Setup Kiosk Mode on Windows 10 with AD User Account
In his guide, we will discuss how to Setup Kiosk Mode on Windows 10 with AD User Account. Kiosk mode helps you create a dedicated and locked-down user experience on these fixed-purpose devices. Please see how to create a Single App Kiosk Mode: Setup Assigned Access using Local Settings. Windows 10 offers a set of different locked-down experiences for public or specialized use: assigned access single-app kiosks, assigned access multi-app kiosks, or shell launchers.
This process is a little bit more straightforward using a local (built-in) Windows account. In this guide, we shall discuss steps to setup Kiosk Mode on Windows 10 with AD User Account.
Note at the moment, PowerShell is not capable of configuring AssignedAccess only without having to use the PowerShell WMI Bridge. Kindly refer to the following related guide: Disable or Remove Kiosk Mode Via the Local Settings,
How to setup Kiosk Mode
Follow the following steps below to have this configured.
- Step 1: Ensure all prerequisites are meant
- Step 2: Use AutoLogon.exe to configure the automatic logon. In this way, you will not be using the Registry settings for Auto-login. Please download AutoLogon.exe Toolere.
Enable Automatic Logon on Windows via SysInternal (AutoLogon.exe)
Note: If this is properly configured now, upon restart, the account (kiosk) configured for autologon will automatically logon.
To verify this, use the switch below. Here is how it is done.
- launch CMD
- type <whoami>You can configure auto logon via the registry. See the Enable Automatic Logon for this as well.
Note: This step is optional (Export the XML file in order to create a similar layout). To achieve the desired start layout, configure the start layout and tiles, and then import them.
Please see how to of Single App Kiosk Mode (AssignedAccess) using Local Settings, About Windows 10 Single / Multi App Kiosk, how to activate Full-Screen (Kiosk Mode) in Internet Explorer, and pre-requisites for setting up a Single and Multi App Kiosk.
Step 3: Create the XML with the MDM WMI Bridge Provider
A configuration XML can define multiple profiles. Then, wrap this in PowerShell by using the MDM bridge to apply the AssignedAccess configuration.
Ensure to save this file below with the PowerShell script with the extension “.ps1”. Each profile has a unique Id and defines a set of applications that are allowed to run, whether the taskbar is visible etc.
<pre class="wp-block-syntaxhighlighter-code">$LogonDomain = "YourDomainName"
$User = "YourDomainUserAccount"
function Set-KioskMode {
param(
[string]$Domain,
[string]$UserName
)
$User = "$($Domain)\$($UserName)".TrimStart('\')
$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = @"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{6a8bebd2-xxxx-4b5e-8e4b-bc8b9421xxxx}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<App DesktopAppPath="C:\Program Files\Notepad++\Notepad++.exe" />
</AllowedApps>
</AllAppsList>
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Get Started">
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Notepad++.lnk" />
</start:Group>
<start:Group Name="Internet">
<start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]>
</StartLayout>
<Taskbar ShowTaskbar="false"/>
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount/>
<DefaultProfile Id="{6a8bebd2-xxxx-4b5e-8e4b-bc8b9421xxxx}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
"@
Set-CimInstance -CimInstance $obj
}
Set-KioskMode -Domain $LogonDomain -UserName $User</pre>Note: The profile ID needs to be identical and unique all through the file.
See how a Single App Kiosk Mode Configuration using MDM Bridge WMI Provider is configured, and how to Fix Windows Security Blank Screen Issue.
Step 4: Run the script
The MDM Bridge WMI provider will be used to configure Notepad++ for the Kiosk (Domain User). The script must run and will be executed in the system context.
So it makes sense to have this script placed in C:\Windows\System32 location. Here is how to use the PsExec PsExecTool how to use it:
Note: If you just select enter here, the script will never run. As it would assume the default standard of No (Nein 😉 )
You can use the first three lines of the PS1 script to query the Assigned Access MDM to ensure that the code has been injected correctly. Or whenever you update the code and re-inject, you would need to check your changes have been accepted.
Check the $Obj variable to confirm. This will display the Assigned Access Configuration file as shown below.
Note: Without following the order, using the object variable will not work and the desired out will not be prompted.
Signout and Sign-in with the Assigned Access Account
After applying the script. You MUST sign out of the current account that is being used to configure the Assigned Access. Then login as the Assigned Access user and this will take effect immediately and work as desired.
Note: If you decide to turn the VM off, the Auto logon will automatically logon on to the kiosk use as shown below before the settings are applied.
Note: In this step, windows start configuration (apply the XML file), sorting out driers and applying data structures as shown below.
At this point, the “Getting Windows ready”. This includes downloading and installing files or performing some tasks in the background. This can take a while for your device to finish these tasks.
Note: You can add this PowerShell script to a task sequence on WDS (as a post-installation or custom installation).
I hope you found this blog post helpful on how to setup Kiosk Mode on Windows 10 with AD User Account. If you have any questions, please let me know in the comment session
So where is the Ad users password configured
Please, try to read this guide up. Upon restart, the kiosk accounts automatically sign in. Why do you need a password for this case?
Hello,
I have stucked with $obj. Doesn’t start your script
hmm, now i run $obj, but he still creating local user… doesn’t run on AD user
Hello, how are you accessing the device? This should point you to the fix. Also, if you wish to use a local acct, then this guide has all the information you need: https://techdirectarchive.com/2020/01/24/single-app-kiosk-mode-configuration-using-mdm-bridge-wmi-provider/