How to setup Kiosk mode on Windows 10 with AD user Account

Kiosk mode helps you create a dedicated and locked-down user experience on these fixed-purpose devices. Windows 10 offers a set of different locked-down experiences for public or specialized use: assigned access single-app kiosks, assigned access multi-app kiosks, or shell launchers. This process is a little bit more straightforward using a local (built-in) windows account. Note at the moment, PowerShell is not capable of configuring AssignedAccess only without having to use the PowerShell WMI Bridge. Kindly refer to the following related guides: Implementation of Kiosk Mode using Local Settings (Single App Kiosk Setup), Disable or Remove Kiosk Mode Via the Local Settings, how to of Single App Kiosk Mode (AssignedAccess) using Local Settings, About Windows 10 Single / Multi App Kiosk, how to activate Full-Screen (Kiosk Mode) in Internet Explorer, and pre-requisites for setting up a Single and Multi App Kiosk.

Follow the following steps below to have this configured.
Step 1: Ensure all prerequisites are meant
Step 2: Use AutoLogon.exe to configure the automatic logon. In this way, you will not be using the Registry settings for Auto-login.
Download AutoLogon.exe Tool here.

Enable Automatic Logon on Windows 10 via SysInternal Too (AutoLogon.exe)
Note: If this is properly configured now, upon restart, the account (kiosk) configured for autologon will automatically logon. To verify this, use the switch below. See how this is done here.

- launch CMD
- type <whoami>

Auto logon can also be configured via the registry, see the link for this as well.
– Note: This step is optional (Export the XML file in order to create a similar layout). This step can be ignored, but to get the best (desired) start layout, configure the start layout and tiles and import them.

Step 3: Create the XML with the MDM WMI Bridge Provider
A configuration XML can define multiple profiles. Then, wrap this in PowerShell by using the MDM bridge to apply the AssignedAccess configuration.

Ensure to save this file below with the PowerShell extension, that is .ps1. Each profile has a unique Id and defines a set of applications that are allowed to run, whether the taskbar is visible etc. You may want to see how a Single App Kiosk Mode Configuration using MDM Bridge WMI Provider is configured.

<pre class="wp-block-syntaxhighlighter-code">$LogonDomain = "YourDomainName"
$User = "YourDomainUserAccount"
 
function Set-KioskMode {
param(
    [string]$Domain,
    [string]$UserName
)
 
$User = "$($Domain)\$($UserName)".TrimStart('\')
 
$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = @"
&lt;?xml version="1.0" encoding="utf-8" ?&gt;
&lt;AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"&gt;
    &lt;Profiles&gt;
        &lt;Profile Id="{6a8bebd2-xxxx-4b5e-8e4b-bc8b9421xxxx}"&gt;
      &lt;AllAppsList&gt; 
      &lt;AllowedApps&gt; 
        &lt;App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" /&gt;
        &lt;App DesktopAppPath="C:\Program Files\Notepad++\Notepad++.exe" /&gt;
      &lt;/AllowedApps&gt; 
      &lt;/AllAppsList&gt; 
      &lt;StartLayout&gt; 
                &lt;![CDATA[&lt;LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"&gt;
                      &lt;LayoutOptions StartTileGroupCellWidth="6" /&gt;
                      &lt;DefaultLayoutOverride&gt;
                        &lt;StartLayoutCollection&gt;
                          &lt;defaultlayout:StartLayout GroupCellWidth="6"&gt; 
                            &lt;start:Group Name="Get Started"&gt; 
                                &lt;start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Notepad++.lnk" /&gt;                  
                            &lt;/start:Group&gt; 
                            &lt;start:Group Name="Internet"&gt; 
                              &lt;start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" /&gt;
                            &lt;/start:Group&gt;
                          &lt;/defaultlayout:StartLayout&gt;
                        &lt;/StartLayoutCollection&gt;
                      &lt;/DefaultLayoutOverride&gt;
                    &lt;/LayoutModificationTemplate&gt;
                ]]&gt;
      &lt;/StartLayout&gt; 
      &lt;Taskbar ShowTaskbar="false"/&gt; 
        &lt;/Profile&gt;
    &lt;/Profiles&gt;
    &lt;Configs&gt;
        &lt;Config&gt;
            &lt;AutoLogonAccount/&gt;
            &lt;DefaultProfile Id="{6a8bebd2-xxxx-4b5e-8e4b-bc8b9421xxxx}"/&gt;
        &lt;/Config&gt;
    &lt;/Configs&gt;
&lt;/AssignedAccessConfiguration&gt;
"@
 
Set-CimInstance -CimInstance $obj
}
 
Set-KioskMode -Domain $LogonDomain -UserName $User</pre>

Note: The profile ID needs to be identical and unique all through the file.

More on the CIM cmdlets
– https://github.com/microsoftDocs/windows-itpro-docs/issues/3750
–https://devblogs.microsoft.com/powershell/introduction-to-cim-cmdlets/
– https://devblogs.microsoft.com/powershell/cim-cmdlets-some-tips-tricks/

Step 4: Run the script
– The MDM Bridge WMI provider will be used to configure Notepad++ for the Kiosk (Domain User). 
– The script must run and will be executed in the system context. So it makes sense to have this script placed in C:\Windows\System32 location.

Here is how to use the PsExec Tool how to use it:

Note: If you just select enter here, the script will never run. As it would assume the default standard of No (Nein 😉 )

You can use the first three lines of the PS1 script to query the Assigned Access MDM to ensure that the code has been injected correctly. Or whenever you update the code and re-inject, you would need to check your changes have been accepted.

Check the $Obj variable to confirm. This will display the Assigned Access Configuration file as shown below. Without following the order, using the object variable will not work and the desired out will not be prompted.

After applying the script, you MUST sign out of the current account that is being used to configure the Assigned Access and login as the Assigned Access user and this will take effect immediately and work as desired.

If you decide to turn the VM off, the Auto logon will automatically logon on to the kiosk use as shown below before the settings are applied.

Note: In this step, windows start configuration (apply the XML file), sorting out driers and applying data structures as shown below.

At this point, the “Getting Windows ready”. This includes downloading and installing files or performing some tasks in the background. This can take a while for your device to finish these tasks.

Note: You can add this PowerShell script to a task sequence on WDS (as a post-installation or custom installation).

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session