
Overview

Secure Kiosk Deployment using Intune & PowerShell

A banking client required a secure and compliant multi-app kiosk setup across its branch offices. We designed and deployed hardened Windows 10/11 kiosks using Microsoft Intune, AppLocker, and PowerShell. The solution enforced strict app control, disk encryption, and USB restrictions while ensuring centralized management and zero-trust compliance.

The Client Required

  • Limited app access on kiosks (Netop, Active Teller, Edge)
  • USB storage restriction
  • BitLocker-based full disk encryption
  • Disabled system tools (Task Manager, CMD, Explorer)
  • Compliance with zero-trust endpoint standards


Kiosk Configuration via Microsoft Intune

  01. Active Teller Profile: multi-app kiosk mode using Netop & the Teller app
  02. USB Block Profile: external media disabled using Administrative Templates
  03. Start Menu/Taskbar Hider: user UI elements removed
  04. Kiosk Lite (Win11): lightweight kiosk version for newer endpoints
  05. Start Menu Layout: pinned apps and layout control defined

✔ All profiles were pushed and validated via the Intune portal.

Techstern

Working experience

  • BitLocker Encryption: configured under Endpoint Security → Disk Encryption; protects data against offline access; rollout to all kiosk devices pending
  • App Whitelisting via AppLocker: only apps under %PROGRAMFILES% and %WINDIR% allowed; Chrome browser explicitly denied; admins retained full access to apps
  • Start Menu and App Restrictions: PowerShell used to expose only approved apps
  • System Tools Hidden: via AppLocker, DisableTaskMgr.ps1, and a custom shell set up by Shellv1.ps1
  • System Restrictions: launch attempts on restricted apps triggered a system error; the custom shell allowed only approved apps; Edge launched in digital signage mode; Windows Taskbar and Downloads folder access disabled
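The AppLocker allow-list described above, as an added example that is not from the page or the client's deployment: it expresses the %PROGRAMFILES% and %WINDIR% allow rules, the Chrome deny and the administrator carve-out as AppLocker policy XML, dry-runs the decisions for a standard user, and applies the policy locally. The rule GUIDs are constructed, the chrome.exe path is assumed, and the exceptions for user-writable Windows subfolders go beyond what the page itself describes.

```powershell
# Added example (not the page's own script): the AppLocker EXE rule set above as policy XML,
# applied locally and dry-run before the same XML is packaged for Intune. Rule GUIDs are
# constructed and the chrome.exe path is assumed; run from an elevated PowerShell session.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Everyone (S-1-1-0) may run what is installed under Program Files (x86 and x64) -->
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000001" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <!-- ...and the Windows directory, except subfolders a standard user can write into -->
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000002" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <!-- Chrome is explicitly denied; a Deny rule always beats an Allow, even for admins -->
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000003" Name="Deny Chrome" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Google\Chrome\Application\chrome.exe" /></Conditions>
    </FilePathRule>
    <!-- BUILTIN\Administrators (S-1-5-32-544) keep full access everywhere else -->
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000004" Name="Admins unrestricted" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'kiosk-exe-policy.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# AppLocker only enforces while the Application Identity service runs; it is a protected
# service, so sc.exe rather than Set-Service is used to make it start automatically.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Dry run: a benign copy of notepad placed in the excepted Windows\Temp must be denied,
# while the original under System32 is allowed (a standard-user view, SID Everyone).
$probe = Join-Path $env:WINDIR 'Temp\probe.exe'
Copy-Item (Join-Path $env:WINDIR 'System32\notepad.exe') $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path $probe, (Join-Path $env:WINDIR 'System32\notepad.exe') |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $probe -Force

# Apply locally (replaces the local policy; add -Merge to keep existing rules) and show
# the effective policy, which is what local, GPO and Intune-delivered rules combine to.
Set-AppLockerPolicy -XmlPolicy $policyPath
Get-AppLockerPolicy -Effective -Xml
```

When the same rules are pushed through Intune's AppLocker CSP, only the `<RuleCollection>` element is supplied as the policy body; the outer wrapper is needed only by the local cmdlets.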

  • Built and tested all Intune configuration profiles
  • Assigned profiles to specific kiosk device groups
  • Applied PowerShell scripts through Intune
  • Verified usability, app access, USB blocking
  • Finalized encryption & policy enforcement

  • Enhanced Security: Full lockdown with USB block and AppLocker
  • User Restriction: Only mission-critical apps visible
  • Lower Attack Surface: browser misuse and system tools disabled
  • Regulatory Compliance: Matched financial industry standards
  • Centralized Control: Managed via Intune & Azure AD

This project demonstrates a robust approach to secure kiosk deployment using Microsoft Intune, AppLocker, and PowerShell automation. The solution provides a scalable and compliant environment tailored for financial branch operations—ensuring both security and usability across distributed endpoints.