Kiosk Overseer (Windows Kiosk Builder)

APPLICATION TYPE

EDGE KIOSK

BREAKOUT CONTROL

Ctrl Alt Shift

Current: Ctrl+Alt+K

ADD APPLICATION

COMMON APPS

NOTE: Common apps use default installation paths. If an app is installed in a custom location, use "Add Application" above instead.

Browsers:

System Utilities:

Productivity:

Media & Communication:

Microsoft Office:

ALLOWED APPS LIST

Allowed Apps (0)

No apps added yet. Use "Add Common App" above to get started.

AUTO-LAUNCH

EDGE AUTO-LAUNCH

FILE EXPLORER

TASKBAR

PINNED SHORTCUTS

Allowed App *

Shortcut Name *

Advanced Options

Arguments (optional)

Working Directory (optional)

Icon Path (optional)

EDGE SITE TILE

Tile Name *

Tile ID (optional)

Content Source

NOTE: Secondary tiles use the normal Edge profile (not InPrivate by default). Apply Edge policies if you need private-session behavior.

PIN LIST

Pinned Shortcuts (0)

No pins added yet. Add a desktop shortcut or UWP app above.

EDIT PIN

Edit Pin

Name *

Target Path

Arguments

Working Directory

Icon Path

System Shortcut Path (optional)

TASKBAR PINS

Allowed App *

Name *

Advanced Options

Arguments

Working Directory

Icon Path (optional, shortcuts only)

TASKBAR LIST

Taskbar Pins (0)

No taskbar pins configured. Add a desktop app or UWP app above.

EDIT TASKBAR PIN

Edit Taskbar Pin

Name *

Type

Target Path *

Arguments

Working Directory

Icon Path (optional, shortcuts only)

Author (optional)

These settings are applied by the On-Demand Kiosk Script, not the Assigned Access XML. For Intune/MDM deployments, configure these separately via Configuration Profiles or registry policies.

TOUCH INPUT

Profile

Name —

Account —

Application

Kiosk Mode —

Allowed Apps —

Layout

Start Pins —

Taskbar Pins —

Show Taskbar —

File Explorer —

EXPORT

Upload to Intune OMA-URI or Windows Configuration Designer

Run on a device to set up the kiosk immediately — does everything in one step

Creates .lnk shortcut files — deploy as a separate Intune app alongside the XML

Custom Edge shortcut branding — deploy as a separate Intune app (optional)

Recommended for enterprise. Deploy via Microsoft Intune using a custom OMA-URI policy.

Navigate to Intune

Go to Microsoft Intune admin center
Select Devices → Configuration profiles

Create Profile

Click + Create profile
Platform: Windows 11
Profile type: Templates → Custom

Configure OMA-URI

Field	Value
Name	AssignedAccess Configuration
OMA-URI	`./Vendor/MSFT/AssignedAccess/Configuration`
Data type	String
Value	(Open downloaded XML file and copy entire contents)

Assign & Deploy

Assign to a device group
Device will sync and apply configuration

Deploy Shortcut Creator (If Needed)

Required if: Your Start or Taskbar pins use desktopAppLink (reference .lnk file paths)

Deployment options:

Option A (Simpler): Deploy as Intune Script (Devices → Scripts → Add PowerShell script)
Option B (More Control): Package as Win32 App with detection rules and dependencies (see Step 7 below)

Click Shortcut Creator in the Export section above to download the script

Deploy Manifest Override (Optional)

Only needed if: You want custom names/icons for Edge shortcuts instead of "Microsoft Edge" branding

Deployment: Same as above - deploy as Intune Script or Win32 App (see Step 7 below)

Click Manifest Override in the Export section above to download both install and remove scripts

Win32 App Creation Guide (Shortcut Creator & Manifest Override)

For Option B above: Follow these steps to package both scripts as Win32 apps

7a. Get IntuneWinAppUtil Tool

Download from Microsoft GitHub
Extract IntuneWinAppUtil.exe to a folder (e.g., C:\IntuneTools\)

7b. Package Shortcut Creator

Create source folder: C:\IntunePackaging\ShortcutCreator\
Place downloaded Shortcut Creator script in folder (e.g., CreateShortcuts_Lobby-Kiosk.ps1)

Run IntuneWinAppUtil (replace filename with your actual script name):

IntuneWinAppUtil.exe -c "C:\IntunePackaging\ShortcutCreator" -s "CreateShortcuts_YourConfigName.ps1" -o "C:\IntunePackaging\Output"

Upload the generated .intunewin file to Intune

Install command (replace filename with your actual script name):

powershell.exe -ExecutionPolicy Bypass -File "CreateShortcuts_YourConfigName.ps1"

Uninstall command:

powershell.exe -Command "Write-Host 'Shortcuts remain in place'"

Detection script (PowerShell):

# Detect Shortcut Creator - checks for sentinel file
$sentinelPath = "$env:ProgramData\KioskOverseer\ShortcutCreator.installed"
if (Test-Path $sentinelPath) {
    Write-Host "Shortcut Creator installed"
    exit 0
} else {
    exit 1
}

Note: The Shortcut Creator script automatically creates this sentinel file - no manual modification needed.

7c. Package Manifest Override

Create source folder: C:\IntunePackaging\ManifestOverride\
Place both install and remove scripts in folder

Run IntuneWinAppUtil:

IntuneWinAppUtil.exe -c "C:\IntunePackaging\ManifestOverride" -s "KioskOverseer-EdgeVisualElements-Install.ps1" -o "C:\IntunePackaging\Output"

Upload the generated .intunewin file to Intune

Install command:

powershell.exe -ExecutionPolicy Bypass -File "KioskOverseer-EdgeVisualElements-Install.ps1"

Uninstall command:

powershell.exe -ExecutionPolicy Bypass -File "KioskOverseer-EdgeVisualElements-Remove.ps1"

Detection script (PowerShell):

# Detect Manifest Override - checks for backup file and scheduled task
$taskExists = Get-ScheduledTask -TaskName "KioskOverseer-EdgeVisualElements" -ErrorAction SilentlyContinue
$backupExists = Test-Path "$env:ProgramFiles\Microsoft\Edge\Application\msedge.VisualElementsManifest.xml.kioskoverseer.bak"

if ($taskExists -and $backupExists) {
    Write-Host "Manifest Override installed"
    exit 0
} else {
    exit 1
}

Reboot & Validate

Device reboots to apply kiosk configuration
Sign in with kiosk account to test

Requirements: Device must be Azure AD joined or Hybrid Azure AD joined.

Deployment Summary: The OMA-URI policy applies the kiosk XML configuration. Shortcut Creator and Manifest Override must be deployed separately as scripts or Win32 apps because OMA-URI policies cannot create files or run commands on the device.

For standalone devices or testing. Simple two-step process: download the On-Demand Kiosk Script and run it as SYSTEM.

Download On-Demand Kiosk Script

Click On-Demand Kiosk Script in the Export section above to download. This script handles everything: applies XML, creates shortcuts, and configures the kiosk.

Run as SYSTEM

Execute the script using PsExec to run as SYSTEM:

psexec -i -s powershell.exe -ExecutionPolicy Bypass -File "C:\path\to\Apply-AssignedAccess.ps1"

The device will reboot to apply the kiosk configuration.

Why SYSTEM context? The MDM WMI Bridge requires SYSTEM (LocalSystem account, SID S-1-5-18) privileges to apply AssignedAccess configurations. Running as Administrator is not sufficient - you must use the SYSTEM account. PsExec (-s flag) provides an easy way to run PowerShell as SYSTEM.

Download PsExec: Microsoft Sysinternals PsExec (free tool from Microsoft)

For bulk deployment during OOBE or to existing devices.

Install Windows Configuration Designer

Download from Microsoft Store or Windows ADK

Create Provisioning Package

Open Windows Configuration Designer
Select Advanced provisioning
Navigate to: Runtime settings → AssignedAccess → AssignedAccessSettings
Paste your XML configuration

Export & Apply

Export → Provisioning package → Create
Apply by double-clicking the .ppkg file or during Windows setup

TIP: Provisioning packages can be applied during OOBE by placing them on a USB drive.

Intune OMA-URI Deployment

Create OMA-URI Profile

→

Deploy XML via OMA-URI

→

Deploy Shortcut Creator (Win32/Script)*

→

Deploy Manifest Override (Win32/Script)**

→

Device reboots and applies kiosk

Local/PowerShell Deployment

Download On-Demand Kiosk Script

→

Run as SYSTEM (psexec -i -s)

→

Script creates shortcuts + applies XML

→

Reboot and validate

* Shortcut Creator is required if your pins use desktopAppLink (.lnk file paths).
** Manifest Override is optional - only needed if you want custom Edge shortcut names/icons instead of "Microsoft Edge" branding.