Windows 10 kiosk mode
Windows 10 kiosk mode - Hybrid joined and with configuration manager client
I stumbled over this problem a few days ago. I have a Windows 10 v1909 client, domain-joined, and managed with Microsoft configuration manager.
Everything looked good from Intunes with policy settings, apps, and groups etc…so what happened? The policy for my kiosk settings doesn’t work, the Apps don’t get installed (set to required), and the logs saying nonsense.
The first thing, and this I totally missed, is if you have a client with ConfigMgr client installed that is hybrid joined you have to install the pre-released feature (Mobile apps for co-management) and change the load to Intune instead of ConfigMgr. If you don’t, the application won't be installed on your Windows 10 client (Hybrid joined with ConfigMgr client). Good to know, if you change the load Intune for client app your hybrid clients can still install applications from the software center if you want to deploy applications from ConfigMgr. This is something you should plan for in your production…
The second error was that policy settings seem odd or not working particularly well. I had the fortune to talk to a Microsoft PFE that explained that there are a lot of problems with the policy for multi-app kiosk and not fully supported with hybrid joined clients. So the way to do it is with a custom policy that gets the settings for apps and the device (see picture 1).
Enable the features in ConfigMgr. Set Mobile apps… to on. You will see the features in Co-management but this can take some time before you see them in Co-management.
In ConfigMgr Co-management, right-click on CoMgmtSettingProd… Go to Workloads and change the trigger for Client apps (pic 2).
Name your custom profile and add your XML file with the settings for kiosk mode. Remember that you can not do this in the profile kiosk, it must be done in the custom profile…
From Intunes, go to devices configuration - Profiles. Create a profile and chose Windows 10 as a platform and Custom as a profile. OMA-URI = ./Device/Vendor/MSFT/AssignedAccess/Configuration. Custom XML import your XML file. “Download example XML” In the XML file you can add more apps and group your apps.
In section <config> you can add your domain and security group for allowed users. The default profile id must be unique, use the id in this XML file if you want.
This will solve the problem for hybrid-joined windows 10 clients.