One of the great new features in Windows 10 1809 is that Microsoft Edge now supports kiosk mode. It is extremely easy to configure and long awaited, so we don't have to use Internet Explorer or Google Chrome for our kiosk computers.

Jörgen Nilsson

Jörgen is a principal consultant at Onevinn in Sweden. His work focuses on enterprise client management and system management. He is a Microsoft Certified Trainer and a Microsoft Most Valuable Professional (MVP) in Enterprise Mobility. He also speaks at events such as Microsoft TechDays, Microsoft Management Summits, and TechEd.

Setting up Windows 10 1809 in kiosk mode using Intune is really easy and beautiful. If you have the chance, be sure to test it out. The kiosk mode in Microsoft Edge is great. We can configure a reset after idle time and configure the behavior of Microsoft Edge in kiosk, single, or multi-app mode. An example might look like the screenshot below:

Microsoft Edge in kiosk mode

Configure Edge for kiosk/assigned access with a local account

I recommend a local account when using Windows 10 in kiosk/assigned access so you don't expose domain credentials. To do this (during operating system deployment using Configuration Manager for instance) we can simply run a PowerShell script:

The script performs these actions:

  1. Creates a local user named "Kiosk"
  2. Sets a password for that user
  3. Configures Microsoft Edge to run in kiosk/assigned access for the local user named "Kiosk"
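
The three actions above as an added example; this is not the author's script, which is not reproduced on this page. The SecureString password parameter, the account description, and the check against the built-in Administrators group by its well-known SID (S-1-5-32-544, identical on localized Windows installations) are assumptions added here.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's script.
param(
    [string]$UserName = 'Kiosk',
    # Supplied by the caller as a SecureString so no password literal lives in the script.
    [Parameter(Mandatory = $true)]
    [securestring]$Password
)

$edgeAumid = 'Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge'

# Steps 1 and 2: create the local user with its password (skipped if it already exists).
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $Password `
        -PasswordNeverExpires -UserMayNotChangePassword `
        -Description 'Assigned access kiosk account' | Out-Null
}

# Assumption added here: the kiosk account must remain a standard user.
# The group is addressed by SID because its display name differs per OS language.
$kioskSid  = (Get-LocalUser -Name $UserName).SID.Value
$adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value })
if ($adminSids -contains $kioskSid) {
    throw "$UserName is a member of the local Administrators group; remove it first."
}

# Step 3: bind Microsoft Edge to the account as its assigned access app.
Set-AssignedAccess -UserName $UserName -AppUserModelId $edgeAumid

# Show the resulting assignment for the deployment log.
Get-AssignedAccess
```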

Configure Edge kiosk/assigned access with an AD domain account

This is really easy, but if we want to use a domain account, it becomes much harder, since we can't use the built-in PowerShell command to configure assigned access for just that domain account. However, we have the PowerShell WMI Bridge.

The PowerShell script below will use the PowerShell WMI Bridge to configure Microsoft Edge for "User1" in the "CCMEXEC" domain. Note: The script must be executed in System context.
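
An added example of the WMI Bridge approach described above; it is not the author's script, which is not reproduced on this page. It assumes a single-app profile using the `KioskModeApp` element of the assigned access configuration XML, and the profile GUID is a constructed placeholder.

```powershell
# Added example, not the article's script.
# The article states the script must run in System context; stop early otherwise.
$systemSid = 'S-1-5-18'   # well-known SID of LocalSystem
if ([Security.Principal.WindowsIdentity]::GetCurrent().User.Value -ne $systemSid) {
    throw 'Run this script in System context (for example as a task sequence step).'
}

$account   = 'CCMEXEC\User1'                             # domain\user named in the article
$profileId = '{00000000-0000-0000-0000-000000000001}'    # constructed placeholder GUID
$edgeAumid = 'Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge'

$configXml = @"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="$profileId">
      <KioskModeApp AppUserModelId="$edgeAumid" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>$account</Account>
      <DefaultProfile Id="$profileId" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
"@

# Fail early if the XML is not well-formed.
$null = [xml]$configXml

# Fetch the MDM bridge instance that holds the assigned access configuration.
$obj = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_AssignedAccess'

# Assign the XML in HTML-escaped form (&lt; &gt; &quot;), then write it back.
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($configXml)
Set-CimInstance -CimInstance $obj
```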

Configure Microsoft Edge using Group Policy

Windows 10 1809 introduces new Microsoft Edge Group Policies we can use to configure Microsoft Edge in kiosk mode. Here are the Group Policies I have configured in my example.

Microsoft Edge Group Policy settings

The two new settings are "Configure kiosk mode" and "Configure kiosk reset after idle timeout" where we configure the use of Microsoft Edge in multi-app mode or single-app mode and the idle timeout before it refreshes the session. I use the "Configure Start pages" Group Policy to set the start page for the kiosk as well. It's really simple.

Configuring kiosk mode

And this is the policy that sets the idle timeout:

Setting the timeout limit

Configure autologon using Group Policy Preferences

I prefer to configure autologon using Group Policy Preferences, so you can easily change the password. You could configure it during operating system deployment as well of course or by using a script. I have two different organizational units (OUs): one for the kiosk with the local logon and one for computers for the domain account to log onto. We could filter this using security groups as well, but the functionality is the same, and I use the same Group Policy Object (GPO) to configure the OS and Microsoft Edge in kiosk mode as well.

The autologon registry keys are basically the same; for the kiosk GPO that uses a local user, simply remove the DefaultDomainName registry key.

Autologon registry keys

Deployment with a Configuration Manager task sequence

How do we deploy the kiosk machines then? Well, in my lab, I use my own PowerShell front-end, which is not worth mentioning here. You can use collection variables, computer variables, or a front-end where you can select which kiosk you want to deploy. In the Task Sequence, I filter the group based on a Task Sequence Variable. I follow these steps:

  1. Run the PowerShell script to configure kiosk/assigned access
  2. Move the computer to the correct OU
  3. Restart the computer
  4. Set SMSTSPostAction to run "cmd /c shutdown /r /t 60 /f". So far, this has been enough for the correct GPO to apply, so autologon works after the first reboot. You could modify this to run a GPUpdate as well if necessary.

Condition for the KioskDomain group

Configuring the kiosk mode step that runs the script

For the step that moves the computer to the correct OU, I use the script I blogged about here. We could also use a web service as long as we move the computer to the correct OU.

Moving the computer object to the OU

And the next step configures the SMSTSpostaction.

Setting the SMSTSpostaction variable

That's it! We now have a script for configuring a Windows 10 1809 system in kiosk mode using either a local user account or a domain user account. The latter one is a bit more challenging to configure.

22 Comments
  1. Conley Damron 10 months ago

    Jörgen,

    In your first script example you have:

    I believe you meant:

    (notice the dash on the "UserMayNotChangePassword" switch)

    otherwise great article.

    1+

  2. Joachim Häggström 10 months ago

    If kiosk users are to be restricted to browsing specific sites, it's possible to achieve this by setting these values in HKCU:

    Powershell script:

    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyServer -Value "127.0.0.1:8000"
    Set-ItemProperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyEnable -Value 1
    Set-ItemProperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyOverride -Value "*.mydomain.com;*.microsoftonline.com;*.office.com;*.mail.google.com;*.sharepoint.com"

    It sets a fake proxy and port, enables proxy settings, and the ProxyOverride setting configures the allowed exceptions.

    Regards /Joachim

    2+

    • Conley Damron 10 months ago

      While that will work, isn't it a bit of a hack?

      0

      • Author
        Jörgen Nilsson 10 months ago

        Hi,

        Yes, it is a bit of a hack but as there is no other way to configure it to use Assigned Access/Kiosk using a domain account except for MDM not many options. As I wrote I recommend that you test it through Intune but everyone cannot use Intune yet for different reasons.

        Regards,
        Jörgen

        0

  3. Love Arvidsson 8 months ago

    Hi,

    Trying to use the script to create a local account, and get this output:

    ConvertTo-SecureString : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input.
    At line:3 char:36
    + ... assword = $PlainPassword | ConvertTo-SecureString -AsPlainText Force
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (Kiosk0!234:String) [ConvertTo-SecureString], ParameterBindingException
    + FullyQualifiedErrorId : InputObjectNotBound,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand

    New-LocalUser : Cannot validate argument on parameter 'Password'. The argument is null. Provide a valid value for the argument, and then try running the command again.
    At line:4 char:37
    + New-LocalUser -Name Kiosk -Password $SecurePassword -PasswordNeverExp ...
    + ~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [New-LocalUser], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.NewLocalUserCommand

    User was not found. Enter a valid local account UserName or UserSID
    At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psm1:236 char:9
    + throw $SCStringTable.ErrorUserNotFound
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (User was not fo...Name or UserSID:String) [], RuntimeException
    + FullyQualifiedErrorId : User was not found. Enter a valid local account UserName or UserSID

    I just copied your example, something I'm missing?

    Thanks!

    0

    • Luc Fullenwarth 8 months ago

      @jorgen-nilsson

      @loveArvidsson

      In the first PowerShell example you should replace the third line with this one:

      2+

      • Love Arvidsson 8 months ago

        Thanks!

        That worked better! 🙂

        Now the user gets created as specified, but a new error has occurred

        "C:\windows\system32\net.exe : Systemerror 1376 has occured.
        At line:1 char:1
        + C:\windows\system32\net.exe localgroup administrators
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (Systemfel 1376 har uppst†tt.:String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError

        The local Group does not exist."

        It's looking for the "administrators" Group (and I don't know why, I'm not trying to add the account to it) and it doesn't find it, because we run Swedish OS and it's called "Administratörer".

        But, why does it look for this Group at all?

        0

  4. Love Arvidsson 8 months ago

    Woohoo, fixed it with this

    "
    New-LocalGroup -name "Administrators"
    Add-LocalGroupMember -Group "Administratörer" -Member "administrators"

    "

    But, anyone know why it needs to be in this Group? Won't this give the user admin rights? (which we don't want)

    0

  5. J 8 months ago

    Good Afternoon,

    In your WMI Bridge script, where do I configure the Start page?

    I would like to run a kiosk using an AD account.

     

    0

  6. Chris 5 months ago

    Hey,

    I can't seem to get kiosk mode and auto login to work, both independently, but not together, is that not a thing?

    Thanks

    Chris

    0

  7. Nav 5 months ago

    Hi Jörgen,

    is it possible if you can share screenshots of your task sequence to deploy win 10 kiosk mode? under what group you have added the steps you have mentioned in this post.

    thanks,

    0

  8. John Ferragamo 4 months ago

    I followed the steps here to add a domain user to assigned access. Anyone ever experience an issue using a domain account with Edge to open an Internal sharePoint site and Edge not passing through the credentials?  I am testing Kiosk Mode and every time it logs in I am prompted for credentials on the sharepoint site. We have verified that it has access, but we have not been able to get this to work.  Any help is appreciated.  Thank you

    1+

    • Kari Niemi 3 months ago

      Hi - Have you found any kind of solutions? We have same kind of issue in kioskmode with edge within our intranet pages where ADFS in use. SSO is not working..... Any help is appreciated. Thanks!

      1+

  9. Mathias 4 months ago

    Nice work. One question. Is it possible to deploy favorites in Edge even when it is a kiosk mode? I tried setting the GPO's "Configure Favorites" and "Configure Favorites Bar" but neither the favorites nor the favorites bar is showing up. Instead Edge says that "some settings by managed by your organisation".

    0

  10. Douglas 3 months ago

    I need my laptop to be in a domain but the local account is what I intend to use for the assigned access account.  I have it so Edge is in kiosk mode, however, the initial website that loads is one that is defined to our intranet site.  If I press the home button, the correctly assigned website loads.  However, when I press End Session, it takes you right back to the intranet.  How can I prevent this, as I like to deploy the laptop through kiosk mode.

    0

  11. Brian 3 months ago

    Thank you for posting this. I tried the method to use a domain account but it is not working. I used PSexec to run Powershell in the system context. I replaced the username and domain with my information, otherwise everything is exactly the same. I ran the script and came across the following error. Is there something that I am missing?

     

    PS C:\temp> .\kiosk.ps1
    Set-CimInstance : A general error occurred that is not covered by a more specific error code.
    At C:\temp\kiosk.ps1:37 char:1
    + Set-CimInstance -CimInstance $obj
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (MDM_AssignedAcc..../Vendor/MSFT"):CimInstance) [Set-CimInstance], CimExce
       ption
        + FullyQualifiedErrorId : MI RESULT 1,Microsoft.Management.Infrastructure.CimCmdlets.SetCimInstanceCommand

    0

  12. nigel 2 months ago

    I am also getting the following error :

    "Set-CimInstance : A general error occurred that is not covered by a more specific error code."

    Unsure on what I can do to clear this and test further. 

    0

  13. nigel 2 months ago

    Hi there - I have been getting around the error by using your HTML markup - is there a reason we can't use XML <> instead of the HTML?

    0

  14. nigel 2 months ago

    I've got it working with escaped xml, but it is not showing my custom start menu just yet:

     

    &lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot; ?&gt;
    &lt;AssignedAccessConfiguration xmlns=&quot;http://schemas.microsoft.com/AssignedAccess/2017/config&quot;&gt;
        &lt;Profiles&gt;
            &lt;Profile Id=&quot;{5B328104-BD89-4863-AB27-4ED6EE355485}&quot;&gt;
          &lt;AllAppsList&gt; 
          &lt;AllowedApps&gt; 
            &lt;App AppUserModelId=&quot;Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge&quot; /&gt;
            &lt;App DesktopAppPath=&quot;c:\windows\system32\CLEANMGR.exe&quot; /&gt;
            &lt;App DesktopAppPath=&quot;c:\windows\system32\userinit.exe&quot; /&gt;
            &lt;App DesktopAppPath=&quot;c:\windows\system32\DisableLogonScript.cmd&quot; /&gt;
            &lt;App DesktopAppPath=&quot;c:\windows\system32\cmd.exe&quot; /&gt;
          &lt;/AllowedApps&gt; 
          &lt;/AllAppsList&gt; 
          &lt;StartLayout&gt; 
                    &lt;![CDATA[&lt;LayoutModificationTemplate xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot; Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
                          &lt;LayoutOptions StartTileGroupCellWidth=&quot;6&quot; /&gt;
                          &lt;DefaultLayoutOverride&gt;
                            &lt;StartLayoutCollection&gt;
                              &lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot;&gt; 
                                &lt;start:Group Name=&quot;Get Started&quot;&gt; 
                                    &lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; DesktopApplicationLinkPath=&quot;%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\ThinClientStart.lnk&quot; /&gt;                  
                                &lt;/start:Group&gt; 
                                &lt;start:Group Name=&quot;Internet&quot;&gt; 
                                  &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge&quot; /&gt;
                                &lt;/start:Group&gt;
                              &lt;/defaultlayout:StartLayout&gt;
                            &lt;/StartLayoutCollection&gt;
                          &lt;/DefaultLayoutOverride&gt;
                        &lt;/LayoutModificationTemplate&gt;
                    ]]&gt;
          &lt;/StartLayout&gt; 
          &lt;Taskbar ShowTaskbar=&quot;true&quot;/&gt; 
            &lt;/Profile&gt;
        &lt;/Profiles&gt;
        &lt;Configs&gt;
            &lt;Config&gt;
                &lt;AutoLogonAccount/&gt;
                &lt;DefaultProfile Id=&quot;{5B328104-BD89-4863-AB27-4ED6EE355485}&quot;/&gt;
            &lt;/Config&gt;
        &lt;/Configs&gt;
    &lt;/AssignedAccessConfiguration&gt;

    0

  15. Bartek 1 week ago

    Hello,

    great article... I was trying to follow it and configure kiosk mode with AD account but I'm getting an error:

    any suggestions?

    0


© 4sysops 2006 - 2019
