This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 52%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM1%3C/text%3E%3C/svg%3E)
Prior to raising this question in this topic, I visited a few technical forums and followed the same instructions, but I'm not sure where I went wrong.
Tried followed the link (as well) as is - https://endpointmanagertips.com/dipping-my-toes-into-windows-autopilot-self-deploying-kiosks/, but single\Multi app & autologon does not function.
I was able to login to the KIOSK machine after manually entering the local account (.\KioskUser0), however single app mode is not functioning. It appears to be a standard desktop.
I tried to reset the testing machine using both ways without success. Please find the screenshot:
Note: Please see the following screenshots.
2. Created deployment profile
3. Added the Group in Compliance
4. Configuration profile:
6. Kiosk Browser (Offline) deployed to specific group
Note: 1 I was running many scenarios on the same testing computer.
I used to wipe the system from intune anytime I applied a new configuration or changed a profile.
Will it be the source of the problem?
Note: 2 - Though security baselines creates a problem but I couldn't find the Security baselines profile in Intune. Created the basic profile and excluded the kiosk group as well.)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 38%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPL%3C/text%3E%3C/svg%3E)
We have found that the DeviceLock settings in the Security Baseline have prevented Kiosks from deploying successfully.
For this reason, we removed all DeviceLock settings from the SB and deploy them instead through a separate Configuration Profile.
More recently, there has been a known bug preventing auto-login from working as intended.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 87%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
We are actually having around 30 devices deployed successfully as kiosk devices. By itself the deployment wasn't working, or better, it worked for a very short period of time. What we did is remove every compliance policy from the kiosk devices, except for the built-in that is. Having a compliance policy applied to a kiosk devices seems to break the autologin mechanism somehow. In addition to that, we enforced a script deployed as a Win32 app where we add the autologin registry entries (kioskUser0 as default user, .\ as default domain and AutoAdminLogon = 1).
For info, this doesn't seem to work with Windows 11 devices...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 7.000000000000001%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEM%3C/text%3E%3C/svg%3E)
This is really helpful! How do you set the default password to a blank value in the registry? Without a value or without a DefaultPassword string it just resets my AutoAdminLogon to 0.
That AutoAdminLogon reset happens when you still have a compliance policy associated to the device, make sure there isn't any. We didn't set any default password in the registry, no need to when it's empty. Also check the Windows version, the autologin for kiosk devices seems momentarily broken for both win10 and win11 22h2. Win10 21h2 is still working.
https://learn.microsoft.com/en-us/mem/autopilot/known-issues
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 71%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDH%3C/text%3E%3C/svg%3E)
The issue with kiosk mode was solved for us with the Windows 10 CU update April 11, 2023—KB5025221
This update addresses a known issue that affects kiosk device profiles. If you have enabled automatic logon, it might not work. After Autopilot completes provisioning, these devices stay on the credential screen. This issue occurs after you install updates dated January 10, 2023, and later.
Any update on this? We are facing the same issue. When we do a systemreset of a Windows 10 machine through the command prompt. We are facing the same issue with Multi App Kiosk mode Autologon. When we do a fresh installation of Windows through a USB image, it is working as intended.
Please verify whether you have implemented any security settings to prevent auto login in Endpoint security | Security baselines.
Also check in group policy as well.
If no settings have been applied, Wipe the windows 10 device from Intune. Once the device has been wiped, wait until Azure AD has deleted it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 88%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAN%3C/text%3E%3C/svg%3E)
Having this same issue despite the device being excluded from SBs and compliance.
If no compliance policy is assigned, then make sure there's no device lock policy targeting the device. When that is done:
Be sure to remove the following keys from registry
HKLM:\SYSTEM\CurrentControlSet\Control\EAS
HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock
Create the autologin (defaultuser, defaultdomain, defaultpassword and autoadminlogon) entries in
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon