Windows 10 Kiosk Mode without Intune – Notes from the field


I was recently tasked with deploying Windows 10 Kiosk Mode for a customer. This is without Intune.

Kiosk Mode can be easily deployed via Intune but if you are not using that as a deployment mechanism then it’s still possible but requires a bit more manual graft. There were some interesting observations along the way so I’ll capture these in this document and hopefully this will help you avoid the pitfalls.

So, the plan was to deploy a multi-app kiosk. Multi-app kiosks are supported from Windows 10 1709 onward, so make sure you have at least this version on your device. I’m going to be mentioning certain baselines here, since certain features are only available on certain baselines, or simply because I had problems and the fixes were to deploy a particular release or hotfix. Make sure, also, that you are running either the Enterprise, Education, Pro or S SKU. Windows 10 Home is not supported.

Kiosks use the Assigned Access CSP feature and you can read about this here. Applications can be either Win32 apps or UWP apps. For UWP apps you must provide the App User Model ID (AUMID), and for Win32 apps the full path of the executable file, in your allowed apps list; we’ll take a look at this shortly.

The basics of kiosk mode are that we must create an XML file which contains a profile, or set of profiles, which are assigned to configs. The wording from Microsoft is as follows:

  • A configuration xml can define multiple profiles. Each profile has a unique Id and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout.
  • A configuration xml can have multiple config sections. Each config section associates a non-admin user account to a default profile Id.
  • Multiple config sections can be associated to the same profile.
  • A profile has no effect if it’s not associated to a config section.

For the example here, we are going to keep it simple by creating one profile and one config.

Start off by generating a unique GUID which will be used to associate the profile with the config. You can do this online. I’ve used the site https://www.guidgenerator.com/online-guid-generator.aspx.

Now we can start to construct the XML file. Microsoft has lots of examples in their documentation so let’s take an example from there with my generated GUID added.

<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
>
    <Profiles>
        <Profile Id="{bc38b341-6836-449d-ad4f-49672ab8e8a2}">
            <AllAppsList>
                <AllowedApps>
                    ...
                </AllowedApps>
            </AllAppsList>
            <rs5:FileExplorerNamespaceRestrictions>
                <rs5:AllowedNamespace Name="Downloads"/>
            </rs5:FileExplorerNamespaceRestrictions>
            <StartLayout>
                ...
            </StartLayout>
            <Taskbar ShowTaskbar="true"/>
        </Profile>
    </Profiles>
</AssignedAccessConfiguration>

This example is the basic structure of the <PROFILE> section of the XML. Here assigned apps, start menu layout and Taskbar status can be defined.

Let’s expand this out slightly and add in some detail.

<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:r1809="http://schemas.microsoft.com/AssignedAccess/201810/config"
>
    <Profiles>
        <Profile Id="{bc38b341-6836-449d-ad4f-49672ab8e8a2}">
            <AllAppsList>
                <AllowedApps>
                    <App DesktopAppPath="C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" r1809:AutoLaunch="true" />
                    <App DesktopAppPath="C:\Program Files\Internet Explorer\IEXPLORE.EXE" />
                    <App DesktopAppPath="C:\WINDOWS\SYSTEM32\CMD.EXE" />
                </AllowedApps>
            </AllAppsList>
            <StartLayout>
                <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="Microsoft.InternetExplorer.Default"  />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>
                ]]>
            </StartLayout>
            <Taskbar ShowTaskbar="true"/>
        </Profile>
    </Profiles>
    <Configs>
        <Config>
            <Account>temp</Account>
            <DefaultProfile Id="{bc38b341-6836-449d-ad4f-49672ab8e8a2}"/>
        </Config>
    </Configs>
</AssignedAccessConfiguration>

So what’s been added here?

Well, I want to allow Internet Explorer and CMD to run on my kiosk, so I have defined these in the AllowedApps tags. For Internet Explorer I have also set the attribute r1809:AutoLaunch="true". This is a new feature from Windows 10 1809: the ability to auto launch an app. You also have to add the line xmlns:r1809="http://schemas.microsoft.com/AssignedAccess/201810/config" in the <AssignedAccessConfiguration> section of the XML.

Note from the field – take a look at the code in the example from Microsoft and compare it with what I have added. xmlns:rs5= or xmlns:r1809=? Well, MS has mixed messages, since their documentation references each, but xmlns:r1809= is the one to use. They need to update their documentation to reflect this.

Note from the field – I’ve had zero success autolaunching when using Windows 10 1809, even though the code is written for it. Maybe I needed a hotfix but nothing is stated. In the end, I pushed 1903 out to the endpoint and the code works perfectly.

What else is happening in the code? Well I have set a Start Menu to display my IE and CMD shortcuts and I’m allowing the taskbar to be shown.

I’ve also created the <CONFIG> section and in this I am creating a link between the <CONFIG> and <PROFILE> section via DefaultProfile Id=. The GUID matches that of the Profile Id= in the <PROFILE> section. Therefore, the account associated with the <CONFIG> will have the <PROFILE> settings applied to it when logged in.

I have referenced a local account in the <ACCOUNT> tag, <Account>temp</Account>; however this can be a domain account, referenced as domain\account, or an Azure AD account.

Note from the field – when applying the XML the account must exist for the XML to apply successfully.

There is other functionality which you can add to the XML, such as configuring automatic logon, changing the display name which appears when logging in, or allowing access to the Downloads folder for storage. As I say, I’m keeping this simple and showing you the basics to get up and running. Check out Set up a multi-app kiosk for more tips.
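As an added example (not code from the original post), here is a pre-flight check script that parses the XML before you inject it and catches the pitfalls described above: the namespace URIs (http, not https), the Profile/Config GUID link, the local account existing, the AutoLaunch attribute being bound to the 201810 namespace, and DesktopAppPath targets missing on disk. The file path, the parameter name and the warning on UNC paths (taken from the reader reports in the comments) are assumptions made for the example.

```powershell
# Added example, not from the original post. Pre-flight checks for an Assigned Access XML.
# Usage (elevated PowerShell, does not need SYSTEM):  .\Test-KioskXml.ps1 -XmlPath .\kiosk.xml
param(
    [string]$XmlPath = "$PSScriptRoot\kiosk.xml"   # assumed default location
)

[xml]$doc = Get-Content -LiteralPath $XmlPath -Raw   # throws if the XML is not well-formed
$root = $doc.DocumentElement

# Namespace URIs the CSP expects. Note http, not https: a pasted https:// URI still parses,
# but it is a different namespace, so the elements are not recognised.
$nsBase = 'http://schemas.microsoft.com/AssignedAccess/2017/config'
$ns1809 = 'http://schemas.microsoft.com/AssignedAccess/201810/config'
$nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$nsm.AddNamespace('aa', $nsBase)

$problems = New-Object System.Collections.Generic.List[string]

if ($root.NamespaceURI -ne $nsBase) {
    $problems.Add("Root namespace is '$($root.NamespaceURI)', expected '$nsBase'")
}

# 1. Profile ids declared, and every Config's DefaultProfile must point at one of them
#    (a profile with no Config has no effect; a Config with an unknown id is an error).
$profileIds = @($doc.SelectNodes('/aa:AssignedAccessConfiguration/aa:Profiles/aa:Profile', $nsm) |
    ForEach-Object { $_.GetAttribute('Id') })
if ($profileIds.Count -eq 0) { $problems.Add('No <Profile> elements found') }

$configs = $doc.SelectNodes('/aa:AssignedAccessConfiguration/aa:Configs/aa:Config', $nsm)
if ($configs.Count -eq 0) { $problems.Add('No <Config> elements: profiles only apply when a Config references them') }

foreach ($cfg in $configs) {
    $dp = $cfg.SelectSingleNode('aa:DefaultProfile', $nsm)
    if (-not $dp) {
        $problems.Add('Config has no <DefaultProfile>')
    } elseif ($profileIds -notcontains $dp.GetAttribute('Id')) {
        $problems.Add("Config references unknown profile Id $($dp.GetAttribute('Id'))")
    }

    # 2. The account named in <Account> must exist before the XML is applied.
    #    Only local accounts are checked here; domain\user and AAD accounts are skipped.
    $acct = $cfg.SelectSingleNode('aa:Account', $nsm)
    if ($acct -and $acct.InnerText -notmatch '\\|@') {
        if (-not (Get-LocalUser -Name $acct.InnerText -ErrorAction SilentlyContinue)) {
            $problems.Add("Local account '$($acct.InnerText)' does not exist; create it before applying")
        }
    }
}

# 3. Allowed apps: the path must exist on this device, and AutoLaunch must be an
#    attribute in the 201810 namespace (whichever prefix you bound to that URI).
$autoLaunch = 0
foreach ($app in $doc.SelectNodes('//aa:AllowedApps/aa:App', $nsm)) {
    $path = $app.GetAttribute('DesktopAppPath')
    if ($path) {
        if ($path -like '\\*') {
            # Assumption taken from the comment thread: UNC/mapped paths are reported not to work.
            $problems.Add("UNC path in DesktopAppPath ($path): readers report these are not honoured")
        } elseif (-not (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($path)))) {
            $problems.Add("DesktopAppPath not found on this device: $path")
        }
    } elseif (-not $app.GetAttribute('AppUserModelId')) {
        $problems.Add('<App> has neither DesktopAppPath nor AppUserModelId')
    }
    foreach ($attr in $app.Attributes) {
        if ($attr.LocalName -eq 'AutoLaunch') {
            if ($attr.NamespaceURI -ne $ns1809) {
                $problems.Add("AutoLaunch on '$path' is bound to '$($attr.NamespaceURI)', expected '$ns1809'")
            } elseif ($attr.Value -eq 'true') { $autoLaunch++ }
        }
    }
}
if ($autoLaunch -gt 1) { $problems.Add("$autoLaunch apps set AutoLaunch=true; only one app can auto launch") }

if ($problems.Count -eq 0) {
    Write-Host "OK: $XmlPath passed pre-flight checks"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it on the device that will become the kiosk, since the path and account checks look at the local machine. A non-zero exit code makes it easy to gate a Task Sequence step on the result.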

With our XML ready to go we can apply the code by wrapping this in PowerShell and using the MDM bridge to apply.

So we enter

# Namespace and class exposed by the MDM bridge (WMI to CSP)
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
# The bridge expects the XML HTML-encoded, so encode the here-string before assigning it
Add-Type -AssemblyName System.Web
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
<OUR XML CODE>
"@)
# Write the configuration back through the bridge
Set-CimInstance -CimInstance $obj

Here’s my example. You can download the code from here:

# Namespace and class exposed by the MDM bridge (WMI to CSP)
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
# The bridge expects the XML HTML-encoded, so encode the here-string before assigning it
Add-Type -AssemblyName System.Web
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:r1809="http://schemas.microsoft.com/AssignedAccess/201810/config"
>
    <Profiles>
        <Profile Id="{bc38b341-6836-449d-ad4f-49672ab8e8a2}">
            <AllAppsList>
                <AllowedApps>
                    <App DesktopAppPath="C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" r1809:AutoLaunch="true" />
                    <App DesktopAppPath="C:\Program Files\Internet Explorer\IEXPLORE.EXE" />
                    <App DesktopAppPath="C:\WINDOWS\SYSTEM32\CMD.EXE" />
                </AllowedApps>
            </AllAppsList>
            <StartLayout>
                <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="Microsoft.InternetExplorer.Default"  />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>
                ]]>
            </StartLayout>
            <Taskbar ShowTaskbar="true"/>
        </Profile>
    </Profiles>
    <Configs>
        <Config>
            <Account>temp</Account>
            <DefaultProfile Id="{bc38b341-6836-449d-ad4f-49672ab8e8a2}"/>
        </Config>
    </Configs>
</AssignedAccessConfiguration>
"@)
# Write the configuration back through the bridge
Set-CimInstance -CimInstance $obj

To inject this, we need to be running as SYSTEM. If you are using ConfigMgr to apply the PowerShell then this is nice and simple as you can simply deploy out in your Task Sequence as a Run PowerShell script step.

To manually do it follow these steps:

  • Grab a copy of PsTools.
  • From an administrator CMD prompt run psexec -i -s cmd to launch CMD as SYSTEM.

A quick whoami will confirm you are running as SYSTEM.

Launch PowerShell from CMD and run Set-ExecutionPolicy Unrestricted. Then run the PS1 script containing the code. If you get an error you may need to validate your code. As I mentioned earlier, make sure your account exists or can be referenced.

I’m using the local temp account but it’s not been defined.

After creating the account I can inject the PS1 code successfully.

You can use the first three lines of the PS1 script to query the AssignedAccess MDM to ensure that the code has been injected OK, or if you update the code and re-inject and need to check your changes have been accepted.

Check the $Obj variable to confirm.
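As an added example (not code from the original post), the script below does the read-back check described above in a more explicit way: it queries the AssignedAccess MDM class, decodes the stored XML, prints the profiles, allowed apps and config-to-profile links, and optionally compares the stored document with the XML file you injected so you can tell whether a re-inject took. The parameter name, and the assumption that the bridge may hand the value back HTML-encoded, are mine.

```powershell
# Added example, not from the original post. Reads the applied Assigned Access
# configuration back through the MDM bridge and summarises it. Run as SYSTEM, like
# the injection script.  Usage:  .\Get-KioskConfig.ps1 [-XmlPath .\kiosk.xml]
param(
    [string]$XmlPath   # assumed: path of the XML you injected, to compare against
)

Add-Type -AssemblyName System.Web

$obj = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_AssignedAccess' -ErrorAction Stop
if (-not $obj) {
    Write-Warning 'No MDM_AssignedAccess instance returned. Check you are SYSTEM and on a supported SKU (Home is not).'
    return
}
if ([string]::IsNullOrWhiteSpace($obj.Configuration)) {
    Write-Warning 'Configuration is empty: no multi-app kiosk XML has been applied on this device.'
    return
}

# Assumption: the bridge may hand the XML back HTML-encoded, as it was written.
# HtmlDecode leaves already-plain XML untouched, so decode unconditionally.
$text = [System.Web.HttpUtility]::HtmlDecode($obj.Configuration)
$cfg = New-Object System.Xml.XmlDocument
try {
    $cfg.LoadXml($text)
} catch {
    Write-Warning "Stored configuration is not well-formed XML: $($_.Exception.Message)"
    $text
    return
}

$nsm = New-Object System.Xml.XmlNamespaceManager($cfg.NameTable)
$nsm.AddNamespace('aa', 'http://schemas.microsoft.com/AssignedAccess/2017/config')

foreach ($p in $cfg.SelectNodes('//aa:Profile', $nsm)) {
    "Profile $($p.GetAttribute('Id'))"
    foreach ($app in $p.SelectNodes('.//aa:AllowedApps/aa:App', $nsm)) {
        $target = $app.GetAttribute('DesktopAppPath')
        if (-not $target) { $target = 'AUMID ' + $app.GetAttribute('AppUserModelId') }
        "    app: $target"
    }
    $tb = $p.SelectSingleNode('aa:Taskbar', $nsm)
    if ($tb) { "    taskbar: $($tb.GetAttribute('ShowTaskbar'))" }
}
foreach ($c in $cfg.SelectNodes('//aa:Config', $nsm)) {
    $acct = $c.SelectSingleNode('aa:Account', $nsm)
    $prof = $c.SelectSingleNode('aa:DefaultProfile', $nsm)
    $who = if ($acct) { $acct.InnerText } else { '(no <Account>; auto logon or other config)' }
    "Config account=$who -> profile $($prof.GetAttribute('Id'))"
}

# Re-inject check: XmlDocument drops insignificant whitespace by default, so comparing
# OuterXml ignores indentation differences while still catching a changed element or attribute.
if ($XmlPath) {
    $local = New-Object System.Xml.XmlDocument
    $local.Load((Resolve-Path -LiteralPath $XmlPath).Path)
    if ($local.DocumentElement.OuterXml -eq $cfg.DocumentElement.OuterXml) {
        'Stored configuration matches the file.'
    } else {
        Write-Warning 'Stored configuration differs from the file: the re-inject may not have taken.'
    }
}
```

If the instance comes back with an empty Configuration, that is the symptom several readers report below on Home SKUs or when not running as SYSTEM, so check those two things before suspecting the XML.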

Now when logging in as the assigned user the lockdowns and assigned access will take effect.

If anything fails to run, check the AppLocker log on the device for blocks and update your XML file with the correct details.

Note from the field – There is a bug with printing from IE and you must run Windows 10 1903 with the latest October KBs to fix the problem. The error reports as a block in policy. The problem is also resolved in Windows 10 1909.

Note from the field – AppLocker blocked me from running CMD from anywhere except from the Start Menu tile, which points to the location %APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk. I was attempting to run the shortcut to CMD from another location on the C: drive. Not sure why this happened. Most kiosks wouldn’t want to allow CMD in the first instance but this was something I noted as part of my testing. Be aware.
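As an added example (not code from the original post), the script below does the "check the AppLocker log" step for you: it pulls the recent AppLocker block events, groups them by the path that was blocked (which is what you need to correct in AllowedApps, as with the CMD shortcut case above), and then lists recent events from the Assigned Access channels. The look-back parameter and the two Assigned Access channel names are assumptions; the AppLocker channel names and event IDs (8004 for a blocked EXE/DLL, 8007 for a blocked script/MSI) are the standard ones.

```powershell
# Added example, not from the original post. Summarises recent AppLocker blocks and
# Assigned Access events so a "blocked" app on the kiosk can be traced to a path
# and fixed in the XML. Run elevated on the kiosk device.
param([int]$Hours = 24)   # look-back window, an assumption for the example
$since = (Get-Date).AddHours(-$Hours)

# AppLocker channels and IDs: 8004 = EXE/DLL blocked, 8007 = script/MSI blocked.
$filters = @(
    @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8004; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8007; StartTime = $since }
)
$blocked = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
        # FilePath and TargetUser (a SID) are carried in the event's UserData block
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Channel = $_.LogName
            Path    = $d.FilePath
            User    = $d.TargetUser
        }
    }
}

if (-not $blocked) {
    'No AppLocker blocks in the window: the failure is probably not an allow-list miss.'
} else {
    'AppLocker blocks, grouped by path (the path to add, or correct, in <AllowedApps>):'
    $blocked | Group-Object Path | Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'Last'; e = { ($_.Group | Sort-Object Time)[-1].Time } } |
        Format-Table -AutoSize
}

# Assigned Access's own channels (assumed names). A channel that does not exist on this
# build is silently skipped; the Event ID 31000 sign-out a reader reports below shows up here.
foreach ($log in 'Microsoft-Windows-AssignedAccess/Admin', 'Microsoft-Windows-AssignedAccessBroker/Admin') {
    "--- $log ---"
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}
```

Reading the path from the event's UserData rather than from the message text keeps the output stable across language packs, and the grouped count shows at a glance whether a single tile or shortcut is the culprit.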

With everything up and running you’ll have a locked down kiosk in full effect.

Feel free to comment with your experiences and let me know how you got on with adding in auto logon, folder access and more.


  1. Excellent post and very handy. 2 quick questions.
    1. I would like apply screen saver for the Multi-app KIOSK section. Any idea to do so?
    2. How to remove all the Multi-app KIOSK setting?
    Thanks.

    1. Ronald
      1. You can apply the screensaver as normal to the device and use GPO to assign it. I was happily running a .scr file in my multi-app kiosk
      2. I’m sure I read some MS docs on how to remove the assigned access XML but I’ve not been able to find them again since doing so. MS do state though, that due to the nature of the applied settings, then a factory reset of the device is the only way to get rid of all the settings and policies.

    2. Hello,
      A question to see if you could help me.
      When performing an installation with multi-apps as you indicate, I have added a domain user with “”
      The problem I have is to log in the user directly closes the session.
      Event ID: 31000

      Error Could not find group name. regarding assigned access for current user, logging off …

      Operating system version 20h2.

      1. Not possible at present. An option would be to just apply the GPOs which kiosk mode utilises, create your own AppLocker policies and not apply the AssignedAccess. Cheers Paul

  2. Hello,
    Firstly, I’d like to say thank you for the post as it was an interesting read.
    Secondly, I’d like to address potential security leaks.

    0.) The Use of PSExec
    — This is old and a security nightmare.
    — Consider switching to PSRemoting. https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands
    — If it’s ABSOLUTELY necessary as one time use, PSExec shouldn’t be all to bad. Just remember to lock your Admin$ and C$ shares after.

    1.) Powershell Execution Policy
    — You don’t have to set the global execution policy to unrestricted.
    — This can (and most likely will) be forgotten and any malicious scripts can be ran at free range.
    — Instead use the following;
    — powershell.exe -ExecutionPolicy Bypass -File .\KioskXML.ps1

    Thirdly, no need to visit a 3rd party website for GUID generation. You can use powershell to do this!
    In powershell, type the following;
    [guid]::NewGuid() | Select -Property guid -ExpandProperty guid | Set-Clipboard

    Conclusion,
    Thanks for the article as it was helpful to understand how to run this without the use of Intune.
    I was able to successfully run this on one of my labs.

    Thank you and Happy Holidays!

    1. Thanks for this info IT Guy. Worth noting that the method to run psexec is taken direct from MS docs. I’m only doing this to manually apply the ps script when testing but using MEMCM via a TS to actually apply the script and using the bypass parameter 😉 Cheers Paul

  3. I copied your code and created a test profile to test. I ran the script according to the directions you provided and I am getting the following error:

    The property ‘Configuration’ cannot be found on this object. Verify that the
    property exists and can be set.
    At line:5 char:1
    + $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@”
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

    Set-CimInstance : Cannot bind argument to parameter ‘InputObject’ because it is
    null.
    At line:60 char:30
    + Set-CimInstance -CimInstance $obj
    + ~~~~
    + CategoryInfo : InvalidData: (:) [Set-CimInstance], ParameterBind
    ingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Mi
    crosoft.Management.Infrastructure.CimCmdlets.SetCimInstanceCommand

    When I check the $obj variable in powershell I do not get any configurations as you did in your example. Can you offer some advice on this issue?

    I am using Win 10, 1809.

    Thanks

      1. Thank you for the quick reply. I will try it on the 1903 image and see what results I get.

      2. Cheers Steven. I know there are certain things which worked out of the box for us in 1903 which didn’t in 1809 – such as the autolaunch. I’d be interested to see where you get with this.

  4. Hello!
    I’m trying to follow your instructions in this post but i have problems importing code into $obj.
    PowerShell doesn’t recognize it as HTML code. It is importing as < and other characters like \ or ” aren’t imported.

    Can u help me to know the reason?

    Thanks

  5. Sorry, various missclicks in my last comment.


    Hello!
    I’m trying to follow your instructions in this post but i have problems importing code into $obj.
    PowerShell doesn’t recognize it as HTML code. It is importing .\import.ps1
    Set-CimInstance : A general error occurred that is not covered by a more specific error code.
    At C:\temp\kiosk\import.ps1:54 char:1
    + Set-CimInstance -CimInstance $obj
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (MDM_AssignedAcc…./Vendor/MSFT”):CimInstance) [Set-CimInstance], CimException
    + FullyQualifiedErrorId : MI RESULT 1,Microsoft.Management.Infrastructure.CimCmdlets.SetCimInstanceCommand

    Thats my $obj:
    $obj

    Configuration :

    <![CDATA[

    ]]>

    Customer

    InstanceID : AssignedAccess
    KioskModeApp :
    ParentID : ./Vendor/MSFT
    ShellLauncher :
    PSComputerName :

  6. Great Post Paul, I am very grateful for it, thanks.
    There is only one thing I can not setup… as I see on your screenshot, that you could hide the “All programs” button on the upper left corner. I used your ps1 content, but somehow it is still available.
    Did you use GPO or something else to hide it?
    Thanks again,
    Laszlo

      1. OK I’ve replicated this on Win 10 2004. I can’t see anything in the docs which state how you can remove this and it’s a poor experience when you click it as well. Let me message Microsoft and see if this can be removed at all. Cheers Paul

  7. I’m having some problems, the script takes an extended period of time to run, then once finished I find that the $obj contains nothing for the configuration value, with only the InstanceID and ParentID values present.

    Any idea what might be going wrong?

    Thanks.

    1. Brian, what Windows 10 baseline? I’ve not tested on 1909 or 2004 so if one of those, let me know and I’ll test it to see if I can replicate the problem. Code does change with baseline releases. Cheers Paul

  8. Hello!
    Great post I am very thankful.
    Tested it on Win10 Pro 1909 and it works.

    The only problem I am having is when I add an exe’s path to AllowedApps it does not work if the path is UNC.

    I have tried network mapping and even with assigned letter R:\qwe.EXE did not work.

    Any clue?

    Thanks,
    Luka

    1. Hi Luka, IIRC mapped drive and UNC locations are not allowed in the AllowedApp list. However in my instance, I was able to use an allowed app from the C: drive that called remote executables if that is something you can try out as a workaround. Cheers Paul

      1. Hi Paul,

        thanks for fast reply.

        I have tried using start-process with remote exe path and then converted .ps1 file to .exe with ps2exe and added exe to the list. Still not working, exe runs fine but errors out as blocked exe.

        Do you know any other way to hide remote exe?

        Thanks!
        Luka

      2. Hi Paul!

        I have found a solution.
        I run remote file as different user and it works.
        Not the best solution but it does its job.

        Thanks for pointing me in the right direction.

        Cheers Luka

    2. Hey there Luka, Could you provide any details on how you run your remote file as a different user?
      Cheers
      Adam

      1. Hey Adam,
        I wrote pshell script to run as different user.
        example: Start-Process $RQMExE -WorkingDirectory $RQMFolder -Credential $credential
        I converted ps1 file to exe file using PS2EXE – https://github.com/MScholtes/PS2EXE
        Then I just added that file to exceptions and it worked.

        If you need more detailed instructions feel free to contact me.

        Cheers, Luka

  9. Hello Paul,

    I downloaded the PS script and tried to run it. I get the following error :
    The property ‘Configuration’ cannot be found on this object. Verify that the property exists and can be set.
    At C:\Users\Wartung\Desktop\IEKiosk.ps1:5 char:1
    + $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@”
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

    Set-CimInstance : Cannot bind argument to parameter ‘InputObject’ because it is null.
    At C:\Users\Wartung\Desktop\IEKiosk.ps1:47 char:30
    + Set-CimInstance -CimInstance $obj
    + ~~~~
    + CategoryInfo : InvalidData: (:) [Set-CimInstance], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.Management.Infrastructure.CimCm
    dlets.SetCimInstanceCommand

    I am using Windows 10 2004 (OS Build 19041.421).

    Do you know why could this be?

    I only modified the username to reflect a local account.

    Thanks!

  10. Thanks SCCMentor for the excellent document. I have successfully configured a multi app KIOSK.

    Now I want to add Downloads folder and when I add the command, (

    )

    I am getting below error.

    Set-CimInstance : A general error occurred that is not covered by a more specific error code.
    At line:1 char:1
    + Set-CimInstance -CimInstance $obj
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (MDM_AssignedAcc…./Vendor/MSFT”):CimInstance) [Set-CimInstance], CimExce
    ption
    + FullyQualifiedErrorId : MI RESULT 1,Microsoft.Management.Infrastructure.CimCmdlets.SetCimInstanceCommand

    OS: Windows10 Enterprise 64bit 2004update

  11. I was trying to use this script on a machine and make it a kiosk for all the users, but the script doesn’t seem to be working that way. It only makes a kiosk for the account which is mentioned in the script.
    I pushed the script from Intune.
    Any suggestions how to use this script for all the users?

  12. Absolutely excellent article thank you. Got me going much easier than MS’s document.

    When I add a program I wrote and compiled in “C”, let’s say HelloWorld.exe which displays “Hello World”, I do not get any errors but I just can’t get the icon to show on the Kiosk desktop. I have placed it in every area of the local drive I can think of that should matter. I have no issues with apps from vendors or MS apps, just my own creations. I have tried the full path in each case.

  13. hi, great script and clear instructions, I managed to run them and got in kiosk mode. the exit from kiosk mode script would be nice to have
    My question would be, if you have the knowledge, how to put a HoloLens 2 into kiosk mode. The xml is very similar but I cannot get it to run.

  14. Hi, I’m sorry I don’t understand the part with “I’m using the local temp account but it’s not been defined.” Must the account be linked to an MS Account or can it be local? I have a local account with admin rights and I’m constantly getting an error:

    Set-CimInstance: A general error occurred that is not covered by a more specific error code.
    At C:\Users\kiwik\Desktop\IEKiosk.ps1:47 char:1
    + Set-CimInstance -CimInstance $obj
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo: NotSpecified: (MDM_AssignedAcc…./Vendor/MSFT”):CimInstance) [Set-CimInstance], CimException
    + FullyQualifiedErrorId: MI RESULT 1,Microsoft.Management.Infrastructure.CimCmdlets.SetCimInstanceCommand

  16. This is beautiful!

    But one Question:
    After Lockdown, the Kiosk User couldn’t change WiFi Settings. Any Workaround for this?
    Thanks in advance,

    Andreas

  17. Anyone have any luck getting Microsoft Edge to auto launch? I have the following:

    on 1909 but not seeing it autolaunch.

  18. So this worked perfectly to set up a kiosk, great guide.
    However something for everyone to be aware of – because Assigned Access enforces Tablet Mode, you can’t have a kiosk with more than one display. Tablet Mode does not support dual displays, when the autologon account attempts to log in, it will be signed out straight away.
    1909 had a workaround where you can unplug the second screen, sign in, then plug it back in and it will allow the screen, but that has been fixed in 2004 and 20H2 and no longer works.

    It appears to be a long standing complaint with MS. Apparently the only solution at present is to manually replicate the actions of Assigned Access (applocker etc), without enforcing Tablet Mode at the end.

    1. Thanks Brian for the comment. Yes this is true tablet mode is enforced. It’s a real pain, as well, when you use a browser in windowed mode as it snaps to specific locations on the screen as dictated by tablet mode. Cheers Paul

  19. Hello Paul,

    Recently we are getting the new MS Edge automatically placed on our taskbar. Is there any way to remove it?
    It’s not even in our allowedapps nor in startLayout.

    attached photo:

    Cheers Luka

      1. Thanks, I tried with adding calculator but it only added it next to MSEdge icon.

        This is my startlayout xml file:
        <![CDATA[

        ]]>

    1. Hey Luka,

      How did you manage to get Chrome working on this? We’re trying to replicate this XML using chrome but given that its not a UWP we can’t actually get it to work. You got any magical tips?

  20. Hey Paul,

    Great Article thanks! I was wondering if you came across an issue that has come up. I have successfully deployed multiple kiosks with this method. However, recently, we have been getting an error about “Configuration” not being a valid property. We have been able to consistently reproduce the error on 2004 and 20H2. The exact same powershell code works for 1909 but not the newer versions. What is strange is that WMI explorer shows Configuration as still being a valid property. Here is a snippet of the error. (The same error happens when I try to set configuration to $null)

    Thank You!

    The property ‘Configuration’ cannot be found on this object. Verify that the
    property exists and can be set.
    At line:1 char:1
    + $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@”
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

      1. Thanks for your reply!

        I just wanted to provide an update. It turned out in the end, we were given a batch of Windows Home computers! It never dawned on us to check that because we manage thousands of endpoints and our procurement department is usually spot on. Upgrading fixed the issue immediately. I can now confirm it works on 20H2 🙂

  21. Anyone else having a problem downloading this “PSTools”? Neither from the link here, nor from any other website, will it complete the download (it shows downloading and then right before the end it says Error – Network error). I can download everything else I try to download anywhere though.

  22. Hello, great article on this process. I got everything setup using Chromium Edge and auto launching. I also added in download folder access. The only problem I have now is the user will need to download a video file from the website and Edge says “couldn’t download – blocked” but I don’t know what is controlling this. I’m able to open the downloads folder without issue and I’ve allowed the system video player, so I think it’s an Edge configuration. Do you have any insight into that?

  23. Thank you for the great article. I successfully applied a kiosk PC with firefox, chrome, edge and remote desktop connection – that’s the function I need most.
    I want to specify a rdp file which mstsc.exe should use.
    But no matter how I try, whenever I specify a parameter for mstsc.exe, applocker blocks access.
    Did you find a way to use a parameter with any app?

  24. Ahoy ahoy. Great article!! I’m attempting to do a re-inject using your PS script around my xml from my original push. I’m getting the same error you are mentioning about the account not being there. I’m using a slightly different account method though:

    The local account is set up and working as expected (it has a different name than Name though), but the code is tossing the error.

    I tried adding in RealName before the Autologin line, and replacing the Autologin line, and both ways gave me the same error.

    I also tried replacing the ‘rs5’ with ‘r1809’ both in my schema definition and in the Autologin line, same error.

    Thoughts?
    Thank you!
    Kirk

    1. Kirk, I’ve had problems with the autologin line working well for me, so I’ve fallen back to adding the autologin details into the registry to resolve. Does it work if you do it that way?

      1. Sorry that it ate my code snips. My original was:
        Config
        AutoLogonAccount rs5:DisplayName=”Name”
        DefaultProfile Id=”GUID”
        Config

        I tried:
        Config
        Account RealName Account
        AutoLogonAccount rs5:DisplayName=”Name”
        DefaultProfile Id=”GUID”
        Config
        and tried dropping the AutoLogonAccount line completely, and changed the rs5 to r1809.

        The account RealName has successfully been built and signed into, so I know that is working.

        With my original, using the Windows Config Designer, the xml works as expected. I’m just fighting with an annoying quirk of the kiosk mode. I’m hoping that the re-injection will help it, but I keep getting that error.

        Looking at how it’s been going, I’m not entirely certain if the AutoLogin is actually working completely. Another thing to check if can get this working.

        Thanks!
        Kirk

  25. Hello all! love the post.

    I’m trying to apply this to a kiosk we are building, but I need to have it auto launch a System level access application, I’ve attempted this through the scheduled task, but it seems to launch prior to the scheduled task so that’s out of the question. I’ve tried to launch an application similar to psexec, (psexec isn’t working for me here) but that forces the Credentials box when it comes up.

    do you know of a way to auto launch an application (script) that is ran under system level access? (It sounds bad but it’s the PowerShell deployment toolkit that is running its EXE, completely enclosed and nobody is able to brute force open the script part of it)

    1. I’ve been able to make the script launch how I want using PowerShell App Deploy Toolkit, but is there a Delay option for auto launch? I still want to Auto launch the Kiosk application but I want to delay its launch by 5 minutes. Is that possible by chance?

  26. What about a way to “switch” foreground focus to one of the allowed apps? The PS file I’m running has it to where it can change focus and start an application, but the focus is kept on powershell so it’s all still in the background.

  27. Is it possible to give access to a removable usb device? I want to give access to a usb drive to upload documents. Is there any way? All I can see is the download folder.

  28. This is a great article. Good job, I hope you write more on the subject. One question: I have tried your example on Windows 11 Pro and the commands succeeded with no error. However, when I log into the kiosk account, none of the policies seem to be applied. Is this supposed to work on windows 11? If not, how can I do something similar. Thanks 🙏

  29. Ok. I do have more information now and since you’re the only knowledgeable person who seems to be very helpful, I thought I’d share it. I looked in Event Viewer logs and it shows this error: The attribute ‘UserModelId’ on the element ’{http://schemas.microsoft.com/AssignedAccess/2017/config}App is not defined in the DTD/Schema. Does that give any clues? It doesn’t for me since I’m very new to this

  30. I’m trying to create a multi-app kiosk in Windows 11 using XML as well (no Intune). The problem I am running into is when trying to add non-Microsoft apps like Zoom as a desktop app. Zoom DOES show up in the list of AUP apps, and I’ve tried loading it that way with the AppUserModelID attribute AND also tried pointing right to the zoom.exe binary with the DesktopAppPath attribute. Both result in an error when trying to load the package file. I also tried changing the Kiosk user to an admin and still the package load failed. If I remove Zoom and just use Microsoft apps (Teams, Edge), it works fine. Any thoughts? Thank you!

    1. Hey Matthew, I’ve not dealt with the kiosk mode in Win 11 so not sure how relevant this is for that OS. Have you referenced against the official docs to see if the commands in the blog are still relevant for that OS?

  31. What kind of error occurs. Do you mean the “This app has been blocked by your system administrator “? If so, maybe double check that the app in your StartPins is actually the same as the app in your AllowedApps. In my case I actually gave up on Multi App kiosk mode and used Shell Launcher V2 and AppLocker with a simple custom shell. I’m interested in hearing how it goes for you. Especially if you are able to hide the taskbar and if the start menu launches full screen like it should. Neither of them worked for me.
