Windows 11 Kiosk mode and Intune

When setting up kiosk devices with Intune, certain registry settings may be automatically applied, which can interfere with autologon functionality. The registry keys you mentioned, HKLM:\SYSTEM\CurrentControlSet\Control\EAS and HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock, are likely being set by default Intune policies related to device security and management. Unfortunately, these specific policies may not be explicitly visible in the Intune interface, as some settings are applied automatically based on the device configuration profiles or compliance policies.

To address the issue of the kiosk user account being forced to change the password at the next logon, this is typically a result of security policies applied to user accounts. While there may not be a direct registry setting to disable this behavior, you can manage user account settings through Intune by configuring user account policies or using PowerShell scripts to modify account properties after the account is created.

If you want to explore potential solutions, consider the following steps:

1. Review the Intune device configuration profiles to identify any policies that might be enforcing these settings.
2. Use PowerShell scripts to automate the removal of unwanted registry keys or to modify user account settings after the device is enrolled.
3. Check if there are any specific security policies applied to kiosk user accounts that could be adjusted to prevent the password change requirement.

Unfortunately, without specific details about your Intune configuration, it may be challenging to pinpoint the exact policy causing these issues. You may also want to reach out to Microsoft support for more tailored assistance regarding these registry settings and user account policies.

References:

• Windows kiosks and restricted user experiences
• Set up HoloLens as a kiosk

Hello,

What you’re seeing is expected when a Windows device is enrolled into Intune. Those registry keys are created by Intune’s baseline compliance and device restriction policies, which enforce password and lock requirements even if you haven’t set them yourself. That’s why autologon stops working.

The reliable way to manage kiosks is to use Intune’s Windows Kiosk configuration profile. This profile is designed for single‑app or multi‑app kiosk scenarios, bypasses the default password enforcement, and provisions the kiosk account correctly without forcing a password change. Manual registry edits won’t last, as Intune will reapply the settings at the next sync.

Let me know how it goes, and if this answer helps, feel free to hit “Accept Answer” so others can benefit too 😊

Domic Vo.

Hi

I did choose the Kiosk mode option in Intune and this is deployed to the devices. But we still have the issues with the registry keys being created and this is probably as soon as the devices are joined to Intune. They are obviously getting the default settings straight away and, since I can't actually get access to the settings, I can't exclude the devices from getting them.

The only workaround I've seen is to run scripts after the fact to delete the registry keys. But was hoping someone could advise if there was a way to stop the settings being applied in the first place.

Thanks

Hi

I just added a script in Intune to delete the registry entries and this seems to work.

But the problem now is that autologon stops working again and I think it's because the kioskuser0 account has a blank password. According to MS documentation, if there is no password then the autoadminlogon registry key gets reset to 0, meaning it doesn't work.

What is very strange, though, is that I have 2 virtual machines in kiosk mode and these still seem to work. But a physical laptop doesn't. I don't know if it's just pot luck that the VMs work.

Anyone know how to get round this apart from just giving the user a password ? Seems to be a LOT of manual intervention needed to get this working.

Thanks