Connect to Cloud PCs from Windows 10 kiosks using Windows App
by info.odysseyx@gmail.com, October 22, 2024

This guide shows you how to configure a Windows 10 PC as a kiosk that runs Windows App, which is available, either generally or in public preview, for Windows, macOS, iOS, iPadOS, web, and Android. This gives users an experience similar to Windows 365 Boot, where the sole purpose of the device is to connect the user to their primary device, the Cloud PC.

As more organizations use Windows 365 Cloud PCs as their primary Windows desktop environment, they want to reduce the complexity of configuring the client devices, which are the physical endpoints. To solve this, we introduced Windows 365 Boot, which became generally available last year. Customers often use this feature to repurpose devices they already own; however, Windows 365 Boot is designed to work only with Windows 11.

In December 2023 we announced that Extended Security Updates (ESU) are included with a Windows 365 subscription, at no additional cost, for Windows 10 devices that access Windows 365. Support for Windows 10 ends on October 14, 2025, but devices with ESU will continue to receive security updates for up to three years.

To protect your organization and remain productive, we recommend migrating to a new Windows 11 PC with all the great security features turned on by default. However, there may be situations where you cannot replace a device that is not eligible for Windows 11 before the end of support date. If you can't upgrade to Windows 11 using Windows Autopatch or Microsoft Intune, we recommend using Windows 11 on a Cloud PC.

Cloud PCs allow workers to securely access applications and documents from anywhere in the world, but they require connectivity from client devices. Using a Windows device to open Windows App and log in to a Cloud PC can be awkward and time-consuming, and users may be tempted to work on the client instead of the Cloud PC.
This gives you the opportunity to configure Windows 10 devices as kiosks, allowing users to quickly and easily log in to their Windows 365 Cloud PC directly from their kiosk devices.

Cloud PC Kiosk Configuration

To configure a Cloud PC kiosk on Windows 10 Pro or Enterprise, you need:

This provides a starting point for a functioning kiosk, installed and configured using Microsoft Intune. You can then modify the configuration to suit your needs.

We also use a new Microsoft Entra security group called Cloud PC Kiosk throughout this example. Members of the group must be the Windows 10 devices that you want to configure as kiosks. Although outside the scope of this guide, it is best to provision them as Microsoft Entra joined devices using Windows Autopilot. You can use user-driven or self-deploying mode as you prefer.

Install Windows App

Windows App must be installed on the device in the system context to ensure that all users can run the application. The easiest way is to add it from the Microsoft Store. You can also download the MSIX package from the What's new in Windows App page. Deployed as a line-of-business (LOB) application, it also requires VCLibs.140.00, on which it depends.

Search for and select Windows App, the UWP app published by Microsoft Corp., and then set Installation behavior to System. Finally, assign the app to the Cloud PC Kiosk group as a required installation.

Install WebView2

Windows App requires WebView2, which is not preinstalled on Windows 10. Because dynamic installation of WebView2 is not possible under the kiosk configuration, we will use a PowerShell script to download and install WebView2, also in the system context, using the Evergreen Standalone Installer. This always downloads the latest version of WebView2, which then updates automatically. If you wish, you can instead create a Win32 package for the installer.

Download the Get-UpdatedWebView2.ps1 script from GitHub and make sure it is encoded as UTF-8. If you copy the raw text into Notepad, Save As lets you set the encoding type.
In the Intune admin center, go to Devices | Windows > Windows | Scripts and remediations. Then, on the Platform scripts tab, select Add. Name it Install Cloud PC Kiosk – WebView2 and select the script you just saved. Set Run this script using the logged on credentials to No, Enforce script signature check to No, and Run script in 64 bit PowerShell Host to Yes. Then assign the script to the same Cloud PC Kiosk group and finish adding the script.

Create a custom kiosk policy

Use a custom profile to create the kiosk configuration. This provides the most flexibility in how the kiosk operates and is completely defined in XML.

Create a new policy in Intune. For Platform, choose Windows 10 and later; for Profile type, select Templates and then select Custom. When prompted for a name, use a name such as Cloud PC Kiosk Only Mode. When prompted for configuration settings, select Add and provide the details of the Open Mobile Alliance Uniform Resource Identifier (OMA-URI) setting, as described in the table below.

Name: Kiosk for each user
Description: Each user can access the kiosk experience through Windows App and Settings.
OMA-URI: ./Vendor/MSFT/AssignedAccess/Configuration
Data type: String
Value: ]]>

This uses the Windows 10 Assigned Access CSP, which automatically configures various aspects of the kiosk, including some AppLocker settings that lock down the kiosk so that only the applications defined in the AllowedApps section can run. In this example, only two applications are allowed:

Windows App – Used to connect to Windows 365 Cloud PCs, Microsoft Dev Box machines, and Azure Virtual Desktop session hosts. It is also set to start automatically when a user logs in to the kiosk.
Settings – Used to access network/Wi-Fi settings, Bluetooth pairing, system information, etc.

There are many variations you can tweak to your liking, but to conclude this example, assign this policy to the Cloud PC Kiosk group.
Once the policy is applied and you log in, your kiosk will look like this:

You can later modify this XML to add other applications. Add each one to AllowedApps so it can run, and to StartLayoutCollection so the user can see it. For example, to add the Edge browser, add the following two lines to that section:

The kiosk now looks like this:

You can also control which parts of Settings your users can access with the Page Visibility List policy.

Additional kiosk settings

Here are some additional modifications that are not required but may provide a better experience. This example uses custom CSP settings, but most can also be found in the Settings catalog.

Name: Enable Kiosk Status for MDM
Description: You can use Intune to query the status of your kiosk app.
OMA-URI: ./Vendor/MSFT/AssignedAccess/StatusConfiguration
Data type: String
Value: OnWithAlerts

Name: Disable first login animation
Description: Reduces logon time for new users.
OMA-URI: ./Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation
Data type: Integer
Value: 0

Name: Disable user ESP
Description: Reduces provisioning and logon times by not waiting for user assignments.
OMA-URI: ./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
Data type: Boolean
Value: True

Name: Show local users on lock screen
Description: Displays the kiosk user on the lock screen so you can switch between user and kiosk accounts.
OMA-URI: ./Vendor/MSFT/Policy/Config/WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers
Data type: String
Value:

Name: Show network selection UI on lock screen
Description: Displays the network connection menu on the logon screen.
OMA-URI: ./Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI
Data type: String
Value:

Of course, there are numerous other settings you can consider, such as setting an image for your lock screen or wallpaper, or other suggestions for boot devices.
Troubleshooting

To test your kiosk configuration, add a Microsoft Entra joined Windows 10 device to the group to which the configuration is assigned. Then restart it or, if you're using Windows Autopilot, perform a factory reset. Once the policy is applied and installation is complete, you will be prompted to log in. Once you log in, the kiosk springboard will appear, Windows App will load, and you'll be ready to connect to your Cloud PC.

Take a look at the logs

If something isn't working, you can use Intune to collect diagnostics and review the log files and event logs to investigate errors that need to be resolved. Some useful areas to look at are listed in the table below.

Event log: Microsoft/Windows/AppLocker/EXE_and_DLL
Event log: Microsoft/Windows/AssignedAccess/Operations
Registry: HKLM\Software\Microsoft\Windows\AssignedAccessConfiguration
Registry: HKLM\Software\Microsoft\Windows\AssignedAccessCsp
Log files: C:\ProgramData\Microsoft\IntuneManagementExtension\Logs

You may also review the Kiosk Mode Troubleshooting Guide.

If WebView2 is not installed

Windows 10 does not have WebView2 installed by default. When running Windows App, users may be prompted to install WebView2, which cannot be done from an AssignedAccess kiosk. To resolve this issue, install WebView2 in the system context using Intune. Earlier in this guide we showed you how to do this using a PowerShell script.

If Windows Defender Firewall is blocking Microsoft Teams

If Teams is running and using Cloud PC media optimization, it attempts to create an allow rule in the local kiosk's Windows Defender Firewall. Because the user is not an administrator of the kiosk, this action cannot be permitted and the user will still be prompted for credentials. To resolve this issue, use Intune to pre-configure a firewall rule that allows Windows App to accept incoming Teams media for all users of the kiosk, preventing the prompt from appearing.
Create a new policy using the Endpoint protection template profile and give it a name such as Cloud PC Kiosk Firewall Settings. Find Windows Firewall and use the settings below to add a new rule that allows inbound connections to the Teams app.

Name: Allow Teams apps inbound
Direction: Inbound
Action: Allow
Network type: Domain, private, and public
Application: File path
File path: %USERPROFILE%\AppData\Local\Microsoft\Teams\current\teams.exe

Then assign this policy to the Cloud PC Kiosk group and complete policy creation.

Conclusion

We hope this guide helps you transition to Windows 11 and Windows 365! Learn more about ESU and how Windows 365 users can get it at no additional cost in the Windows in the Cloud episode with Mark Florida and Michael Raschko.

Keep the conversation going. Find best practices. Bookmark the Windows Technology Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.
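The checks from the Troubleshooting section, gathered into one script to run locally on a kiosk from an elevated session (an added example, not part of the original guide or of Microsoft's tooling): it reports the WebView2 runtime version, the two AssignedAccess registry keys, recent AppLocker blocks and Assigned Access errors, and the apps allowed by the applied kiosk XML. The function name and the look-back window are assumptions, the event channel names are written in the form Get-WinEvent expects, and reading MDM_AssignedAccess only succeeds in the SYSTEM context.

```powershell
# Added example: local health check for the Cloud PC kiosk described in this guide.
function Get-CloudPcKioskHealth {
    param([int]$HoursBack = 24)   # assumption: look-back window for event queries
    $since  = (Get-Date).AddHours(-$HoursBack)
    $report = [ordered]@{}

    # WebView2 Evergreen runtime, per-machine install on 64-bit Windows:
    # a 'pv' value other than 0.0.0.0 under this key means the runtime is present.
    $wv2 = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}'
    $pv  = (Get-ItemProperty -Path $wv2 -Name pv -ErrorAction SilentlyContinue).pv
    $report.WebView2 = if ($pv -and $pv -ne '0.0.0.0') { $pv } else { 'NOT INSTALLED' }

    # Registry keys from the troubleshooting table.
    foreach ($k in 'AssignedAccessConfiguration', 'AssignedAccessCsp') {
        $report[$k] = Test-Path "HKLM:\Software\Microsoft\Windows\$k"
    }

    # AppLocker event 8004: an EXE or DLL was blocked from running.
    $report.AppLockerBlocks = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004; StartTime = $since
    } | Select-Object TimeCreated, Message)

    # Assigned Access errors and warnings (Level 2 = Error, 3 = Warning).
    $report.AssignedAccessIssues = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-AssignedAccess/Operational'; Level = 2, 3; StartTime = $since
    } | Select-Object TimeCreated, Id, Message)

    # Applied kiosk XML through the MDM Bridge WMI provider (SYSTEM context only).
    try {
        $aa  = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_AssignedAccess' -ErrorAction Stop
        $raw = [string]$aa.Configuration
        # The provider may hand the XML back HTML-encoded; decode only in that case.
        if ($raw -notmatch '^\s*<') { $raw = [System.Net.WebUtility]::HtmlDecode($raw) }
        $xml = [xml]$raw
        $report.AllowedApps = @($xml.SelectNodes("//*[local-name()='AllowedApps']/*[local-name()='App']") |
            ForEach-Object { $_.GetAttribute('AppUserModelId') + $_.GetAttribute('DesktopAppPath') })
    } catch {
        $report.AllowedApps = "unavailable: $($_.Exception.Message)"
    }
    [pscustomobject]$report
}

Get-CloudPcKioskHealth | Format-List
```

An AllowedApps list that contains more than the applications you intended, or AppLocker blocks for a binary you expected to run, points back to the AssignedAccess Configuration XML rather than to the device.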