Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune

Let’s discuss Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune. Blocked URL Exceptions policy in Microsoft Intune helps to manage web access within the legacy Microsoft Kiosk Browser app on Windows devices set up in Kiosk mode.

This setting allows an organization to create a whitelist of specific website URLs that users are permitted to visit, even if those URLs fall within a broader list of blocked websites. It acts as a set of precise overrides for the general URL blocking policy.

You can use wildcards (like *.contoso.com) to match multiple URLs with a single rule. For example, you might block * (everything), but allow *.yourcompany.com. This policy applies specifically to the legacy Kiosk Browser app from the Microsoft Store, not the newer Microsoft Edge kiosk mode configuration.

By default, the Kiosk is locked down, preventing access to malicious sites, phishing scams, and unauthorized downloads. This drastically reduces the attack surface and safeguards the corporate network and sensitive data.

Patch My PC

Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune

This policy provides many benefits for users, admins and organization. Once the policy is applied, the admin knows the device can only access the specified work sites. This predictability makes remote troubleshooting and auditing much easier. Ensures devices are used strictly for their intended purpose (e.g., self-service, check-in, digital signage).

How to Configure Policy From Intune Portal

This policy is generally enabled (configured with a list of exceptions) when an organization needs to implement a highly restrictive browsing environment while still providing access to a few required external or internal resources. Follow the below steps to start policy configuration.

Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune - Fig.1
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune – Fig.1

Choosing Platform and Profile Type

Choosing Platform and Profile is the next step after selecting New policy. It is very necessary step to effectively configure the policy to appropriate platform. Here I would like to configure the policy to  Windows 10 and later platform and settings catalog profile. Then click on the Create button.

Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune - Fig.2
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune – Fig.2

Basic Tab for Naming Policy

Basic Tab is used to give an identity for the policy by adding name and description. Here Name is Mandatory and Description is optional. After adding these details click on the Next button.

Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune - Fig.3
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune – Fig.3

Configure Windows Apps Run In Background

On this tab you can access +Add settings hyperlink to access specific settings. When you click on this hyperlink, you will get Settings Picker. Here, I would like to select the settings by browsing by Category. I choose Kiosk Browser. Then, I choose Blocked Url Exceptions settings.

Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune - Fig.4
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune – Fig.4

Add Value for Policy

The applicable values are URLs that you want the Kiosk Browser to allow, even if those URLs are covered by a broader block in the separate KioskBrowser/BlockedURLs policy (which may be set to block everything, e.g., *).

Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune - Fig.5
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune – Fig.5

Scope Tag for Block Url Exceptions Policy

Scope Tags sections help you add restrictions to the visibility of the Policy. But it is not a mandatory step, so you can skip this step. Here, I don’t add scope tags for Block Url Exceptions Policy. Click on the Next button.

Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune - Fig.6
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune – Fig.6

Assignment Tab for Selecting Group

To assign the policy to specific groups, you can use the Assignment Tab. Here I click, +Add groups option under Included groups. I choose a group from the list of groups and click on the Select button. Again, I click on the Select button to continue.

Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune - Fig.7
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune – Fig.7

Review + Create Tab

Before completing the policy creation, you can review each tab to avoid misconfiguration or policy failure. After verifying all the details, click on the Create Button. After creating the policy, you will get a success message.

Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune - Fig.8
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune – Fig.8

Monitoring Status

The Monitoring Status page shows whether the policy has succeeded or not. To quickly configure the policy and take advantage of the policy sync, the device on the Company Portal, Open the Intune Portal. Go to Devices > Configuration > Search for the Policy. Here, the policy shows as successful.

Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune - Fig.9
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune – Fig.9

Client Side Verification through Event Viewer

It helps you check the client side and verify the policy status. Open the Client device and open the Event Viewer. Go to Start > Event Viewer. Navigate to Logs: In the left pane, go to Application and Services Logs > Microsoft >  Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

Event ID Details
MDM PolicyManager: Set policy string, Policy: (BlockedUrlExceptions), Area: (KioskBrowser),
EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User:
(Device), String: (https://kioskportal.contoso.com/*), Enrollment Type: (0x6), Scope: (0x0).
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune – Table.1
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune - Fig.10
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune – Fig.10

Removing the Assigned Group from Block Url Exceptions Settings

If you want to remove the Assigned group from the policy, it is possible from the Intune Portal. To do this, open the Policy on Intune Portal and edit the Assignments tab and the Remove Policy.

To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.

Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune - Fig.11
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune – Fig.11

How to Delete Block Url Exceptions 

You can easily delete the Policy from the Intune Portal. From the Configuration section, you can delete the policy. It will completely remove it from the client devices.

For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune - Fig.12
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune – Fig.12

CSP Details

List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. This policy only applies to the Kiosk Browser app in Microsoft Store.

Description Framework Properties

The Description framework properties of Blocked Url Exceptions policy shows Property name and property Value. The below table shows the Details.

Property nameProperty value
Formatchr (string)
Access TypeAdd, Delete, Get, Replace
Allowed ValuesList (Delimiter: 0xF000)
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune – Table.2
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune - Fig.13
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune – Fig.13

Need Further Assistance or Have Technical Questions?

Join the LinkedIn Page and Telegram group to get the step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.

Author

Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM,  Windows,  Cloud PC,  Entra, Microsoft Security, Career, etc.

Leave a Comment