🖥️ Getting Windows Kiosks to Work in Intune While Avoiding InPrivate Browsing
Deploying Windows Kiosk devices with Microsoft Intune is a common setup in schools, libraries, retail stores, and front-desk environments. The challenge many admins face is ensuring that while the kiosk provides controlled web access, users can’t open InPrivate (private) browser sessions that could bypass monitoring or policy restrictions.
This guide explains how to configure Windows Kiosks properly, disable InPrivate browsing in both Microsoft Edge and Google Chrome, and apply Intune policies effectively.
⚙️ What Is a Windows Kiosk Mode?
Kiosk Mode in Windows is a locked-down environment designed to run specific apps or experiences. You can configure it in several ways depending on your needs:
| Kiosk Type | Description |
|---|---|
| Single-App Kiosk | Runs one app in full screen — ideal for information terminals or POS systems. |
| Multi-App Kiosk | Allows access to a set of apps defined by the admin — useful for shared devices in schools or public offices. |
| Assigned Access | Links a local or Azure AD account to specific app experiences. |
When configured with Intune, kiosk settings deploy automatically to managed devices, eliminating manual setup.
🧩 Step-by-Step: Configure Windows Kiosk in Intune
Step 1: Prepare the Device Group
- Go to Microsoft Intune Admin Center
https://intune.microsoft.com - Navigate to Groups > New Group.
- Create a Security group for kiosk devices (e.g., Windows-Kiosks).
- Add your kiosk devices to this group.
Step 2: Create the Kiosk Profile
- Go to Devices > Configuration profiles > Create profile.
- Choose:
- Platform: Windows 10 and later
- Profile type: Templates → Kiosk
- Under Configuration settings, select your kiosk mode:
- Single app, full-screen kiosk, or
- Multi-app kiosk
- Specify the user account or group that the kiosk will use.
- Add the apps you want available (e.g., Microsoft Edge, Calculator, Teams).
Step 3: Configure Microsoft Edge for Kiosk Use
When Edge is the kiosk browser, it supports Kiosk Mode parameters that allow you to control tabs, private browsing, and reset behavior.
- Under Kiosk settings, configure:
- Browser type: Microsoft Edge
- Kiosk mode type: Choose Digital/Interactive signage (fullscreen) or Public browsing
- Important: Select Public browsing mode for multi-user kiosks.
This mode:- Resets browser data after each session
- Prevents users from signing in
- Can disable InPrivate browsing
Step 4: Disable InPrivate Browsing via Intune Policy
You can block InPrivate browsing with a Configuration Profile using Administrative Templates or OMA-URI settings.
Option 1: Administrative Templates (Recommended)
- Create a new profile:
- Platform: Windows 10 and later
- Profile type: Templates → Administrative Templates
- Navigate to:
- Microsoft Edge → InPrivate
- Configure the following:
- Allow InPrivate browsing: Disabled
- Assign this profile to the same kiosk group created earlier.
Option 2: OMA-URI (Advanced)
If you’re using a Chromium-based Edge version (modern builds), use this OMA-URI policy:
OMA-URI:./Device/Vendor/MSFT/Policy/Config/Browser/AllowInPrivate
Data type: Integer
Value: 0 (Disabled)
This setting ensures InPrivate browsing is completely turned off system-wide.
Step 5: (Optional) Apply Edge Startup and Homepage Restrictions
To control browser behavior further:
- Under Administrative Templates → Microsoft Edge, configure:
- Set Microsoft Edge startup URLs → Specify your allowed site(s)
- Prevent users from changing startup pages → Enabled
- Configure home button → Enabled, specify the same site
- Set download restrictions → Block all downloads (optional)
- Set default search engine → Choose your preferred provider
This locks down the user experience to only approved pages.
🚫 Configuring Google Chrome Kiosks (If Used)
For environments using Chrome in kiosk mode:
- Use the Intune Configuration profile → Custom OMA-URI.
- Add:
- OMA-URI:
./Device/Vendor/MSFT/Policy/Config/Chrome/IncognitoModeAvailability - Data type: Integer
- Value:
1
- OMA-URI:
This disables Incognito Mode in Chrome, ensuring browsing is logged and restricted.
You can also add:
- OMA-URI:
./Device/Vendor/MSFT/Policy/Config/Chrome/RestoreOnStartupURLs - Value:
["https://yourhomepage.com"]
That forces Chrome to open a specific site on launch.
🧠 Best Practices for Secure Kiosk Deployment
- Use Assigned Access with Local or Entra ID Accounts
Create a dedicated kiosk user account (not admin) and assign the profile to that account only. - Pair Kiosk Policy with Device Restrictions
In Intune, add a Device Restrictions profile:- Block access to Task Manager, Registry Editor, and Control Panel
- Disable USB file transfer
- Enable Automatic sign-in after restart
- Reset Kiosk Sessions Automatically
Configure Edge or Chrome to reset browsing data after each session.
For Edge, “Public browsing” mode does this automatically. - Enable Windows Autologon
If the kiosk restarts, the same assigned access user should log in automatically. - Monitor Compliance
Use Intune > Devices > Monitor > Configuration profiles to verify policy application status.
Ensure Allow InPrivate browsing = Disabled is reported as Succeeded.
🧾 Troubleshooting Tips
| Issue | Likely Cause | Solution |
|---|---|---|
| InPrivate browsing still available | Wrong Edge version or local policy override | Verify Intune policy sync and Edge build; reapply profile |
| Kiosk not launching Edge | Assigned Access misconfiguration | Ensure app path and AUMID are correct |
| Kiosk restarts repeatedly | Multi-app Kiosk misconfiguration | Rebuild the kiosk XML layout and redeploy |
| Chrome still opens Incognito | Incorrect OMA-URI | Confirm Chrome policy name and value (must be 1) |
✅ Summary
By combining Kiosk Mode, Edge public browsing mode, and Intune configuration policies, you can create a secure, managed Windows environment where:
- Only approved apps run
- All browsing sessions reset after use
- InPrivate browsing and Incognito mode are fully disabled
This ensures consistent, auditable user behavior — ideal for education, healthcare, retail, or any shared device scenario.
