Questions on Intune - Autopilot

Hi Community,

 

Our customer is looking to set up an AVD environment but they want to control how people connect to the Virtual Desktop and prevent work on local machine / saving anything locally.

 

Initially they looked at Chromebooks, which were pretty much familiar except that they could not get the smart card reader to work correctly via the MS Chrome RD App.

 

Then they looked at Intune / Autopilot to effectively do the same and turn a laptop into a kiosk with pretty much just the remote desktop client on it (maybe a browser), and apply policies to prevent local saving etc. So far they have Autopilot working but not the kiosk.

 

Question:

 

Is there any viable solution to resolve this?

 

Any guidance would be of great help! Many thanks in advance.

3 Replies
Hi, maybe instead of looking at the device itself, if you prevent copy-paste / mount your local drives in the AVD environment you would also be done?

Just use an Autopilot Windows device, make sure the user doesn't get admin permissions.. so you will end up with a nice clean Windows 10 with only an RDP icon on the desktop.. And they could install anything on it.. Maybe restricting access to the C: drive?

But that's my opinion :)
Hi Rudy,

Thank you for your response. We can add more clarity about this request:

Our customer is looking to set up an AVD environment but they want to control how people connect to the Virtual Desktop and prevent work on local machine / saving anything locally. They are aware of how to control through AVD policies (preventing copy paste etc). However they also wish to control the PC used to connect to the AVD Session.

Company laptops have been issued and configured using Autopilot, they would like to restrict these laptops to only running RDS Client so the laptop can be used for nothing else. Kiosk mode seems to be the answer but this might need to be multi App mode as AVD offloads Teams back to the client plus the client uses Smartcard readers which again are plugged into the laptop.

They'd like to know more about how Kiosk mode works from a technical perspective,

e.g. There is Single App and Multi Apps. In the above scenario they only need one app or do they?
Is the offloaded Teams element an App?
Is the Smartcard element an App or a Driver?

Any pointers would be of great help.

Many thanks in advance!
You might want to look at the Shared Device option in Intune for managing these devices. That gives you some different options as far as maintaining the profiles on the laptops (so you could have them deleted when the user logs off). As far as the single-app vs. multi-app kiosk options, I'm diving into that now. Essentially the difference is that with single-app, that one application is the one that opens automatically and is the only one available; with multi-app you can have more than one app available (and one of them can be set to auto-launch), but you just get a start screen with just the apps you set as available to run.
In our instance we use the desktop app for AVD access (https://docs.microsoft.com/en-us/azure/virtual-desktop/user-documentation/connect-windows-7-10). Right now the users have to go and download it themselves (we're moving to deploying it with ConfigMan). I think in your instance you'd want to add this app as part of your AutoPilot deployment and have it as one of the apps available, along with a browser etc. as you've listed.
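
For the multi-app kiosk described in the reply above, a pre-deployment check of the kiosk profile's allowed-app list can catch an over-broad allow list before it reaches the laptops. This is an added example, not part of the thread: the AssignedAccess XML sample is constructed and trimmed to the app list, and the install paths, profile Id and the `audit_kiosk_profiles` helper are assumptions.

```python
import xml.etree.ElementTree as ET

# AssignedAccess namespaces: base schema, and the rs5 extension that carries AutoLaunch.
NS = "http://schemas.microsoft.com/AssignedAccess/2017/config"
RS5 = "http://schemas.microsoft.com/AssignedAccess/201810/config"

# Constructed sample, trimmed to the allowed-app list. Paths and Id are assumptions.
SAMPLE = r"""<AssignedAccessConfiguration
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config">
  <Profiles>
    <Profile Id="{00000000-0000-0000-0000-000000000001}">
      <AllAppsList>
        <AllowedApps>
          <App DesktopAppPath="C:\Program Files\Remote Desktop\msrdcw.exe" rs5:AutoLaunch="true"/>
          <App DesktopAppPath="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"/>
          <App DesktopAppPath="C:\Windows\System32\cmd.exe"/>
        </AllowedApps>
      </AllAppsList>
    </Profile>
  </Profiles>
</AssignedAccessConfiguration>"""

# Apps the kiosk is meant to expose (assumed default install paths).
APPROVED = {
    r"C:\Program Files\Remote Desktop\msrdcw.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
}

def audit_kiosk_profiles(xml_text, approved=APPROVED):
    """Return findings per multi-app profile: unapproved apps, more than one auto-launch."""
    approved = {a.lower() for a in approved}
    findings = []
    for profile in ET.fromstring(xml_text).iter(f"{{{NS}}}Profile"):
        pid, auto = profile.get("Id"), []
        for app in profile.iter(f"{{{NS}}}App"):
            ident = app.get("DesktopAppPath") or app.get("AppUserModelId") or ""
            if ident.lower() not in approved:
                findings.append(f"{pid}: unapproved app {ident}")
            if app.get(f"{{{RS5}}}AutoLaunch", "false").lower() == "true":
                auto.append(ident)
        if len(auto) > 1:
            findings.append(f"{pid}: {len(auto)} apps set to auto-launch, expected at most 1")
    return findings

if __name__ == "__main__":
    for line in audit_kiosk_profiles(SAMPLE):
        print(line)
```
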