Setting up Windows 10 1809 in kiosk mode using Intune is really easy and beautiful. If you have the chance, be sure to test it out. The kiosk mode in Microsoft Edge is great. We can configure a reset after idle time and configure the behavior of Microsoft Edge in kiosk, single, or multi-app mode. An example might look like the screenshot below:
Configure Edge for kiosk/assigned access with a local account
I recommend a local account when using Windows 10 in kiosk/assigned access so you don't expose domain credentials. To do this (during operating system deployment using Configuration Manager for instance) we can simply run a PowerShell script:
$usrname = 'Kiosk'
$PlainPassword = "Kiosk0!234"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
New-LocalUser -Name $usrname -Password $SecurePassword -PasswordNeverExpires -UserMayNotChangePassword
Set-AssignedAccess -AppUserModelId Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge -UserName $usrname
The script performs these actions:
- Creates a local user named "Kiosk"
- Sets a password for that user
- Configures Microsoft Edge to run in kiosk/assigned access for the local user named "Kiosk"
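The same provisioning, as an added example that is not part of the original post: the password is generated from the OS random number generator instead of being hard-coded, the script is safe to re-run (a task sequence retry only rotates the password), and the account is checked against the local Administrators group (looked up by its well-known SID, so the check works on non-English installations too) before assigned access is set. It assumes Windows 10 1809 or later with the LocalAccounts and AssignedAccess modules present.

```powershell
# Added example; not the post's own script. Provisions a local kiosk account with a
# random password and refuses to continue if the account is a local administrator.
function New-KioskLocalAccount {
    param(
        [string]$UserName = 'Kiosk',
        [string]$AppUserModelId = 'Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge'
    )

    # 20 bytes from the OS CSPRNG, base64-encoded: nobody ever types this password,
    # it only has to reach the autologon configuration later in the deployment.
    $bytes = New-Object byte[] 20
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    $existing = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
    if ($existing) {
        # Idempotent: re-running (e.g. a task sequence retry) just rotates the password.
        Set-LocalUser -Name $UserName -Password $secure -PasswordNeverExpires $true
    } else {
        New-LocalUser -Name $UserName -Password $secure -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
    }

    # Least privilege: a kiosk account must never be a local administrator.
    # S-1-5-32-544 is the Administrators group on every OS language ("Administratörer" included).
    $admins  = Get-LocalGroup -SID 'S-1-5-32-544'
    $userSid = (Get-LocalUser -Name $UserName).SID
    $member  = Get-LocalGroupMember -Group $admins -ErrorAction SilentlyContinue |
        Where-Object { $_.SID -eq $userSid }
    if ($member) {
        throw "$UserName is a member of the local Administrators group; refusing to configure assigned access."
    }

    Set-AssignedAccess -AppUserModelId $AppUserModelId -UserName $UserName

    # Hand the credential back so the same deployment script can configure autologon.
    return New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

$cred = New-KioskLocalAccount
"Configured assigned access for local account $($cred.UserName)"
```

The returned PSCredential is the only place the generated password lives until it is written to the autologon configuration, so keep that step in the same deployment run rather than logging the value anywhere.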
Configure Edge kiosk/assigned access with an AD domain account
This is really easy, but if we want to use a domain account, it becomes much harder, since we can't use the built-in PowerShell command to configure assigned access for a domain account. However, we have the PowerShell WMI Bridge.
The PowerShell script below will use the PowerShell WMI Bridge to configure Microsoft Edge for "User1" in the "CCMEXEC" domain. Note: The script must be executed in System context.
$LogonDomain = "CCMEXEC"
$User = "Kiosk"

function Set-KioskMode {
    param(
        [string]$Domain,
        [string]$UserName
    )
    # DOMAIN\User; TrimStart removes the leading backslash if no domain is given
    $Account = "$($Domain)\$($UserName)".TrimStart('\')
    $namespaceName = "root\cimv2\mdm\dmmap"
    $className = "MDM_AssignedAccess"
    $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className

    $xml = @"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config">
  <Profiles>
    <Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}">
      <KioskModeApp AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"/>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>$($Account)</Account>
      <DefaultProfile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"/>
    </Config>
  </Configs>
</AssignedAccessConfiguration>
"@
    # The MDM bridge expects the Configuration value as escaped XML (&lt; &gt; &quot;);
    # passing raw XML makes Set-CimInstance fail with a general error
    $obj.Configuration = [System.Security.SecurityElement]::Escape($xml)
    Set-CimInstance -CimInstance $obj
}

Set-KioskMode -Domain $LogonDomain -UserName $User
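A check to run before and after that script, as an added example (not code from the original post): it confirms the two prerequisites the WMI bridge has in practice (SYSTEM context and the presence of the MDM_AssignedAccess class in root\cimv2\mdm\dmmap) and reads the stored configuration back so the account and app can be verified instead of trusting that Set-CimInstance returned without error. It assumes the bridge returns the Configuration value XML-escaped, the same form it expects on input; HtmlDecode leaves a string without entities unchanged, so the decode is harmless either way.

```powershell
# Added example; not the post's own script. Verifies the bridge prerequisites and
# reads the assigned access configuration back from MDM_AssignedAccess.
$BridgeNamespace = 'root\cimv2\mdm\dmmap'
$BridgeClass     = 'MDM_AssignedAccess'

function Test-KioskBridgePrerequisites {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $identity.IsSystem) {
        throw "MDM_AssignedAccess must be accessed as SYSTEM (currently $($identity.Name)); use psexec -s or a task sequence step."
    }
    # The namespace/class only exist on versions and editions that ship the MDM bridge.
    Get-CimClass -Namespace $BridgeNamespace -ClassName $BridgeClass -ErrorAction Stop | Out-Null
}

function Get-KioskMode {
    $obj = Get-CimInstance -Namespace $BridgeNamespace -ClassName $BridgeClass
    if ([string]::IsNullOrEmpty($obj.Configuration)) {
        return $null   # nothing configured yet
    }
    # Assumption: the value comes back escaped, so decode before parsing.
    [xml]$xml = [System.Net.WebUtility]::HtmlDecode($obj.Configuration)
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('aa', 'http://schemas.microsoft.com/AssignedAccess/2017/config')

    $account = $xml.SelectSingleNode('//aa:Config/aa:Account', $ns)
    $app     = $xml.SelectSingleNode('//aa:Profile/aa:KioskModeApp', $ns)   # absent for multi-app profiles
    $profile = $xml.SelectSingleNode('//aa:Config/aa:DefaultProfile', $ns)
    [pscustomobject]@{
        Account = if ($account) { $account.InnerText } else { $null }
        App     = if ($app)     { $app.GetAttribute('AppUserModelId') } else { '(multi-app profile)' }
        Profile = if ($profile) { $profile.GetAttribute('Id') } else { $null }
    }
}

Test-KioskBridgePrerequisites
$expectedAccount = 'CCMEXEC\Kiosk'   # the account the post's script configures
$current = Get-KioskMode
if ($null -eq $current) {
    'No assigned access configuration present on this machine'
} elseif ($current.Account -ne $expectedAccount) {
    "Unexpected kiosk account '$($current.Account)' (expected $expectedAccount)"
} else {
    "Kiosk account $($current.Account) runs $($current.App) via profile $($current.Profile)"
}
```

Running the prerequisite check first turns the unhelpful "general error" into a readable message about the actual cause (wrong identity or a missing bridge class) before anything is written.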
Configure Microsoft Edge using Group Policy
Windows 10 1809 introduces new Microsoft Edge Group Policies we can use to configure Microsoft Edge in kiosk mode. Here are the Group Policies I have configured in my example.
The two new settings are "Configure kiosk mode" and "Configure kiosk reset after idle timeout" where we configure the use of Microsoft Edge in multi-app mode or single-app mode and the idle timeout before it refreshes the session. I use the "Configure Start pages" Group Policy to set the start page for the kiosk as well. It's really simple.
And this is the policy that sets the idle timeout:
Configure autologon using Group Policy Preferences
I prefer to configure autologon using Group Policy Preferences, so you can easily change the password. You could configure it during operating system deployment as well of course or by using a script. I have two different organizational units (OUs): one for the kiosk with the local logon and one for computers for the domain account to log onto. We could filter this using security groups as well, but the functionality is the same, and I use the same Group Policy Object (GPO) to configure the OS and Microsoft Edge in kiosk mode as well.
The autologon registry keys are basically the same; for the kiosk GPO that uses a local user, simply remove the DefaultDomainName registry key.
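The same two variants done with a script instead of Group Policy Preferences, as an added example that is not part of the original post: one function writes the Winlogon autologon values for a local or a domain kiosk account and removes DefaultDomainName in the local case, exactly as the two GPOs above differ; a second reads the values back for verification. It assumes it runs elevated on the kiosk machine.

```powershell
# Added example; not the post's own script. Script equivalent of the autologon GPOs.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Set-KioskAutoLogon {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Domain = ''   # leave empty for a local kiosk account
    )
    # DefaultPassword is stored in clear text and the Winlogon key is readable by every
    # local user, so the kiosk account must hold no rights beyond the kiosk itself.
    $plain = $Credential.GetNetworkCredential().Password
    Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon  -Value '1' -Type String
    Set-ItemProperty -Path $WinlogonKey -Name DefaultUserName -Value $Credential.UserName -Type String
    Set-ItemProperty -Path $WinlogonKey -Name DefaultPassword -Value $plain -Type String
    if ($Domain) {
        Set-ItemProperty -Path $WinlogonKey -Name DefaultDomainName -Value $Domain -Type String
    } else {
        # A stale DefaultDomainName makes Winlogon try DOMAIN\Kiosk instead of the local account,
        # which shows up as the "Welcome" flash followed by a return to the password prompt.
        Remove-ItemProperty -Path $WinlogonKey -Name DefaultDomainName -ErrorAction SilentlyContinue
    }
}

function Get-KioskAutoLogon {
    $p = Get-ItemProperty -Path $WinlogonKey
    [pscustomobject]@{
        Enabled     = ($p.AutoAdminLogon -eq '1')
        User        = $p.DefaultUserName
        Domain      = $p.DefaultDomainName   # $null for a local account
        HasPassword = -not [string]::IsNullOrEmpty($p.DefaultPassword)
    }
}

# Usage: local kiosk account (password prompted here; in a deployment it comes from the provisioning step)
$cred = Get-Credential -UserName 'Kiosk' -Message 'Kiosk account password'
Set-KioskAutoLogon -Credential $cred
Get-KioskAutoLogon

# Domain kiosk account instead:
# Set-KioskAutoLogon -Credential $cred -Domain 'CCMEXEC'
```

Because both the GPP item and this script leave the password readable on the machine, the Sysinternals Autologon tool, which stores it as an LSA secret instead of in DefaultPassword, is worth considering where that exposure matters; the account's privileges, not the storage, remain the real control.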
Deployment with a Configuration Manager task sequence
How do we deploy the kiosk machines then? Well, in my lab, I use my own PowerShell front-end, which is not worth mentioning here. You can use collection variables, computer variables, or a front-end where you can select which kiosk you want to deploy. In the Task Sequence, I filter the group based on a Task Sequence Variable. I follow these steps:
- Run the PowerShell script to configure kiosk/assigned access
- Move the computer to the correct OU
- Restart the computer
- Set SMSTSPostAction to run "cmd /c shutdown /r /t 60 /f"; by the time that reboot happens the correct GPO has been applied, so autologon works after the first reboot. You could add a GPUpdate as well if necessary.
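How a script step inside the task sequence reads the variable the groups are filtered on and sets SMSTSPostAction, as an added example (not the post's own front-end or task sequence): it uses the Microsoft.SMS.TSEnvironment COM object that Configuration Manager exposes to running steps, and fails with a clear message when run outside a task sequence, where that class is not registered. The variable name KioskType and its values LocalKiosk and DomainKiosk are assumptions for illustration.

```powershell
# Added example; not the post's own code. Reads the kiosk selection variable and sets
# the post-action reboot from a "Run PowerShell Script" task sequence step.
function Get-TSEnvironment {
    try {
        New-Object -ComObject Microsoft.SMS.TSEnvironment
    } catch {
        # Outside a running task sequence the COM class does not exist.
        throw 'Not running inside a task sequence: Microsoft.SMS.TSEnvironment is unavailable.'
    }
}

function Set-KioskPostAction {
    param([Parameter(Mandatory)]$TSEnv)

    $kioskType = $TSEnv.Value('KioskType')   # hypothetical variable set by the front-end / collection variable
    if ($kioskType -notin @('LocalKiosk', 'DomainKiosk')) {
        throw "KioskType is '$kioskType'; expected LocalKiosk or DomainKiosk. Refusing to continue."
    }

    # Reboot 60 s after the task sequence finishes; by then the computer sits in its OU
    # and Group Policy has applied the autologon values, as the post describes.
    $TSEnv.Value('SMSTSPostAction') = 'cmd /c shutdown /r /t 60 /f'
    return $kioskType
}

$tsenv = Get-TSEnvironment
$type  = Set-KioskPostAction -TSEnv $tsenv
"Kiosk type: $type; SMSTSPostAction = $($tsenv.Value('SMSTSPostAction'))"
```

Validating the variable before the OU move and reboot is the useful part: a typo in a collection variable otherwise produces a machine that has rebooted into the wrong OU with no autologon, which is much slower to diagnose than a failed step.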
Configuring the kiosk mode step that runs the script
For the step that moves the computer to the correct OU, I use the script I blogged about here. We could also use a web service as long as we move the computer to the correct OU.
And the next step configures the SMSTSpostaction.
That's it! We now have a script for configuring a Windows 10 1809 system in kiosk mode using either a local user account or a domain user account. The latter one is a bit more challenging to configure.
Jörgen,
In your first script example you have:
I believe you meant:
(notice the dash on the "UserMayNotChangePassword" switch)
otherwise great article.
Hi,
Thanks updated the post!
/Jörgen
If kiosk users are restricted to browsing specific sites, it's possible to achieve this by setting these values in HKCU:
Powershell script:
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyServer -Value "127.0.0.1:8000"
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyEnable -Value 1
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyOverride -Value "*.mydomain.com;*.microsoftonline.com;*.office.com;*.mail.google.com;*.sharepoint.com"
It sets a fake proxy and port, enables proxy settings and ProxyOverride setting configures the allowed exceptions.
Regards /Joachim
While that will work, isn’t it a bit of a hack?
Hi,
Yes, it is a bit of a hack, but as there is no other way to configure Assigned Access/Kiosk with a domain account except for MDM, there are not many options. As I wrote, I recommend that you test it through Intune, but not everyone can use Intune yet, for different reasons.
Regards,
Jörgen
Hi,
Trying to use the script to create a local account, and get this output:
ConvertTo-SecureString : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input.
At line:3 char:36
+ … assword = $PlainPassword | ConvertTo-SecureString -AsPlainText Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Kiosk0!234:String) [ConvertTo-SecureString], ParameterBindingException
+ FullyQualifiedErrorId : InputObjectNotBound,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand
New-LocalUser : Cannot validate argument on parameter ‘Password’. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:4 char:37
+ New-LocalUser -Name Kiosk -Password $SecurePassword -PasswordNeverExp …
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [New-LocalUser], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.NewLocalUserCommand
User was not found. Enter a valid local account UserName or UserSID
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psm1:236 char:9
+ throw $SCStringTable.ErrorUserNotFound
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (User was not fo…Name or UserSID:String) [], RuntimeException
+ FullyQualifiedErrorId : User was not found. Enter a valid local account UserName or UserSID
I just copied your example; is there something I'm missing?
Thanks!
@jorgen-nilsson
@loveArvidsson
In the first PowerShell example you should replace the third line with this one:
Thanks!
That worked better! 🙂
Now the user gets created as specified, but a new error has occurred:
“C:\windows\system32\net.exe : Systemerror 1376 has occured.
At line:1 char:1
+ C:\windows\system32\net.exe localgroup administrators
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Systemfel 1376 har uppst†tt.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
The local Group does not exist.”
It's looking for the "administrators" group (and I don't know why, I'm not trying to add the account to it) and it doesn't find it, because we run a Swedish OS and it's called "Administratörer".
But, why does it look for this Group at all?
Woohoo, fixed it with this:
New-LocalGroup -Name "Administrators"
Add-LocalGroupMember -Group "Administratörer" -Member "administrators"
But, anyone know why it needs to be in this group? Won't this give the user admin rights? (which we don't want)
Good Afternoon,
In your WMI Bridge script, where do I configure the Start page?
I would like to run a kiosk using an AD account.
Hey,
I can't seem to get kiosk mode and auto login to work together (both work independently). Is that not a thing?
Thanks
Chris
Hi Jörgen,
Is it possible for you to share screenshots of your task sequence to deploy Win 10 kiosk mode? Under what group have you added the steps you mentioned in this post?
thanks,
I followed the steps here to add a domain user to assigned access. Anyone ever experience an issue using a domain account with Edge to open an internal SharePoint site and Edge not passing through the credentials? I am testing Kiosk Mode and every time it logs in I am prompted for credentials on the SharePoint site. We have verified that it has access, but we have not been able to get this to work. Any help is appreciated. Thank you
Hi – Have you found any kind of solution? We have the same kind of issue in kiosk mode with Edge on our intranet pages where ADFS is in use. SSO is not working. Any help is appreciated. Thanks!
Hi. Unfortunately M. Niehaus confirmed:
I don’t see any way to do that – InPrivate mode always disables integrated authentication.
There are settings for the Kiosk Browser to “Enable End Session Button” and “Restart on Idle Time” though, https://docs.microsoft.com/en-us/windows/configuration/guidelines-for-assigned-access-app.
Regs Kari
Nice work. One question. Is it possible to deploy favorites in Edge even when it is in kiosk mode? I tried setting the GPOs "Configure Favorites" and "Configure Favorites Bar", but neither the favorites nor the favorites bar is showing up. Instead Edge says that "some settings are managed by your organisation".
I need my laptop to be in a domain but the local account is what I intend to use for the assigned access account. I have it so Edge is in kiosk mode, however, the initial website that loads is one that is defined to our intranet site. If I press the home button, the correctly assigned website loads. However, when I press End Session, it takes you right back to the intranet. How can I prevent this, as I like to deploy the laptop through kiosk mode.
Thank you for posting this. I tried the method to use a domain account, but it is not working. I used PsExec to run PowerShell in the system context. I replaced the username and domain with my information; otherwise everything is exactly the same. I ran the script and came across the following error. Is there something that I am missing?
PS C:\temp> .\kiosk.ps1
Set-CimInstance : A general error occurred that is not covered by a more specific error code.
At C:\temp\kiosk.ps1:37 char:1
+ Set-CimInstance -CimInstance $obj
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (MDM_AssignedAcc…./Vendor/MSFT"):CimInstance) [Set-CimInstance], CimException
+ FullyQualifiedErrorId : MI RESULT 1,Microsoft.Management.Infrastructure.CimCmdlets.SetCimInstanceCommand
I am also getting the following error :
"Set-CimInstance : A general error occurred that is not covered by a more specific error code."
Unsure on what I can do to clear this and test further.
Hi there – I have been getting around the error by using your HTML markup; is there a reason we can't use XML <> instead of the HTML?
I've got it working with escaped xml, but it is not showing my custom start menu just yet:
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}">
      <AllAppsList>
        <AllowedApps>
          <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
          <App DesktopAppPath="c:\windows\system32\CLEANMGR.exe" />
          <App DesktopAppPath="c:\windows\system32\userinit.exe" />
          <App DesktopAppPath="c:\windows\system32\DisableLogonScript.cmd" />
          <App DesktopAppPath="c:\windows\system32\cmd.exe" />
        </AllowedApps>
      </AllAppsList>
      <StartLayout>
        <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
          <LayoutOptions StartTileGroupCellWidth="6" />
          <DefaultLayoutOverride>
            <StartLayoutCollection>
              <defaultlayout:StartLayout GroupCellWidth="6">
                <start:Group Name="Get Started">
                  <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\ThinClientStart.lnk" />
                </start:Group>
                <start:Group Name="Internet">
                  <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
                </start:Group>
              </defaultlayout:StartLayout>
            </StartLayoutCollection>
          </DefaultLayoutOverride>
        </LayoutModificationTemplate>
        ]]>
      </StartLayout>
      <Taskbar ShowTaskbar="true"/>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <AutoLogonAccount/>
      <DefaultProfile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}"/>
    </Config>
  </Configs>
</AssignedAccessConfiguration>
Hello,
great article... I was trying to follow it and configure kiosk mode with an AD account, but I'm getting an error:
any suggestions?
Hi Bartek,
I am getting the same error "Configuration cannot be found". Did you find a solution to this issue?
Having an issue with the auto logon, all reg keys exist, user kiosk account has no password and is a domain account, but when the machines are turned on, they appear to attempt to logon, I see a "welcome" below the user name, then it returns to a password prompt.
@Bartek & Omar
Note: The script must be executed in System context.
Download: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
Start "cmd" and type psexec.exe -i -s cmd
after that type start powershell and execute the script above
You have to run Set-ExecutionPolicy Unrestricted before you can run the script.
Assuming I want to do it the same exact way as if I was doing this through the Kiosk Mode GUI. The account doesn't have a password, so would it work if I left $PlainPassword = "" ?
Also, is it possible to set the specific website? I just want the digital signage single website option. Also, if it errors in any way, automatically relaunch, which is part of the options when doing this through the GUI.
I have the same question: how do I set up the Edge home page in kiosk/assigned access?
Thank you Jörgen for sharing the above solution.
Do you plan to update the guide to work with the new Chromium Edge browser?
Especially the part related to Assigned access with Domain account.
Thank you
Question:
The script for the AD user kiosk works, but I get an error saying it can't start the application. Do I need to make any changes to it in order to get it to start Edge?