Windows 11 Kiosk With The Windows 365 App

What’s up, everyone!

Last week I wrote a post on how to set up a kiosk based on Windows 10. You can log in using your Azure AD credentials and use SSO to automatically log in to the AVD client and get access to the Windows 365 Cloud PC. But what if you have a Windows 11 endpoint and you want to use the Windows 365 App? That’s not possible… is it? Well, it turns out that it is possible!

Let’s take a look!

The challenges

There are two types of kiosk modes we can choose from:

  • Single App, Full screen kiosk
  • Multi App kiosk

We can’t use a single app full screen kiosk mode, because we are limited to a homepage using Microsoft Edge, the kiosk browser or a store app. And the Windows 365 App can’t be selected there.

So that leaves us with the multi app kiosk. It has a lot more features, so we could use that right?

And the bad news is, no we can’t. That’s because the multi app kiosk mode is not supported on Windows 11. You can try to set it up though, but you’ll end up with an endpoint that automatically logs off after you try to login.

So what can we do?

Shell Launcher V2

We do have another option and that is to use the Shell Launcher V2. There are two versions and the differences are explained on this Microsoft site. In short we will need the v2 version for this to work. 

The first thing you’ll need to do is clean up any kiosk configuration profiles that you might have used for your Windows 11 kiosk endpoint. Next up is to configure a couple of things:

  • Make sure the Windows 365 App is available on the endpoint. 
  • A security group containing all the Windows 11 endpoints that you want to configure with shell launcher.
  • A configuration profile to configure the shell launcher.

I already used the new Microsoft Store to install the Windows 365 App on my endpoint so that takes care of that. Check out my previous post if you want to learn more on how to do that.

I’ll skip the part on how to create a security group and add the Windows 11 endpoints, so next up is to create the configuration profile. From the Intune portal, go to Devices, Windows, Configuration profiles and click on the + Create profile button in the ribbon.

  • Platform: Windows 10 and later
  • Profile type: Templates – Custom.
  • Provide a name and description.
  • Add the OMA-URI settings.

Fill in the following values:

  • Name: for example, Shell Launcher v2.
  • Description: Publish Windows 365 App as Shell
  • OMA-URI: ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher
  • Data type: String (XML file).

Now is the time to have a look at the way that your users will use this endpoint. Once the endpoint boots up, they will only have the ability to close the app. Nothing more. So what happens if they close the app? You can choose from the following:

  • Automatically restart the app.
  • Restart the endpoint.
  • Shut down the endpoint.

In my case I’ll assume that only one user will log on to the endpoint per day. So that means I’m perfectly happy to shut down the endpoint once the app closes. Users can already log in using their AAD credentials. Let’s have a look at how to configure the .xml file. Microsoft has an example to start with. This is the default code for v2.

<?xml version="1.0" encoding="utf-8"?> 
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration" 
xmlns:v2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration"> 
  <Profiles> 
    <DefaultProfile> 
      <Shell Shell="ShellLauncherV2DemoUwp_5d7tap497jwe8!App" v2:AppType="UWP" v2:AllAppsFullScreen="true"> 
        <DefaultAction Action="RestartShell"/> 
      </Shell> 
    </DefaultProfile> 
  </Profiles> 
  <Configs/> 
</ShellLauncherConfiguration>

In its most basic form you’ll only have to change two things:

  • Change the AUMID to that of the Windows 365 App. (If you wonder how, just check out the previous post on my blog.)
  • Change the Action value of DefaultAction.

I found the following values:

  • Restart the App, use: RestartShell.
  • Restart the endpoint, use: RestartDevice.
  • Shut down the endpoint, use: ShutdownDevice.

So the .xml file looks something like this in my example:

<?xml version="1.0" encoding="utf-8"?> 
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration" 
xmlns:v2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration"> 
  <Profiles> 
    <DefaultProfile> 
      <Shell Shell="MicrosoftCorporationII.Windows365_8wekyb3d8bbwe!Windows365" v2:AppType="UWP" v2:AllAppsFullScreen="true"> 
        <DefaultAction Action="ShutdownDevice"/> 
      </Shell> 
    </DefaultProfile> 
  </Profiles> 
  <Configs/> 
</ShellLauncherConfiguration>

If you choose to use this .xml code, you need to be aware that every user that logs into this endpoint will get the shell launcher instead of explorer.exe. And therefore they will all end up with the Windows 365 App. Even your admins. So there are a couple of ways around this, some more difficult than others:

  • Unassign the configuration profile if you have to log in as an admin. Remember that the endpoint will have to update the config before you’ll see the result. Also you’ll have to re-assign the profile once you are done.
  • Use the .xml to scope the configuration to users. And yes, it does work with Azure AD accounts as well. Now I didn’t find a way to scope it to a group. If groups don’t work, this could become a hassle. You can check out the GitHub page for a lot of sample files.
  • Or just go quick and dirty. Use Task Manager to end a process called CustomShellHost and start a new process: explorer.exe. You’ll end up with a GUI and can perform maintenance as needed. It might not be pretty, but it does work.
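
A pre-upload check for the .xml file above, as an added example that is not from the original post or from Microsoft: it confirms that the v2 attributes resolve to the 2019 namespace, checks DefaultAction against the three values listed earlier, and flags an empty Configs section, which is why every account, admins included, gets the custom shell. The function names and the sample builder are hypothetical, and treating any shell value containing "!" as an AUMID is an assumption.

```python
import xml.etree.ElementTree as ET

V1 = "http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
V2 = "http://schemas.microsoft.com/ShellLauncher/2019/Configuration"
NS = {"s": V1}
# Only the three actions the post lists; the schema may accept others.
POST_ACTIONS = {"RestartShell", "RestartDevice", "ShutdownDevice"}


def lint_shell_launcher(xml_text):
    """Return "ERROR: ..." / "NOTE: ..." findings for a Shell Launcher v2 file."""
    try:
        root = ET.fromstring(xml_text.strip().encode("utf-8"))
    except ET.ParseError as exc:
        return [f"ERROR: not well-formed XML ({exc})"]
    shell = root.find("s:Profiles/s:DefaultProfile/s:Shell", NS)
    if root.tag != f"{{{V1}}}ShellLauncherConfiguration" or shell is None:
        return ["ERROR: no DefaultProfile/Shell in the 2018 namespace"]
    findings = []
    target = shell.get("Shell", "")
    app_type = shell.get(f"{{{V2}}}AppType")  # None if v2 prefix has the wrong URI
    is_aumid = "!" in target  # assumption: AUMIDs look like PackageFamilyName!AppId
    if is_aumid != (app_type == "UWP"):
        findings.append(f"ERROR: shell {target!r} does not match AppType {app_type!r}")
    action = shell.find("s:DefaultAction", NS)
    value = None if action is None else action.get("Action")
    if value not in POST_ACTIONS:
        findings.append(f"ERROR: DefaultAction {value!r} not in {sorted(POST_ACTIONS)}")
    if not root.findall("s:Configs/s:Config", NS):
        findings.append("NOTE: no Config entries, default shell applies to every account")
    return findings


def sample(v2_uri, action):  # constructed input modelled on the post's file
    return f"""<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="{V1}" xmlns:v2="{v2_uri}">
  <Profiles><DefaultProfile>
    <Shell Shell="MicrosoftCorporationII.Windows365_8wekyb3d8bbwe!Windows365"
           v2:AppType="UWP" v2:AllAppsFullScreen="true">
      <DefaultAction Action="{action}"/>
    </Shell>
  </DefaultProfile></Profiles>
  <Configs/>
</ShellLauncherConfiguration>"""


if __name__ == "__main__":
    print(lint_shell_launcher(sample(V2, "ShutdownDevice")))  # the post's file
    print(lint_shell_launcher(sample(V1, "Shutdown")))  # two constructed mistakes
```
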

If the Windows 365 App is installed and the configuration is applied to the endpoint, you end up with a kiosk-like experience based on the Windows 365 App. Here’s what it looks like: 

There you are, a shiny new kiosk based on a Windows 11 endpoint. Users can log in using their Azure AD credentials and then sign in with the Windows 365 App from the new Microsoft Store.

Resources

I used the following resources for this blog:

Configure Shell Launcher v2

Assigned Access CSP

ShellLauncherV2 GitHub


2 thoughts on “Windows 11 Kiosk With The Windows 365 App”

  1. Excellent guide! It looks like multi-app kiosk mode is now supported in Windows 11 and can be configured via InTune. However, I am experiencing a different issue that you might be able to help me with. I want to use multi-app kiosk mode, or even Shell Launcher v2, however I cannot get the new Windows App to function correctly on its own. I am looking to use InTune Auto Pilot to provision the Windows App and then ultimately launch it in kiosk mode. When I provision the Windows App on its own, I am receiving an error window titled ‘avd package dep could not be installed’ with the contents of the window stating ‘Windows365’. I can get around this error by installing and launching the ‘Azure Virtual Desktop (Preview)’ app but I don’t understand why that is necessary. Have you seen this before or have any ideas? Thank you.
