Build a Fully Automated Windows Kiosk Using Autopilot & Intune (Single‑App Edge Kiosk)

In this lab, you will build a fully automated Windows kiosk device using Windows Autopilot (self‑deploying mode) and Microsoft Intune. The kiosk will automatically lock down to a single Microsoft Edge app and restrict all browsing except the company website.

Scenario

A retail organisation wants to deploy customer‑facing kiosk machines across multiple stores. These devices must be secure, locked down, and require zero IT touch during setup. The business already uses Microsoft 365 and Intune, so the solution must integrate natively with existing licensing and management tools.

Your task is to build a single‑app kiosk that launches Microsoft Edge in full‑screen mode and only allows access to the company website. The device must deploy automatically using Autopilot self‑deploying mode, join Entra ID, auto‑enrol into Intune, and apply all kiosk restrictions without any user interaction.

Lab Objectives

By the end of this lab, you will be able to:

  • Capture a device hardware hash and import it into Windows Autopilot.
  • Create a dynamic device group for kiosk devices.
  • Configure an Autopilot self‑deploying profile.
  • Create an Intune kiosk profile for single‑app Edge mode.
  • Configure URL allow/block policies for Microsoft Edge.
  • Reset and deploy a Windows 10 device into kiosk mode automatically.

Prerequisites

  • A Microsoft 365 tenant (trial or existing)
  • Entra ID P2 license
  • Intune license assigned to test users
  • Windows 10 device with:
    • TPM 2.0
    • TPM attestation support
    • Pre‑installed Windows partition (required for Autopilot reset)
  • Global Administrator permissions (for lab purposes)
  • Wired internet connection for the test device

Export the Device Hardware Hash

Autopilot requires a unique hardware hash to identify the device during deployment.

  1. On the Windows 10 test device, open Settings → Accounts → Access work or school.
  2. Select Export your management log files.
  3. A ZIP file will be generated containing a CSV file with the hardware hash.
  4. Extract the CSV and copy it to a USB drive for upload.

Verification
You should have a CSV file containing the device hardware hash ready for import into Autopilot.

Import the Device into Autopilot

Register the device so Autopilot can manage its deployment.

  1. Go to Intune Admin Center → Devices → Windows → Windows Enrollment → Devices.
  2. Select Import.
  3. Upload the hardware hash CSV file.
  4. Wait a few minutes for processing.

Verification
The device appears in the Autopilot devices list with its serial number.

Assign a Group Tag to the Device

Group tags allow Autopilot devices to be targeted dynamically.

  1. Select the imported device.
  2. Add a Group Tag such as:
    kiosk-devices
  3. Save the change.

Verification
The device now shows the group tag under its Autopilot properties.

Create a Dynamic Device Group

This group will automatically include all devices with the kiosk group tag.

  1. Go to Groups → New Group.
  2. Set:
    • Type: Security
    • Membership: Dynamic Device
  3. Save the group.

Add a dynamic rule using the group tag:

(device.devicePhysicalIds -any (_ -eq "[OrderID]:kiosk-devices"))

Verification
After a few minutes, the Autopilot device should appear in the group.

Create the Autopilot Self‑Deploying Profile

This profile ensures the device deploys automatically with no user interaction.

  1. Go to Devices → Windows → Windows Enrollment → Deployment Profiles.
  2. Create a new Windows PC Autopilot Profile.
  3. Select Self‑Deploying Mode.
  4. Configure:
    • Language: United Kingdom (or your region)
    • Name Template: e.g., PC-%RAND:4%
  5. Assign the profile to the dynamic kiosk group.

Verification
The profile shows as Assigned to the kiosk device group.

Create the Intune Kiosk Profile

Configure the device to run Microsoft Edge in single‑app full‑screen mode.

  1. Go to Devices → Configuration Profiles → Create Profile.
  2. Platform: Windows 10 and later
  3. Template: Kiosk
  4. Select Single App, Full Screen.
  5. Configure:
    • App type: Microsoft Edge
    • Auto‑login: Enabled
    • Kiosk URL: Your company website
    • Idle timeout: 5 minutes
  6. Assign the profile to the kiosk device group.

Verification
The kiosk profile appears under assigned policies for the group.

Configure URL Allow/Block Policies

Ensure only the company website is accessible.

Create a new Configuration Profile using:

    • Platform: Windows 10 and later
    • Template: Administrative Templates
  1. Navigate to Microsoft Edge settings.
  2. Configure:
    • Block access to a list of URLs → Enable → Add * (block all)
    • Allow list of URLs → Enable → Add only the company website
  3. Assign the policy to the kiosk device group.

Verification
The policy shows as successfully assigned.
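
"Successfully assigned" in the portal does not prove the settings reached the device. The script below is an added example, not part of the original lab, that checks the block-all entry and the allow list on a device that has received the profile. It assumes the profile is written as machine policy under HKLM:\SOFTWARE\Policies\Microsoft\Edge in the URLBlocklist and URLAllowlist keys, and www.contoso.example is a placeholder for the company website.

```powershell
# Added example: audit the Edge URL filter policy delivered to a kiosk device.
# Assumptions: www.contoso.example is a placeholder for the company website;
# the profile lands as machine policy under the standard Edge policy key.
param(
    [string[]]$ExpectedAllow = @('www.contoso.example')
)

$EdgePolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgeUrlList {
    param([Parameter(Mandatory)][string]$PolicyName)
    $key = Join-Path $EdgePolicyRoot $PolicyName
    if (-not (Test-Path $key)) { return }      # policy not delivered (yet)
    $item = Get-Item -Path $key
    # List policies are stored as numbered string values: 1, 2, 3, ...
    $item.GetValueNames() |
        Where-Object { $_ -match '^\d+$' } |
        Sort-Object { [int]$_ } |
        ForEach-Object { [string]$item.GetValue($_) }
}

function Test-KioskUrlPolicy {
    param([string[]]$Block, [string[]]$Allow, [string[]]$Expected)
    if ($Block -notcontains '*') {
        'URLBlocklist has no "*" entry, so sites outside the allow list load.'
    }
    if (-not $Allow) { 'URLAllowlist is empty or missing.' }
    foreach ($entry in $Allow) {
        # Any extra entry widens what the kiosk can reach.
        if ($Expected -notcontains $entry) { "Unexpected allow entry: $entry" }
    }
    foreach ($entry in $Expected) {
        if ($Allow -notcontains $entry) { "Expected allow entry missing: $entry" }
    }
}

$block = @(Get-EdgeUrlList -PolicyName 'URLBlocklist')
$allow = @(Get-EdgeUrlList -PolicyName 'URLAllowlist')
$findings = @(Test-KioskUrlPolicy -Block $block -Allow $allow -Expected $ExpectedAllow)

if ($findings.Count -eq 0) {
    "PASS: block-all is set and the allow list matches ($($allow -join ', '))."
} else {
    $findings | ForEach-Object { "FAIL: $_" }
    exit 1
}
```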

Reset the Test Device

Prepare the device for Autopilot deployment.

  1. On the Windows 10 device, go to Settings → Update & Security → Recovery.
  2. Select Reset this PC → Remove everything.
  3. Allow the device to reboot and begin Autopilot deployment.

Verification
The device should display:

  • Company branding
  • Enrollment Status Page
  • Automatic Entra join
  • Automatic Intune enrollment
  • Automatic application of kiosk profiles

Validate the Kiosk Experience

Confirm the device is fully locked down.

  1. Allow the device to complete setup and reboot.
  2. The device should:
    • Auto‑login without user input
    • Launch Microsoft Edge in full‑screen mode
    • Display only the company website
  3. Test blocked sites such as:
    • google.com
    • bbc.co.uk

Verification
Blocked sites should show an access‑denied message and only the allowed website should load.

Conclusion

In this lab, you successfully built a fully automated Windows kiosk using Autopilot and Intune. The device deployed with zero user interaction, joined Entra ID, auto‑enrolled into Intune and applied kiosk restrictions seamlessly.

This solution is cost‑effective, centrally managed, easy to scale, and ideal for customer‑facing environments such as retail, hospitality, and public spaces.