Set Up Kiosk Modewith PowerShell

Computer Uptime MPA Tools

Set up Windows Kiosk mode with PowerShell

Welcome back to our Kiosk mode series focusing on setting up kiosk mode in Windows 11! In this second installment, we’ll delve into the PowerShell configuration, a powerful method to streamline the setup process. By leveraging PowerShell, users gain an efficient way to automate kiosk mode configuration and management.

Using the Set-AssignedAccess PowerShell cmdlet

Kiosk mode can be enabled in Windows 11 using the PowerShell cmdlet Set-AssignedAccess. This cmdlet configures the specified user account so that it can use only one Windows Store app. The user cannot exit the app, sign out, or access any system settings.

A screenshot of a computer Description automatically generated

The Set-AssignedAccess cmdlet requires the following. For more information on the cmdlet, see Set-AssignedAccess (AssignedAccess) | Microsoft Learn

  • A Windows UWP app must be provisioned or installed for the assigned access account before they can be selected as the assigned access app.
  • A local standard user account that will be used for the assigned access.

Note: Apps that are generated using the Desktop App Converter (Desktop Bridge) can’t be used as kiosk apps.

For enabling Kiosk mode using an AD user account with PowerShell, see our post titled Set up Kiosk mode with the MDM Bridge WMI Provider.

Using the Kiosk Browser UWP app

In the previous post, we set up the Kiosk mode to use the Edge browser. However, since the latest version of Edge, the Chromium version, is a desktop/Win32 app. Unfortunately, it cannot be used for this scenario because the Set-AssignedAccess cmdlet only supports UWP (AppX and MSIX) applications.

So in this example, we will be using the Kiosk Browser application that is available in the Microsoft App Store (Kiosk Browser – Microsoft Apps).

A screenshot of a computer Description automatically generated

The first thing we will need to do is download the Kiosk Browser app files. One option is to install the Kiosk Browser app directly from the Microsoft App Store using the kiosk mode user account. However, using this method would mean that the assigned access account is linked to a Microsoft account. Also, the app will install in the user profile and will not be installable for other accounts on the device.

In this example, we have downloaded the app files using the Microsoft Office 365 Admin portal so that we can provision the app for all users on the device. This is particularly helpful if the Kiosk device is a shared device and will be used by more that one logon account.

A screenshot of a computer Description automatically generated

Adding Kiosk Browser as a provisioned app

Adding an app package (.appx/.appxbundle) as a provisioned app means that the app will automatically install for each new user that signs in to Windows. The app can be provisioned by doing the following.

Open PowerShell or PowerShell ISE as an administrator.

The following PowerShell script snippet will provision the Kiosk Browser app on the device. Once the app is provisioned, the Kiosk Browser app will automatically be installed for all user accounts on the device (as well as any new user accounts that sign into the device – much like any of the built-in apps like Calculator, Paint 3D, etc.)

$FolderPath = “C:\Users\Administrator\Downloads\Kiosk Browser”
$PackagePath = Join-Path -Path $FolderPath -ChildPath “Microsoft.KioskBrowser_1.0.4.0_neutral_~_8wekyb3d8bbwe.AppxBundle”
$DependencyPackagePath = Get-ChildItem -Path $FolderPath -Filter “*.appx” | Select -ExpandProperty FullName
Add-AppProvisionedPackage -Online -PackagePath $PackagePath -DependencyPackagePath $DependencyPackagePath -SkipLicense

Creating an assigned access account

Next, we will need to create the local assigned access account (if not already done).
The following PowerShell script snippet will create a local standard user account called “Kiosk”

$Password = ConvertTo-SecureString “P@ssw0rd” -AsPlainText -Force
New-LocalUser -Name “Kiosk” -Password $Password -FullName “Kiosk” -Description “Kiosk User Account”

A screenshot of a computer Description automatically generated

Getting the AUMID for the Kiosk Browser app

Next, we will need the Application User Model ID (AUMID) for the Kiosk Browser app. The following PowerShell script snippet will get all the AUMIDs on the device and with filtering, it will return the AUMID specifically for the Kiosk Browser app. For more information regarding AUMID, see Find the Application User Model ID of an installed app – Configure Windows | Microsoft Learn

$InstalledAppList = Get-AppxPackage

$AUMIDList = @()
ForEach ($InstalledApp in $InstalledAppList) {
ForEach ($Id in (Get-AppxPackageManifest $InstalledApp).package.applications.application.id) {
$AUMIDList += $InstalledApp.packagefamilyname + “!” + $Id
}
}

$AUMIDList | Where { $_ -like “*KioskBrowser*” }

A screenshot of a computer program Description automatically generated

Executing the Set-AssignedAccess cmdlet

Now we can execute the Set-AssignedAccess cmdlet using the assigned access account name and AUMID for the Kiosk Browser app.

Set-AssignedAccess -UserName “Kiosk” -AppUserModelId “Microsoft.KioskBrowser_8wekyb3d8bbwe!App”

A screenshot of a computer screen Description automatically generated

Restarting and testing

Next, we will need to restart the device.

After the device has restarted, we will need to sign in with the new Kiosk account, specifying the local account with “.\Kiosk” and entering the password.

A screenshot of a login screen Description automatically generated

Since it is a new account, the profile will be created at first logon.

A screenshot of a blue screen Description automatically generated

Once the Kiosk account has signed in, the Kiosk Browser window will appear in full screen. The kiosk mode prevents access to the Start menu or anywhere else on the desktop and all keyboard shortcuts will be disabled.

A screenshot of a computer Description automatically generated

The Kiosk Browser app interface is restricted further with no toolbars or navigation buttons, or keyboard shortcuts. This may be more suitable for public browsing or product demo kiosk devices.

A screenshot of a computer Description automatically generated

Using the Clear-AssignedAccess PowerShell cmdlet

Lastly, to deactivate the Kiosk mode, the Clear-AssignedAccess PowerShell cmdlet can be used (as shown below). For more information, see Clear-AssignedAccess (AssignedAccess) | Microsoft Learn.

A screenshot of a computer Description automatically generated

A screenshot of a computer program Description automatically generated

Next in the series, we will look at how to set up Windows Kiosk mode with Intune.

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our team.

You have Successfully Subscribed!

Pin It on Pinterest

Share This