Dipping My Toes into Windows Autopilot – Self Deploying Kiosks

Spread the word

So full disclosure, I originally went down this road hoping to use Self-Deploying Autopilot to provision kiosks at my org, but unfortunately the Lenovo ThinkCentre tiny PCs we bought years ago do not support TPM 2.0. Turns out TPM 2.0 is a prereq for the “self-deploying” part of Autopilot (also means you can’t deploy to a virtual machine). So that was a bummer.

I ended up getting this whole flow to work on a laptop as a proof-of-concept, but look over the list of prereqs below to see if this is right for your use case. Even if you don’t do the Autopilot portion of this, you will most likely be able to get the Intune kiosk policies to work.


For this post, I’m mainly going over how to self deploy a single-app kiosk (using the Kiosk Browser from the Microsoft Store for Business) via Autopilot and then showing how to lock down user logins outside of the local account Intune provisions to log in to the kiosk profile.

Autopilot Profile Setup

Alright, let’s start off by configuring the Self-Deploying Autopilot profile:

  •     Head over to https://endpoint.microsoft.com/
  •     Click on Devices
  •     Go to Windows then Windows Enrollment on the next screen
  •     Click Deployment Profiles under the Windows Autopilot Deployment Program header

  •     Hit Create Profile and name it whatever you want > hit Next
    • I’m going to turn the convert all devices to Autopilot to enabled because why not?

  • Click Next
  • Under the Assignments tab, click Select Groups to Include and choose the group you want to use to deploy the profile. For testing you can manually create a static group, but in production you should be using a dynamic membership based group and maybe even look into using “Group Tags” to be even more granular.
  • Click Next > Review the configuration > hit Create

Creating the Intune Kiosk Profile

Now that the Autopilot deployment profile is all setup, we can move onto creating the Kiosk device configuration with Intune. 

  •   Head back to the Home screen in Endpoint Manager
  •   Click on Devices again
  •   Select Configuration Profiles Create Profile
  •   Choose Windows 10 or later from the dropdown
  •   Select the Kiosk profile > click Create

  • Make sure to specify a maintenance window for the kiosk browser to restart itself after potential updates. By default, it’s set to start at midnight. You do not want this to restart during business hours if possible.

Prevent users from signing in

We now need to create a custom profile within Intune to restrict users (outside of a group you specify) from logging in. In this post, we’re going to only allow local users accounts (like kioskuser0) to login.

  • Head back to the Home screen in Endpoint Manager
  • Click on Devices again (again)
  •  Click Configuration Profiles > Create Profile
  • Choose Windows 10 and later
  • Select Custom for the profile > Create
  • Give the profile a name > Next
  • Navigate to the Settings tab
  • Click Add to add an OMA-URI settings row
  • Name the setting AllowLocalLogOn
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
  • Data type: String
  • Value: <![CDATA[Local account]]>

  •  Hit Save > deploy the custom profile out to the same group we’ve been using

Deploying the Kiosk Browser

  •  If you opted to use the kiosk browser that I mentioned before, you can go to the Microsoft Store for Business and search for Kiosk Browser.
  •  Make sure to select Offline and click Get the app

  • You now need to perform a sync with Intune and Microsoft Store for Busines for the app to show up.
  • Head back to Endpoint Manager’s Home > select Tenant Administration

  • Connectors and tokens > hit Sync > wait 5 minutes

  •  After 5 minutes if Kiosk Browser still isn’t available in your tenant, just wait longer

  • Go to Apps > Windows > and select Kiosk Browser (Offline) when available
  •  Go to Properties > go to the Assignments section and hit Edit and deploy to the device group we’ve been using this whole time.
  • After deploying make sure to change the License type to Device

Wrapping Everything Up!

Now that all the hard stuff is finished, we can simply reset a Windows 10 device (Start > search for “Reset”) and it should eventually start Self-Deploying via Autopilot. During the Device Setup phase is when the kiosk profile, AllowLogon custom profile, and the Kiosk Browser (along with any other apps you have deployed as required to this group) will be installed.

After that is all complete, the Kiosk account should auto login and the Kiosk Browser app should automatically start to the URL you specified previously.

If another user tries to login with their AAD account, it’ll show an error message saying “the sign-in method you’re trying to use isn’t allowed.”

As with anything Autopilot related, Michael Niehuas was a huge inspiration for this blog post. Follow him at https://oofhours.com/ or @mniehaus for more info straight from the horse’s mouth.