
Auto Logon & Intune Kiosk Policy Deployment Guide

Authors: Ofir Gavish and Eitan Talmi

Introduction

This guide walks you through the process of configuring a Windows 10/11 device to automatically log in and operate in kiosk mode using Microsoft Intune. Kiosk mode is ideal for scenarios where you want to lock down a device to a single app experience (e.g., Edge browser or a line-of-business app). We’ll utilize Sysinternals Autologon, a custom XML policy for Assigned Access, and optional settings for better kiosk hardening and automation. Each section includes deep technical context to ensure you know exactly what’s happening under the hood.

Step 1: Configure Auto Logon

  1. Download the Autologon Tool.
  2. Run Autologon:
    • Launch Autologon.exe as Administrator.
    • Username: The user you want to auto log in as
    • Domain: Your domain name (or computer name for local accounts)
    • Password: The user password
    • Technical Insight: This utility writes the credentials to the registry in a secure manner under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, enabling seamless user login on boot.

Step 2: Prepare Assigned Access XML for Intune

  1. Generate a GUID using PowerShell:
       New-Guid
  2. Update the XML Template from this Gist.
    • Replace the placeholders on lines 4, 19, and 20 with:
      • Your generated GUID
      • Your account name (same as used in autologon)
    • Technical Insight: AssignedAccess XML defines the kiosk app, shell, and user context. The GUID ties the experience to the user. Make sure your XML is schema-compliant; otherwise, Intune will silently fail to apply the configuration.

Step 3: Deploy XML in Intune

  1. Go to Microsoft Intune
  2. Navigate to Devices → Configuration Profiles
  3. Click + Create Profile
  4. Choose:
    • Platform: Windows 10 and later
    • Profile type: Templates
    • Template name: Custom
  5. Click Create
  6. Provide a name (e.g., Assigned Access Kiosk Policy) and click Next
  7. Under Configuration settings, click Add:
    • Name: AssignedAccessConfig
    • OMA-URI:
      ./Device/Vendor/MSFT/AssignedAccess/Configuration
    • Data Type: String (XML file)
    • Value: Paste the entire XML content from Step 2
    • Technical Insight: This custom OMA-URI maps to the MDM setting for Assigned Access and uses the Windows CSP (Configuration Service Provider). Any misconfigured XML or invalid characters will result in policy deployment failure, so validate your XML beforehand.
  8. Assign the policy to the relevant device group
  9. Click Create
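
One way to run the validation that Steps 2 and 3 call for before pasting the XML into Intune, as an added example that is not part of the original guide or its Gist. The function name Test-KioskXml, the sample XML, the account name and the GUID are all constructed for illustration; the check assumes the template uses an <Account> element and the braced GUID form seen in Microsoft's Assigned Access samples (New-Guid prints the GUID without braces).

```powershell
# Added example: sanity-check an Assigned Access XML before deployment.
function Test-KioskXml {
    param([Parameter(Mandatory)][string]$XmlText,
          [Parameter(Mandatory)][string]$AutologonAccount)  # account entered in Autologon
    $guidPattern = '^\{[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}$'
    $problems = @()
    # Well-formedness: an unescaped '&' or an unclosed tag is caught here.
    try { $doc = [xml]$XmlText } catch { return "Not well-formed XML: $($_.Exception.Message)" }
    $ns = [System.Xml.XmlNamespaceManager]::new($doc.NameTable)
    $ns.AddNamespace('aa', 'http://schemas.microsoft.com/AssignedAccess/2017/config')
    # Collect Profile Ids; each must be a GUID wrapped in braces.
    $profileIds = @()
    foreach ($p in $doc.SelectNodes('//aa:Profiles/aa:Profile', $ns)) {
        $id = $p.GetAttribute('Id')
        if ($id -notmatch $guidPattern) { $problems += "Profile Id '$id' is not a braced GUID" }
        $profileIds += $id
    }
    if ($profileIds.Count -eq 0) { $problems += 'No <Profile> element found' }
    # Each Config must name the autologon account and reference a defined Profile.
    foreach ($c in $doc.SelectNodes('//aa:Configs/aa:Config', $ns)) {
        $account = $c.SelectSingleNode('aa:Account', $ns)
        if ($null -eq $account -or $account.InnerText.Trim() -ne $AutologonAccount) {
            $problems += "<Account> does not match autologon account '$AutologonAccount'"
        }
        $default = $c.SelectSingleNode('aa:DefaultProfile', $ns)
        if ($null -eq $default -or $profileIds -notcontains $default.GetAttribute('Id')) {
            $problems += '<DefaultProfile> is missing or its Id matches no <Profile>'
        }
    }
    return $problems
}

# Constructed sample: the GUID is made up and DefaultProfile still holds a placeholder.
$sample = @'
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="{11111111-2222-3333-4444-555555555555}">
      <KioskModeApp AppUserModelId="Contoso.App_abc123!App" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>KioskUser</Account>
      <DefaultProfile Id="{YOUR-GUID-HERE}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
'@
Test-KioskXml -XmlText $sample -AutologonAccount 'KioskUser'
```

An empty result means none of these checks failed; it does not replace validation against the full Assigned Access schema.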

Step 4: Optional Settings

These optional settings will:

  1. Go to Microsoft Intune
  2. Navigate to Devices → Scripts and Remediations
  3. Click + Add
  4. Choose Windows 10 and later
  5. Give the script a name, then click Next
  6. In Script settings:
    • Upload the script from this Gist
    • Run script using logged-on credentials: No
    • Enforce script signature check: No
    • Run script in 64-bit PowerShell Host: Yes
    • Technical Insight: These scripts modify registry and system behavior at the machine level, such as setting power plans, modifying taskbar visibility via Explorer policies, and tweaking Edge session behavior via the WindowsFeatureUsage registry hive. They're designed for non-interactive system optimization.
  7. Assign the script to the appropriate device group
  8. Click Create

Conclusion

Implementing kiosk mode via Intune gives administrators a powerful way to deliver a controlled, purpose-built experience to users. By combining Autologon, custom Assigned Access XML, and optional hardening via PowerShell, you can fully automate and secure kiosk deployment. Whether you're setting up customer-facing terminals or employee self-service stations, this guide ensures you're equipped with both the how and the why. For production use, always test policies in a pilot group before broad deployment, and monitor logs via Intune and Event Viewer for troubleshooting.