This post covers how to create a maintainable Windows 10 multi-app kiosk with Configuration Manager and a PowerShell script that I wrote. A couple of years ago, I wrote a blog post here about deploying Windows 10 1809 in kiosk mode with an AD domain account. Much has happened since then.

Kiosk machines, or single-purpose computers, are used in many scenarios and organizations. Kiosks come in several flavors, including single-purpose locked-down kiosks and multi-app kiosks where users also need to be able to download files and work with them. They also need to be secure, as in some use cases they are physically exposed.

The result of the example script will look like the screen capture below.

Multi app kiosk example

We also allow access to removable media and the Downloads folder, so if we want to save a file in Google Chrome and then open it in Excel, for example, it is possible, as shown below.

Open in Excel

The script will carry out the following configurations:

  • Configure AutoLogon with a domain user
  • Configure the Start Menu
  • Add applications to the allow list
  • Allow saving/reading from the Downloads folder
  • Allow removable USB drives
  • Write kiosk information to the registry

Here is the PowerShell script:

Configuring Assigned Access

The assigned access settings are configured in the XML that the script builds. More information about what can be configured can be found here and here. Examples are included.

The AllowedApps section lists all apps that can run. In the back end, this is enforced by AppLocker rules created on the machine, so some troubleshooting is needed when a third-party application calls additional binaries: those binaries also need to be listed before they are allowed to run. Everything that is not on the list is blocked.

Allowing folder access and removable media is done with the V2 and V3 schemas declared earlier in the XML file, as shown in the example below. Adding new folders later is very easy if necessary.
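As an added example (not the article's script), the following PowerShell builds a minimal multi-app configuration with these elements and applies it through the MDM Bridge WMI provider. The application paths, the kiosk account and the profile GUID are assumed values, and the Start layout is kept to a single tile.

```powershell
# Added example: multi-app Assigned Access XML applied through the MDM Bridge.
param(
    [Parameter(Mandatory)][string]$DomainUser,   # e.g. CONTOSO\kioskuser (assumed)
    [string]$ProfileId = '{0d4d5a8e-6f1b-4c2a-9b3e-7a1f2c3d4e55}'  # constructed GUID; any GUID works
)
$xml = @"
<AssignedAccessConfiguration
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
    xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config">
  <Profiles>
    <Profile Id="$ProfileId">
      <AllAppsList>
        <AllowedApps>
          <!-- Desktop apps by path, Store apps by AUMID; helper binaries an app launches must be listed too -->
          <App DesktopAppPath="C:\Program Files\Google\Chrome\Application\chrome.exe" />
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
        </AllowedApps>
      </AllAppsList>
      <!-- rs5 schema opens a named folder, v3 schema adds removable drives -->
      <rs5:FileExplorerNamespaceRestrictions>
        <rs5:AllowedNamespace Name="Downloads" />
        <v3:AllowRemovableDrives />
      </rs5:FileExplorerNamespaceRestrictions>
      <StartLayout>
        <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
          <LayoutOptions StartTileGroupCellWidth="6" />
          <DefaultLayoutOverride><StartLayoutCollection><defaultlayout:StartLayout GroupCellWidth="6">
            <start:Group Name="Kiosk"><start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /></start:Group>
          </defaultlayout:StartLayout></StartLayoutCollection></DefaultLayoutOverride>
        </LayoutModificationTemplate>]]>
      </StartLayout>
      <Taskbar ShowTaskbar="true" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>$DomainUser</Account>
      <DefaultProfile Id="$ProfileId" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
"@
# The bridge returns no instance outside the SYSTEM context (the "property 'Configuration'
# cannot be found" error seen in the comments); fail with a clear message instead.
$bridge = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_AssignedAccess'
if (-not $bridge) { throw 'MDM_AssignedAccess not available: run this as SYSTEM (e.g. via psexec -s).' }
$bridge.Configuration = [System.Net.WebUtility]::HtmlEncode($xml)   # the XML must be HTML-encoded
Set-CimInstance -CimInstance $bridge
```

A reboot (or sign-out) is required before the account named in Account gets the profile.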

Configure auto logon

In my previous post, I used Group Policy preferences to configure AutoLogon, which stores the username and password in clear text in the registry. I also used AutoLogon.exe, a Microsoft tool that configures AutoLogon, because it stores the password as an LSA secret rather than in clear text in the registry. The sample script posted here contains a section, rewritten by my colleague Johan Schrewelius, that does the same thing AutoLogon.exe does. It also adds a scheduled task that configures AutoLogon, because everything configured during OS deployment is cleared by the OOBE part of the setup.
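As an added illustration (not my colleague's code from the script), this PowerShell stores the AutoLogon password as the DefaultPassword LSA secret, which is the approach AutoLogon.exe takes, sets the Winlogon values, and removes any cleartext DefaultPassword value left behind by the Group Policy preferences method. Domain, user name and password are parameters you supply; the scheduled-task wrapper that re-applies this after OOBE is not included.

```powershell
param(
    [Parameter(Mandatory)][string]$Domain,     # assumed values, e.g. CONTOSO / kioskuser
    [Parameter(Mandatory)][string]$Username,
    [Parameter(Mandatory)][string]$Password
)
# P/Invoke wrappers for the LSA policy API (advapi32); needs an elevated or SYSTEM context.
Add-Type -Namespace Kiosk -Name Lsa -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
[StructLayout(LayoutKind.Sequential)]
public struct OBJECT_ATTRIBUTES { public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
    public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService; }
[DllImport("advapi32.dll")] public static extern uint LsaOpenPolicy(IntPtr SystemName,
    ref OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle);
[DllImport("advapi32.dll")] public static extern uint LsaStorePrivateData(IntPtr PolicyHandle,
    ref UNICODE_STRING KeyName, ref UNICODE_STRING PrivateData);
[DllImport("advapi32.dll")] public static extern uint LsaClose(IntPtr PolicyHandle);
[DllImport("advapi32.dll")] public static extern uint LsaNtStatusToWinError(uint Status);
'@
function New-UnicodeString([string]$Text) {
    # LSA_UNICODE_STRING: lengths are in bytes, not characters, over an unmanaged UTF-16 buffer
    $u = [Kiosk.Lsa+UNICODE_STRING]::new()
    $u.Buffer = [Runtime.InteropServices.Marshal]::StringToHGlobalUni($Text)
    $u.Length = [uint16]($Text.Length * 2)
    $u.MaximumLength = [uint16]($u.Length + 2)
    return $u
}
$attr = [Kiosk.Lsa+OBJECT_ATTRIBUTES]::new()
$attr.Length = [Runtime.InteropServices.Marshal]::SizeOf($attr)
$policy = [IntPtr]::Zero
$status = [Kiosk.Lsa]::LsaOpenPolicy([IntPtr]::Zero, [ref]$attr, 0x20, [ref]$policy)  # 0x20 = POLICY_CREATE_SECRET
if ($status -ne 0) { throw "LsaOpenPolicy failed, Win32 error $([Kiosk.Lsa]::LsaNtStatusToWinError($status))" }
$key  = New-UnicodeString 'DefaultPassword'   # the secret name Winlogon reads for AutoLogon
$data = New-UnicodeString $Password
try {
    $status = [Kiosk.Lsa]::LsaStorePrivateData($policy, [ref]$key, [ref]$data)
    if ($status -ne 0) { throw "LsaStorePrivateData failed, Win32 error $([Kiosk.Lsa]::LsaNtStatusToWinError($status))" }
} finally {
    [Runtime.InteropServices.Marshal]::FreeHGlobal($key.Buffer)
    [Runtime.InteropServices.Marshal]::FreeHGlobal($data.Buffer)
    [void][Kiosk.Lsa]::LsaClose($policy)
}
# Winlogon values AutoLogon needs; a cleartext DefaultPassword value (the GPP approach) is removed.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name AutoAdminLogon    -Value '1'
Set-ItemProperty -Path $winlogon -Name DefaultUserName   -Value $Username
Set-ItemProperty -Path $winlogon -Name DefaultDomainName -Value $Domain
Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
```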

Deploying the kiosk using MEMCM

To deploy the kiosk script using Configuration Manager, I have a kiosk group in my task sequence that includes the following steps:

Task sequence steps

For the kiosk computers, I added them to a collection with the variables shown below:

Collection variables

The variables are picked up by the PowerShell script in the task sequence when we deploy the computer. In my script, I hardcoded the domain name, which could easily have been a variable as well. It is set early in the script:

Let's look at the three different steps in the task sequence. Move to correct OU uses a simple PowerShell script to move the computer to my Kiosk OU, making sure that the correct Group Policies are applied. It is executed with an account that has the permissions required to move the computer account in AD.

Move to correct OU

Configure kiosk mode

This step executes the PowerShell script that configures the computer in Kiosk mode. The variables passed to the script are -Username and -Password, as shown below.

Configure Kiosk Mode

Reboot after OSD

This step sets the task sequence variable "SMSTSPostAction," which reboots the computer after OSD is finished. There will be two reboots before the computer is in kiosk mode: one caused by SMSTSPostAction and one caused by the scheduled task that configures AutoLogon.

Reboot after OSD

Writing information to the registry

We also write information to the registry about the account that was used and the version of the kiosk configuration. This comes in handy if and when we need to update the machine's kiosk configuration.

Registry value

The name of the registry key can be modified in the script at the very beginning by changing the variable to your preference.

Summary

If you are still deploying kiosk machines and locking them down with Group Policy, AppLocker, and scripts, I highly recommend that you check out assigned access mode. It is simple to deploy, is locked down straight away, and is locked down much more tightly than many kiosk setups I have seen.

In my next post, I will explain how you can update the Windows 10 kiosk.

17 Comments
  1. Leos Marek (Rank: 4)
    10 months ago

    Interesting post, might be useful at school 🙂

  2. Claudio 10 months ago

    Would be so nice if there were a GUI tool to generate such a PS 🙂

  3. Diego 10 months ago

    This is really helpful!!!

    How can I revert from kiosk mode for the user configured?

    Thank you!!!

    • Author

      Hi,

      Last time I checked, there is no easy way of reverting from a MultiApp Kiosk. If you use Assigned Access and single app, then it is possible using PowerShell.

      Regards,

      Jörgen

    • Daniel 1 week ago

      Log into the PC with an admin account, open up 'Settings > Accounts > Access work or school' and then select 'Add or remove a provisioning package' and remove the installed provisioning package.


  4. Jim Gandini 10 months ago

    I get "The property 'Configuration' cannot be found on this object..." when I try to execute the PowerShell script.

    What am I missing in PowerShell?

    • Leos Marek (Rank: 4)
      10 months ago

      I'm getting the same thing. It's because this part of the code:

      Returns no value at all. So the variable $obj is not created.


    • Author

      Hi,

      Are you executing the script in System context? I will double-check if there are any copy/paste errors as well.

      Regards,
      Jörgen

      • Leos Marek (Rank: 4)
        10 months ago

        Hi Jorgen,

        I have not. Under standard admin account with elevated rights.

        I thought it could be done just by executing the PowerShell script, without Config Manager, which I assume you use just to do the required sequence, which could be done manually?

        Or is that a wrong assumption?

        Cheers L


  5. Author

    Hi,

    It has to be run in System context; that is the only way to use the WMI MDM Bridge in PowerShell. When I wrote it and tested it out, I used PsExec.exe to run it in System context, which works just great.

    Regards,
    Jörgen

  6. howdee 10 months ago

    You've uploaded the wrong photo on the Configure Kiosk mode step.


  7. Pedro Soto (Rank: 1)
    10 months ago

    Hi,

    I am starting to use SCCM and wanted to automate a single app kiosk for our municipality. I have read your previous post and this one, and it may be just the thing I am looking for. I have a question on something super simple that I just don't understand. Once the AD account is created, where in the script do I put the information? I pasted the top part of the code here, and I am guessing that I fill in the information here, but I wanted to ask to make sure. I am new to all this and trying to learn as I go.

    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [string]$Username,
        [Parameter(Mandatory=$True)]
        [string]$Password
    )

    # Set values
    $Version="1"
    $RegKeyName = "NutanixKIOS"
    $FullRegKeyName = "HKLM:\SOFTWARE\" + $regkeyname 
    $Domain="*******"

    # Create Registry key 
    New-Item -Path $FullRegKeyName -type Directory -ErrorAction SilentlyContinue

    function Set-KioskMode {

        $DomainUser = "$($Domain)\$($UserName)".TrimStart('\')


  8. Yaron 6 months ago

    Hello,

    Thank you for the useful post, it is very helpful.
    Is there a way to cancel the autologon?

    Regards,
    Yaron

    • Leos Marek (Rank: 4)
      6 months ago

      I'd say you can just remove lines 81 to 270 and the last line of the script. That should do it.


  9. Daniel Schueler 1 week ago

    I'm having an issue with the removable storage portion of the provisioning XML. I configured mine exactly the same as yours, and the Downloads folder shows up but not the removable storage. The more confusing part is that if I set it to v3:NoRestriction, I lose all folder access entirely.

    I am on W10 Edu v20H2 and can post more info if it would help.

