How to Setup a Multi-App Kiosk Windows Device Including Removable USB Drive Access

Overview

Microsoft Intune supports Kiosk mode devices with auto-logon feature. The process to setup kiosk single or multi-app is documented well by Microsoft and can be found here.

In this article, we will cover the steps to setup a multi-app kiosk with access to USB drives and Windows explorer.

Steps

1. Go to Microsoft Intune > Devices > Windows > Configuration profiles.

2. Click on Create profile, select the settings below then click on the Create button:

   1. Platform: Windows 10 and later

   2. Profile type: Templates

   3. Template name: Custom

3. Under Basics, provide a Name and Description for this policy, then click on the Next button.

4. Under Configuration settings, click on the Add button, an Add row window will pop up on the right side.

5. Enter the information below:

   1. Name: Assigned Access CSP

   2. Description: <optional>

   3. OMA-URI: ./Device/Vendor/MSFT/AssignedAccess/Configuration

   4. Data type: String (XML file)

   5. Custom XML: <.xml file can be downloaded at the bottom of this page or you can copy/paste the below and create a new .xml file>

   6. Click on Save, then Next

   7. Under Scope, click on the Next button

   8. Under Assignments, assign it to your targeted group, then click on the Next button

   9. Click on Next under Applicability Rules, then click on the Create button

XML Code

<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfigurationxmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
    xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config">
    <Profiles>
        <ProfileId="{5B328104-BD89-4863-AB27-4ED6EE355485}">
            <AllAppsList>
                <AllowedApps>
                    <!-- Allows Microsoft Edge access with auto-launch -->
                    <AppDesktopAppPath="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"rs5:AutoLaunch="true"/>
                    <!-- Allows Windows explorer access -->
                    <AppDesktopAppPath="C:\Windows\explorer.exe"/>
                </AllowedApps>
            </AllAppsList>
            <rs5:FileExplorerNamespaceRestrictions>
                <!-- Allows access to the Downloads directory -->
                <rs5:AllowedNamespaceName="Downloads"/>
                <!-- Allows access to USB Drives -->
                <v3:AllowRemovableDrives/>
            </rs5:FileExplorerNamespaceRestrictions>
            <StartLayout><![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> <LayoutOptions StartTileGroupCellWidth="6" /> <DefaultLayoutOverride> <StartLayoutCollection> <defaultlayout:StartLayout GroupCellWidth="6"> <start:Group Name=""> <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="MSEdge" /> <start:DesktopApplicationTile Size="2x2" Column="4" Row="2" DesktopApplicationID="Microsoft.Windows.Explorer" /> </start:Group> </defaultlayout:StartLayout> </StartLayoutCollection> </DefaultLayoutOverride> </LayoutModificationTemplate> ]]></StartLayout>
            <TaskbarShowTaskbar="false"/>
        </Profile>
    </Profiles>
    <Configs>
        <Config>
            <Account>KioskUser</Account>
            <DefaultProfileId="{5B328104-BD89-4863-AB27-4ED6EE355485}"/>
        </Config>
        <Config>
            <AutoLogonAccountrs5:DisplayName="KioskUser"/>
            <DefaultProfileId="{5B328104-BD89-4863-AB27-4ED6EE355485}"/>
        </Config>
    </Configs>
</AssignedAccessConfiguration>