This guide shows you how to configure a Windows 10 PC as a kiosk for running Windows App, which is now generally available on Windows, macOS, iOS, iPadOS, web, and in public preview for Android. This will give users an experience similar to Windows 365 Boot, where the sole purpose is to connect users to their primary device: a Cloud PC.
As more organizations use Windows 365 Cloud PCs as their primary Windows desktop experience, they want to reduce the complexity of configuring the client device, the physical endpoint. To address that, we introduced Windows 365 Boot, which became generally available last year. This feature is often used to repurpose the devices customers already have, but Windows 365 Boot is built to work exclusively on Windows 11.
In December 2023, we announced that Extended Security Updates (ESUs) will be included with Windows 365 subscriptions for Windows 10 devices that access Windows 365 at no additional cost. Although support for Windows 10 will end on October 14, 2025, devices with ESU will continue to receive security updates for up to three years. We strongly recommend migrating to a new Windows 11 PC with all the great security features turned on by default to keep your organization protected and productive. However, there may be circumstances that prevent replacing devices that are ineligible for Windows 11 before the end-of-support date. If you cannot upgrade to Windows 11 using Windows Autopatch or Microsoft Intune, you might consider using Windows 11 on a Cloud PC.
A Cloud PC lets your workers securely access applications and documents from anywhere in the world, but they need to connect from a client device. Using a Windows device just to open Windows App to then sign in to a Cloud PC can be an awkward and time-consuming effort, and the user may be tempted to work from the client instead of the Cloud PC. That creates the opportunity to configure the Windows 10 device as a kiosk, so it is easy and quick for the user to sign in to their Windows 365 Cloud PC directly from that kiosk device.
Cloud PC kiosk configuration
To configure a Cloud PC kiosk with Windows 10 Pro or Enterprise, you will need:
- Windows App – installed from the Microsoft Store or via MSIX
- Microsoft Edge WebView2 – installed via PowerShell or Win32 package
- AssignedAccess – a CSP to configure the kiosk
Here, we’ll use Microsoft Intune to install and configure these to give you a working kiosk as a starting point. You can then modify the configuration to meet your needs.
We’ll also use a new Microsoft Entra security group called Cloud PC kiosks throughout this example. Members of the group should be the Windows 10 devices that are to be configured as a kiosk.
While it’s out of scope for this guide, it is best to provision these as Microsoft Entra joined devices using Windows Autopilot. You could use a user-driven or self-deploying mode, whichever you prefer.
Install Windows App
You’ll need to install Windows App on the device in the system context, which allows any user to run the application. The easiest way to do this is by adding it from the Microsoft Store. You could also download the MSIX package from the What’s new in Windows App page. To deploy it as a line-of-business application, you’ll also need the VCLibs.140.00 package it depends on.
Search for and select Windows App and select the UWP published by Microsoft Corp. Then set Install behavior to System.
Finally, assign the app to the Cloud PC Kiosks group as a Required installation.
Install WebView2
Windows App requires WebView2, which is not preinstalled on Windows 10. Since the kiosk configuration prevents the dynamic install of WebView2, we'll use a PowerShell script to download and install WebView2, also in the system context, using the Evergreen Standalone Installer. This will always get the latest version of WebView2, and it will update automatically. If you prefer, you could create a Win32 package for the installer.
Download the Get-UpdatedWebView2.ps1 script from GitHub, and be sure it is encoded using UTF-8. If you copied the raw text into Notepad, use Save as to set the encoding type.
In the Intune admin center, go to Devices | Windows > Windows | Scripts and remediations. Then from the Platform scripts tab, select Add. Name it something like Cloud PC Kiosk - Install WebView2 and select the script you just saved. Set Run this script using the logged on credentials to No, Enforce script signature check to No, and Run in 64 bit PowerShell Host to Yes.
Then, assign the script to the same Cloud PC Kiosks group and finish adding the script.
Create custom kiosk policy
Use a custom profile to create the kiosk configuration. This gives you the most flexibility in how your kiosk works and is defined entirely in XML. From Intune, create a new Policy, for Platform select Windows 10 and later, for Profile type select Templates, then select Custom.
When prompted for a name, use something like Cloud PC Kiosk Dedicated Mode, and when prompted for configuration settings, select Add to provide details for the Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings as described in the table below.
Name | Kiosk for Each User
Description | Each user will get the Kiosk experience with Windows App and Settings
OMA-URI | ./Vendor/MSFT/AssignedAccess/Configuration
Type | String
Value |
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
    xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config">
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
      <AllAppsList>
        <AllowedApps>
          <App AppUserModelId="MicrosoftCorporationII.Windows365_8wekyb3d8bbwe!Windows365" rs5:AutoLaunch="true" />
          <App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
        </AllowedApps>
      </AllAppsList>
      <StartLayout><![CDATA[
        <LayoutModificationTemplate
            xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
            xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
            Version="1"
            xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
          <LayoutOptions StartTileGroupCellWidth="6" />
          <DefaultLayoutOverride>
            <StartLayoutCollection>
              <defaultlayout:StartLayout GroupCellWidth="6">
                <start:Group Name="">
                  <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="MicrosoftCorporationII.Windows365_8wekyb3d8bbwe!Windows365" />
                  <start:Tile Size="2x2" Column="0" Row="5" AppUserModelID="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
                </start:Group>
              </defaultlayout:StartLayout>
            </StartLayoutCollection>
          </DefaultLayoutOverride>
        </LayoutModificationTemplate>
      ]]></StartLayout>
      <Taskbar ShowTaskbar="false" />
    </Profile>
  </Profiles>
  <Configs>
    <v3:GlobalProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
  </Configs>
</AssignedAccessConfiguration>
This will use the Windows 10 AssignedAccess CSP, which automatically configures a variety of things for your kiosk, including some AppLocker settings that will lock down the kiosk to only allow running the applications that are defined in the AllowedApps section. In this example, only two applications are allowed:
- Windows App – used to connect to Windows 365 Cloud PCs, Microsoft Dev Box machines, and Azure Virtual Desktop session hosts. It’s also set to start automatically when the user signs into the kiosk.
- Settings – used to access Network/Wi-Fi settings, Bluetooth pairing, system information, and more.
There are endless variations you can adjust to your preferences, but to wrap up this example, assign this policy to the Cloud PC Kiosks group. Once the policy is applied and you sign in, your kiosk should look like this:
Later you can revise this XML to add other applications. Just be sure to add them to the AllowedApps so they can run, and to the StartLayoutCollection so users can see them.
For example, if you wanted to add the Edge browser, add these two lines in their respective sections:
<AllowedApps> | <App AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
<start:Group Name=""> | <start:DesktopApplicationTile Size="2x2" Column="2" Row="5" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk" />
And the kiosk will now look like this:
You can also control the parts of Settings that users can access with the PageVisibilityList policy.
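Because AllowedApps drives the AppLocker rules, a tile whose app is missing from that list shows up on the kiosk but is blocked when launched. The PowerShell below is an added example, not part of the original guide or any Microsoft tooling: it lints the XML before upload, flagging such tiles and any Configs entry that references an undefined profile. Test-KioskXml is a hypothetical helper name, and the embedded XML is a constructed, trimmed variant of the guide's profile.

```powershell
# Added example. $sampleXml is a constructed, trimmed variant of the guide's profile:
# the Settings tile is on the Start layout but its AllowedApps entry is missing.
$sampleXml = @'
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config">
  <Profiles><Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
    <AllAppsList><AllowedApps>
      <App AppUserModelId="MicrosoftCorporationII.Windows365_8wekyb3d8bbwe!Windows365" />
    </AllowedApps></AllAppsList>
    <StartLayout><![CDATA[
      <LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
          xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
        <DefaultLayoutOverride><StartLayoutCollection><defaultlayout:StartLayout GroupCellWidth="6"><start:Group Name="">
          <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="MicrosoftCorporationII.Windows365_8wekyb3d8bbwe!Windows365" />
          <start:Tile Size="2x2" Column="0" Row="5" AppUserModelID="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
        </start:Group></defaultlayout:StartLayout></StartLayoutCollection></DefaultLayoutOverride>
      </LayoutModificationTemplate>
    ]]></StartLayout>
  </Profile></Profiles>
  <Configs><v3:GlobalProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}" /></Configs>
</AssignedAccessConfiguration>
'@

function Test-KioskXml {   # hypothetical helper name, not an Intune or Windows cmdlet
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $findings = @()
    # local-name() matching keeps the XPath independent of namespace prefixes
    $profiles = $doc.SelectNodes("//*[local-name()='Profile']")
    $ids = @($profiles | ForEach-Object { $_.GetAttribute('Id') })
    foreach ($ref in $doc.SelectNodes("//*[local-name()='Configs']//*[@Id]")) {
        $id = $ref.GetAttribute('Id')
        if ($ids -notcontains $id) { $findings += "Configs references undefined profile $id" }
    }
    foreach ($p in $profiles) {
        $allowed = @($p.SelectNodes(".//*[local-name()='App']") | ForEach-Object { $_.GetAttribute('AppUserModelId') })
        $layoutNode = $p.SelectSingleNode("*[local-name()='StartLayout']")
        if (-not $layoutNode) { continue }
        $layout = [xml]$layoutNode.InnerText   # the CDATA payload is a separate XML document
        # Only UWP tiles are checked; a DesktopApplicationTile points at a .lnk, not an app ID
        foreach ($tile in $layout.SelectNodes("//*[local-name()='Tile']")) {
            $aumid = $tile.GetAttribute('AppUserModelID')
            if ($allowed -notcontains $aumid) { $findings += "Tile not in AllowedApps: $aumid" }
        }
    }
    $findings
}

Test-KioskXml -Xml $sampleXml
```

On the constructed sample this reports the Settings tile as not allowed; no output means both checks passed.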
Additional kiosk settings
Although they aren’t required, here are some additional modifications that may yield a better experience. These examples use a custom CSP, but you can find most of them in the settings catalog as well.
Name | Enable Kiosk Status for MDM
Description | Enables Intune to query status of the Kiosk App
OMA-URI | ./Vendor/MSFT/AssignedAccess/StatusConfiguration
Type | String
Value | <StatusConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2018/StatusConfiguration"> <StatusEnabled>OnWithAlerts</StatusEnabled> </StatusConfiguration>

Name | Disable First Sign-in Animation
Description | Expedites logon times of new users
OMA-URI | ./Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation
Type | Integer
Value | 0

Name | Disable User ESP
Description | Expedites provisioning and logon times by not waiting for user assignments
OMA-URI | ./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
Type | Boolean
Value | True

Name | Show Local Users on Lock Screen
Description | Show the Kiosk User on the lock screen to switch between User and Kiosk accounts
OMA-URI | ./Vendor/MSFT/Policy/Config/WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers
Type | String
Value | <enabled />

Name | Display Network Selection UI on Lock Screen
Description | Shows the Network Connection menu on the logon screen
OMA-URI | ./Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI
Type | String
Value | <disabled />
Of course, there are countless other settings you might consider, such as setting an image on the lock screen or the wallpaper, or other suggestions for boot devices.
Troubleshooting
To test the kiosk configuration, add a Windows 10 device that is Microsoft Entra ID joined to the group where the configurations have been assigned. Then restart, or if you’re using Windows Autopilot, wipe it to go through provisioning. Once the policies are applied and installations are complete, you’ll be prompted to sign in. After doing so, you should see the kiosk springboard, Windows App should load, and you’ll be ready to connect to your Cloud PC.
Look in the logs
If something isn’t working, you can use Intune to collect diagnostics and review the log files and event logs to investigate errors that need to be addressed.
Some helpful areas to look at include those in the table below:
Event log | Microsoft/Windows/AppLocker/EXE_and_DLL
Event log | Microsoft/Windows/AssignedAccess/Operational
Registry | HKLM\Software\Microsoft\Windows\AssignedAccessConfiguration
Registry | HKLM\Software\Microsoft\Windows\AssignedAccessCsp
Log files | C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
You can also review the kiosk mode troubleshooting guide.
If WebView2 is not installed
Windows 10 does not have WebView2 installed by default. When running Windows App, users may be prompted to install WebView2, which they will not be able to do on an AssignedAccess kiosk.
To resolve this, use Intune to install WebView2 in the system context. Earlier in this guide, we described how to do that using a PowerShell script.
If Windows Defender Firewall blocks Microsoft Teams
When Teams runs on the Cloud PC and uses media optimizations, an attempt is made to create an Allow rule in Windows Defender Firewall on the local kiosk. Since the user is not an admin on the kiosk, they are unable to allow this action and perpetually get prompted for credentials.
To resolve this, use Intune to preconfigure a firewall rule that will allow Windows App to accept the incoming Teams media for all users on the kiosk, so they are not prompted.
Create a new Template profile using the Endpoint protection type and name it something like Cloud PC Kiosk Firewall Settings. Find Windows Firewall, add a new rule to allow inbound connections for the Teams app using these settings.
Name | Allow Teams App Inbound
Direction | Inbound
Action | Allow
Network Type | Domain, Private and Public
Application | File Path
File path | %USERPROFILE%\AppData\Local\Microsoft\Teams\current\teams.exe
Then, assign it to the Cloud PC Kiosks group and finish creating the policy.
Wrapping up
We hope you find this guide helpful for your transition to Windows 11 and Windows 365! Learn more about ESUs and how Windows 365 users can get them at no additional cost in this episode of Windows in the Cloud with Mark Florida and Michael Raschko.