
Microsoft Intune Multi-User Kiosk for Windows 11 with Windows App

  • Writer: Pascal
  • Mar 15


Microsoft Intune KIOSK Multi-User Windows 11 24H2

Microsoft Intune offers powerful capabilities for managing Windows devices, including the multi-user kiosk mode for Windows 11. This is an ideal solution for shared devices, such as those in call centers, libraries, or educational institutions. While the concept sounds simple, there are some crucial considerations, especially if you want to use the new Windows App from the Microsoft Store.


In this blog, I will take you through a real-life scenario where an organization wants to implement a multi-user kiosk to provide access to Windows 365 Cloud PC or Azure Virtual Desktop (AVD). While Microsoft Intune offers many standard configurations, this specific use case presents some interesting challenges, such as properly configuring the kiosk settings within Microsoft Intune.


Standard solution for Kiosk within Microsoft Intune

Microsoft Intune offers various standard configurations for setting up kiosk mode on Windows 11 devices. Through Device Configuration Profiles, we can use both the Kiosk (templates) and the Settings Catalog, allowing a wide range of settings to be customized. This makes it possible to configure a single-app or multi-app kiosk, where users have access only to pre-defined applications.


While these options may seem like a solid solution on paper, I quickly noticed in my scenario that the standard configurations did not fully align with the specific customer requirements.


Use Case

In a specific project, the customer had a clear request: several Windows 11 desktops needed to be deployed as Thin Clients for accessing an Azure Virtual Desktop (AVD) environment. The key requirements were:


  • The user should only need to sign in to Windows 11 (24H2) and then automatically be presented with the Windows App (from the Microsoft Store).

  • No access to the full Windows 11 desktop environment, but limited access to system settings, such as adjusting display settings.

  • A stable and reliable solution without any manual interaction after logging in.


Although Intune kiosk configurations initially seemed suitable for this setup, it turned out to be a challenge to make it work reliably in a standardized way. The combination with the Windows App from the Microsoft Store introduced some unexpected obstacles.


Configuring Intune

During my search for a suitable solution for configuring the multi-user kiosk in Microsoft Intune, I quickly came across several valuable resources that helped guide me further:


  1. Peter van der Woude (blogpost)

    • An interesting blog about setting up a multi-app kiosk for Windows 11, with clear explanations and practical examples.

  2. Microsoft Learn

  3. 10Zig YouTube

    • A video from 10Zig explaining how kiosk configurations work and how to implement them in a Windows 11 environment (Watch the video)


The power (and challenge) of XML

What immediately stood out in all of these resources is that the recommended method for a multi-user kiosk is not based on the standard templates or Settings Catalog settings within Microsoft Intune. Instead, an XML configuration file is used to implement the correct configuration.


It then seemed logical to follow this method. However, despite closely following the documentation and blogs, my specific scenario still didn't work as expected. This led to a new search: where was the problem?


The unexpected hurdles

After extensive testing and experimentation, I discovered that the problem wasn't with the XML method itself, but with the way the XML structure needed to be built. What surprised me the most was that even the official Microsoft documentation didn't explicitly mention certain crucial details about this XML configuration. This explained why previous attempts to correctly apply the kiosk policy had failed.


In the next chapter, I will discuss the exact adjustments needed to make the configuration work and how to achieve a stable multi-user kiosk with the Windows App within Microsoft Intune.


Windows 11 24H2 Kiosk XML configuration

Although Microsoft explains in their official documentation (Microsoft Learn) how an Assigned Access XML configuration should be structured, the key to a successful implementation lies in the namespace alias (the prefix declared with xmlns: at the top of the XML).


The documentation uses the alias v5, which is associated with Windows 11 22H2. However, at the time of writing, we are on the Windows 11 24H2 release. To ensure that the XML configuration functions correctly on Windows 11 24H2, the alias must be changed to "win11".


Key elements in the XML

The following XML configuration was successfully applied to a Windows 11 24H2 kiosk. Several crucial points can be identified within it:


  1. Standard Kiosk Profile ID

    • Although not actively used in this scenario, it is still required within the configuration.


  2. Applications

    • Windows App: Automatically starts as soon as the user logs in.

    • Control Panel (Settings): Allows the user to adjust settings, such as display configurations.


  3. Start menu restrictions

    • Only two allowed applications are displayed in the Start menu.


  4. Access Management via Entra ID Security Group

    • Only users who are members of a specific Entra ID Security Group are allowed to use this kiosk mode. The Object ID of this group is included in the XML.


XML Configuration
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration 
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" 
xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-53B19E722C23}">       
      <AllAppsList>
        <AllowedApps> 
          <App AppUserModelId="MicrosoftCorporationII.Windows365_8wekyb3d8bbwe!Windows365" rs5:AutoLaunch="true"/> 
          <App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"/> 
        </AllowedApps> 
      </AllAppsList>

      <win11:StartPins>
        <![CDATA[
          { "pinnedList":[
            {"packagedAppId":"MicrosoftCorporationII.Windows365_8wekyb3d8bbwe!Windows365"},
            {"packagedAppId":"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"}
          ] }
        ]]>
      </win11:StartPins>
      <Taskbar ShowTaskbar="true"/>
    </Profile> 
  </Profiles>
  <Configs>
    <Config>
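      <!-- Name is the Object ID of the Entra ID security group; replace it with your own -->
      <UserGroup Type="AzureActiveDirectoryGroup" Name="45b5caf5-ac21-482d-b878-128d504dc22a"/>
      <!-- DefaultProfile Id must match the Profile Id declared above -->
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-53B19E722C23}"/>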
    </Config>
  </Configs>
</AssignedAccessConfiguration>
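
A pre-deployment check for the key elements listed above, as an added example that is not part of the original post: it verifies the "win11" alias on StartPins (the author's finding for 24H2), that every pinned app is also an allowed app, that DefaultProfile points at a declared Profile, and that the Entra ID group is given as an Object ID. The function name lint_assigned_access and the SAMPLE document (placeholder GUIDs and app ID) are constructed for illustration.

```python
import json
import re
import xml.etree.ElementTree as ET

AA = "{http://schemas.microsoft.com/AssignedAccess/2017/config}"
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample (placeholder GUIDs and app ID), same shape as the page's XML.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration
 xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
 xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
 <Profiles><Profile Id="{11111111-1111-1111-1111-111111111111}">
  <AllAppsList><AllowedApps><App AppUserModelId="Contoso.App_x!App"/></AllowedApps></AllAppsList>
  <win11:StartPins><![CDATA[{"pinnedList":[{"packagedAppId":"Contoso.App_x!App"}]}]]></win11:StartPins>
 </Profile></Profiles>
 <Configs><Config>
  <UserGroup Type="AzureActiveDirectoryGroup" Name="22222222-2222-2222-2222-222222222222"/>
  <DefaultProfile Id="{11111111-1111-1111-1111-111111111111}"/>
 </Config></Configs>
</AssignedAccessConfiguration>"""

def lint_assigned_access(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    # Raw-text check: the page found that 24H2 needs the 'win11' alias here.
    for prefix in re.findall(r"<(\w+):StartPins\b", xml_text):
        if prefix != "win11":
            findings.append(f"StartPins uses alias '{prefix}', expected 'win11'")
    profile_ids = set()
    for prof in root.iter(AA + "Profile"):
        profile_ids.add(prof.get("Id"))
        apps = prof.findall(f"{AA}AllAppsList/{AA}AllowedApps/{AA}App")
        allowed = {a.get("AppUserModelId") for a in apps}
        for pins in (c for c in prof if c.tag.endswith("}StartPins")):
            for pin in json.loads(pins.text)["pinnedList"]:
                app_id = pin.get("packagedAppId")
                if app_id and app_id not in allowed:
                    findings.append(f"pinned app not in AllowedApps: {app_id}")
    for cfg in root.iter(AA + "Config"):
        default = cfg.find(AA + "DefaultProfile")
        if default is None or default.get("Id") not in profile_ids:
            findings.append("DefaultProfile Id does not match any Profile Id")
        for grp in cfg.findall(AA + "UserGroup"):
            is_entra = grp.get("Type") == "AzureActiveDirectoryGroup"
            if is_entra and not GUID.match(grp.get("Name", "")):
                findings.append("UserGroup Name is not an Entra group Object ID")
    return findings
```

Run it against the XML file before pasting the contents into the Intune Custom Profile; an empty list means all four checks passed.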

Implementation via Microsoft Intune Custom Profile


Once the XML configuration is complete, it can be easily deployed through Microsoft Intune using a Custom Profile. This ensures that the multi-user kiosk mode is automatically applied to the Windows 11 devices.


Configuration via the Custom Profile in Intune

  1. Go to the Microsoft Intune portal

    • Open Microsoft Intune.

    • Navigate to Devices → Configuration profiles → Create profile.

  2. Select the correct profile type:

    • Platform: Windows 10 and later

    • Profile type: Templates → Custom

  3. Fill in the settings:

    • Name: Enter a clear name, such as Windows 11 Kiosk

    • OMA-URI: ./Vendor/MSFT/AssignedAccess/Configuration

    • Data type: String (XML file)

    • Custom XML: Contents of the XML file

Example Intune OMA-URI configuration KIOSK XML

Conclusion

By leveraging a custom XML configuration, you can avoid relying on the standard kiosk templates within Microsoft Intune. However, a successful implementation requires more than just setting the correct kiosk mode. There are several important additional configurations that contribute to an optimal user experience and manageability:


  • Multi-user configuration – Since multiple users will use the device, it needs to be correctly configured as a multi-user kiosk. For this, I used Autopilot Self-Deploying and the Shared PC settings in the Intune Settings Catalog.


  • Automatic cleanup via Storage Sense – To prevent the device from filling up with temporary files and user data, Storage Sense is enabled via the Intune Settings Catalog. This helps keep the system clean and responsive.


  • Preventing unwanted shutdowns – By configuring the appropriate Power Settings in Intune, the device stays on and does not go to sleep, so users don’t need to log in repeatedly.

  • Ensure that the Windows App is deployed to the target devices prior to user access, so the app is installed automatically during the Windows Autopilot deployment process.

