Windows 10 1809 kiosk mode with an AD domain account

One of the great new features in Windows 10 1809 is that Microsoft Edge now supports kiosk mode. It is extremely easy to configure and long awaited, so we don't have to use Internet Explorer or Google Chrome for our kiosk computers.

Setting up Windows 10 1809 in kiosk mode using Intune is really easy and beautiful. If you have the chance, be sure to test it out. The kiosk mode in Microsoft Edge is great. We can configure a reset after idle time and configure the behavior of Microsoft Edge in kiosk, single, or multi-app mode. An example might look like the screenshot below:

Microsoft Edge in kiosk mode

Configure Edge for kiosk/assigned access with a local account

I recommend a local account when using Windows 10 in kiosk/assigned access so you don't expose domain credentials. To do this (during operating system deployment using Configuration Manager for instance) we can simply run a PowerShell script:

The script performs these actions:

  1. Creates a local user named "Kiosk"
  2. Sets a password for that user
  3. Configures Microsoft Edge to run in kiosk/assigned access for the local user named "Kiosk"
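An added example, not the article's own script: the three steps above as a parameterized script. It takes the password as an argument instead of hard-coding it, skips user creation if the account already exists, and checks that the kiosk user is not a member of Administrators (looked up by well-known SID, so the check also works on localized Windows). The parameter names are my own assumptions; the cmdlets are the built-in LocalAccounts and AssignedAccess modules.

```powershell
# Added example (not the article's script). Run elevated on the kiosk device.
# Assumption: the password is supplied by the deployment tool (e.g. a task
# sequence variable) so it is not stored in the script itself.
param(
    [Parameter(Mandatory)][string]$PlainPassword,
    [string]$UserName = "Kiosk"
)
$ErrorActionPreference = "Stop"

# 1./2. Convert the password. Note the dash on -Force: without it "Force" is
#       bound as the -String argument and the real password cannot be bound.
$SecurePassword = ConvertTo-SecureString -String $PlainPassword -AsPlainText -Force

# Create the local user only if it does not exist yet (idempotent re-runs).
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $SecurePassword `
        -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires |
        Out-Null
}

# A kiosk account must stay a standard user. S-1-5-32-544 is the well-known SID
# of the local Administrators group, so this works even when the group is named
# "Administratörer" or similar on a localized OS.
$AdminSid = "S-1-5-32-544"
if (Get-LocalGroupMember -SID $AdminSid -Member $UserName -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -SID $AdminSid -Member $UserName
}

# 3. Lock the account to Microsoft Edge (single-app assigned access).
Set-AssignedAccess -UserName $UserName `
    -AppUserModelId "Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"

# Read the configuration back so the deployment log shows what was applied.
Get-AssignedAccess
```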

Configure Edge kiosk/assigned access with an AD domain account

This is really easy, but if we want to use a domain account, it becomes much harder, since we can't use the built-in PowerShell command to configure assigned access for just that domain account. However, we have the PowerShell WMI Bridge.

The PowerShell script below will use the PowerShell WMI Bridge to configure Microsoft Edge for "User1" in the "CCMEXEC" domain. Note: The script must be executed in System context.
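An added example, not the article's script: assigning Microsoft Edge to CCMEXEC\User1 through the MDM Bridge WMI provider (namespace root\cimv2\mdm\dmmap, class MDM_AssignedAccess). It assumes the 2017 AssignedAccess XML schema with a single-app profile, generates the profile GUID on the fly, and HTML-escapes the XML before writing it, because the provider stores the configuration as an escaped string and rejects raw XML with a generic Set-CimInstance error.

```powershell
# Added example (not the article's script). Must run as SYSTEM, for example from
# "psexec.exe -i -s powershell.exe". Domain and user are the ones named in the article.
$Domain = "CCMEXEC"
$User   = "User1"
# Any GUID works; it only ties the <Config> to its <Profile>.
$ProfileId = [guid]::NewGuid().ToString("B").ToUpper()

# Single-app kiosk profile running Edge, assigned to the domain account.
$Xml = @"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="$ProfileId">
      <KioskModeApp AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>$Domain\$User</Account>
      <DefaultProfile Id="$ProfileId" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
"@

$Namespace = "root\cimv2\mdm\dmmap"
$ClassName = "MDM_AssignedAccess"

# The CSP expects the XML HTML-escaped (&lt; &gt; &quot; ...), not as raw markup.
$Escaped = [System.Net.WebUtility]::HtmlEncode($Xml)

# The provider already exposes one instance; update its Configuration property.
$Instance = Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction Stop
$Instance.Configuration = $Escaped
Set-CimInstance -CimInstance $Instance -ErrorAction Stop

# Read back and decode what was stored to confirm the assignment applied.
$Check = Get-CimInstance -Namespace $Namespace -ClassName $ClassName
[System.Net.WebUtility]::HtmlDecode($Check.Configuration)
```

Run it again with a changed XML to update the kiosk; Get-CimInstance on the same class is also the quickest way to see whether a device already carries an assigned-access configuration.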

Configure Microsoft Edge using Group Policy

Windows 10 1809 introduces new Microsoft Edge Group Policies we can use to configure Microsoft Edge in kiosk mode. Here are the Group Policies I have configured in my example.

Microsoft Edge Group Policy settings

The two new settings are "Configure kiosk mode" and "Configure kiosk reset after idle timeout" where we configure the use of Microsoft Edge in multi-app mode or single-app mode and the idle timeout before it refreshes the session. I use the "Configure Start pages" Group Policy to set the start page for the kiosk as well. It's really simple.

Configuring kiosk mode

And this is the policy that sets the idle timeout:

Setting the timeout limit

Configure autologon using Group Policy Preferences

I prefer to configure autologon using Group Policy Preferences, so you can easily change the password. You could configure it during operating system deployment as well of course or by using a script. I have two different organizational units (OUs): one for the kiosk with the local logon and one for computers for the domain account to log onto. We could filter this using security groups as well, but the functionality is the same, and I use the same Group Policy Object (GPO) to configure the OS and Microsoft Edge in kiosk mode as well.

The autologon registry keys are basically the same; for the kiosk GPO that uses a local user, simply remove the DefaultDomainName registry key.
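An added example, not from the article: the Winlogon values that the GPP registry items above correspond to, set directly with PowerShell (useful when doing it during OS deployment, as the text mentions). The parameter names are my own; leaving DomainName empty produces the local-user variant, which removes DefaultDomainName exactly as described above.

```powershell
# Added example (not the article's GPO). Run elevated on the kiosk device.
param(
    [Parameter(Mandatory)][string]$UserName,
    [Parameter(Mandatory)][string]$Password,
    [string]$DomainName = ""   # empty = local account
)
$ErrorActionPreference = "Stop"
$Winlogon = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# The three values both variants share.
Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon  -Value "1"       -Type String
Set-ItemProperty -Path $Winlogon -Name DefaultUserName -Value $UserName -Type String
Set-ItemProperty -Path $Winlogon -Name DefaultPassword -Value $Password -Type String

if ($DomainName) {
    # Domain account: Winlogon needs the domain to authenticate against.
    Set-ItemProperty -Path $Winlogon -Name DefaultDomainName -Value $DomainName -Type String
} else {
    # Local account: a leftover DefaultDomainName would make the logon fail.
    Remove-ItemProperty -Path $Winlogon -Name DefaultDomainName -ErrorAction SilentlyContinue
}

# Show the resulting values so the deployment log records what was configured.
Get-ItemProperty -Path $Winlogon |
    Select-Object AutoAdminLogon, DefaultUserName, DefaultDomainName
```

DefaultPassword is stored in cleartext in a key that standard users on the device can read, and a GPP registry item additionally keeps it in Registry.xml in SYSVOL, which every domain user can read. Either way the autologon account should hold no rights beyond the kiosk itself.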

Autologon registry keys

Deployment with a Configuration Manager task sequence

How do we deploy the kiosk machines then? Well, in my lab, I use my own PowerShell front-end, which is not worth mentioning here. You can use collection variables, computer variables, or a front-end where you can select which kiosk you want to deploy. In the Task Sequence, I filter the group based on a Task Sequence Variable. I follow these steps:

  1. Run the PowerShell script to configure kiosk/assigned access
  2. Move the computer to the correct OU
  3. Restart the computer
  4. Set SMSTSPostAction to run "cmd /c shutdown /r /t 60 /f". So far this has been enough for the correct GPO to apply, so autologon works after the first reboot. You could modify this to run a GPUpdate as well if necessary.

Condition for the KioskDomain group

Configuring the kiosk mode step that runs the script

For the step that moves the computer to the correct OU, I use the script I blogged about here. We could also use a web service as long as we move the computer to the correct OU.

Moving the computer object to the OU

And the next step configures the SMSTSPostAction.

Setting the SMSTSPostAction variable

That's it! We now have a script for configuring a Windows 10 1809 system in kiosk mode using either a local user account or a domain user account. The latter one is a bit more challenging to configure.


27 Comments
  1. Jörgen,

    In your first script example you have:

    I believe you meant:

    (notice the dash on the "UserMayNotChangePassword" switch)

    otherwise great article.

    1+

  2. Joachim Häggström 2 years ago

    If kiosk users are restricted to browsing specific sites, it's possible to achieve this by setting these values in HKCU:

    PowerShell script:

    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyServer -Value "127.0.0.1:8000"
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyEnable -Value 1
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyOverride -Value "*.mydomain.com;*.microsoftonline.com;*.office.com;*.mail.google.com;*.sharepoint.com"

    It sets a fake proxy and port, enables the proxy setting, and the ProxyOverride setting configures the allowed exceptions.

    Regards /Joachim

    2+
    • While that will work, isn't it a bit of a hack?

      0

      • Author

        Hi,

        Yes, it is a bit of a hack, but as there is no other way to configure it to use Assigned Access/Kiosk with a domain account except for MDM, there are not many options. As I wrote, I recommend that you test it through Intune, but not everyone can use Intune yet for different reasons.

        Regards,
        Jörgen

        0

  3. Love Arvidsson 2 years ago

    Hi,

    I'm trying to use the script to create a local account and get this output:

    ConvertTo-SecureString : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input.
    At line:3 char:36
    + ... assword = $PlainPassword | ConvertTo-SecureString -AsPlainText Force
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (Kiosk0!234:String) [ConvertTo-SecureString], ParameterBindingException
    + FullyQualifiedErrorId : InputObjectNotBound,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand

    New-LocalUser : Cannot validate argument on parameter 'Password'. The argument is null. Provide a valid value for the argument, and then try running the command again.
    At line:4 char:37
    + New-LocalUser -Name Kiosk -Password $SecurePassword -PasswordNeverExp ...
    + ~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [New-LocalUser], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.NewLocalUserCommand

    User was not found. Enter a valid local account UserName or UserSID
    At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psm1:236 char:9
    + throw $SCStringTable.ErrorUserNotFound
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (User was not fo...Name or UserSID:String) [], RuntimeException
    + FullyQualifiedErrorId : User was not found. Enter a valid local account UserName or UserSID

    I just copied your example; is there something I'm missing?

    Thanks!

    0

    • @jorgen-nilsson

      @loveArvidsson

      In the first PowerShell example you should replace the third line with this one:

      2+

      • Love Arvidsson 2 years ago

        Thanks!

        That worked better! 🙂

        Now the user gets created as specified, but a new error has occurred:

        "C:\windows\system32\net.exe : Systemerror 1376 has occured.
        At line:1 char:1
        + C:\windows\system32\net.exe localgroup administrators
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (Systemfel 1376 har uppst†tt.:String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError

        The local Group does not exist."

        It's looking for the "administrators" group (and I don't know why; I'm not trying to add the account to it) and it doesn't find it, because we run a Swedish OS and it's called "Administratörer".

        But why does it look for this group at all?

        0

  4. Love Arvidsson 2 years ago

    Woohoo, fixed it with this:

    New-LocalGroup -Name "Administrators"
    Add-LocalGroupMember -Group "Administratörer" -Member "Administrators"

    But does anyone know why it needs to be in this group? Won't this give the user admin rights? (which we don't want)

    0

  5. J 2 years ago

    Good Afternoon,

    In your WMI Bridge script, where do I configure the Start page?

    I would like to run a kiosk using an AD account.

    0

  6. Chris 2 years ago

    Hey,

    I can't seem to get kiosk mode and auto login to work; both work independently, but not together. Is that not a thing?

    Thanks

    Chris

    0

  7. Nav 2 years ago

    Hi Jörgen,

    Is it possible for you to share screenshots of your task sequence to deploy Win 10 kiosk mode? Under which group have you added the steps you mentioned in this post?

    thanks,

    0

  8. John Ferragamo 2 years ago

    I followed the steps here to add a domain user to assigned access. Has anyone ever experienced an issue using a domain account with Edge to open an internal SharePoint site and Edge not passing through the credentials? I am testing kiosk mode, and every time it logs in I am prompted for credentials on the SharePoint site. We have verified that it has access, but we have not been able to get this to work. Any help is appreciated. Thank you

    1+

    • Kari Niemi 1 year ago

      Hi, have you found any kind of solution? We have the same kind of issue in kiosk mode with Edge on our intranet pages where ADFS is in use. SSO is not working. Any help is appreciated. Thanks!

      2+

  9. Mathias 1 year ago

    Nice work. One question: is it possible to deploy favorites in Edge even when it is in kiosk mode? I tried setting the GPOs "Configure Favorites" and "Configure Favorites Bar", but neither the favorites nor the favorites bar is showing up. Instead Edge says that "some settings are managed by your organisation".

    0

  10. Douglas 1 year ago

    I need my laptop to be in a domain, but the local account is what I intend to use for the assigned access account. I have it so Edge is in kiosk mode; however, the initial website that loads is one that is defined to our intranet site. If I press the home button, the correctly assigned website loads. However, when I press End Session, it takes you right back to the intranet. How can I prevent this, as I would like to deploy the laptop through kiosk mode?

    0

  11. Brian 1 year ago

    Thank you for posting this. I tried the method to use a domain account, but it is not working. I used PsExec to run PowerShell in the system context. I replaced the username and domain with my information; otherwise everything is exactly the same. I ran the script and came across the following error. Is there something that I am missing?

    PS C:\temp> .\kiosk.ps1
    Set-CimInstance : A general error occurred that is not covered by a more specific error code.
    At C:\temp\kiosk.ps1:37 char:1
    + Set-CimInstance -CimInstance $obj
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (MDM_AssignedAcc..../Vendor/MSFT"):CimInstance) [Set-CimInstance], CimException
        + FullyQualifiedErrorId : MI RESULT 1,Microsoft.Management.Infrastructure.CimCmdlets.SetCimInstanceCommand

    0

  12. nigel 1 year ago

    I am also getting the following error:

    "Set-CimInstance : A general error occurred that is not covered by a more specific error code."

    Unsure what I can do to clear this and test further.

    0

  13. nigel 1 year ago

    Hi there, I have been getting around the error by using your HTML markup. Is there a reason we can't use XML <> instead of the HTML?

    0

  14. nigel 1 year ago

    I've got it working with escaped XML, but it is not showing my custom start menu just yet:

    &lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot; ?&gt;
    &lt;AssignedAccessConfiguration xmlns=&quot;http://schemas.microsoft.com/AssignedAccess/2017/config&quot;&gt;
        &lt;Profiles&gt;
            &lt;Profile Id=&quot;{5B328104-BD89-4863-AB27-4ED6EE355485}&quot;&gt;
          &lt;AllAppsList&gt; 
          &lt;AllowedApps&gt; 
            &lt;App AppUserModelId=&quot;Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge&quot; /&gt;
            &lt;App DesktopAppPath=&quot;c:\windows\system32\CLEANMGR.exe&quot; /&gt;
            &lt;App DesktopAppPath=&quot;c:\windows\system32\userinit.exe&quot; /&gt;
            &lt;App DesktopAppPath=&quot;c:\windows\system32\DisableLogonScript.cmd&quot; /&gt;
            &lt;App DesktopAppPath=&quot;c:\windows\system32\cmd.exe&quot; /&gt;
          &lt;/AllowedApps&gt; 
          &lt;/AllAppsList&gt; 
          &lt;StartLayout&gt; 
                    &lt;![CDATA[&lt;LayoutModificationTemplate xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot; Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
                          &lt;LayoutOptions StartTileGroupCellWidth=&quot;6&quot; /&gt;
                          &lt;DefaultLayoutOverride&gt;
                            &lt;StartLayoutCollection&gt;
                              &lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot;&gt; 
                                &lt;start:Group Name=&quot;Get Started&quot;&gt; 
                                    &lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; DesktopApplicationLinkPath=&quot;%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\ThinClientStart.lnk&quot; /&gt;                  
                                &lt;/start:Group&gt; 
                                &lt;start:Group Name=&quot;Internet&quot;&gt; 
                                  &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge&quot; /&gt;
                                &lt;/start:Group&gt;
                              &lt;/defaultlayout:StartLayout&gt;
                            &lt;/StartLayoutCollection&gt;
                          &lt;/DefaultLayoutOverride&gt;
                        &lt;/LayoutModificationTemplate&gt;
                    ]]&gt;
          &lt;/StartLayout&gt; 
          &lt;Taskbar ShowTaskbar=&quot;true&quot;/&gt; 
            &lt;/Profile&gt;
        &lt;/Profiles&gt;
        &lt;Configs&gt;
            &lt;Config&gt;
                &lt;AutoLogonAccount/&gt;
                &lt;DefaultProfile Id=&quot;{5B328104-BD89-4863-AB27-4ED6EE355485}&quot;/&gt;
            &lt;/Config&gt;
        &lt;/Configs&gt;
    &lt;/AssignedAccessConfiguration&gt;

    0

  15. Bartek 1 year ago

    Hello,

    Great article... I was trying to follow it and configure kiosk mode with an AD account, but I'm getting an error:

    any suggestions?

    1+

  16. Omar Latif 1 year ago

    Hi Bartek,

    I am getting the same error "Configuration cannot be found". Did you find a solution to this issue?

    1+

  17. Johno 12 months ago

    Having an issue with the auto logon: all reg keys exist, the kiosk user account has no password and is a domain account, but when the machines are turned on they appear to attempt to log on (I see "Welcome" below the user name), then it returns to a password prompt.

    0

  18. Noxn 8 months ago

    @Bartek & Omar

    Note: The script must be executed in System context.

    Download: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

    Start "cmd" and type psexec.exe -i -s cmd

    After that, type start powershell and execute the script above.

    You have to run set-executionpolicy unrestricted before you can run the script.

    0

  19. Kevin Still 3 months ago

    Assuming I want to do it the same exact way as if I was doing this through the Kiosk Mode GUI. The account doesn't have a password, so would it work if I left $PlainPassword = "" ?

    Also, is it possible to set a specific website? I just want the digital signage single-website option. Also, if it errors in any way, automatically relaunch, which is part of the options when doing this through the GUI.

    0


© 4sysops 2006 - 2020
