Issue with Adjusting Volume in Windows 11 Multi App Kiosk
Hi, I am trying to configure windows 11 Multi App Kiosk mode for 24H2 OS Build 26100.4946 I’ve successfully configured the Multi App Kiosk on Windows 11 24H2, but I can't adjust the volume, unlike in Windows 10.The device does allow me to configure the volume via the function keys in the keyboard but it doesn't allow me to configure it via the option available in the taskbar As a workaround, I have to allow settings in my environment as app and open the volume mixer by right clicking the taskbar Is there a way to enable volume control through the taskbar in this setup?From the frontlines: Managing common kiosk scenarios in your business
By: Saurabh Sarkar – Product Manager 2 | Microsoft Intune I'm Saurabh Sarkar and I've had the opportunity to collaborate with several customers on effectively managing their Windows kiosk devices to enhance productivity with Microsoft Intune. This post covers some of my experience, recommendations, and additional takeaways from these collaborations. It’s a continuation of our From the frontlines series which focuses on frontline worker scenarios. In this post, we’ll explore how to effectively utilize Intune to enhance the productivity of frontline workers in two example sectors: the airline industry and the food and beverage sector (restaurants). Background Kiosk devices are integral to modern business operations, particularly in retail, manufacturing, and the airline industry. These devices serve as dedicated terminals for specific tasks, enhancing efficiency and productivity. In retail, kiosks are commonly used for customer service functions such as self-checkout, product information, and order placement. They provide a seamless and interactive experience for customers, reducing wait times and improving satisfaction. In manufacturing and factory settings, kiosk devices are utilized for various operational purposes including inventory management, allowing workers to quickly check stock levels and update records in real-time. Additionally, kiosks facilitate employee check-ins, shift scheduling, and access to important safety information, ensuring smooth and safe operations on the factory floor. From a technological standpoint, managing these kiosk devices is crucial to maintaining their functionality and security. As shared in the introduction to this series, Intune allows organizations to centrally control and manage their kiosk devices. With Intune, administrators can centrally manage and remotely configure settings, deploy applications, and enforce security policies, reducing the risk of data breaches and unauthorized access. Moreover, this centralized management approach using Intune not only enhances the reliability of kiosk devices but also ensures compliance with organizational policies and industry regulations. Self-service kiosks in airports and restaurants Self-service kiosks at airports offer numerous advantages that improve passenger experience and operational efficiency. They help reduce wait times by allowing passengers to check in, select seats, and print boarding passes quickly and conveniently which is especially beneficial during peak travel times. For airlines, self-service kiosks reduce the reliance on staffing resources and ticket agents resulting in cost savings and allowing airlines to reallocate staff to other critical areas, such as customer service and baggage handling. These kiosks can be activated as needed during busy periods, eliminating the need for temporary staffing solutions. Passengers benefit from the user-friendly interfaces of these kiosks, which are designed to be accessible to people of all ages and tech-savviness. Multilingual support further enhances accessibility for international travelers. Similarly self-ordering kiosks in restaurants reduces wait times and speeds up the ordering process. They also improve order accuracy, as customers input their selections directly, minimizing errors that can occur with verbal communication. The interface allows customers to browse the menu at their own pace, customize their orders, and make payments easily, leading to a more satisfying dining experience. Additionally, kiosks help restaurants save on labor costs by reducing the need for cashiers, allowing staff to focus on food preparation and customer service. Kiosk device provisioning scenario using Windows Autopilot Imagine a busy pizza delivery restaurant that strives to deliver a seamless ordering experience for its customers while streamlining staff operations. The restaurant equips its tables and waiting area with userless Windows devices, each configured to meet the below requirements: These devices are userless, eliminating the need for individual user logins before placing an order. They are configured to display the restaurant's website exclusively, with restrictions on accessing any other URLs or opening any other browser tabs or applications. If the device remains inactive during a session, the browser should automatically refresh and redirect to the homepage, ensuring it’s prepared for the next customer. The IT team leverages Windows Autopilot’s self-deploying mode to transform standard Windows hardware into dedicated ordering terminals. As soon as a device powers on and connects to the internet, it automatically joins Microsoft Entra ID, enrolls in Intune, and configures itself for kiosk use. Microsoft Edge launches in full-screen kiosk mode, locking the device to the restaurant’s website and preventing access to other URLs, tabs, or system applications. The kiosk profile set by Intune ensures that customers only see what they need for ordering, with no distractions or risk of tampering. The restaurant’s digital signage hides unnecessary browser controls, such as the home button, and disables features that could allow customers to exit the ordering environment. If a session remains inactive for 15 minutes, the browser refreshes and returns to the homepage, erasing any previous selections and preparing the device for the next guest. Meanwhile, secure Wi-Fi configurations - automatically deployed via Intune and authenticated using robust device-based certificates - keep each device connected to the network, regardless of user or shift changes. With this setup, the restaurant empowers customers to order efficiently and autonomously, eliminates the need for staff to manage devices, and ensures every kiosk remains secure and ready for use throughout the day. This scenario highlights how Windows Autopilot, Intune, and Microsoft Edge kiosk mode work together to support innovative ordering solutions in the food service industry. Considering the above scenario and requirements, you can deploy a Kiosk type device configuration policy to managed Windows devices as shown in Fig. 1 below. Fig. 1 – Setting up Kiosk configuration profile for Windows. The figure below illustrates the configuration settings that need to be applied in the kiosk profile to fulfill the specified requirements. This is the second page of the Kiosk device configuration profile wizard that is shown after the admin initiates the creation of the profile. Fig. 2 – Configuring settings in Single app Kiosk mode profile for Windows. The following are key points about the configuration: With the logon type set to “Auto logon”, users don’t need to manually sign in to use the device. Note: The auto logon process uses KioskUser0 account and cannot be changed. By configuring digital/interactive signage, you ensure that the home button isn’t visible and prevents users from opening additional tabs in the browser. By configuring the browser's idle time, you ensure that after 15 minutes of inactivity, the browser restarts and redirects to the restaurant's homepage. This process prepares the device for the next user and clears any cached data in the browser. You can also deploy a Wi-Fi profile from Intune that automatically connects the device to allowed SSIDs. You can further automate this connection by deploying and utilizing a device-based certificate using an organization provided PKI and the Certificate Connector for Microsoft Intune or using Microsoft Cloud PKI for Microsoft Intune. The below screenshot shows the user experience in a Windows device running with the Single app Kiosk mode. As we can see, the user doesn't have the home button visible in the browser and is restricted from opening any additional tabs. Fig. 3 – User experience in a Windows device configured with Single app mode Kiosk mode. This is one example of how Intune assists in the management of kiosk devices in various industries. Other examples include the use of kiosk devices in movie theatres for ticketing and information distribution or retail shops for self-checkout and gathering product information. Please refer to the documentation Microsoft Edge Browser Policy Documentation for additional settings that can be configured in Microsoft Edge when using Kiosk mode. This post is part of the “From the frontlines” series which aims to guide customers by exploring recommended practices for deploying, managing, and securing frontline devices using Intune and Windows Autopilot. We’ll publish additional posts on other healthcare scenarios and industries, such as retail and airlines, in the upcoming months so stay tuned and check back frequently! Resources: Please refer to the documentation here for more guidance: To learn about how to get started with kiosk device setup for Windows refer to Frontline worker for Windows devices in Microsoft Intune To learn about the various settings available in the kiosk profile for Windows in Intune refer to Windows 10/11 and newer device settings to run as a kiosk in Intune To learn about all the Windows kiosks configuration options, refer to aka.ms/kiosk To learn about the advances that have been made over the past 12 months for kiosk scenarios with Windows 11 please check our recording from technical Takeoff session Windows 11 kiosks: Cloud management for the win - Microsoft Technical Takeoff We’d love to hear how you're leveraging Intune in your frontline worker scenarios! Feel free to share your experiences or ask questions by leaving a comment below, or by reaching out to us on X (@IntuneSuppTeam or @MSIntune). You can also connect with us on LinkedIn.
Android Enrollment - Corportate-owned Dedicated Devices can't see all the Policies created
Good morning everyone, Last week, I noticed that none of the new enrollment profiles I created are appearing on the page, and some old ones that I need to use are also "invisible." Is anyone else experiencing this issue, or is it just me? To ensure the profiles weren't deleted, I made an export and can see them all. Only 4 are appearing on the console, and on the report i have 13... Thank you.iOS Update Installation Failure - Status -2016330697
Dear Forum Members, I have an iPad configured in Kiosk mode and locked in with single app Edge browser. I also configured an iOS update policy to update the iOS from 12.4.6 to 13.0.0. I didn't work and received an installation failure status -2016330697 (It is a minus sign, not a hyphen). The error is from Intune - Software Updates - Installation failures for iOS devices. Can anyone tell me what is this error mean and direct me where to troubleshoot next? Thank you all so much!
Managed Home Screen Woes
Setting up a Company Owned Dedicated (kiosk) Android device can be a bit challenging to get just right. After several hours of reading Reddit, Microsoft, and Personally owned blogs and threads, I figured I would consolidate everything I have found to hopefully have this show up on someone else's Google results. (Main link for Managed Home Screen Configuration: https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-managed-home-screen-app ) Calling issues with Managed Home Screen The Issue: Devices were able to receive phone calls, but the only notification was in the default system's notification tray; this was while the device was locked and unlocked. This posed an issue as we would like to 1) disable the default system tray and 2) We need at least the phone to light up when it was locked to let the users know they're getting a call. The Solution: After researching it is my assumption that the underlying issue is that while the phone is managed, and enrolled as a Company Owned Dedicated Device, for some reason the UI elements are NOT identified as managed items. So the administrator must deploy the following applications as Android Enterprise System Apps and set them as required installs: com.samsung.android.incallui --- I named this Call UI, Publisher Android com.android.server.telecom --- I named this Telecom (1 of 2 Req for Phone App), Publisher Android com.samsung.android.app.telephonyui --- I named this Telephony UI (2 of 2 Req for Phone App), Publisher Android (Yes, these are probably not the "Android Designated Application Name" but that's what they're staying as in my tenant.) That's it. Done. Phone was able to receive calls with the normal quarter of the top screen notification, as well as a full screen notification if the device was locked. However, some previous research also let me to these other items that may help someone else from googling: The Android Phone App Package ID / Android Phone App Bundle ID / Samsung Phone App is: com.samsung.android.dialer --- I named this Phone, Publisher Samsung (unsure for Google, Motorola, etc phones, this works for Samsung) This needs to be set as required as well, and assumedly placed on the managed home screen for the user to make calls (unsure if it is needed to receive calls only... if you have some type of use case for that?). Most predominant links relating to the issue: Article 1: https://www.reddit.com/r/Intune/comments/t427kv/shared_android_phonecalls_from_kiosk_mode/ Article 2: https://www.reddit.com/r/Intune/comments/vxw8xn/comment/ifylsaz/?utm_source=share&utm_medium=web2x&context=3 Managed Home Screen Conflicts App Configuration Policies currently don’t really show you any information as to why or what a conflict is; just that it’s conflicting (thanks, Microsoft). Some common issues I’ve seen around is that while some configurations are available in both the Device Configuration Profile and the App Configuration Policy; you should not apply these settings in both places (see the tables of configurations on the Microsoft doc for Managed Home Screen at the top of this article). Personally, I like having the configurations setup as: Managed Home Screen App Config Policy: Configuration Key Value Type Configuration Value Exit lock task mode password string 123456 MAX time outside MHS integer 600 MAX inactive time outside MHS integer 180 Enable MAX time outside MHS bool TRUE Enable MAX inactive time outside MHS bool TRUE Enable easy access of debug menu bool TRUE Define Theme Color string light Applications in folder are ordered by name bool TRUE Application order enabled bool TRUE Device's serial number choice {{SerialNumber}} Show device name bool TRUE Show Device Info setting bool TRUE Show Volume setting bool TRUE Show Flashlight setting bool TRUE Show Bluetooth setting bool TRUE Show Managed Setting bool TRUE Show Wi-Fi setting bool TRUE Battery and Signal Strength indicator bar bool TRUE Set device wall paper string https://i.imgur.com/OPlCeFG.jpg Lock Home Screen bool TRUE Enable notifications badge bool TRUE (Exiting Kiosk mode is then within the Device Managed Settings > i > Exit Kiosk Mode with the ‘Exit lock task mode password’ pin.) Dedicated Device Configuration Policy: (In my experience, this is an overview of the settings that should / shouldn’t be set with Managed Home Screen. This is not all the settings, that’s a lot of typing. But this will give you a good start. I am sure not all of these affect the Managed Home Screen as well, but at least the ones under Device Experience do.) General: Permission Policy – Default Date and Time – Block Factory Reset, Status Bar – Blocked Skip first hints – Enable Power Button Menu – Block System Error Warnings – Allow Enabled System Navigation Features – Home and overview buttons System Notifications and Information – Show both Device Experience: Enrollment Type – Dedicated Device Kiosk Mode – Multi-App Custom Layout – Enable (Note: all of these apps need to be deployed and set as required) App Notification Badges – Enable Virtual Home Button thru Wi-Fi Configuration– ALL Not Configured (as these are configured within the App Configuration Policy!) Bluetooth, Flashlight, Media, Quick access to device info – Enabled Managed Home Screen Background I found that the best place to configure this is only within the App Configuration Policy. The main issue everyone seems to face is that the image URL must end with a ‘.jpg’. This is very easily overcome; find an image on Google, Download it, Go to Imgur, Upload it (watch your ad), Right click it afterwards, then click Copy Image Link. Boom imgur.com/somerandomletters.jpg Finding the Android App Identifier Honestly, this is a lot more complicated than it needs to be. Note: Adding the Managed Home Screen app to the Home Screen shows up as Managed Settings and works great. Here’s a list of the common ones: App Name Store URL App Identifier Calendar https://play.google.com/store/apps/details?id=com.samsung.android.calendar com.samsung.android.calendar Camera https://play.google.com/store/apps/details?id=com.sec.android.app.camera com.sec.android.app.camera Clock https://play.google.com/store/apps/details?id=com.google.android.deskclock&hl=en-US com.google.android.deskclock Gallery https://play.google.com/store/apps/details?id=com.sec.android.gallery3d com.sec.android.gallery3d Google Play Store com.android.vending Microsoft Intune https://play.google.com/store/apps/details?id=com.microsoft.intune&hl=en-US com.microsoft.intune Managed Home Screen https://play.google.com/store/apps/details?id=com.microsoft.launcher.enterprise&hl=en-US com.microsoft.launcher.enterprise Microsoft OneDrive https://play.google.com/store/apps/details?id=com.microsoft.skydrive&hl=en-US com.microsoft.skydrive Microsoft Outlook https://play.google.com/store/apps/details?id=com.microsoft.office.outlook&hl=en-US com.microsoft.office.outlook Microsoft Teams https://play.google.com/store/apps/details?id=com.microsoft.teams&hl=en-US com.microsoft.teams Phone https://play.google.com/store/apps/details?id=com.samsung.android.dialer com.samsung.android.dialer Samsung Notes https://play.google.com/store/apps/details?id=com.samsung.android.app.notes&hl=en-US com.samsung.android.app.notes Settings https://play.google.com/store/apps/details?id=com.android.settings com.android.settings There were a LOT of articles and treads I read about these issues and I cannot possibly find them all again to post here. But here are a few to try and give credit: https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-managed-home-screen-app https://www.reddit.com/r/Intune/comments/t427kv/shared_android_phonecalls_from_kiosk_mode/ https://www.reddit.com/r/Intune/comments/vxw8xn/comment/ifylsaz/?utm_source=share&utm_medium=web2x&context=3 https://github.com/petarov/google-android-app-ids (Some of these are incorrect for my use cases (needed Android apps not Google Apps)) https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-android-for-work?WT.mc_id=Portal-Microsoft_Intune_DeviceSettings https://learn.microsoft.com/en-us/mem/intune/apps/apps-ae-system#enable-a-system-app-in-intune
Kiosk Mode not logging in - "kioskUser0 the user name or password is incorrect"
I am working with creating a Device Configuration Profile for Kiosk Mode. The device is Windows 10 1809 and is Azure AD joined only and is syncing and receiving policies, updates, and software. When the device is restarted the Kiosk policy attempts to force the Auto-login option but fails. It is showing User "kioskUser0" and giving the generic message of "username/password is incorrect". I wait a minute or 2 and the timeout for attempting the login with the kiosk user occurs, then I am able to then login with any azure ad user I attempt. When the policy is applied is it creating kioskUser0 as a local account on the device? Other than restarting, is there any way for the device to attempt to log back into the kiosk section? (logging in and signing out does not seem to trigger this)Kiosk XML - Whitelist apps in %userprofile%
Hi all, I have a problem with my multi app kiosk config (Assigned Access XML in Intune -> ./Device/Vendor/MSFT/AssignedAccess/Configuration). I want my users have the choice whether to use Teams, Starleaf, Zoom etc. - but, just StarLeaf isn't working. Die Ausführung von %PROGRAMFILES%\STARLEAF\STARLEAF\STARLEAF.EXE wurde zugelassen. (fine) Die Ausführung von %PROGRAMFILES%\STARLEAF\STARLEAF\MISC\STARLEAFINSTALLER.EXE wurde zugelassen. (fine) Die Ausführung von %OSDRIVE%\USERS\063690\APPDATA\LOCAL\STARLEAF\STARLEAF\1\STARLEAF.EXE wurde verhindert. (blocked) Is there any way to whitelist apps installing in the userprofile directory? <?xml version="1.0" encoding="utf-8" ?> <AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" > <Profiles> <Profile Id="{a4457869-7414-4c11-bb0b-50fdff39d54a}"> <AllAppsList> <AllowedApps> <App AppUserModelId="StarLeaf.Breeze2.Windows.2" /> <App DesktopAppPath="%USERPROFILE%\AppData\Local\StarLeaf\StarLeaf\1\StarLeaf.exe" /> <App DesktopAppPath="C:\PROGRAM FILES (x86)\StarLeaf\StarLeaf\StarLeaf.exe" /> <App DesktopAppPath="C:\PROGRAM FILES (x86)\StarLeaf\StarLeaf\MISC\StarLeafInstaller.exe" /> </AllowedApps> </AllAppsList> <StartLayout> <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> <LayoutOptions StartTileGroupCellWidth="6" /> <DefaultLayoutOverride> <StartLayoutCollection> <defaultlayout:StartLayout GroupCellWidth="6"> <start:Group Name="Conferencing"> <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="StarLeaf.Breeze2.Windows.2" /> </start:Group> </defaultlayout:StartLayout> </StartLayoutCollection> </DefaultLayoutOverride> </LayoutModificationTemplate> ]]> </StartLayout> <Taskbar ShowTaskbar="true"/> </Profile> </Profiles> <Configs> <Config> <UserGroup Type="AzureActiveDirectoryGroup" Name="057b819d-453c-4c25-8358-141e207d8076" /> <DefaultProfile Id="{a4457869-7414-4c11-bb0b-50fdff39d54a}"/> </Config> </Configs> </AssignedAccessConfiguration> Thanks in advance!
