SmartSign is a flexible digital signage platform that makes it easy to manage and display content across screens of any size. In this post, I’ll show how I build a Windows 11 kiosk with Intune to run SmartSign in production at several customer sites. This is the same configuration I use today, proven in real environments. Once it’s in place, deploying a new device is fully automated from start to finish. The result is a locked-down, reliable signage setup that requires almost no hands-on work.
Interested in Smartsign? Check this link. It's a really neat product for displays, and it does not need any IT involvement to update the information on the displays.
In this post, I am going to build a self-deploying Windows 11 kiosk for Smartsign using Autopilot and Microsoft Intune. The goal is simple: take a brand-new device, power it on, and let everything configure itself without any user interaction.
It’s a multi-app kiosk setup where SmartSign is the primary application, running as the digital signage platform, while Windows remains fully locked down in the background. This approach gives us the flexibility of multi-app kiosk mode, while still delivering a single-purpose device in practice.
We’ll walk through the overall flow, from Autopilot self-deployment and device enrollment, to installing SmartSign in the device context and applying kiosk restrictions. Along the way, we’ll look at how Intune handles app installation, policy enforcement, and Assigned Access during provisioning.
Finally, we’ll look at the end result: a Windows 11 device that goes from first boot to a ready-to-use SmartSign kiosk automatically. No local accounts, no manual setup, and no post-deployment configuration. This is the same pattern I use in production, and once it’s in place, rolling out a new kiosk is fully automated.
This blog is only about setting it up for Smartsign. Got another setup in mind? Check out these blog posts; they are really good posts on other multi-app setups.
How to setup Windows 11 kiosk Multi-App mode with Edge and the Windows App by Joery Van den Bosch.
Configuring multi-app kiosk mode on Windows 11 by Peter van der Woude.
Autopilot setup
We kick things off by creating a self-deploying Autopilot profile in Intune. This is what lets a Windows 11 device boot up, enroll, and configure itself with zero user input. Power on, connect to the network, and let it run. Autopilot joins the device to Entra ID, applies policies, and sets the stage for a locked-down kiosk without anyone touching a keyboard.
This is how I configured the self-deploying Autopilot profile:

As you can see, this is assigned to a group. That group is based on the group tag, so the tag is either set manually, or the provider of the devices registers them into Autopilot.

This group is used to assign the Autopilot enrollment profile, the policies for compliance, Windows Update, Assigned Access and power settings, and the Win32 app for Smartsign.
Note: Remember to exclude the SmartSign kiosk device from any apps or policies that are assigned to all devices by default. Anything not required for the kiosk can interfere with Autopilot, Assigned Access, or the SmartSign experience. Keep the device scope tight and intentional.
Assigned access configuration
We only need two policies: one CSP and one from the settings catalog.
Since Windows 11 multi-app kiosk mode cannot be configured via the settings catalog, we need to build an XML file and use the AssignedAccess CSP to apply it to our devices. This is the XML I use for Smartsign:
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
    xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
    xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config"
>
  <Profiles>
    <Profile Id="{85b87431-bd07-4642-a450-03a5ec94a405}">
      <AllAppsList>
        <AllowedApps>
          <App DesktopAppPath="C:\Program Files\Smartsign Windows Player\WatchGuard.exe" rs5:AutoLaunch="true"/>
          <App DesktopAppPath="C:\Program Files\Smartsign Windows Player\WatchGuard.exe /config"/>
          <App DesktopAppPath="C:\Program Files\Smartsign Windows Player\Winplayer.exe"/>
          <App DesktopAppPath="C:\Program Files\Smartsign Windows Player\Winplayer.subprocess.exe"/>
          <App DesktopAppPath="C:\Program Files\Smartsign Windows Player\Smartsign Player Guardian.exe"/>
        </AllowedApps>
      </AllAppsList>
      <rs5:FileExplorerNamespaceRestrictions>
        <v3:NoRestriction />
      </rs5:FileExplorerNamespaceRestrictions>
      <v5:StartPins>
        <![CDATA[{
          "pinnedList": [
            {"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Smartsign Windows Player\\Smartsign Windows Player.lnk"},
            {"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Smartsign Windows Player\\Smartsign Windows Player Configuration.lnk"}
          ]
        }]]>
      </v5:StartPins>
      <Taskbar ShowTaskbar="false"/>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <AutoLogonAccount rs5:DisplayName="Smartsign Kiosk"/>
      <DefaultProfile Id="{85b87431-bd07-4642-a450-03a5ec94a405}"/>
    </Config>
  </Configs>
</AssignedAccessConfiguration>
There are a few EXE file dependencies we need to have in there so Smartsign can work properly. Remember to create a unique GUID for the profile. I use New-GUID to generate one.
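A pre-upload check for the XML above, as an added example that is not part of the original post. It assumes the XML is saved locally under the hypothetical name SmartsignKiosk.xml, that this kiosk wants exactly one auto-launched app, and that allowed executables should sit under Program Files or Windows, where a kiosk user cannot write.

```powershell
# Added example: lint an Assigned Access XML before uploading it to Intune.
# $Path is a hypothetical local file name for the XML shown above.
param([string]$Path = '.\SmartsignKiosk.xml')

$doc = New-Object System.Xml.XmlDocument
$doc.Load((Resolve-Path -LiteralPath $Path).ProviderPath)  # throws if the XML is not well-formed

$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('aa',  'http://schemas.microsoft.com/AssignedAccess/2017/config')
$ns.AddNamespace('rs5', 'http://schemas.microsoft.com/AssignedAccess/201810/config')

$problems = New-Object System.Collections.Generic.List[string]
$profiles = @($doc.SelectNodes('//aa:Profiles/aa:Profile', $ns))
$ids      = @($profiles | ForEach-Object { $_.GetAttribute('Id') })

# Each profile Id must parse as a GUID and appear only once in the file.
foreach ($id in $ids) {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($id, [ref]$parsed)) { $problems.Add("Profile Id is not a GUID: '$id'") }
}
$ids | Group-Object | Where-Object Count -gt 1 |
    ForEach-Object { $problems.Add("Profile Id used more than once: $($_.Name)") }

# DefaultProfile must point at a profile defined in this file.
foreach ($default in $doc.SelectNodes('//aa:Configs/aa:Config/aa:DefaultProfile', $ns)) {
    $defaultId = $default.GetAttribute('Id')
    if ($ids -notcontains $defaultId) { $problems.Add("DefaultProfile references unknown profile: $defaultId") }
}

foreach ($p in $profiles) {
    $apps = @($p.SelectNodes('aa:AllAppsList/aa:AllowedApps/aa:App', $ns))
    # Assumption for this signage profile: exactly one app starts at sign-in.
    $auto = @($apps | Where-Object { $_.GetAttribute('AutoLaunch', $ns.LookupNamespace('rs5')) -eq 'true' })
    if ($auto.Count -ne 1) { $problems.Add("Expected 1 AutoLaunch app, found $($auto.Count)") }
    # Assumption: allowed executables belong in directories a standard user cannot modify.
    foreach ($app in $apps) {
        $exe = $app.GetAttribute('DesktopAppPath')
        if ($exe -and $exe -notmatch '^(C:\\Program Files( \(x86\))?|C:\\Windows|%ProgramFiles%|%windir%)\\') {
            $problems.Add("Allowed app outside a protected directory: $exe")
        }
    }
}

if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "OK: $($profiles.Count) profile(s) passed the checks."
```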
The next important setting is ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers, which prevents local users from being listed on the sign-in screen. With this enabled, the kiosk account stays hidden and Windows boots cleanly into the assigned access flow, keeping the device focused on its single job.
Create a Custom policy

Add the CSP settings for AssignedAccess and EnumerateLocalUsersOnDomainJoinedComputers:

The OMA-URI is: ./Vendor/MSFT/AssignedAccess/Configuration
It's a String from file. Upload the XML from above.

The OMA-URI is: ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers
It's a String and the value is: <enabled/>

Power Settings
For a signage kiosk, the device must stay awake at all times. Make sure power and sleep settings are configured in Intune so the device never goes to sleep, turns off the display, or suspends due to inactivity. The screen should always be on and showing information, no matter the time of day. I create a policy based on the settings catalog and apply it to the same group:


Windows update
This depends on how you want to handle updates, but I make sure that updates and reboots happen automatically, and only on Sundays, when more or less no one is at the office.
Application setup
Smartsign is just an MSI from the vendor, but if you install it manually you can configure the server and server settings. These are then stored in a file, player.config. So before wrapping it into a Win32 app package, create a script or use PSADT, which I do, to copy the file once the app is installed.
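The script option mentioned above, as an added example that is not the author's PSADT package. The post names neither the MSI file nor the folder where the player reads player.config, so both are mandatory parameters here, and the log path is a hypothetical choice.

```powershell
# Added example: install script for the Win32 app package.
# Installs the vendor MSI silently, then copies a prepared player.config into place.
param(
    [Parameter(Mandatory)] [string]$MsiName,          # assumption: vendor MSI packaged next to this script
    [Parameter(Mandatory)] [string]$ConfigDirectory   # assumption: folder where the player reads player.config
)
$ErrorActionPreference = 'Stop'

$msi    = Join-Path $PSScriptRoot $MsiName
$source = Join-Path $PSScriptRoot 'player.config'
$target = Join-Path $ConfigDirectory 'player.config'
$log    = Join-Path $env:ProgramData 'SmartsignInstall.log'   # hypothetical log location

# Fail early if the package is incomplete, before anything is installed.
foreach ($file in $msi, $source) {
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        Write-Error "Missing package file: $file"
    }
}

# Silent install in device context; 3010 means success with a pending reboot.
$msiArgs = "/i `"$msi`" /qn /norestart /l*v `"$log`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    exit $proc.ExitCode     # surface the MSI error code to Intune
}

# Copy the prepared configuration only after the install has succeeded.
if (-not (Test-Path -LiteralPath $ConfigDirectory -PathType Container)) {
    Write-Error "Config directory not found after install: $ConfigDirectory"
}
Copy-Item -LiteralPath $source -Destination $target -Force

# Verify the copy so a half-configured player is reported as a failed install.
$expected = (Get-FileHash -LiteralPath $source -Algorithm SHA256).Hash
$actual   = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
if ($expected -ne $actual) {
    Write-Error 'player.config on disk does not match the packaged file.'
}

exit $proc.ExitCode
```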
Good to go
So once we have the device in Autopilot with the correct group tag, and it has our deployment profile assigned, we are ready to go.
Start up the device and it should boot straight into OOBE, start running Autopilot, install whatever it needs, reboot, log on automatically and start Smartsign. Smartsign connects to the server and starts showing information on the screen.