@MrWyss-MSFT
Last active December 8, 2025 21:33
Multi App Kiosk Mode (With multiple Edge Web Apps)

Modify Date:        13. December 2024
OS:                 Windows 11 24H2 (12B of 24)
Management Tool:    Intune
Author:             Marius Wyss

Synopsis

Set up a locked-down desktop for specific users, who are allowed to start only "allowed" desktop apps, UWP apps and Edge in kiosk mode. There should be multiple links in the Start menu that open Edge in kiosk mode. Access to the file system should be limited to certain locations.

Setup MultiApp Kiosk Mode

Currently the Intune Kiosk Template has not been updated for Win11 (especially the Start menu section). For the time being, multi-app kiosk mode needs to be configured via the ./Device/Vendor/MSFT/AssignedAccess/Configuration OMA-URI (AssignedAccess CSP).

Prepare Start Menu

On a Win11 device, log in with a test user and create a replica of the Start menu by unpinning and pinning the apps that you want the kiosk user to have in their Start menu.
For Edge links, open Edge to the website that needs to be pinned. In Edge, go to the Edge toolbar (three dot menu) > More tools > Pin to Start.

Once you're done with the Start menu configuration, export it to JSON. To do so, open PowerShell and export the layout with the following cmdlet: Export-StartLayout -Path "YOUR\LOCATION\LayoutModification.json"

The LayoutModification.json should look like this:

 {"pinnedList":[
  {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
  {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
  {"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\WMI Explorer\\WMI Explorer.lnk"},
  {"secondaryTile":{"tileId":"MSEdge._pin_idmjlhimlffcfdaegpcponhhkb","arguments":" --pin-url=https://www.mywebsite1.com/ --profile-directory=Default --launch-tile","displayName":"WebSite 1","packagedAppId":"Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App","smallIconPath": "ms-appdata:///local/Pins/MSEdge._pin_mbfkklhhpckngkihcgoamfamci/SmallLogo.png","smallIcon": "<base64 encoded image goes here>","largeIconPath": "ms-appdata:///local/Pins/MSEdge._pin_mbfkklhhpckngkihcgoamfamci/Logo.png","largeIcon": "<base64 encoded image goes here>"}},
  {"secondaryTile":{"tileId":"MSEdge._pin_dcajngehbbifdilidbfmhcmiid","arguments":" --pin-url=https://www.mywebsite2.com/ --profile-directory=Default --launch-tile","displayName":"WebSite 2","packagedAppId":"Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App","smallIconPath": "ms-appdata:///local/Pins/MSEdge._pin_mbfkklhhpckngkihcgoamfamci/SmallLogo.png","smallIcon": "<base64 encoded image goes here>","largeIconPath": "ms-appdata:///local/Pins/MSEdge._pin_mbfkklhhpckngkihcgoamfamci/Logo.png","largeIcon": "<base64 encoded image goes here>"}}
]}

Note that the exported secondaryTile arguments would not start Edge in kiosk mode, but in PWA mode. We need to change the arguments and replace

--pin-url=https://www.mywebsite1.com/ --profile-directory=Default
to
--kiosk https://www.mywebsite1.com/ --edge-kiosk-type=public-browsing --no-first-run

This section will be later used in the Assigned Access configuration XML.
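
The argument replacement described above, applied to every Edge tile in an exported layout. This is an added example, not code from the original gist; the function name, the sample layout and its tileId are constructed for illustration.

```powershell
# Added example (not from the original gist): convert exported Edge pins to kiosk launches.
# $sampleLayout is constructed; on a device, read the Export-StartLayout file with Get-Content -Raw.
$sampleLayout = @'
{"pinnedList":[
  {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
  {"secondaryTile":{"tileId":"MSEdge._pin_sample","arguments":" --pin-url=https://www.mywebsite1.com/ --profile-directory=Default --launch-tile","displayName":"WebSite 1","packagedAppId":"Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App"}}
]}
'@

function Convert-EdgePinToKiosk {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$LayoutJson)

    $layout = $LayoutJson | ConvertFrom-Json
    # The exported switch pair; a profile name containing spaces may be quoted.
    $pattern = '--pin-url=(\S+)\s+--profile-directory=(?:"[^"]*"|\S+)'
    $kiosk   = '--kiosk $1 --edge-kiosk-type=public-browsing --no-first-run'

    foreach ($pin in $layout.pinnedList) {
        $tile = $pin.secondaryTile
        if ($null -eq $tile) { continue }   # packagedAppId / desktopAppLink entries
        if ($tile.arguments -notmatch $pattern) {
            # Surface tiles that were not rewritten so they are reviewed by hand.
            Write-Warning "Tile '$($tile.displayName)' left unchanged: $($tile.arguments)"
            continue
        }
        $tile.arguments = $tile.arguments -replace $pattern, $kiosk
    }
    # Set -Depth explicitly so nested secondaryTile objects are not flattened to strings.
    $layout | ConvertTo-Json -Depth 5 -Compress
}

Convert-EdgePinToKiosk -LayoutJson $sampleLayout
```

Windows PowerShell 5.1 writes characters such as < and ' as \uXXXX escapes when serializing, which is still valid JSON.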

Prepare Assigned Access configuration XML

See Create an Assigned Access configuration file | Microsoft Learn

Or modify the Win11 Template below:

  • Create a new GUID, e.g. with PowerShell New-Guid, and replace the one in Profile Id and DefaultProfile Id
  • Change AllowedApps
  • Copy your Win11 Start menu layout into the StartPins section. Make sure the indentation is correct.
  • Change the account or group in the Config section

<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <Profiles>
    <Profile Id="{15691179-23be-45be-a25b-2d37dc9b0048}">
      <AllAppsList>
        <AllowedApps>
          <App DesktopAppPath="C:\Windows\explorer.exe" />
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App" />
          <App DesktopAppPath="C:\Program Files\wmiexplorer\WmiExplorer.exe" />      
        </AllowedApps>
      </AllAppsList>
      <rs5:FileExplorerNamespaceRestrictions>
        <rs5:AllowedNamespace Name="Downloads" />
        <v3:AllowRemovableDrives />
      </rs5:FileExplorerNamespaceRestrictions>
      <v5:StartPins><![CDATA[{
          "pinnedList":[
            {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
            {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
            {"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\WMI Explorer\\WMI Explorer.lnk"},
            {"secondaryTile":{"tileId":"MSEdge._pin_idmjlhimlffcfdaegpcponhhkb","arguments":" --kiosk https://www.mywebsite1.com/ --edge-kiosk-type=public-browsing --no-first-run --launch-tile","displayName":"WebSite 1","packagedAppId":"Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App","smallIconPath": "ms-appdata:///local/Pins/MSEdge._pin_mbfkklhhpckngkihcgoamfamci/SmallLogo.png","smallIcon": "<base64 encoded image goes here>","largeIconPath": "ms-appdata:///local/Pins/MSEdge._pin_mbfkklhhpckngkihcgoamfamci/Logo.png","largeIcon": "<base64 encoded image goes here>"}},
            {"secondaryTile":{"tileId":"MSEdge._pin_dcajngehbbifdilidbfmhcmiid","arguments":" --kiosk https://www.mywebsite2.com/ --edge-kiosk-type=public-browsing --no-first-run --launch-tile","displayName":"WebSite 2","packagedAppId":"Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App","smallIconPath": "ms-appdata:///local/Pins/MSEdge._pin_mbfkklhhpckngkihcgoamfamci/SmallLogo.png","smallIcon": "<base64 encoded image goes here>","largeIconPath": "ms-appdata:///local/Pins/MSEdge._pin_mbfkklhhpckngkihcgoamfamci/Logo.png","largeIcon": "<base64 encoded image goes here>"}}
          ]
        }]]></v5:StartPins>
      <Taskbar ShowTaskbar="true" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>AzureAD\[email protected]</Account>
      <DefaultProfile Id="{15691179-23be-45be-a25b-2d37dc9b0048}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
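
A pre-upload consistency check for a configuration like the template above. This is an added example, not code from the original gist; the function name, the trimmed sample XML and its placeholder GUIDs are constructed. The rule that every pinned packaged app should also appear in AllowedApps is an assumption of this example.

```powershell
# Added example (not from the original gist): consistency checks before uploading the XML.
# $sampleXml is constructed and trimmed; the GUIDs are placeholders that deliberately differ.
$sampleXml = @'
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <Profiles><Profile Id="{00000000-0000-0000-0000-000000000001}">
    <AllAppsList><AllowedApps>
      <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
    </AllowedApps></AllAppsList>
    <v5:StartPins><![CDATA[{"pinnedList":[
      {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
      {"secondaryTile":{"arguments":" --pin-url=https://www.mywebsite1.com/ --launch-tile","displayName":"WebSite 1","packagedAppId":"Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App"}}
    ]}]]></v5:StartPins>
  </Profile></Profiles>
  <Configs><Config><DefaultProfile Id="{00000000-0000-0000-0000-000000000002}" /></Config></Configs>
</AssignedAccessConfiguration>
'@

function Test-KioskConfig {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('aa', 'http://schemas.microsoft.com/AssignedAccess/2017/config')
    $ns.AddNamespace('v5', 'http://schemas.microsoft.com/AssignedAccess/2022/config')
    $findings = @()

    $profiles = @($doc.SelectNodes('//aa:Profile', $ns))
    $ids = @($profiles | ForEach-Object { $_.GetAttribute('Id') })
    foreach ($ref in $doc.SelectNodes('//aa:Config/aa:DefaultProfile', $ns)) {
        $id = $ref.GetAttribute('Id')
        if ($ids -notcontains $id) { $findings += "DefaultProfile $id matches no Profile Id" }
    }
    foreach ($p in $profiles) {
        $allowed = @($p.SelectNodes('.//aa:App', $ns) | ForEach-Object { $_.GetAttribute('AppUserModelId') })
        $node = $p.SelectSingleNode('v5:StartPins', $ns)
        if ($null -eq $node) { continue }
        try { $pins = ($node.InnerText | ConvertFrom-Json).pinnedList }
        catch { $findings += 'StartPins does not parse as JSON'; continue }
        foreach ($pin in $pins) {
            $tile  = $pin.secondaryTile
            $aumid = if ($tile) { $tile.packagedAppId } else { $pin.packagedAppId }
            if ($aumid -and $allowed -notcontains $aumid) { $findings += "Pinned but not in AllowedApps: $aumid" }
            if ($tile -and $tile.arguments -notmatch '--kiosk\s') { $findings += "Tile '$($tile.displayName)' lacks --kiosk" }
        }
    }
    $findings
}
Test-KioskConfig -Xml $sampleXml
```

desktopAppLink pins are not checked, because mapping a .lnk to its target executable requires resolving the shortcut on the device.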

Create Intune Configuration

In Intune, go to Devices > Configuration > Create > Windows 10 and later > Templates > Custom.

Name:        e.g. "Kiosk MultiApp Win11 (OMA-URI)"
Description: e.g. "Setup Assigned Access Policy for Multi App Kiosk Mode"

In Configuration settings, click Add to create a custom CSP setting:

Name: e.g. "Kiosk MultiApp Win11 (OMA-URI)"
Description: e.g. "Sets Multi App Kiosk Mode with Pinned Apps for a specific User"
OMA-URI: ./Device/Vendor/MSFT/AssignedAccess/Configuration
Data type: String (XML file)

Upload the prepared Assigned Access configuration XML.

Assign this configuration to your kiosk devices.

Appendix

Locking down folder access

There is currently a known issue with the locked-down access feature <rs5:FileExplorerNamespaceRestrictions>. It is recommended to use the SetAllowedFolderLocations CSP for the time being.

In Intune, go to Devices > Configuration > Create > Windows 10 and later > Templates > Custom.

Name:        e.g. "Kiosk MultiApp Win11 Explorer Supplement (OMA-URI)"
Description: e.g. "Setup Assigned Access Policy for Multi App Kiosk Mode"

In Configuration settings, click Add to create a custom CSP setting:

Name: e.g. "SetAllowedFolderLocations"
Description: 
OMA-URI: ./User/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedFolderLocations or ./Device/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedFolderLocations
Data type: Integer
Value: e.g. 17

The value is a bitmask: add the Dec values of the folders to allow (17 = 16 + 1, i.e. Network and Documents).

Dec  Bin      Folder
0    0000000  Access to all
1    0000001  Documents
2    0000010  Desktop
4    0000100  Pictures
8    0001000  Downloads
16   0010000  Network
32   0100000  This PC

Assign this configuration to your kiosk users or kiosk devices.

Disable Edge background processes

To make sure Edge is always started in kiosk mode, we need to make sure no Edge background processes are running. To do so, we can create a configuration from the settings catalog. In Intune, go to Devices > Configuration > Create > Windows 10 and later > Settings catalog > Create.

Name:        e.g. "Kiosk MultiApp Win11 (OMA-URI)"
Description: e.g. "Setup Assigned Access Policy for Multi App Kiosk Mode"

+Add settings > search for Continue running background apps after Microsoft Edge closes (User) and Enable startup boost (User), and make sure both are disabled. Device-scoped versions of these two settings are also available.

Assign this configuration to your kiosk users.

Disable specific Edge Keyboard Shortcuts

To disable specific keyboard shortcuts, such as Ctrl + J to open Downloads, there is a control called Configure the list of commands for which to disable keyboard shortcuts (User) or device.

In Intune, go to Devices > Configuration > Create > Windows 10 and later > Settings catalog > Create.

Name:        e.g. "Kiosk Win11 disable Edge Keyboard Shortcuts"
Description: e.g. "Disables specific keyboard shortcuts in Edge"

+Add settings > search for Configure the list of commands for which to disable keyboard shortcuts. Enable this setting; it takes a list, in JSON format, of the shortcuts to disable. Find the full list here: Configurable Microsoft Edge commands | Microsoft Learn

A valid JSON value looks like this:

{"disabled":["caret_browsing_toggle","clear_browsing_data","close_find_or_stop","close_tab","close_window","collections","dev_tools","dev_tools_console","dev_tools_elements","dev_tools_toggle","downloads","duplicate_tab","favorite_all_tabs","favorite_this_tab","favorites","focus_address_bar","focus_app_toolbar","focus_favorites","focus_inactive_notification","focus_next_pane","focus_previous_pane","focus_reading_bar","focus_search","focus_settings_and_more","focus_web_pane","help_page","history","immersive_reader_toggle","new_application_guard_window","new_inprivate_window","new_tab","new_window","open_file","paste_and_go","print","profile","read_aloud_toggle","reopen_tab","save_page","select_last_tab","select_next_tab","select_previous_tab","select_tab_0","send_feedback","settings_and_more_menu","show_favorites_bar_toggle","sidebar_search_selected_text","system_print","task_manager","vertical_tabs_toggle","view_source","web_capture","web_select"]}

Assign this configuration to your kiosk users.

Disable Edge mini menu

The control to disable the mini menu that pops up when selecting text in Edge is called Enables Microsoft Edge mini menu (User) or device.

In Intune, go to Devices > Configuration > Create > Windows 10 and later > Settings catalog > Create.

Name:        e.g. "Kiosk Win11 disable Edge Mini Menu"
Description: e.g. "Disables Edge mini menu when selecting text on websites"

+Add settings > search for Enables Microsoft Edge mini menu (User). Make sure the switch is set to Disabled.

Assign this configuration to your kiosk users.

Allow only certain urls

To allow only certain websites, two controls are required: Block access to a list of URLs (User) and Define a list of allowed URLs (User) or Device. You can block all sites with * and allow only specific sites using this notation:

contoso.com
https://ssl.server.com
hosting.com/good_path
https://server:8080/path
.exact.hostname.com

Virtual Desktop

TODO

@drake-riley

Have you ever actually gotten an Azure AD account to work with an XML Assigned Access profile? I have had no luck except through the Intune Kiosk Template. But when I have tried to use them with XML Custom Template it has never worked...

@MrWyss-MSFT
Author

@drake-riley, I am not sure if I have ever tested it with an Azure AD account. The Learn docs have been updated since I wrote this guide. Check out https://learn.microsoft.com/en-us/windows/configuration/assigned-access/configuration-file?pivots=windows-11 ; it's much more comprehensive than it was before. And according to the docs there, it should be possible, if I am not mistaken.

@drake-riley

Okay, yeah, just curious. The kiosk configurations change so much... they have become the bane of my existence.

I also meant to ask about the tiles. I have tried to link a tile to a site, but when I click the tile, it looks like it's loading something, but then it never actually launches anything and nothing starts?

@umaxtu

umaxtu commented Dec 8, 2025

> Okay, yeah, just curious. The kiosk configurations change so much... they have become the bane of my existence.
>
> I also meant to ask about the tiles. I have tried to link a tile to a site, but when I click the tile, it looks like it's loading something, but then it never actually launches anything and nothing starts?

Adding msedge_proxy.exe to the list of allowed apps fixed this for me.
