How to setup Kiosk mode on Windows 10 with AD user Account

This process is a little bit more straight forward using a local (built-in) windows account. Note at the moment, PowerShell is not capable of configuring AssignedAccess only without having to use the PowerShell WMI Bridge.

Follow the following steps below to have this configured.
Step 1: Ensure all prerequisites are meant
Step 2: Use AutoLogon.exe to configure the automatic logon. In this way, you will not be using the Registry settings for Auto-login.
Download AutoLogon.exe Tool here.

Enable Automatic Logon on Windows 10 via SysInternal Too (AutoLogon.exe)
Note: If this is properly configured now, upon restart, the account (kiosk) configured for autologon will automatically logon. To verify this, use the switch below. See how this is done here.

- launch CMD
- type <whoami>

Auto logon can also be configured via the registry, see the link for this as well.
Note: This step is optional (Export the XML file in order to create a similar layout). This step can be ignored, but to get the best (desired) start layout, configure the start layout and tiles and import them.

Step 3: Create the XML with the MDM WMI Bridge Provider
A configuration XML can define multiple profiles. Then, wrap this in PowerShell by using the MDM bridge to apply the AssignedAccess configuration.

Ensure to save this file below with the PowerShell extension, that is .ps1. Each profile has a unique Id and defines a set of applications that are allowed to run, whether the taskbar is visible etc.

See how a Single App Kiosk Mode Configuration using MDM Bridge WMI Provider is configured. See the link for more details

<pre class="wp-block-syntaxhighlighter-code">$LogonDomain = "YourDomainName"
$User = "YourDomainUserAccount"
function Set-KioskMode {
$User = "$($Domain)\$($UserName)".TrimStart('\')
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = @"
&lt;?xml version="1.0" encoding="utf-8" ?&gt;
&lt;AssignedAccessConfiguration xmlns=""&gt;
        &lt;Profile Id="{6a8bebd2-xxxx-4b5e-8e4b-bc8b9421xxxx}"&gt;
        &lt;App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" /&gt;
        &lt;App DesktopAppPath="C:\Program Files\Notepad++\Notepad++.exe" /&gt;
                &lt;![CDATA[&lt;LayoutModificationTemplate xmlns:defaultlayout="" xmlns:start="" Version="1" xmlns=""&gt;
                      &lt;LayoutOptions StartTileGroupCellWidth="6" /&gt;
                          &lt;defaultlayout:StartLayout GroupCellWidth="6"&gt; 
                            &lt;start:Group Name="Get Started"&gt; 
                                &lt;start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Notepad++.lnk" /&gt;                  
                            &lt;start:Group Name="Internet"&gt; 
                              &lt;start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" /&gt;
      &lt;Taskbar ShowTaskbar="false"/&gt; 
            &lt;DefaultProfile Id="{6a8bebd2-xxxx-4b5e-8e4b-bc8b9421xxxx}"/&gt;
Set-CimInstance -CimInstance $obj
Set-KioskMode -Domain $LogonDomain -UserName $User</pre>

Note: The profile ID needs to be identical and unique all through the file.

More on the CIM cmdlets

Step 4: Run the script
The MDM Bridge WMI provider will be used to configure Notepad++ for the Kiosk (Domain User). 
– The script must run and will be executed in the system context. So it makes sense to have this script placed in C:\Windows\System32 location.

Here is how to use the PsExec Tool how to use it:

Note: If you just select enter here, the script will never run. As it would assume the default standard of No (Nein 😉

You can use the first three lines of the PS1 script to query the Assigned Access MDM to ensure that the code has been injected correctly. Or whenever you update the code and re-inject, you would need to check your changes have been accepted.

Check the $Obj variable to confirm. This will display the Assigned Access Configuration file as shown below. Without following the order, using the object variable will not work and the desired out will not be prompted.

After applying the script, you MUST sign out of the current account that is being used to configure the Assigned Access and login as the Assigned Access user and this will take effect immediately and work as desired.

If you decide to turn the VM off, the Auto logon will automatically logon on the kiosk use as shown below before the settings are applied.

Note: In this step, windows start configuration (apply the XML file), sorting out driers and applying data structures as shown below.

At this point, the “Getting Windows ready”. This includes downloading and installing files or performing some tasks in the background. This can take a while for your device to finish these tasks.

Note: You can add this PowerShell script to a task sequence on WDS (as a post-installation or custom installation).

I welcome you to follow me on Twitter and Facebook. I hope you found this blog post helpful. If you have any questions, please let me know in the comment session

Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x