Kiosk mode deployment on Windows 10 with an AD Domain Account

This process is a little bit more straightforward when using a local (built-in) Windows account.

Note: at the moment, PowerShell cannot configure AssignedAccess on its own; it has to go through the MDM Bridge WMI Provider.

Step 1: Ensure all prerequisites are met.
Step 2: Use AutoLogon.exe to configure the automatic logon. This way you do not have to use the registry settings for auto-logon.
Download the AutoLogon.exe tool here: https://docs.microsoft.com/en-us/sysinternals/downloads/autologon

Enable Automatic Logon on Windows 10 via the Sysinternals tool (AutoLogon.exe)
Note: If this is configured properly, the account (kiosk) configured for autologon will log on automatically upon restart. To verify this, use the command below.

See how this is done https://techdirectarchive.com/2020/01/25/enable-automatic-logon-on-windows-10-via-autologon-exe/

- launch CMD
- type whoami

Autologon can also be configured via the registry; see this link as well: https://techdirectarchive.com/2020/01/18/enable-automatic-logon-on-windows-10/

Note: This step is optional (export the Start layout XML in order to create a similar layout). It can be skipped, but to get the desired Start layout, configure the Start layout and tiles, export them and import them.

Step 3: Create the XML with the MDM WMI Bridge Provider
A configuration XML can define multiple profiles. Then, wrap this in PowerShell by using the MDM bridge to apply the AssignedAccess configuration.

Save the file below with the PowerShell extension (.ps1). Each profile has a unique Id and defines the set of applications that are allowed to run, whether the taskbar is visible, etc.

See how a Single App Kiosk Mode configuration using the MDM Bridge WMI Provider is done here: https://techdirectarchive.com/2020/01/24/single-app-kiosk-mode-configuration-using-mdm-bridge-wmi-provider/

$LogonDomain = "YourDomainName"
$User = "YourDomainUserAccount"

function Set-KioskMode {
    param(
        [string]$Domain,
        [string]$UserName
    )

    # Build DOMAIN\user for the kiosk account. TrimStart removes the leading
    # backslash when no domain is given, so a local account also works.
    # (This $User is local to the function and shadows the one above.)
    $User = "$($Domain)\$($UserName)".TrimStart('\')

    # The MDM Bridge WMI Provider exposes the AssignedAccess CSP as a CIM class.
    # Reading and writing it requires running in the SYSTEM context (see Step 4).
    $namespaceName = "root\cimv2\mdm\dmmap"
    $className     = "MDM_AssignedAccess"
    $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className

    # The configuration is an XML document held in the Configuration property.
    # The here-string is double-quoted, so $User is expanded inside the XML.
    $obj.Configuration = @"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
    <Profiles>
        <Profile Id="{6a8bebd2-xxxx-4b5e-8e4b-bc8b9421xxxx}">
            <AllAppsList>
                <AllowedApps>
                    <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
                    <App DesktopAppPath="C:\Program Files\Notepad++\Notepad++.exe" />
                </AllowedApps>
            </AllAppsList>
            <StartLayout>
                <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
                      <LayoutOptions StartTileGroupCellWidth="6" />
                      <DefaultLayoutOverride>
                        <StartLayoutCollection>
                          <defaultlayout:StartLayout GroupCellWidth="6">
                            <start:Group Name="Get Started">
                                <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Notepad++.lnk" />
                            </start:Group>
                            <start:Group Name="Internet">
                              <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
                            </start:Group>
                          </defaultlayout:StartLayout>
                        </StartLayoutCollection>
                      </DefaultLayoutOverride>
                    </LayoutModificationTemplate>
                ]]>
            </StartLayout>
            <Taskbar ShowTaskbar="false"/>
        </Profile>
    </Profiles>
    <Configs>
        <Config>
            <!-- Bind the profile to the domain account built above (DOMAIN\user).
                 <AutoLogonAccount/> would instead make Windows create a managed local
                 account, which is not what this domain-account setup wants. -->
            <Account>$User</Account>
            <DefaultProfile Id="{6a8bebd2-xxxx-4b5e-8e4b-bc8b9421xxxx}"/>
        </Config>
    </Configs>
</AssignedAccessConfiguration>
"@

    # Write the modified instance back through the bridge to apply it.
    Set-CimInstance -CimInstance $obj
}

Set-KioskMode -Domain $LogonDomain -UserName $User

Note: The profile Id must be unique, and the same Id must be used everywhere it appears in the file (the Profile element and the DefaultProfile reference).

More on the CIM cmdlets
https://github.com/microsoftDocs/windows-itpro-docs/issues/3750
https://devblogs.microsoft.com/powershell/introduction-to-cim-cmdlets/
https://devblogs.microsoft.com/powershell/cim-cmdlets-some-tips-tricks/

Step 4: Run the script
The MDM Bridge WMI Provider will be used to configure Notepad++ for the kiosk (domain user).
The script must be executed in the SYSTEM context, so it makes sense to place it in C:\Windows\System32.

Here is how to use the PsExec tool: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

Note: If you just press Enter at this prompt, the script will never run, because the default answer is No (Nein 😉).

You can use the three lines of the PS1 script that set the namespace and class name and call Get-CimInstance to query the AssignedAccess MDM class and make sure the configuration has been injected correctly. Whenever you update the configuration and re-inject it, check in the same way that your changes have been accepted.

Check the $obj variable to confirm. This displays the Assigned Access configuration as shown below. If the lines are not run in that order, the object variable will not be populated and the desired output will not be shown.
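Added here as an example (not the post's own code): a check that reads the configuration back through the same MDM_AssignedAccess class and validates it (the DefaultProfile Id matches a Profile Id, the Id is a real GUID rather than the template placeholder, and each Config names an account). Test-KioskConfiguration is an assumed name; the block relies only on the namespace and class used by Set-KioskMode above and, like it, must run in the SYSTEM context.

```powershell
# Added example, not from the original post. Reads the live AssignedAccess
# configuration (or XML text you pass in) and reports inconsistencies.
function Test-KioskConfiguration {
    param(
        # Optional XML text to check (e.g. before applying) instead of the live config.
        [string]$ConfigurationXml
    )
    if (-not $ConfigurationXml) {
        # Same query as the first three lines of Set-KioskMode; needs the SYSTEM context.
        $obj = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_AssignedAccess'
        $ConfigurationXml = $obj.Configuration
    }
    if (-not $ConfigurationXml) { throw 'No AssignedAccess configuration is present.' }

    $doc = [xml]$ConfigurationXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('aa', 'http://schemas.microsoft.com/AssignedAccess/2017/config')

    $profileIds = @($doc.SelectNodes('//aa:Profiles/aa:Profile', $ns) | ForEach-Object { $_.Id })
    $problems   = @()
    foreach ($config in $doc.SelectNodes('//aa:Configs/aa:Config', $ns)) {
        $default   = $config.SelectSingleNode('aa:DefaultProfile', $ns)
        $defaultId = if ($default) { $default.Id } else { $null }

        # The Id referenced by DefaultProfile must match a Profile Id exactly (see the note above).
        if ($profileIds -notcontains $defaultId) {
            $problems += "DefaultProfile Id '$defaultId' matches none of: $($profileIds -join ', ')"
        }
        # A template Id such as {6a8bebd2-xxxx-...} is not a valid GUID and is rejected by the CSP.
        if ($defaultId -notmatch '^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$') {
            $problems += "Profile Id '$defaultId' is not a well-formed GUID (placeholder left in?)"
        }
        # Each Config needs either a named account (DOMAIN\user) or <AutoLogonAccount/>.
        if (-not $config.SelectSingleNode('aa:Account', $ns) -and -not $config.SelectSingleNode('aa:AutoLogonAccount', $ns)) {
            $problems += 'Config has neither <Account> nor <AutoLogonAccount/>'
        }
    }

    [pscustomobject]@{
        ProfileIds  = $profileIds
        Accounts    = @($doc.SelectNodes('//aa:Config/aa:Account', $ns) | ForEach-Object { $_.InnerText })
        AllowedApps = @($doc.SelectNodes('//aa:AllowedApps/aa:App', $ns) |
                        ForEach-Object { if ($_.AppUserModelId) { $_.AppUserModelId } else { $_.DesktopAppPath } })
        Problems    = $problems   # empty when the configuration is consistent
    }
}

Test-KioskConfiguration | Format-List
```

Run it after Set-KioskMode has been applied; a non-empty Problems list explains why the kiosk profile did not take effect at the next logon.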

After applying the script, you MUST sign out of the account that was used to configure the Assigned Access and log in as the Assigned Access user. The configuration then takes effect immediately and works as desired.

If you decide to turn the VM off, Autologon will automatically log on the kiosk user at the next start, as shown below, before the settings are applied.

Note: At this step, Windows starts applying the configuration (the XML file), sorting out drivers and applying data structures as shown below.

At this point you see "Getting Windows ready". This includes downloading and installing files or performing some tasks in the background, and it can take a while for the device to finish these tasks.

Note: You can add this PowerShell script to a task sequence on WDS (as a post-installation or custom installation).

Kindly leave a comment if you found this article useful.
