Kiosk Mode / Digital Signage with Windows 11 Shell Launcher

If you have to deploy many devices as Digital Signage or in Kiosk Mode, where nearly all devices have to show something, I may have a solution for you today. We were in the same situation and wanted to use the Shell Launcher v2 part of Assigned Access: Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11) – Configure Windows | Microsoft Learn

Normally, to use Shell Launcher via Intune, you would have to create a separate Policy per use case, which is fine if you have only a handful of Apps or URLs to display. In my case, I wanted only one central Policy in Intune for all my Kiosk Devices, with this policy getting its values from the client itself. After a bit of searching, I had the idea to use environment variables to tell the Shell Launcher what to do.

Since in my use case I wanted to use AzureAD Joined Clients and an AzureAD User Account, I decided to use the local Group “Remote Desktop Users” to declare which Accounts start the Kiosk Mode, as I was never able to get it working with an AzureAD User Group.

Intune Policy

Let’s start with the Intune side. We will have to create a custom OMA-URI Policy that we can assign to the clients that should be converted to Kiosk Devices.

We use the following OMA-URI:

./Device/Vendor/MSFT/AssignedAccess/ShellLauncher

I uploaded the ShellLauncher XML to my GitHub: Scripts/ShellLauncher.xml at main · mmeierm/Scripts (github.com)

Client Side

To make it a little bit easier for me to set the environment variable on each client, I wrote a small PowerShell Tool that sets the “Kiosk_URL” variable used in the XML above and lets me add my service user to the “Remote Desktop Users” Group, as this is not possible via the UI for AzureAD joined Clients. You can also find the Script on my GitHub: Scripts/Kiosk.ps1 at main · mmeierm/Scripts (github.com)

You will need to run it with admin rights, as a regular user cannot create / change a system environment variable. In the tool, you have two radio buttons, which allow you to set a URL that will be presented in Microsoft Edge (Option Edge) or something different (Option General).

With a click on “Set Kiosk Parameter”, the Script will create / modify the “Kiosk_URL” variable.
The “Add User to Kiosk Group” Button will open an Input Box that allows you to easily add a user to the local Group.
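
The same two client-side steps can be scripted for an unattended rollout. The following is an added example, not the Kiosk.ps1 from the GitHub repository: it covers only the “Edge” case, and the function name Set-KioskConfig, the https-only check, and the sample URL and account are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not the author's Kiosk.ps1. Covers only the "Edge" case (a URL).
# Set-KioskConfig and the https-only rule are assumptions made for this example.

function Set-KioskConfig {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Url,
        # AzureAD accounts are addressed as AzureAD\<UPN> on joined clients
        [Parameter(Mandatory)] [string] $KioskUser
    )

    # Reject anything that is not an absolute https URL before it is stored
    # in a system-wide variable that the kiosk shell will act on.
    $parsed = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref] $parsed) -or
        $parsed.Scheme -ne 'https') {
        throw "Kiosk_URL must be an absolute https URL, got: $Url"
    }
    if ($PSCmdlet.ShouldProcess('Kiosk_URL', "Set machine variable to $($parsed.AbsoluteUri)")) {
        [Environment]::SetEnvironmentVariable('Kiosk_URL', $parsed.AbsoluteUri, 'Machine')
    }

    # S-1-5-32-555 is the well-known SID of "Remote Desktop Users"; using it
    # keeps the script working on localized Windows installations.
    # By default, members of this group may also log on via Remote Desktop.
    $rdu = [Security.Principal.SecurityIdentifier] 'S-1-5-32-555'
    if ($PSCmdlet.ShouldProcess($KioskUser, 'Add to Remote Desktop Users')) {
        try {
            Add-LocalGroupMember -SID $rdu -Member $KioskUser -ErrorAction Stop
        } catch {
            # Re-running the script is fine; any other failure is rethrown.
            if ($_.Exception.GetType().Name -ne 'MemberExistsException') { throw }
            Write-Verbose "$KioskUser is already a member"
        }
    }

    # Read back what is stored so the result can be logged or verified.
    [pscustomobject]@{
        Kiosk_URL = [Environment]::GetEnvironmentVariable('Kiosk_URL', 'Machine')
        KioskUser = $KioskUser
    }
}

# Constructed sample values
Set-KioskConfig -Url 'https://contoso.sharepoint.com/sites/signage' -KioskUser 'AzureAD\kiosk01@contoso.com'
```

Run it with `-WhatIf` first to see which changes would be made without applying them.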

Result

If you used the “Edge” Option, you will see a Fullscreen Edge Browser showing the URL that you selected.

One cool thing for me is that, because we are using an AzureAD Account as the basis of the Kiosk Mode, we can leverage SSO in Edge, for example to SharePoint Online Websites.

