Security for Kiosk Baseline Machine

Separate Kiosk Baseline and Device Group

  • Create a dedicated Intune / Entra device group for the kiosk machines (e.g. “Kiosk Devices”).
  • Duplicate the current endpoint baseline(s) and create a Kiosk Baseline, scoped only to this group.
  • In that Kiosk Baseline, keep the core security controls (hardening, encryption, etc.), but tune:
    • Session/lock timeouts to match shift length (e.g. up to 8 hours) rather than every few minutes.
    • Power and sleep settings so the kiosks stay available during shifts.
  • Exclude the kiosk group from the generic “all devices” baseline to avoid conflicting policies.

Locked-Down Kiosk Experience (Single Website)

  • Use Microsoft Edge kiosk mode to present a single-app experience that:
    • Launches directly into the required SharePoint “screen”.
    • Restricts access to only that site (or a very small URL allowlist).
    • Hides the address bar and browser settings and blocks general web browsing and downloads.
  • Combined with your existing separate VLAN and firewall rules, this ensures the kiosks can only reach the intended application, even if someone tries to break out of the browser.
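As an added illustration (not part of the original recommendations), the following PowerShell shows what the Edge side of that lockdown looks like when expressed as the ADMX-backed Edge policies that Intune writes under HKLM\SOFTWARE\Policies\Microsoft\Edge, together with the kiosk-mode launch command. The SharePoint URL, the task of allowing the Microsoft sign-in host, and the idle-timeout value are assumptions for the example; the policy names (URLAllowlist, URLBlocklist, DownloadRestrictions, ClearBrowsingDataOnExit, DeveloperToolsAvailability) and the msedge.exe kiosk switches are documented Edge settings. Run it on a test kiosk before transcribing the values into the Kiosk Baseline.

```powershell
# Added example, not the memo's own configuration. Locks Edge to one SharePoint site:
# allowlist the site host, blocklist everything else, block downloads, wipe browsing
# data when Edge exits, and disable developer tools. Requires an elevated session.

$KioskUrl   = 'https://contoso.sharepoint.com/sites/floor-screen'   # placeholder URL
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Set-EdgeKioskPolicy {
    param([string]$Url, [string]$Root)

    New-Item -Path $Root -Force | Out-Null

    # Entries in the allowlist win over the blocklist, so "*" in the blocklist plus a
    # short allowlist yields "this site only". The sign-in host is an assumption: it is
    # needed only if SharePoint authentication has to complete inside the browser.
    $siteHost = ([System.Uri]$Url).Host
    $allow    = @($siteHost, 'login.microsoftonline.com')

    $allowKey = Join-Path $Root 'URLAllowlist'
    Remove-Item $allowKey -Recurse -ErrorAction SilentlyContinue
    New-Item $allowKey -Force | Out-Null
    $i = 1
    foreach ($entry in $allow) {
        New-ItemProperty -Path $allowKey -Name $i -Value $entry -PropertyType String -Force | Out-Null
        $i++
    }

    $blockKey = Join-Path $Root 'URLBlocklist'
    Remove-Item $blockKey -Recurse -ErrorAction SilentlyContinue
    New-Item $blockKey -Force | Out-Null
    New-ItemProperty -Path $blockKey -Name '1' -Value '*' -PropertyType String -Force | Out-Null

    # 3 = block all downloads; 1 = clear browsing data on exit; 2 = developer tools unavailable
    New-ItemProperty -Path $Root -Name 'DownloadRestrictions'       -Value 3 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Root -Name 'ClearBrowsingDataOnExit'    -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Root -Name 'DeveloperToolsAvailability' -Value 2 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Root -Name 'BrowserAddProfileEnabled'   -Value 0 -PropertyType DWord -Force | Out-Null
}

function Get-EdgeKioskCommand {
    # Fullscreen kiosk type hides the address bar and browser UI. The idle timeout
    # (assumed value) only resets the browser to the start page; Windows session
    # lock/logoff is governed separately by the Kiosk Baseline, so it can stay generous.
    param([string]$Url, [int]$IdleMinutes = 30)
    $edge = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
    "`"$edge`" --kiosk $Url --edge-kiosk-type=fullscreen --no-first-run --kiosk-idle-timeout-minutes=$IdleMinutes"
}

function Test-EdgeKioskPolicy {
    # Read back the effective values so the result can be checked (or captured for
    # the E8 exception evidence) after Intune has applied the baseline.
    param([string]$Root)
    $p = Get-ItemProperty -Path $Root
    [pscustomobject]@{
        Allowlist          = (Get-Item (Join-Path $Root 'URLAllowlist')).GetValueNames() |
                               ForEach-Object { (Get-ItemProperty (Join-Path $Root 'URLAllowlist')).$_ }
        BlocklistIsAll     = ((Get-ItemProperty (Join-Path $Root 'URLBlocklist')).'1' -eq '*')
        DownloadsBlocked   = ($p.DownloadRestrictions -eq 3)
        ClearDataOnExit    = ($p.ClearBrowsingDataOnExit -eq 1)
        DevToolsDisabled   = ($p.DeveloperToolsAvailability -eq 2)
    }
}

Set-EdgeKioskPolicy -Url $KioskUrl -Root $PolicyRoot
Test-EdgeKioskPolicy -Root $PolicyRoot
Get-EdgeKioskCommand -Url $KioskUrl
```

The command line is what the Assigned Access (kiosk) profile should launch for the kiosk account; the registry policies apply regardless of how Edge is started, so a user who somehow reached a normal Edge window would still be confined to the allowlist with downloads blocked.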

Accounts, MFA and Essential Eight

In an ideal world, each user would have an individual account, but we understand that is not practical for floor staff who only enter basic information. For now, we recommend:

  • Using a dedicated, locked-down kiosk account (or set of accounts) per kiosk function, with no admin rights and no access to other apps.
  • Documenting this as a formal business exception to the “no shared accounts” expectation in E8, with the following compensating controls:
    • Kiosks on a segregated VLAN with limited outbound access.
    • Edge kiosk mode locked to a single business application.
    • Application hardening and standard patching applied.
    • CAT Security tooling/logging/monitoring enabled for these devices.

This allows you to keep the user experience simple (no MFA prompts for floor staff) while still being able to demonstrate a controlled and risk-managed approach for E8.

Session Behaviour and HID Device

  • Configure session and idle timeouts so that kiosks log out on shift boundaries (e.g. every 6–8 hours) rather than every 15 minutes, to reduce disruption to staff going back and forth to the line.
  • If you proceed with the HID device, it can be used to streamline logon to the kiosk account, but we will ensure:
    • The HID is only associated with the kiosk account.
    • The underlying kiosk policies still enforce the security and session controls above.

Additional Considerations for Robustness

To ensure the solution is fully “audit-ready” and resilient, we suggest considering the following points:

  • Physical Security and Port Control: Ensure that unused physical ports (USB, Ethernet) are disabled or physically blocked to prevent unauthorised HID devices or “rubber ducky” style attacks from being introduced by passers-by.
  • Automated Reboot Schedule: We recommend a scheduled daily reboot (e.g., at 3:00 AM) via Intune to clear any hung sessions, refresh the browser cache, and ensure any pending security patches are applied and finalised.
  • Restricted Keyboard Shortcuts: Ensure that common “breakout” shortcuts (such as Alt+Tab, Ctrl+Alt+Del or Windows+L) are suppressed via the Intune Kiosk configuration profile to prevent users from reaching the underlying OS.
  • Data Sanitisation: Configure the Edge kiosk profile to clear all browser data (cookies, cache, and form data) upon the end of each session or at the scheduled logout to ensure no sensitive business data persists on the local disk.
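The scheduled reboot above is straightforward to implement as a Windows scheduled task that Intune pushes out as a PowerShell script (or Win32 app) running in the SYSTEM context. The script below is an added example, not the original recommendation; the task name, the 60-second grace period and the 10-minute execution limit are assumptions chosen for the kiosk scenario.

```powershell
# Added example, not the memo's own configuration. Registers a daily 3:00 AM restart
# under SYSTEM and returns a small status object so compliance can be verified.

$TaskName = 'Kiosk-DailyReboot'   # assumed task name

function Register-KioskRebootTask {
    param([string]$Name, [datetime]$At = (Get-Date '03:00'))

    # /r = restart, /f = force-close the kiosk session, /t 60 = 60-second grace with
    # an on-screen notice so a kiosk that is unexpectedly in use still gets warning.
    $action    = New-ScheduledTaskAction -Execute 'shutdown.exe' `
                     -Argument '/r /f /t 60 /c "Scheduled kiosk maintenance restart"'
    $trigger   = New-ScheduledTaskTrigger -Daily -At $At
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

    # StartWhenAvailable catches a missed 3:00 AM run (e.g. kiosk powered off overnight);
    # the time limit stops a stuck shutdown from lingering as a running task all day.
    $settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
                     -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
}

function Test-KioskRebootTask {
    # Returns $null if the task is missing; otherwise the facts an auditor would ask for.
    param([string]$Name)
    $task = Get-ScheduledTask -TaskName $Name -ErrorAction SilentlyContinue
    if (-not $task) { return $null }
    $info = Get-ScheduledTaskInfo -TaskName $Name
    [pscustomobject]@{
        TaskName     = $Name
        State        = $task.State
        NextRunTime  = $info.NextRunTime
        LastResult   = $info.LastTaskResult
        RunsAsSystem = ($task.Principal.UserId -eq 'SYSTEM')
    }
}

Register-KioskRebootTask -Name $TaskName
Test-KioskRebootTask -Name $TaskName
```

Because the script is idempotent (Register-ScheduledTask -Force replaces an existing task of the same name), it can be assigned to the Kiosk Devices group and safely re-run on every check-in; Test-KioskRebootTask doubles as a detection rule for a remediation script if Intune proactive remediation is in use.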

Once the technical configuration requirements have been determined, your final step will be to draft a short business exception statement for your E8 documentation.

Also, as a final comment, all baselines should be assigned to device groups only, not user groups. If any user groups are currently assigned, we recommend removing them, as mixing scopes “confuses” some settings and can lead to inconsistent policy application.
