Set Up Kiosk Mode with the MDM Bridge


Set up Windows Kiosk mode with the MDM Bridge

Welcome back to our extended series on configuring Kiosk mode in Windows 11! In this post, we’ll explore a hybrid approach that uses PowerShell together with the MDM Bridge. This combined method provides a robust way to set up and manage Kiosk mode by using the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. Unlike the previously discussed Set-AssignedAccess cmdlet, this method allows the following:

  • The assigned access user account can be an AD user account.
  • The assigned app for the Kiosk mode can be a desktop/Win32 application.
  • Arguments/parameters can be specified for the desktop/Win32 application.

For more information about using the MDM Bridge WMI provider in PowerShell to configure Assigned Access, see Use MDM Bridge WMI Provider to create a Windows 10/11 kiosk (Windows 10/11) | Microsoft Learn.

Important: For kiosks in public-facing environments with Autologon enabled, Microsoft’s recommendation is to use a user account with the least privileges, such as a local standard user account.
Using domain user or service accounts has risks and might allow an attacker to gain access to domain resources that are accessible to any domain account. When using domain accounts with assigned access, proceed with caution. Consider deploying policies and controls that restrict the domain user account’s access in order to protect domain resources.

Downloading PsExec

The MDM_AssignedAccess class requires that the PowerShell script be executed in System context. So first, we will need to download the PsExec tool, which is part of the PsTools bundle by Sysinternals. It can be downloaded from here: PsExec – Sysinternals | Microsoft Learn


Next, we will need to extract the downloaded PSTools.zip file.


Executing the PowerShell script

Next, we run the following command to launch a CMD window in system context:

psexec.exe -i -s cmd.exe

From here, we can launch PowerShell or PowerShell ISE from the CMD window. The following PowerShell script snippet enables Kiosk mode for an AD user account using the MDM Bridge WMI Provider. The script also lets us specify the desktop/Win32 app executable and its arguments; in this example, we are specifying Microsoft Edge with the Kiosk mode parameters. For more information about the Edge Kiosk mode parameters, see Configure Microsoft Edge kiosk mode | Microsoft Learn.

# Account that will be assigned to the kiosk (with this method it can be an AD account)
$Account = "CORP\TestUser1"
# Desktop/Win32 app to run and its command-line arguments (Microsoft Edge in kiosk mode here)
$Win32AppPath = "%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"
$Win32AppArgs = "--kiosk www.velessoftware.com --edge-kiosk-type=public-browsing --no-first-run"
# Get the MDM Bridge WMI instance for Assigned Access (the script must run in SYSTEM context)
$AssignedAccess = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_AssignedAccess"
Add-Type -AssemblyName System.Web

# The configuration XML has to be HTML-encoded before it is written to the Configuration property
$AssignedAccess.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
  xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
  xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
>
  <Profiles>
    <Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}">
      <KioskModeApp v4:ClassicAppPath="$($Win32AppPath)" v4:ClassicAppArguments="$($Win32AppArgs)"/>
      <v4:BreakoutSequence Key="Ctrl+Q"/>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>$($Account)</Account>
      <DefaultProfile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"/>
    </Config>
  </Configs>
</AssignedAccessConfiguration>
"@)

# Write the modified instance back through the MDM Bridge to apply the configuration
Set-CimInstance -CimInstance $AssignedAccess

This script passes an assigned access configuration XML to the MDM_AssignedAccess WMI class; in this example, we are using the Microsoft Edge Kiosk XML. For a reference of the various assigned access XML configurations, see Assigned Access configuration kiosk XML reference (Windows 10/11) | Microsoft Learn.
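As an added example that is not part of the original post, the following script wraps the same procedure in functions a practitioner can reuse: it builds the kiosk XML with escaped attribute values, refuses to write MDM_AssignedAccess unless it is actually running as SYSTEM, validates that the XML parses before anything is written, and reads the stored configuration back for inspection. It assumes the post’s account, app path, arguments and profile GUID; the HtmlDecode step on readback is an assumption about how the provider returns the stored value.

```powershell
# Added example, not code from the original post. Assumes the post's account, app path,
# arguments and profile GUID; the HtmlDecode on readback is an assumption about the provider.
$Namespace = 'root\cimv2\mdm\dmmap'
function New-KioskXml {
    param([string]$Account, [string]$AppPath, [string]$AppArgs = '', [string]$Breakout = 'Ctrl+Q')
    $guid = '{AFF9DA33-AE89-4039-B646-3A5706E92957}'
    # Escape & < > " so a path or argument value cannot break (or inject into) the XML.
    $esc = { param($s) [System.Security.SecurityElement]::Escape($s) }
    return @"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config">
  <Profiles>
    <Profile Id="$guid">
      <KioskModeApp v4:ClassicAppPath="$(& $esc $AppPath)" v4:ClassicAppArguments="$(& $esc $AppArgs)"/>
      <v4:BreakoutSequence Key="$(& $esc $Breakout)"/>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>$(& $esc $Account)</Account>
      <DefaultProfile Id="$guid"/>
    </Config>
  </Configs>
</AssignedAccessConfiguration>
"@
}

function Set-KioskConfiguration {
    param([Parameter(Mandatory)][string]$Xml)
    # S-1-5-18 is LocalSystem, the context psexec.exe -i -s provides; MDM_AssignedAccess needs it.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    if ($sid -ne 'S-1-5-18') { throw "Run from SYSTEM context, not $sid" }
    $null = [xml]$Xml   # fail on malformed XML before anything is written to the device
    $aa = Get-CimInstance -Namespace $Namespace -ClassName 'MDM_AssignedAccess'
    $aa.Configuration = [System.Net.WebUtility]::HtmlEncode($Xml)
    Set-CimInstance -CimInstance $aa
}

function Get-KioskConfiguration {
    # Read back and decode the stored configuration so the applied profile can be inspected.
    $raw = (Get-CimInstance -Namespace $Namespace -ClassName 'MDM_AssignedAccess').Configuration
    if ([string]::IsNullOrEmpty($raw)) { return $null }
    if ($raw -like '&lt;*') { $raw = [System.Net.WebUtility]::HtmlDecode($raw) }
    return [xml]$raw
}

$xml = New-KioskXml -Account 'CORP\TestUser1' -AppPath '%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe' `
    -AppArgs '--kiosk www.velessoftware.com --edge-kiosk-type=public-browsing --no-first-run'
Set-KioskConfiguration -Xml $xml
(Get-KioskConfiguration).AssignedAccessConfiguration.Configs.Config.Account
```

Run it from the psexec SYSTEM prompt described above; the last line prints the account the provider actually stored, which is a quick way to confirm the write took effect before restarting.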

Restarting and testing

Once the PowerShell script has been executed, restart the device.


After the device has restarted, sign in with the designated AD user account specified in the PowerShell script.


Once the Kiosk account has signed in, the Edge browser window will load in Edge kiosk mode, which provides an InPrivate browser session with the toolbar, tabs and navigation buttons. The kiosk mode prevents access to the Start menu or anywhere else on the desktop and all keyboard shortcuts will be disabled.

Note: With this method, Ctrl+Alt+Del is blocked and therefore will not work. Instead, you have to use the key combination specified in the following XML line to break out of the Edge Kiosk mode: <v4:BreakoutSequence Key="Ctrl+Q"/>


Disabling Kiosk mode

To deactivate the Kiosk mode, the following PowerShell script can be used. As before, the script must be run in system context.

# Get the MDM Bridge WMI instance for Assigned Access again (run from SYSTEM context)
$AssignedAccess = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_AssignedAccess"
Add-Type -AssemblyName System.Web
# Clearing the Configuration property removes the assigned access configuration
$AssignedAccess.Configuration = $null
Set-CimInstance -CimInstance $AssignedAccess



Implementing Autologon

You may also want to set up automatic logon for your kiosk device. This way, whenever your kiosk device restarts, whether it be from an update or power outage, you can configure the device to sign into the assigned access account automatically.

While Intune and the XML configuration for the MDM Bridge WMI Provider let you set up an Auto Logon Account for your Kiosk mode, they do not support automatic sign-in for either an Azure AD (Entra ID) or an AD user account. For this, we will use the Autologon tool by Sysinternals.

Important: Automatic logon can be enabled with the AutoAdminLogon, DefaultDomainName, DefaultUserName, and DefaultPassword registry keys, or it can be enabled with Group Policy. However, the password is then stored in the registry in clear text. We therefore recommend using Autologon, as the password is encrypted in the registry as an LSA secret. That said, a user with administrative rights can easily retrieve and decrypt it. (For more information, see Protecting the Automatic Logon Password – Win32 apps | Microsoft Learn.)
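As an added example that is not part of the original post, the following script audits the Winlogon registry values the note above lists, flags the clear-text DefaultPassword weak setting and the use of a domain account, and removes the clear-text value so that Autologon.exe can re-enable automatic logon with the password held as an LSA secret instead. It assumes an elevated prompt; the function names are my own, and the LSA secret itself is not inspected.

```powershell
# Added example, not code from the original post: audit the Winlogon registry values
# the note above lists. A populated DefaultPassword is the clear-text weak setting;
# Sysinternals Autologon leaves it empty and keeps the password as an LSA secret instead.
# Assumption: run from an elevated prompt; the LSA secret itself is not inspected here.
function Get-AutologonAudit {
    param([string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
    $wl = Get-ItemProperty -Path $KeyPath
    $domain = [string]$wl.DefaultDomainName
    # A local account shows the machine name (or '.') as its domain; anything else is a domain account.
    $isDomain = $domain -and $domain -ne '.' -and $domain -ne $env:COMPUTERNAME
    $account = if ($domain) { "$domain\$($wl.DefaultUserName)" } else { [string]$wl.DefaultUserName }
    $audit = [pscustomobject]@{
        Enabled           = ($wl.AutoAdminLogon -eq '1')
        Account           = $account
        IsDomainAccount   = [bool]$isDomain
        ClearTextPassword = -not [string]::IsNullOrEmpty($wl.DefaultPassword)
        Findings          = @()
    }
    if ($audit.Enabled -and $audit.ClearTextPassword) {
        $audit.Findings += 'DefaultPassword is stored in clear text; remove it and use Sysinternals Autologon (LSA secret).'
    }
    if ($audit.Enabled -and $audit.IsDomainAccount) {
        $audit.Findings += 'Autologon uses a domain account; restrict what this account can reach on the domain.'
    }
    return $audit
}

function Remove-ClearTextAutologonPassword {
    # Remediation for the weak setting: drop the clear-text value, then re-enable with Autologon.exe.
    param([string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
    Remove-ItemProperty -Path $KeyPath -Name 'DefaultPassword' -ErrorAction SilentlyContinue
}

Get-AutologonAudit | Format-List
```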

Downloading and extracting Autologon

In your browser, navigate to the following URL and click on the link to Download Autologon: Autologon – Sysinternals | Microsoft Learn


Right-click the downloaded zip file and select Extract All.

Select your destination path and then click the Extract button.


The resulting extracted folder should appear as follows.


Copy the Autologon folder to C:\Program Files.

Configuring and enabling Autologon

On the kiosk device, log on with an administrator account and launch Autologon.exe from the Program Files location.
Enter the account username, domain and password that will be used for Autologon and then click the Enable button.


The confirmation prompt will appear. Click OK.


Restarting and testing

Restart the device for the changes to take effect.


Once the device has restarted, the user account will automatically log on.


When the device is configured with Kiosk mode, the selected kiosk application will launch. Otherwise, the device will load the full desktop experience.


In the last post in the series, we will look at how to deploy Windows Kiosk mode and Autologon with MPA Tools.
