In the current pandemic context, working behaviors had to change overnight, and many companies had to find immediate solutions to their problems. In this post I would like to discuss a situation where a locked-down machine is required for remote users.

Scenario

We have the following challenge: You are an Intune administrator facing the following situation. One department used to work from the office in a white-room environment. Now they are forced to work from home and you need to create a configuration that will allow them to connect over VPN and use a browser to connect to internal resources. In this scenario we will use Pulse VPN and Internet Explorer. Access to any other application or file should be restricted. Autopilot deployment is a requirement.

Solution

We will use a multi-app kiosk profile in Intune. The profile will allow access to the VPN client and Internet Explorer only. I selected IE for this post because it has a specific requirement: both the 32-bit and the 64-bit version need to be whitelisted in the profile.

We will not cover the Autopilot deployment part or how to create the Pulse client Win32 application here. For these you have the following two links: AP profile and Win32 Apps

We will perform the following steps:

  • Prepare a VM with IE and the Pulse VPN client in the Start menu
  • Get the application AUMIDs (Application User Model IDs)
  • Export the Start menu layout
  • Prepare the kiosk users group
  • Create and deploy the kiosk profile
  • Create a restrictive Start menu profile
  • Verification

Prepare a VM with needed applications

As stated before, we will not discuss this step here, but a screenshot of how your VM should look is presented below.

Get application AUMID

On the VM that you provisioned before, open a PowerShell window as administrator and run the following:

# AUMID of the Pulse client (wildcard, because the display name may carry a version)
Get-StartApps | ?{$_.Name -like "Pulse*"}
# AUMID of Internet Explorer
Get-StartApps | ?{$_.Name -like "Internet Explorer"}

Make a note of the result.

Get the paths of the Pulse client executable and of both Internet Explorer executables.

Note: we need to whitelist both IE versions, so make sure you get the path to both.

The list of paths and AUMIDs should be as follows:

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe

Name              AppID                             
Pulse Secure      Pulse Secure.Pulse.UserInterface  
Internet Explorer Microsoft.InternetExplorer.Default

Export Start Menu

On the VM, run the following PowerShell commands to create the Start menu layout file:

mkdir C:\temp
Set-Location C:\temp
# -UseDesktopApplicationID writes each tile's AUMID instead of its shortcut path
Export-StartLayout -UseDesktopApplicationID -Path layout.xml

The file content should be similar to the one below:

<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Productivity">
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="Pulse Secure.Pulse.UserInterface" />
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="Microsoft.InternetExplorer.Default" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>

As you can see, we have only two applications, and their AUMIDs match the ones we collected earlier.
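As an added consistency check (this script is not part of the original post), the following PowerShell cross-checks the exported layout.xml against Get-StartApps and the three executable paths collected above, so a missing IE build or a stray Start tile is caught before the profile is built in Intune. It assumes layout.xml sits in C:\temp as exported above.

```powershell
# Added example, not from the original post. Run on the reference VM after Export-StartLayout.
$layoutPath = 'C:\temp\layout.xml'

# Executables to be whitelisted; both IE builds are required by the kiosk profile.
$expectedPaths = @(
    'C:\Program Files (x86)\Internet Explorer\iexplore.exe',
    'C:\Program Files\Internet Explorer\iexplore.exe',
    'C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe'
)

# AUMIDs collected with Get-StartApps on the reference VM.
$expectedAumids = @(
    'Pulse Secure.Pulse.UserInterface',
    'Microsoft.InternetExplorer.Default'
)

$ok = $true

# 1. Every path that will be typed into the kiosk profile must exist on this image.
foreach ($p in $expectedPaths) {
    if (Test-Path -LiteralPath $p) { Write-Host "OK   path exists: $p" }
    else { Write-Warning "MISSING path: $p"; $ok = $false }
}

# 2. Every expected AUMID must actually be registered with the shell.
$installed = (Get-StartApps).AppID
foreach ($a in $expectedAumids) {
    if ($installed -contains $a) { Write-Host "OK   AUMID registered: $a" }
    else { Write-Warning "AUMID not returned by Get-StartApps: $a"; $ok = $false }
}

# 3. The tiles in layout.xml must be exactly the allowed AUMIDs: a stray tile is an app
#    on Start that the kiosk profile will block, a missing tile is an allowed app the user cannot reach.
[xml]$layout = Get-Content -LiteralPath $layoutPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($layout.NameTable)
$ns.AddNamespace('start', 'http://schemas.microsoft.com/Start/2014/StartLayout')
$tiles = $layout.SelectNodes('//start:DesktopApplicationTile', $ns) |
    ForEach-Object { $_.DesktopApplicationID }

$extra   = $tiles | Where-Object { $expectedAumids -notcontains $_ }
$missing = $expectedAumids | Where-Object { $tiles -notcontains $_ }
if ($extra)   { Write-Warning "Layout tiles not in the allow list: $($extra -join ', ')"; $ok = $false }
if ($missing) { Write-Warning "Allowed apps without a Start tile: $($missing -join ', ')"; $ok = $false }

if ($ok) { Write-Host 'Layout and AUMIDs are consistent; ready to build the kiosk profile.' }
else     { Write-Host 'Fix the items above before uploading layout.xml to Intune.' }
```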

Now we have all the information we need to create the profile, but first let's create an AAD group for the users to whom we want to deploy it.

Prepare Kiosk user group

In this demo we use the AAD user logon type when creating the profile, so the group needs to exist already.

Log in to Intune and create a group by following the steps below:

  • Click on Groups
  • Click New group
  • Complete the group as in the picture below

Create and deploy kiosk profile

Perform the following steps in Intune:

  • Click Device Configuration/Profile/Create profile

In the Create a profile pane, select Windows 10 and later for Platform and Kiosk for Profile, then click Create at the bottom.

  • A new window will open in the portal
  • In the Basics tab, type in the name of the profile, for example KioskProfile, and click Next
  • In the Configuration settings tab, select Multi app kiosk for Kiosk mode and No for Target Windows 10 in S mode devices
  • A new set of options has just appeared
  • Select Azure AD user or group for User logon type and click Add to add the group you just created

Now we have reached the point where we need the information we collected before. As you can see, if you want Edge or the Kiosk browser you can add them with just a click. But we have other plans, so let's move on.

  • Click Add Win32 app and fill in the following:
    • Internet Explorer 32bit for Application Name
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe for local path
    • Microsoft.InternetExplorer.Default for Application user model ID
  • Click OK

Repeat this for Internet Explorer 64-bit, using the 64-bit path collected earlier.

And then for the Pulse VPN client.

Select Yes for Use alternative Start layout and upload the layout.xml you captured from the VM.

  • Click Next
  • Skip the Scope tags tab by clicking Next
  • In the Assignments tab, click Select groups to include and add the Kiosk Users group
  • Click Next
  • Skip the Applicability Rules tab by clicking Next
  • In the Review + create pane you should see the following window.
  • Review and click Create

We now have a kiosk VM with only two applications and the default Windows Start menu, as you can see below. However, our objective was to remove access to everything but the two applications. This means that the objects highlighted in yellow should be removed or disabled.

Create and deploy a restrictive Start menu profile

To completely remove the menu, we will use an Intune configuration profile:

  • In Intune click Device Configuration/Profiles, then click Create profile
  • In the next screen select Windows 10 and later and Device restrictions, and click Create
  • Type in the name as Start Menu and click Next
  • In the Configuration settings tab, select the items as shown in the picture below and click Next
  • Click Next in Scope tags
  • In Assignments, click Select groups to include and add the Kiosk Users group
  • Click Next to continue
  • Skip Applicability Rules by clicking Next
  • Click Create in the Review + create tab

After resetting the device, the new profile is applied. Now we have fewer objects on the screen and the menu has been disabled.

Summary

In this post we deployed a multi-app kiosk on a VM managed with Intune. Although this is not necessarily a pure modern device management scenario, in some cases you might be asked to lock down a device as much as possible.