How to Setup Entra User Auto-Logon in Intune Kiosk Mode


Configure automatic sign-in for dedicated Entra ID kiosk users in Intune multi-app kiosk mode using Sysinternals Autologon and remediation scripts for unattended Windows devices.

Evan Mael
March 26, 2026 | 18 min read
Difficulty: hard | Category: Intune | 8 steps

Why Configure Entra ID Auto-Logon for Kiosk Mode?

Modern retail environments, digital signage deployments, and shared device scenarios require seamless, unattended operation without manual user intervention. Traditional local account kiosk setups lack the centralized identity management, security policies, and monitoring capabilities that enterprise environments demand. Entra ID (formerly Azure AD) auto-logon in Intune kiosk mode bridges this gap by combining the convenience of automatic sign-in with enterprise-grade identity management.

What Makes This Configuration Complex?

Setting up Entra ID auto-logon for kiosk devices involves multiple moving parts that must work in harmony. Unlike local account auto-logon, cloud-based authentication requires careful orchestration of Sysinternals Autologon tool deployment, PowerShell remediation scripts, and Intune device configuration profiles. The complexity stems from managing encrypted credentials, ensuring proper registry configuration, and maintaining security while enabling unattended operation.

What Will You Achieve?

By the end of this tutorial, you'll have a fully automated kiosk deployment that signs in dedicated Entra ID users without manual intervention, launches specified applications in a controlled environment, and provides centralized monitoring through Entra ID sign-in logs. Your kiosk devices will maintain enterprise security standards while operating autonomously in retail stores, lobbies, or shared spaces. The configuration supports Windows 11 multi-app kiosk scenarios with the flexibility to customize allowed applications and user interface elements.

Implementation Guide

Full Procedure

01

Create Dedicated Entra ID Kiosk User Account

Start by creating a dedicated Entra ID user account specifically for kiosk operations. This account needs special configuration to avoid authentication prompts during auto-logon.

Connect to Microsoft Graph PowerShell with the required permissions:

Connect-MgGraph -Scopes "User.ReadWrite.All"

Create the kiosk user with the following parameters:

$userParams = @{
    DisplayName = "Kiosk Terminal User"
    UserPrincipalName = "kioskuser@yourdomain.com"
    MailNickname = "kioskuser"
    PasswordProfile = @{
        Password = "ComplexKioskPassword123!"
        ForceChangePasswordNextSignIn = $false
    }
    AccountEnabled = $true
    UsageLocation = "US"
}
New-MgUser @userParams

Configure additional security settings for the kiosk user:

# Disable password expiration so unattended sign-in keeps working
# (MFA exclusion for this account is handled separately through Conditional Access)
$userId = (Get-MgUser -Filter "UserPrincipalName eq 'kioskuser@yourdomain.com'").Id
Update-MgUser -UserId $userId -PasswordPolicies "DisablePasswordExpiration"

Warning: Store the kiosk password securely as it will be embedded in the remediation script. Use a complex password that meets your organization's policy.

Verification: Run Get-MgUser -Filter "UserPrincipalName eq 'kioskuser@yourdomain.com'" to confirm the user was created successfully.

02

Download and Package Sysinternals Autologon Tool

The Sysinternals Autologon64.exe tool is essential for configuring automatic Windows logon with Entra ID credentials. Download the latest version and prepare it for Intune deployment.

Download Autologon from the official Microsoft Sysinternals suite:

# Download using PowerShell
$downloadUrl = "https://download.sysinternals.com/files/Autologon.zip"
$destinationPath = "C:\Temp\Autologon.zip"
Invoke-WebRequest -Uri $downloadUrl -OutFile $destinationPath
Expand-Archive -Path $destinationPath -DestinationPath "C:\Temp\Autologon"

Create the installation directory structure for the Win32 app package:

mkdir "C:\KioskPackage\Source"
copy "C:\Temp\Autologon\Autologon64.exe" "C:\KioskPackage\Source\"
copy "C:\Temp\Autologon\Eula.txt" "C:\KioskPackage\Source\"

Create an installation script (install.cmd) in the Source folder:

@echo off
if not exist "%ProgramData%\Autologon" mkdir "%ProgramData%\Autologon"
copy /Y "Autologon64.exe" "%ProgramData%\Autologon\"
copy /Y "Eula.txt" "%ProgramData%\Autologon\"
echo Installation completed > "%ProgramData%\Autologon\install.log"

Package the application using the Microsoft Win32 Content Prep Tool:

# Download and run IntuneWinAppUtil.exe
.\IntuneWinAppUtil.exe -c "C:\KioskPackage\Source" -s "install.cmd" -o "C:\KioskPackage\Output"

Pro tip: Always verify the Autologon64.exe version is 3.10 or later for optimal Entra ID compatibility. Check the file properties after download.

Verification: Confirm the .intunewin file was created in the Output folder and is approximately 200KB in size.

03

Deploy Autologon Tool via Intune Win32 App

Deploy the packaged Autologon tool to your kiosk devices through Intune's Win32 app deployment mechanism.

In the Microsoft Intune admin center, navigate to Apps > All apps > Add and select Windows app (Win32).

Configure the app package information:

  • Name: Sysinternals Autologon for Kiosk
  • Description: Autologon tool for Entra ID kiosk auto-signin
  • Publisher: Microsoft Sysinternals
  • App version: 3.10+

Set the program configuration:

# Install command
install.cmd

# Uninstall command
rd /s /q "%ProgramData%\Autologon"

Configure detection rules using a custom script:

# Detection script content
$autologonPath = "$env:ProgramData\Autologon\Autologon64.exe"
if (Test-Path $autologonPath) {
    $version = (Get-ItemProperty $autologonPath).VersionInfo.FileVersion
    # Compare against "3.10" rather than "3.10.0.0": a two-part FileVersion such as "3.10"
    # casts to 3.10.-1.-1, which would compare as lower than 3.10.0.0 and fail detection
    if ([version]$version -ge [version]"3.10") {
        Write-Output "Autologon detected"
        exit 0
    }
}
exit 1

Set the requirements:

  • Operating system architecture: x64
  • Minimum operating system: Windows 10 1903

Assign the app to your kiosk device group with Required intent.

Warning: Ensure the device group contains only kiosk devices to prevent deploying Autologon to regular user workstations.

Verification: Check the device's %ProgramData%\Autologon folder contains Autologon64.exe after deployment completes.

04

Create Intune Remediation Scripts for Auto-Logon Configuration

Intune remediation scripts will detect and configure the auto-logon settings using the deployed Autologon tool. Create both detection and remediation scripts.

Create the detection script (Detect-EntraAutologon_v1.ps1):

# Detection script for Entra ID auto-logon configuration
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$expectedUser = "kioskuser@yourdomain.com"
$expectedDomain = "AzureAD"

try {
    $autoAdminLogon = Get-ItemProperty -Path $registryPath -Name "AutoAdminLogon" -ErrorAction SilentlyContinue
    $defaultUserName = Get-ItemProperty -Path $registryPath -Name "DefaultUserName" -ErrorAction SilentlyContinue
    $defaultDomainName = Get-ItemProperty -Path $registryPath -Name "DefaultDomainName" -ErrorAction SilentlyContinue
    
    if ($autoAdminLogon.AutoAdminLogon -eq "1" -and 
        $defaultUserName.DefaultUserName -eq $expectedUser -and 
        $defaultDomainName.DefaultDomainName -eq $expectedDomain) {
        Write-Output "Entra ID auto-logon is properly configured"
        exit 0
    } else {
        Write-Output "Entra ID auto-logon configuration missing or incorrect"
        exit 1
    }
} catch {
    Write-Output "Error checking auto-logon configuration: $($_.Exception.Message)"
    exit 1
}

Create the remediation script (Remediate_Entra_Autologon_v1.ps1):

# Remediation script for Entra ID auto-logon configuration
$KioskUserUPN = "kioskuser@yourdomain.com"
$KioskUserPassword = "ComplexKioskPassword123!"
$KioskDomain = "AzureAD"
$AutologonPath = "$env:ProgramData\Autologon\Autologon64.exe"

try {
    if (-not (Test-Path $AutologonPath)) {
        Write-Error "Autologon64.exe not found at $AutologonPath"
        exit 1
    }
    
    # Configure auto-logon using Autologon64.exe
    $arguments = @(
        "/accepteula",
        $KioskUserUPN,
        $KioskDomain,
        $KioskUserPassword
    )
    
    $process = Start-Process -FilePath $AutologonPath -ArgumentList $arguments -Wait -PassThru -WindowStyle Hidden
    
    if ($process.ExitCode -eq 0) {
        Write-Output "Entra ID auto-logon configured successfully"
        
        # Verify registry settings
        $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $autoLogon = Get-ItemProperty -Path $registryPath -Name "AutoAdminLogon" -ErrorAction SilentlyContinue
        $userName = Get-ItemProperty -Path $registryPath -Name "DefaultUserName" -ErrorAction SilentlyContinue
        
        Write-Output "AutoAdminLogon: $($autoLogon.AutoAdminLogon)"
        Write-Output "DefaultUserName: $($userName.DefaultUserName)"
        exit 0
    } else {
        Write-Error "Autologon configuration failed with exit code: $($process.ExitCode)"
        exit 1
    }
} catch {
    Write-Error "Error configuring auto-logon: $($_.Exception.Message)"
    exit 1
}

Pro tip: Test the remediation script manually on a test device first by running it from an elevated PowerShell prompt to ensure it works correctly.

Verification: Save both scripts and prepare them for upload to Intune remediation policies.

05

Deploy Remediation Scripts via Intune

Deploy the detection and remediation scripts through Intune's Scripts and Remediations feature to automatically configure auto-logon on kiosk devices.

In the Microsoft Intune admin center, navigate to Devices > Scripts and remediations > Remediations and click Create.

Configure the remediation policy:

  • Name: Entra ID Kiosk Autologon Configuration
  • Description: Configures automatic sign-in for Entra ID kiosk users
  • Publisher: IT Department

Upload the detection script:

  • Select Detect-EntraAutologon_v1.ps1
  • Run this script using the logged-on credentials: No
  • Enforce script signature check: No
  • Run script in 64-bit PowerShell: Yes

Upload the remediation script:

  • Select Remediate_Entra_Autologon_v1.ps1
  • Run this script using the logged-on credentials: No
  • Enforce script signature check: No
  • Run script in 64-bit PowerShell: Yes

Configure the schedule settings:

{
  "Schedule": "Daily",
  "Start time": "09:00 AM",
  "Frequency": "Once a day",
  "Retry settings": {
    "Number of retries": 3,
    "Retry interval": "4 hours"
  }
}

Set scope tags if required and assign to your kiosk device group.

Warning: The remediation script contains the kiosk user password in plain text. Ensure proper access controls are in place and consider using Azure Key Vault for production environments.

Verification: Monitor the remediation policy status in Intune and check device compliance reports after the next sync cycle.

06

Configure Multi-App Kiosk Profile in Intune

Create an Intune device configuration profile to enable multi-app kiosk mode with the auto-logon user account.

In the Microsoft Intune admin center, navigate to Devices > Configuration profiles and click Create profile.

Select the profile settings:

  • Platform: Windows 10 and later
  • Profile type: Templates
  • Template name: Kiosk

Configure the kiosk settings:

  • Kiosk mode: Multi-app kiosk
  • User logon type: Auto logon (Windows 10 version 1803 or later)
  • Application type: Add Store app, Desktop app, or AUMID

Add Microsoft Edge as a kiosk application:

<Application Id="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge">
  <AutoLaunch>true</AutoLaunch>
</Application>

Configure the user account section:

  • User account type: Azure AD user or Azure AD group
  • User name: kioskuser@yourdomain.com

For advanced configuration, use a Custom OMA-URI profile with AssignedAccess CSP:

<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="{12345678-1234-1234-1234-123456789012}">
      <AllAppsList>
        <AllowedApps>
          <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
          <App DesktopAppPath="C:\Windows\System32\cmd.exe" />
        </AllowedApps>
      </AllAppsList>
      <StartLayout>
        <![CDATA[
          <LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
            <LayoutOptions StartTileGroupCellWidth="6" />
            <DefaultLayoutOverride>
              <StartLayoutCollection>
                <defaultlayout:StartLayout GroupCellWidth="6">
                  <start:Group Name="Kiosk Apps">
                    <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
                  </start:Group>
                </defaultlayout:StartLayout>
              </StartLayoutCollection>
            </DefaultLayoutOverride>
          </LayoutModificationTemplate>
        ]]>
      </StartLayout>
      <Taskbar ShowTaskbar="true" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>kioskuser@yourdomain.com</Account>
      <DefaultProfile Id="{12345678-1234-1234-1234-123456789012}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>

Pro tip: Use the Windows Configuration Designer tool to generate and validate your AssignedAccess XML configuration before deploying through Intune.

Verification: Assign the profile to your kiosk device group and monitor deployment status in the Intune admin center.

07

Test and Verify Auto-Logon Configuration

Perform comprehensive testing to ensure the auto-logon and kiosk configuration work correctly on target devices.

Check the Windows registry for auto-logon configuration:

# Verify registry settings
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Get-ItemProperty -Path $registryPath | Select-Object AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword

Expected output should show:

AutoAdminLogon    : 1
DefaultUserName   : kioskuser@yourdomain.com
DefaultDomainName : AzureAD
DefaultPassword   : [encrypted]

Test the auto-logon functionality:

  1. Restart the kiosk device
  2. Observe automatic sign-in without user interaction
  3. Verify the kiosk environment loads correctly
  4. Check that only allowed applications are accessible

Monitor AssignedAccess events in Event Viewer:

# Check AssignedAccess logs
Get-WinEvent -LogName "Microsoft-Windows-AssignedAccessManager/Admin" -MaxEvents 50 | 
  Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-24)} | 
  Select-Object TimeCreated, Id, LevelDisplayName, Message

Verify Entra ID sign-in logs:

  1. Navigate to Entra admin center > Sign-in logs
  2. Filter by the kiosk user account
  3. Confirm successful automatic sign-ins
  4. Check for any authentication errors or warnings

Test kiosk breakout prevention:

# Verify shell replacement
$shellValue = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -ErrorAction SilentlyContinue
Write-Output "Current shell: $($shellValue.Shell)"

Warning: Always have a break-glass recovery method available, such as a local administrator account or safe mode access, in case the kiosk configuration prevents normal access.

Verification: Document successful auto-logon, kiosk app launch, and user session establishment. Test device restart cycles to ensure consistency.

08

Monitor and Troubleshoot Common Issues

Implement monitoring and troubleshooting procedures to maintain reliable kiosk operations and quickly resolve common issues.

Create a monitoring script for ongoing health checks:

# Kiosk health monitoring script
$healthCheck = @{
    AutologonConfigured = $false
    KioskUserSignedIn = $false
    AssignedAccessActive = $false
    LastSignInTime = $null
}

# Check auto-logon configuration
$winlogonPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$autoLogon = Get-ItemProperty -Path $winlogonPath -Name "AutoAdminLogon" -ErrorAction SilentlyContinue
if ($autoLogon.AutoAdminLogon -eq "1") {
    $healthCheck.AutologonConfigured = $true
}

# Check current user session
$currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($currentUser -like "*kioskuser*") {
    $healthCheck.KioskUserSignedIn = $true
}

# Check AssignedAccess status
$assignedAccessConfig = Get-AssignedAccess -ErrorAction SilentlyContinue
if ($assignedAccessConfig) {
    $healthCheck.AssignedAccessActive = $true
}

# Output health status
$healthCheck | ConvertTo-Json -Depth 2

Common troubleshooting scenarios and solutions:

Issue                   | Cause                               | Solution
------------------------|-------------------------------------|--------------------------------------------
Auto-logon fails        | Autologon64.exe not found           | Verify Win32 app deployment and file path
Password prompt on boot | ForceChangePasswordNextSignIn=true  | Update user account settings in Entra ID
Kiosk apps not loading  | InPrivate browsing enabled          | Disable InPrivate mode in Edge policies
User locked out         | Multiple failed sign-in attempts    | Reset account lockout in Entra ID
Registry corruption     | Manual registry edits               | Re-run remediation script or rebuild device

Set up automated remediation for common issues:

# Emergency remediation script
param(
    [string]$Action = "Check"
)

switch ($Action) {
    "Check" {
        # Perform health checks
        $autologonStatus = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "AutoAdminLogon"
        Write-Output "AutoAdminLogon: $($autologonStatus.AutoAdminLogon)"
    }
    "Reset" {
        # Reset auto-logon configuration
        $autologonPath = "$env:ProgramData\Autologon\Autologon64.exe"
        if (Test-Path $autologonPath) {
            & $autologonPath /accepteula "kioskuser@yourdomain.com" "AzureAD" "ComplexKioskPassword123!"
            Write-Output "Auto-logon configuration reset"
        }
    }
    "Disable" {
        # Disable auto-logon for troubleshooting
        Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "AutoAdminLogon" -Value "0"
        Write-Output "Auto-logon disabled"
    }
}

Monitor Entra ID sign-in patterns:

# Connect to Microsoft Graph for monitoring
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Get recent sign-ins for kiosk user
$kioskSignIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'kioskuser@yourdomain.com'" -Top 50
$kioskSignIns | Select-Object CreatedDateTime, Status, ClientAppUsed, DeviceDetail | Format-Table

Pro tip: Create a scheduled task to run health checks every 4 hours and log results to a central location for proactive monitoring.
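Because the kiosk password is embedded in the remediation script, the sign-in pattern worth alerting on is the kiosk account authenticating from somewhere other than a kiosk device. The following script is an added example, not part of the original article: it builds an allow-list of Entra device IDs from the kiosk device group and flags any sign-in by the kiosk account that failed, came from an unregistered device, or came from a device outside that group. The group name "Kiosk Devices" and the 24-hour lookback are assumptions.

```powershell
# Added example: flag kiosk-account sign-ins that did not originate from a device in the
# kiosk device group. Group name and lookback window are assumptions; adjust to your tenant.
Connect-MgGraph -Scopes "AuditLog.Read.All", "GroupMember.Read.All", "Device.Read.All"

$KioskUserUPN   = "kioskuser@yourdomain.com"
$KioskGroupName = "Kiosk Devices"   # assumed display name of the Intune kiosk device group
$LookbackHours  = 24

# Build the allow-list of Entra device IDs (the value that appears in sign-in logs)
$group = Get-MgGroup -Filter "displayName eq '$KioskGroupName'" | Select-Object -First 1
if (-not $group) { throw "Group '$KioskGroupName' not found" }

$allowedDeviceIds = @{}
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
    # Member object IDs are directory object IDs; Get-MgDevice resolves them to device objects
    $dev = Get-MgDevice -DeviceId $_.Id -ErrorAction SilentlyContinue
    if ($dev) { $allowedDeviceIds[$dev.DeviceId] = $dev.DisplayName }
}

# Pull recent sign-ins for the kiosk account only
$since   = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter  = "userPrincipalName eq '$KioskUserUPN' and createdDateTime ge $since"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

$findings = foreach ($s in $signIns) {
    $deviceId = $s.DeviceDetail.DeviceId
    $reason   = $null

    if ($s.Status.ErrorCode -ne 0) {
        $reason = "Failed sign-in (error $($s.Status.ErrorCode))"
    } elseif ([string]::IsNullOrEmpty($deviceId)) {
        $reason = "Sign-in from an unregistered device"
    } elseif (-not $allowedDeviceIds.ContainsKey($deviceId)) {
        $reason = "Sign-in from a device outside the kiosk group"
    }

    if ($reason) {
        [pscustomobject]@{
            Time     = $s.CreatedDateTime
            Reason   = $reason
            Device   = $s.DeviceDetail.DisplayName
            DeviceId = $deviceId
            IP       = $s.IpAddress
            App      = $s.AppDisplayName
        }
    }
}

if ($findings) {
    $findings | Sort-Object Time -Descending | Format-Table -AutoSize
} else {
    Write-Output "No anomalous sign-ins for $KioskUserUPN in the last $LookbackHours hours"
}
```

Run it from the same scheduled task that collects the health checks so that a sign-in from outside the kiosk fleet surfaces alongside device-side failures.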

Verification: Test all troubleshooting procedures on a non-production device and document the resolution steps for your support team.

Frequently Asked Questions

What are the licensing requirements for Entra ID auto-logon in Intune kiosk mode?

You need Microsoft Intune licensing (included in Microsoft 365 E3/E5 or standalone) and Microsoft Entra ID P1 or P2 for advanced identity features. Windows 11 Enterprise or Education edition is required on the kiosk devices. The Sysinternals Autologon tool is free from Microsoft and doesn't require additional licensing.

Can I use multi-factor authentication with kiosk auto-logon accounts?

No, kiosk accounts used for auto-logon must be excluded from MFA requirements since there's no user interaction to complete additional authentication factors. Configure conditional access policies to exclude kiosk users from MFA while maintaining security through device compliance policies and restricted application access in kiosk mode.

How do I troubleshoot auto-logon failures on kiosk devices?

Check the Windows registry at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon for AutoAdminLogon=1, correct DefaultUserName (UPN), and DefaultDomainName=AzureAD. Verify Autologon64.exe deployment in %ProgramData%\Autologon and review AssignedAccess event logs. Common issues include password expiration, account lockout, or incorrect domain configuration.

What happens if the kiosk user password expires or needs to be changed?

Set the kiosk user account with ForceChangePasswordNextSignIn=$false and configure password policies to disable expiration using Update-MgUser -PasswordPolicies "DisablePasswordExpiration". If you must change the password, update both the Entra ID user account and the remediation script with the new password, then redeploy the remediation policy to all kiosk devices.

How can I monitor kiosk device sign-in activity and detect issues?

Use Entra ID sign-in logs to monitor kiosk user authentication patterns and detect failures. Set up automated monitoring with Microsoft Graph PowerShell to query sign-in logs for the kiosk user account. Create Intune remediation scripts that run health checks every 4 hours and log results. Monitor AssignedAccess event logs on devices for kiosk mode issues and application launch failures.
Written by Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.