Let's be clear: there are easier ways of doing this, but I am not looking for a cut-corners solution. I have built a multi-app kiosk with PowerShell scripts, because Windows 11 multi-app kiosks are not really thought through.
Win11 leaves too much wiggle room for the kiosk user, so I build the Assigned Access configuration by hand. And oh boy, what problems that creates…
So in short, I build a kiosk that has the basics in place. Let's say browsers, Nomacs – Image Lounge, shutdown and Explorer.
The setup is quite basic. Last month Microsoft did something to Windows 11: when you run this kind of kiosk, you lose the ability to see the desktop after the 2024-10 cumulative update. I have not seen why this is, but it is what it is.
So now you have to make your own taskbar icons, so that you have a Start menu and taskbar that let your kiosk user function properly. I would rather have had the desktop, but M$ doesn't agree.
Limiting Win11 kiosk experience
So here is a base setup for you if you choose to go this way. There is a lot of uncertainty around this, so I wouldn't recommend it unless you want the extra security.
Create an Assigned Access configuration file | Microsoft Learn
My idea is to use XML and have kioskuser0 added to the Guests group. This restricts access quite a bit: the user will only be allowed to use locally installed applications, with no UWP apps available.
Everything needs to be set up in the XML, which is then imported with PowerShell; I package it as an app install so it can be deployed with Intune. PowerShell also registers scheduled tasks, so nothing is left behind after the session is rebooted: all downloads are removed at logon and at shutdown.
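As an added example (not the post's own script), this is how that cleanup can be registered with PowerShell's scheduled-task cmdlets. Assumptions: the kiosk account is KioskUser0 with its profile under C:\Users\KioskUser0, and the cleanup script is kept at C:\ProgramData\Kiosk\Clear-KioskDownloads.ps1; because there is no native shutdown trigger, a startup trigger stands in for the "on shutdown" pass.

```powershell
$kioskUser  = 'KioskUser0'                         # assumption: the kiosk account name
$scriptDir  = 'C:\ProgramData\Kiosk'               # assumption: where the cleanup script is kept
$scriptPath = Join-Path $scriptDir 'Clear-KioskDownloads.ps1'
$downloads  = "C:\Users\$kioskUser\Downloads"

New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null

# The cleanup itself: empty the kiosk user's Downloads folder. Written as a separate file
# under ProgramData, where the Guests-group kiosk account cannot modify it.
@"
`$target = '$downloads'
if (Test-Path -LiteralPath `$target) {
    Get-ChildItem -LiteralPath `$target -Force |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
}
"@ | Set-Content -Path $scriptPath -Encoding UTF8

# Run hidden and non-interactively; the execution policy is bypassed only for this one file.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$scriptPath`""

# Two triggers: when the kiosk account signs in, and when the machine boots. There is no
# native shutdown trigger, so the boot trigger stands in for the "on shutdown" pass and
# clears whatever the previous session left behind before the next one starts.
$triggers = @(
    (New-ScheduledTaskTrigger -AtLogOn -User $kioskUser),
    (New-ScheduledTaskTrigger -AtStartup)
)

# SYSTEM owns the task, so the kiosk account can neither edit nor disable it.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable

Register-ScheduledTask -TaskPath '\Kiosk\' -TaskName 'Clear-KioskDownloads' -Action $action `
    -Trigger $triggers -Principal $principal -Settings $settings -Force | Out-Null
```

Run it once as an administrator (for example from the same Intune app install); afterwards the task shows up under Task Scheduler Library\Kiosk.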
# Specify the username of the user you want to add to the Guests group
$username = "KioskUser0"
# Check if the user exists
$user = Get-LocalUser -Name $username -ErrorAction SilentlyContinue
if ($user) {
    # Check if the Guests group exists (well-known SID, so this also works on a localized Windows)
    if (Get-LocalGroup -SID "S-1-5-32-546" -ErrorAction SilentlyContinue) {
        Add-LocalGroupMember -SID "S-1-5-32-546" -Member $username
        Write-Host "User '$username' successfully added to the 'Guests' group."
        # Set password to never expire; this only runs when the user actually exists
        $user | Set-LocalUser -PasswordNeverExpires $true
        Write-Host "Password for '$username' set to never expire."
    } else {
        Write-Host "Error: The 'Guests' group does not exist."
    }
} else {
    Write-Host "Error: User '$username' does not exist."
}
For me this is a key feature. You really do need to do this when using Win11. Well, that is my opinion, of course.
I don't want to bore you with massive texts, so let's put the key piece here to emphasize what was assigned in this example:
<AllowedApps>
<App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<App AppUserModelId="Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.Windows.Explorer!App" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
<App DesktopAppPath="%Programfiles%\Adobe\Acrobat DC\Acrobat\Acrobat.exe" />
<App DesktopAppPath="%Programfiles%\Google\Chrome\Application\chrome.exe" />
<App DesktopAppPath="%windir%\system32\shutdown.exe" />
<App DesktopAppPath="%windir%\system32\Notepad.exe" />
<App DesktopAppPath="%Programfiles%\nomacs - Image Lounge\bin\nomacs.exe" />
</AllowedApps>
</AllAppsList>
<v2:FileExplorerNamespaceRestrictions>
<v2:AllowedNamespace Name="Downloads"/>
<v3:AllowRemovableDrives/>
</v2:FileExplorerNamespaceRestrictions>
<win11:StartPins>
<![CDATA[{
"pinnedList":[
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Kiosk\\Notepad.lnk"},
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\nomacs - Image Lounge.lnk"},
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe Acrobat.lnk"},
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"},
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Firefox.lnk"},
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Google Chrome.lnk"},
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Kiosk\\sulje istunto.lnk"},
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Kiosk\\File Explorer.lnk"}
]
}]]>
</win11:StartPins>
<Taskbar ShowTaskbar="true"/>
<win11:TaskbarLayout>
<![CDATA[
<LayoutModificationTemplate
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Firefox.lnk"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Kiosk\Notepad.lnk"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\nomacs - Image Lounge.lnk"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat.lnk"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Kiosk\sulje istunto.lnk"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Kiosk\File Explorer.lnk"/>
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
]]>
</win11:TaskbarLayout>
This is NOT the whole Assigned Access configuration. It is only an example that has the required parts, so please don't use it as the "whole XML", because it isn't. You need to put in your own layout, but you can use this as an example.
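Before importing, it is worth checking that every path in the fragment actually resolves on the target machine, because a typo in a path or a missing comma in the StartPins JSON is easy to miss by eye. The validation script below is an added example, not from the post; it assumes the full configuration is saved at C:\ProgramData\Kiosk\AssignedAccess.xml.

```powershell
$configPath = 'C:\ProgramData\Kiosk\AssignedAccess.xml'   # assumption: your saved full config
[xml]$config = Get-Content -LiteralPath $configPath -Raw
$problems = New-Object 'System.Collections.Generic.List[string]'

# local-name() sidesteps the v2/v3/win11 namespace prefixes, so the XPath works
# whichever schema versions the file declares.
foreach ($app in $config.SelectNodes("//*[local-name()='App']")) {
    $path = $app.GetAttribute('DesktopAppPath')
    if (-not $path) { continue }   # AUMID entries have no file path to check
    $expanded = [Environment]::ExpandEnvironmentVariables($path)
    if (-not (Test-Path -LiteralPath $expanded)) {
        $problems.Add("AllowedApps: '$path' not found at '$expanded'")
    }
}

# StartPins carries JSON inside CDATA; ConvertFrom-Json fails loudly on a missing comma.
foreach ($pins in $config.SelectNodes("//*[local-name()='StartPins']")) {
    try {
        $list = ($pins.InnerText | ConvertFrom-Json).pinnedList
    } catch {
        $problems.Add("StartPins: JSON does not parse - $($_.Exception.Message)")
        continue
    }
    foreach ($entry in $list) {
        if (-not $entry.desktopAppLink) { continue }
        $lnk = [Environment]::ExpandEnvironmentVariables($entry.desktopAppLink)
        if (-not (Test-Path -LiteralPath $lnk)) { $problems.Add("StartPins: shortcut missing '$lnk'") }
    }
}

# TaskbarLayout holds its own XML inside CDATA; every pinned .lnk must exist as well.
foreach ($layout in $config.SelectNodes("//*[local-name()='TaskbarLayout']")) {
    if (-not $layout.InnerText.Trim()) { continue }
    [xml]$tb = $layout.InnerText
    foreach ($pin in $tb.SelectNodes("//*[local-name()='DesktopApp']")) {
        $lnk = [Environment]::ExpandEnvironmentVariables($pin.GetAttribute('DesktopApplicationLinkPath'))
        if (-not (Test-Path -LiteralPath $lnk)) { $problems.Add("Taskbar: shortcut missing '$lnk'") }
    }
}

if ($problems.Count -eq 0) { 'No problems found.' } else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Run it on the kiosk machine itself (or in the Intune install script before the import), since the paths are resolved against the local install.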
How Windows 11 kiosk looks
A virtual machine will get the desktop, so bear this in mind. Because this is a virtual machine, it will actually show the public desktop icons. That is why a full-screen Explorer window is open here: so you don't get a false sense of hope that you can use desktop icons with a Win11 kiosk. This is not something you will see on a proper computer:
There will be the option to use removable drives, but with a VM as the test subject none are available. It works, though.
Updated: This is an example of a real computer screen: a Finnish OS built as a Windows 11 kiosk with access limited to Downloads and removable drives only. All the icons that should be on the user's desktop are gone. All the icons are available on the public desktop, but kioskuser0 will not see them after the last CU update and running Autopilot after these updates.