Let’s discuss Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune. Blocked URL Exceptions policy in Microsoft Intune helps to manage web access within the legacy Microsoft Kiosk Browser app on Windows devices set up in Kiosk mode.
This setting allows an organization to create a whitelist of specific website URLs that users are permitted to visit, even if those URLs fall within a broader list of blocked websites. It acts as a set of precise overrides for the general URL blocking policy.
You can use wildcards (like *.contoso.com) to match multiple URLs with a single rule. For example, you might block * (everything), but allow *.yourcompany.com. This policy applies specifically to the legacy Kiosk Browser app from the Microsoft Store, not the newer Microsoft Edge kiosk mode configuration.
By default, the Kiosk is locked down, preventing access to malicious sites, phishing scams, and unauthorized downloads. This drastically reduces the attack surface and safeguards the corporate network and sensitive data.
Table of Contents
Block URL Exceptions for Kiosk Browser to Enforce Least Privilege for Web Access using Intune
This policy provides many benefits for users, admins and organization. Once the policy is applied, the admin knows the device can only access the specified work sites. This predictability makes remote troubleshooting and auditing much easier. Ensures devices are used strictly for their intended purpose (e.g., self-service, check-in, digital signage).
- How Idle Time Controls Kiosk Browser Session Restart using Intune Policy
- Control Least Privilege App Container Sandbox for Printing Services in Edge Browser using Intune
- How to Export Privileged Identity Management Role Assignments in Entra ID using PowerShell
How to Configure Policy From Intune Portal
This policy is generally enabled (configured with a list of exceptions) when an organization needs to implement a highly restrictive browsing environment while still providing access to a few required external or internal resources. Follow the below steps to start policy configuration.
- Sign in to Microsoft Intune admin center.
- Then go to Devices > Configuration > +Create >+ New Policy.

Choosing Platform and Profile Type
Choosing Platform and Profile is the next step after selecting New policy. It is very necessary step to effectively configure the policy to appropriate platform. Here I would like to configure the policy to Windows 10 and later platform and settings catalog profile. Then click on the Create button.

Basic Tab for Naming Policy
Basic Tab is used to give an identity for the policy by adding name and description. Here Name is Mandatory and Description is optional. After adding these details click on the Next button.

Configure Windows Apps Run In Background
On this tab you can access +Add settings hyperlink to access specific settings. When you click on this hyperlink, you will get Settings Picker. Here, I would like to select the settings by browsing by Category. I choose Kiosk Browser. Then, I choose Blocked Url Exceptions settings.

Add Value for Policy
The applicable values are URLs that you want the Kiosk Browser to allow, even if those URLs are covered by a broader block in the separate KioskBrowser/BlockedURLs
policy (which may be set to block everything, e.g., *
).
- Here i use https://kioskportal.contoso.com/* url for this policy
- Then I click on the Next Button

Scope Tag for Block Url Exceptions Policy
Scope Tags sections help you add restrictions to the visibility of the Policy. But it is not a mandatory step, so you can skip this step. Here, I don’t add scope tags for Block Url Exceptions Policy. Click on the Next button.

Assignment Tab for Selecting Group
To assign the policy to specific groups, you can use the Assignment Tab. Here I click, +Add groups option under Included groups. I choose a group from the list of groups and click on the Select button. Again, I click on the Select button to continue.

Review + Create Tab
Before completing the policy creation, you can review each tab to avoid misconfiguration or policy failure. After verifying all the details, click on the Create Button. After creating the policy, you will get a success message.

Monitoring Status
The Monitoring Status page shows whether the policy has succeeded or not. To quickly configure the policy and take advantage of the policy sync, the device on the Company Portal, Open the Intune Portal. Go to Devices > Configuration > Search for the Policy. Here, the policy shows as successful.

Client Side Verification through Event Viewer
It helps you check the client side and verify the policy status. Open the Client device and open the Event Viewer. Go to Start > Event Viewer. Navigate to Logs: In the left pane, go to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
Event ID Details |
---|
MDM PolicyManager: Set policy string, Policy: (BlockedUrlExceptions), Area: (KioskBrowser), EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User: (Device), String: (https://kioskportal.contoso.com/*), Enrollment Type: (0x6), Scope: (0x0). |

Removing the Assigned Group from Block Url Exceptions Settings
If you want to remove the Assigned group from the policy, it is possible from the Intune Portal. To do this, open the Policy on Intune Portal and edit the Assignments tab and the Remove Policy.
To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.

How to Delete Block Url Exceptions
You can easily delete the Policy from the Intune Portal. From the Configuration section, you can delete the policy. It will completely remove it from the client devices.
For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

CSP Details
List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. This policy only applies to the Kiosk Browser app in Microsoft Store.
Description Framework Properties
The Description framework properties of Blocked Url Exceptions policy shows Property name and property Value. The below table shows the Details.
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: 0xF000 ) |

Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.