterprise with MS VLC key via Intune profile
If you are interested in setting up your own kiosk laptop but are unsure what will be required and what is best practice, please reach out.
We are happy to have a one-hour conversation with you for free with no strings attached.
Microsoft Intune is a part of Microsoft Endpoint Manager and provides the cloud infrastructure, the cloud-based mobile device management (MDM), cloud-based mobile application management (MAM), and cloud-based PC management for your company.
Since 2005 I have dedicated my professional capabilities to the advancement of wireless mobile data technologies. During my career I have worked with customers in markets large and small, including financial and government organizations in New Zealand, Europe and the United States.