Windows 11 Kiosk Mode enables organizations to provide a controlled and secure user experience by locking down a device to run a custom set of applications. When deploying devices in a kiosk environment using Microsoft Intune, a custom XML configuration file is required. This XML file details the allowed applications, start layout, taskbar configurations, and any additional required settings.
In many cases, the built-in kiosk configuration profiles might not fully support all advanced configurations, necessitating a custom configuration service provider (CSP) approach using OMA-URI. With a custom XML file, administrators can precisely dictate which applications are available, such as the Fortinet VPN client, which is crucial for secure network access within the kiosk environment.
The XML file must be well-formed and declare the correct namespaces and schema versions. The root element is AssignedAccessConfiguration, which encapsulates the entire configuration.
The XML file typically declares several namespaces, one per schema version, because newer elements live in newer namespaces. The configurations in this article use the default namespace http://schemas.microsoft.com/AssignedAccess/2017/config for the core elements, http://schemas.microsoft.com/AssignedAccess/201810/config (prefixed v2) for File Explorer namespace restrictions, and http://schemas.microsoft.com/AssignedAccess/2020/config (prefixed v3) for removable-drive access.
When creating the XML, make sure that every element is used from the schema version that defines it. The Profile Id (a GUID in braces) identifies the profile, must not collide with any other profile on the device, and is the value that the DefaultProfile element under Configs refers to.
A major aspect of creating the kiosk configuration is specifying the allowed applications. This is handled within the AllAppsList section using the AllowedApps element. Each allowed application is defined with either the AppUserModelId attribute (for Universal Windows Platform apps) or the DesktopAppPath attribute (for Win32 desktop applications).
For the Fortinet VPN client, the configuration must reference its executable path accurately. In most scenarios, the path might look similar to:
<App DesktopAppPath="C:\Program Files\Fortinet\FortiClient\FCConfig.exe" />
Verify the exact executable on your devices, since the install directory and binary names vary with the installation method. Note in particular that FCConfig.exe is FortiClient's configuration backup/restore utility, while the user-facing client is normally FortiClient.exe in the same directory, so check which binary the kiosk user actually needs to launch. Because an allow-list entry is just a file path, the binary should live under a directory that standard users cannot modify (such as Program Files); a user-writable path would let someone substitute their own executable under an allowed name.
Customizing the Start Layout and Taskbar further enhances the kiosk experience by limiting device functions and streamlining user access. The StartLayout element carries the Start layout XML inline, wrapped in a CDATA section so that the nested XML does not collide with the outer document; it cannot point at an external layout file.
For instance, after exporting the Start Layout using the Export-StartLayout PowerShell cmdlet, you can paste the resulting layout XML into the <StartLayout> element. The example below pins File Explorer by its application ID; add a DesktopApplicationTile with the DesktopApplicationLinkPath of the FortiClient shortcut your installer creates:
<StartLayout>
<![CDATA[
<LayoutModificationTemplate xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Kiosk">
<start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="Microsoft.Windows.Explorer" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]>
</StartLayout>
Be aware that StartLayout is the Windows 10 Start layout element. Windows 11 (22H2 and later, where multi-app kiosk support was added in a 2023 update) does not use it; it takes Start pins from the v5:StartPins element of the http://schemas.microsoft.com/AssignedAccess/2022/config namespace as a JSON pinned list, and taskbar pins from v5:TaskbarLayout.
Similarly, the <Taskbar> element's ShowTaskbar attribute controls whether the taskbar is displayed at all; which items appear on it is governed by the taskbar layout, not by this element.
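For Windows 11 devices the same profile has to express its Start and taskbar pins through the 2022 namespace. The following is an added example, not code from the original article, showing the Windows 11 form of the profile. It assumes the client binary is FortiClient.exe, that the FortiClient and Microsoft Edge shortcut paths under the all-users Start Menu are as written, and uses an all-zero GUID as a placeholder for the Microsoft Entra (Azure AD) group object ID; verify each of these on a real device.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
  xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
  xmlns:v2="http://schemas.microsoft.com/AssignedAccess/201810/config"
  xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-53B19E722C23}">
      <AllAppsList>
        <AllowedApps>
          <!-- FortiClient.exe is an assumption; confirm the installed path and binary name -->
          <App DesktopAppPath="C:\Program Files\Fortinet\FortiClient\FortiClient.exe" />
          <App DesktopAppPath="%windir%\explorer.exe" />
          <App DesktopAppPath="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" />
        </AllowedApps>
      </AllAppsList>
      <!-- File Explorer is allowed above, so restrict what it may browse -->
      <v2:FileExplorerNamespaceRestrictions>
        <v2:AllowedNamespace Name="Downloads"/>
      </v2:FileExplorerNamespaceRestrictions>
      <!-- Windows 11 Start menu: a JSON pinned list replaces the Windows 10 StartLayout XML -->
      <v5:StartPins>
        <![CDATA[
        { "pinnedList": [
          { "desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\FortiClient\\FortiClient.lnk" },
          { "desktopAppId": "Microsoft.Windows.Explorer" },
          { "desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk" }
        ] }
        ]]>
      </v5:StartPins>
      <!-- Windows 11 taskbar pins; only apps in AllowedApps can actually be launched -->
      <v5:TaskbarLayout>
        <![CDATA[
        <?xml version="1.0" encoding="utf-8"?>
        <LayoutModificationTemplate
            xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
            xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
            xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
            xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
            Version="1">
          <CustomTaskbarLayoutCollection>
            <defaultlayout:TaskbarLayout>
              <taskbar:TaskbarPinList>
                <taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer" />
              </taskbar:TaskbarPinList>
            </defaultlayout:TaskbarLayout>
          </CustomTaskbarLayoutCollection>
        </LayoutModificationTemplate>
        ]]>
      </v5:TaskbarLayout>
      <Taskbar ShowTaskbar="true"/>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <!-- Name must be the group's object ID; the zero GUID is a placeholder -->
      <UserGroup Type="AzureActiveDirectoryGroup" Name="00000000-0000-0000-0000-000000000000"/>
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-53B19E722C23}"/>
    </Config>
  </Configs>
</AssignedAccessConfiguration>
```

The pinned list and the taskbar layout only decide what is visible; the AllowedApps list is what the kiosk enforces, so every pin should correspond to an allowed app and nothing should be allowed merely because it is pinned.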
Below is a comprehensive example XML configuration file that integrates the Fortinet VPN client as an allowed app, configures the Start Layout, taskbar settings, and additional options for a robust kiosk setup.
Section | Description | Example
---|---|---
Root Element | Definition of the AssignedAccessConfiguration including XML namespaces. | <AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:v2="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config">
Profile | A unique profile that contains the kiosk settings. | <Profile Id="{9A2A490F-10F6-4764-974A-53B19E722C23}">
AllowedApps | List of allowed applications, including Fortinet VPN. | <App DesktopAppPath="C:\Program Files\Fortinet\FortiClient\FCConfig.exe" /> <App DesktopAppPath="%windir%\explorer.exe" /> <App DesktopAppPath="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" />
Start Layout | Defines the Start Menu layout for the kiosk interface. | <StartLayout> <![CDATA[ ... XML layout content ... ]]> </StartLayout>
Taskbar | Sets the visibility of the taskbar. | <Taskbar ShowTaskbar="true"/>
The complete XML file example provided below brings together all components into one file that can be uploaded to Microsoft Intune. It uses the Windows 10-style StartLayout element; the elements are ordered as the schema expects them (AllAppsList, FileExplorerNamespaceRestrictions, StartLayout, Taskbar), and the removable-drive permission sits inside the namespace-restriction block it extends.
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:v2="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-53B19E722C23}">
<AllAppsList>
<AllowedApps>
<!-- Verify the FortiClient binary and path on a device before deploying -->
<App DesktopAppPath="C:\Program Files\Fortinet\FortiClient\FCConfig.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App DesktopAppPath="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" />
</AllowedApps>
</AllAppsList>
<!-- File Explorer is allowed, so limit it to Downloads plus removable drives -->
<v2:FileExplorerNamespaceRestrictions>
<v2:AllowedNamespace Name="Downloads"/>
<v3:AllowRemovableDrives/>
</v2:FileExplorerNamespaceRestrictions>
<StartLayout>
<![CDATA[
<LayoutModificationTemplate xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Kiosk">
<start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="Microsoft.Windows.Explorer" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]>
</StartLayout>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<Config>
<!-- Name is the Azure AD group's object ID, not its display name -->
<UserGroup Type="AzureActiveDirectoryGroup" Name="YourAzureADGroupId"/>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-53B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
Once the XML file is crafted and thoroughly tested in a lab environment, deploy it via Microsoft Intune. Sign in to the Microsoft Intune admin center (formerly the Microsoft Endpoint Manager admin center), create a new device configuration profile, choose the Custom profile type, and add an OMA-URI setting with the path ./Device/Vendor/MSFT/AssignedAccess/Configuration and the String data type.
Paste the XML content into the value field and assign the profile to the appropriate device groups. The Name attribute of an AzureActiveDirectoryGroup UserGroup entry must be that group's object ID, not its display name, so replace the placeholder before uploading. Ensure that the Fortinet VPN client is pre-installed on the target devices; an allowed path that does not exist yet simply yields a kiosk with nothing to launch. Pilot on a small device group before scaling to production to verify that the allowed application list and user interface behave as intended.
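Before the upload step it is worth catching the mistakes that otherwise only show up as a broken kiosk after the next check-in: a malformed file, a profile ID that Configs does not match, a placeholder group name, and allowed paths that are missing, unsigned or sitting in a user-writable directory. The script below is an added example, not part of the original article; it assumes the configuration is saved as kiosk.xml in the current directory and is run on a test device where the apps are installed. The optional -ApplyLocally switch pushes the XML through the MDM Bridge WMI provider (the MDM_AssignedAccess class), which only works when the script runs as SYSTEM, for example under psexec -s.

```powershell
# Added example: sanity-check an AssignedAccess kiosk XML on a test device, and optionally
# apply it locally for a lab test. File path and placeholder handling are assumptions.
param(
    [string]$Path = ".\kiosk.xml",
    [switch]$ApplyLocally   # requires running as SYSTEM (e.g. psexec -s)
)

$ns  = @{ c = "http://schemas.microsoft.com/AssignedAccess/2017/config" }
$raw = Get-Content -LiteralPath $Path -Raw
[xml]$doc = $raw            # throws immediately if the file is not well-formed XML
$problems = [System.Collections.Generic.List[string]]::new()

# Return the string values of every attribute matched by an XPath in the core namespace.
function Get-AttrValues([string]$XPath) {
    @(Select-Xml -Xml $doc -XPath $XPath -Namespace $ns | ForEach-Object { $_.Node.Value })
}

$bracedGuid = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$bareGuid   = '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'

# 1. Profile Ids must be braced GUIDs, and every DefaultProfile must point at a declared Profile.
$profileIds = Get-AttrValues "//c:Profile/@Id"
foreach ($id in $profileIds) {
    if ($id -notmatch $bracedGuid) { $problems.Add("Profile Id '$id' is not a braced GUID") }
}
foreach ($id in Get-AttrValues "//c:DefaultProfile/@Id") {
    if ($profileIds -notcontains $id) { $problems.Add("DefaultProfile '$id' matches no Profile") }
}

# 2. Each Win32 allow-list entry must exist here, carry a valid Authenticode signature, and live
#    under a directory standard users cannot write to. The entry is only a path, so a binary in a
#    user-writable location could be replaced and still be launched as an "allowed" app.
$protectedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) | Where-Object { $_ }
foreach ($p in Get-AttrValues "//c:AllowedApps/c:App/@DesktopAppPath") {
    $exe = [Environment]::ExpandEnvironmentVariables($p)
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $problems.Add("Allowed app not installed on this device: $exe")
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') {
        $problems.Add("Signature check failed ($($sig.Status)): $exe")
    }
    $inProtectedRoot = $protectedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
    if (-not $inProtectedRoot) {
        $problems.Add("Allowed app is outside Program Files / Windows: $exe")
    }
}

# 3. Azure AD group assignments need the group's object ID, not a display name or template text.
foreach ($g in Get-AttrValues "//c:UserGroup[@Type='AzureActiveDirectoryGroup']/@Name") {
    if ($g -notmatch $bareGuid) { $problems.Add("UserGroup Name '$g' is not a group object ID") }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "kiosk XML passed local checks"

if ($ApplyLocally) {
    # Documented MDM Bridge route: the XML goes HTML-encoded into the Configuration property.
    $aa = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_AssignedAccess"
    $aa.Configuration = [System.Net.WebUtility]::HtmlEncode($raw)
    Set-CimInstance -CimInstance $aa
}
```

Run it as `.\Test-KioskXml.ps1 -Path .\kiosk.xml` on a representative device; a non-zero exit code means something in the file would not behave as intended after deployment. The signature and directory checks are deliberately strict: a kiosk allow list is only as strong as the integrity of the binaries it names.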