Kiosk Overseer (Windows Kiosk Builder)

Author (optional)

TASKBAR

FILE EXPLORER

APPLICATION TYPE

EDGE KIOSK

BREAKOUT CONTROL

Ctrl Alt Shift

Current: Ctrl+Alt+K

ADD APPLICATION

COMMON APPS

NOTE: Common apps use default installation paths. If an app is installed in a custom location, use "Add Application" above instead.

Browsers:

System Utilities:

Productivity:

Media & Communication:

Microsoft Office:

ALLOWED APPS LIST

Allowed Apps (0)

No apps added yet. Use "Add Common App" above to get started.

AUTO-LAUNCH

EDGE AUTO-LAUNCH

PINNED SHORTCUTS

Shortcut Name *

Target Path *

desktopAppLink (?)

Use Allowed App

Advanced Options

Arguments (optional)

Working Directory (optional)

Icon Path (optional)

EDGE SITE TILE

Tile Name *

Tile ID (optional)

Content Source

NOTE: Secondary tiles use the normal Edge profile (not InPrivate by default). Apply Edge policies if you need private-session behavior.

PIN LIST

Pinned Shortcuts (0)

No pins added yet. Add a desktop shortcut or UWP app above.

EDIT PIN

Edit Pin

Name *

Target Path

Arguments

Working Directory

Icon Path

System Shortcut Path (optional)

TASKBAR PINS

Name *

Type

Target Path *

Use Allowed App

Advanced Options

Arguments

Working Directory

Icon Path (optional, shortcuts only)

TASKBAR LIST

Taskbar Pins (0)

No taskbar pins configured. Add a desktop app or UWP app above.

EDIT TASKBAR PIN

Edit Taskbar Pin

Name *

Type

Target Path *

Arguments

Working Directory

Icon Path (optional, shortcuts only)

Profile

Name —

Account —

Application

Kiosk Mode —

Allowed Apps —

Layout

Start Pins —

Taskbar Pins —

Show Taskbar —

File Explorer —

DEVICE SETTINGS

EXPORT

Download the XML and paste it into an Intune OMA-URI custom policy. See Deploy Guide for full steps.

Recommended for enterprise. Deploy via Microsoft Intune using a custom OMA-URI policy.

1

Navigate to Intune

Go to Microsoft Intune admin center
Select Devices → Configuration profiles

2

Create Profile

Click + Create profile
Platform: Windows 11
Profile type: Templates → Custom

3

Configure OMA-URI

Field	Value
Name	AssignedAccess Configuration
OMA-URI	`./Vendor/MSFT/AssignedAccess/Configuration`
Data type	String
Value	(Open downloaded XML file and copy entire contents)

4

Assign & Deploy

Assign to a device group
Device will sync and apply configuration

5

Deploy Shortcut Creator (If Needed)

Required if: Your Start or Taskbar pins use desktopAppLink (reference .lnk file paths)

Deployment options:

Option A (Simpler): Deploy as Intune Script (Devices → Scripts → Add PowerShell script)
Option B (More Control): Package as Win32 App with detection rules and dependencies (see Step 7 below)

Download the Shortcut Creator script: Switch to Local / Script export mode, then click Shortcut Creator

6

Deploy Manifest Override (Optional)

Only needed if: You want custom names/icons for Edge shortcuts instead of "Microsoft Edge" branding

Deployment: Same as above - deploy as Intune Script or Win32 App (see Step 7 below)

Download the Manifest Override scripts: Switch to Local / Script export mode, then click Manifest Override (includes both install and remove scripts)

7

Win32 App Creation Guide (Shortcut Creator & Manifest Override)

For Option B above: Follow these steps to package both scripts as Win32 apps

7a. Get IntuneWinAppUtil Tool

Download from Microsoft GitHub
Extract IntuneWinAppUtil.exe to a folder (e.g., C:\IntuneTools\)

7b. Package Shortcut Creator

Create source folder: C:\IntunePackaging\ShortcutCreator\
Place downloaded Shortcut Creator script in folder (e.g., CreateShortcuts_Lobby-Kiosk.ps1)

Run IntuneWinAppUtil (replace filename with your actual script name):

IntuneWinAppUtil.exe -c "C:\IntunePackaging\ShortcutCreator" -s "CreateShortcuts_YourConfigName.ps1" -o "C:\IntunePackaging\Output"

Upload the generated .intunewin file to Intune

Install command (replace filename with your actual script name):

powershell.exe -ExecutionPolicy Bypass -File "CreateShortcuts_YourConfigName.ps1"

Uninstall command:

powershell.exe -Command "Write-Host 'Shortcuts remain in place'"

Detection script (PowerShell):

# Detect Shortcut Creator - checks for sentinel file
$sentinelPath = "$env:ProgramData\KioskOverseer\ShortcutCreator.installed"
if (Test-Path $sentinelPath) {
    Write-Host "Shortcut Creator installed"
    exit 0
} else {
    exit 1
}

Note: The Shortcut Creator script automatically creates this sentinel file - no manual modification needed.

7c. Package Manifest Override

Create source folder: C:\IntunePackaging\ManifestOverride\
Place both install and remove scripts in folder

Run IntuneWinAppUtil:

IntuneWinAppUtil.exe -c "C:\IntunePackaging\ManifestOverride" -s "KioskOverseer-EdgeVisualElements-Install.ps1" -o "C:\IntunePackaging\Output"

Upload the generated .intunewin file to Intune

Install command:

powershell.exe -ExecutionPolicy Bypass -File "KioskOverseer-EdgeVisualElements-Install.ps1"

Uninstall command:

powershell.exe -ExecutionPolicy Bypass -File "KioskOverseer-EdgeVisualElements-Remove.ps1"

Detection script (PowerShell):

# Detect Manifest Override - checks for backup file and scheduled task
$taskExists = Get-ScheduledTask -TaskName "KioskOverseer-EdgeVisualElements" -ErrorAction SilentlyContinue
$backupExists = Test-Path "$env:ProgramFiles\Microsoft\Edge\Application\msedge.VisualElementsManifest.xml.kioskoverseer.bak"

if ($taskExists -and $backupExists) {
    Write-Host "Manifest Override installed"
    exit 0
} else {
    exit 1
}

8

Reboot & Validate

Device reboots to apply kiosk configuration
Sign in with kiosk account to test

Requirements: Device must be Azure AD joined or Hybrid Azure AD joined.

Deployment Summary: The OMA-URI policy applies the kiosk XML configuration. Shortcut Creator and Manifest Override must be deployed separately as scripts or Win32 apps because OMA-URI policies cannot create files or run commands on the device.

For standalone devices or testing. Simple two-step process: download the All-In-One script and run it as SYSTEM.

1

Download All-In-One Script

Switch to Local / Script export mode and click All-In-One Script to download the deployment script. This script handles everything: applies XML, creates shortcuts, and configures the kiosk.

2

Run as SYSTEM

Execute the script using PsExec to run as SYSTEM:

psexec -i -s powershell.exe -ExecutionPolicy Bypass -File "C:\path\to\Apply-AssignedAccess.ps1"

The device will reboot to apply the kiosk configuration.

Why SYSTEM context? The MDM WMI Bridge requires SYSTEM (LocalSystem account, SID S-1-5-18) privileges to apply AssignedAccess configurations. Running as Administrator is not sufficient - you must use the SYSTEM account. PsExec (-s flag) provides an easy way to run PowerShell as SYSTEM.

Download PsExec: Microsoft Sysinternals PsExec (free tool from Microsoft)

For bulk deployment during OOBE or to existing devices.

1

Install Windows Configuration Designer

Download from Microsoft Store or Windows ADK

2

Create Provisioning Package

Open Windows Configuration Designer
Select Advanced provisioning
Navigate to: Runtime settings → AssignedAccess → AssignedAccessSettings
Paste your XML configuration

3

Export & Apply

Export → Provisioning package → Create
Apply by double-clicking the .ppkg file or during Windows setup

TIP: Provisioning packages can be applied during OOBE by placing them on a USB drive.

Intune OMA-URI Deployment

Create OMA-URI Profile

→

Deploy XML via OMA-URI

→

Deploy Shortcut Creator (Win32/Script)*

→

Deploy Manifest Override (Win32/Script)**

→

Device reboots and applies kiosk

Local/PowerShell Deployment

Download All-In-One Script

→

Run as SYSTEM (psexec -i -s)

→

Script creates shortcuts + applies XML

→

Reboot and validate

* Shortcut Creator is required if your pins use desktopAppLink (.lnk file paths).
** Manifest Override is optional - only needed if you want custom Edge shortcut names/icons instead of "Microsoft Edge" branding.