Single Mode Kiosk with an Active Directory User

I’ve been playing around with Windows 10 Kiosk mode in version 1809. Since the introduction of the MultiApp Kiosk I think it has great potential for Enterprise environments, but there are still a lot of improvements that can be done.

The Single Mode Kiosk is around for a bit longer, but it has it limitations. For instance, the Single Mode Kiosk can only set Assigned Access to a Local User. When you want to manage a Kiosk via Active Directory (e.g. PEAP / Sharepoint Access / Share Access or Web Access) it can’t be done via a local user. In this blogpost I will describe a way to work around this limitation.

In this example I will make a Single Mode Kiosk which automatically logs on a AD user and starts Edge to an internal URL.

I use the Configuration Designer to create a PPKG package to lock a Windows 10 pc in Kiosk mode.

The tool is part of the ADK Toolkit which can be downloaded here:
https://docs.microsoft.com/nl-nl/windows-hardware/get-started/adk-install

I create a new Project via Provision kiosk devices

Fill in the Project Name and Project Folder and choose Finish

In the Wizard on I choose the following options:

Set up Device:
Disabled

Set up Network:
I will be using PEAP for the wireless access so also Disabled

Account Management:
My tablet / workstation or laptop is already a member of the Active Directory. So Account Management will be Disabled

Add applications:
Skip

Add certificates:
Skip

Configure kiosk account and app
Let the PPKG create a new local user with password. Put Auto sign-n on Yes and fill in the AUMID for the universal windows app. I will be using Microsoft Edge.

AUMID: Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge

AUMID of Universal Windows Apps can be found here:
https://docs.microsoft.com/en-us/windows/configuration/find-the-application-user-model-id-of-an-installed-app

Configure kiosk common settings:
Tablet mode: Yes
Configure power settings Yes
Turn off screen timeout: Yes
Turn off sleep timeout: Yes

I still have to define the Internal URL, but it can’t be done via the Wizard. So on the summary screen choose Switch to advanced editor. Just choose Yes when the popup shows up.

In the Advanced Editor, go to Runtime settingsPolicies Browser Homepages and fill in the URL of the Internal website on the network.

Save the project and click Export Provisioning package

Choose a name for the PPKG package and choose next

I would recommend using a version number in the package which corresponds with the version number in the version box.

On the Encryption Tab choose next

Save the package somewhere and choose next

Choose Build and finish the Wizard

Copy the package to the Windows 10 machine and install the package

Choose Yes, Add it and Reboot the machine

When the machine has rebooted, it will automatically login with the newly created local user “kioskuser” and points to the Internal URL, but you will get access denied. My IIS website only allows Windows Authentication. So I need to change the AutoLogon from the local “kioskuser” to an Domain User. Firstly I go to the Active Directory and get the SID of the AD user I want to use. Then I change the registry settings of the Winlogon Key.

Go to:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Change the following parameters to the AD user settings:

AutoLogonSID: SID of the AD User
DefaultDomainName : NETBIOS domain name
DefaultPassword : AD User password
DefaultUserName : AD SAMaccountname

Also I have to change the AssignedAccess registry keys to match the SID of the AD User. This still can’t be done via Powershell, so I have to change it in the registry.

Go to:
HKLM\SOFTWARE\Microsoft\Windows\AssignedAccessConfiguration\Configs

Rename the Key with the Local SID to the SID of the AD User. Also change value of the Id property to the AD User SID in the renamed key.

HKLM\SOFTWARE\Microsoft\Windows\AssignedAccessConfiguration\Configs\S-1-5-NEW-SID\Account

After these modifications I need to reboot the machine

Now when the machine has rebooted it will automatically point to the URL, and it will be authenticated via it’s AD Credentials and the internal website is shown.

When the page is successfully shown, I delete the local “kioskuser”.

I also created a Powershell script that does the job.

#SID of the AD User
$SID = "S-1-5-21-1026485530-1075202727-2595178154-1110"

#Change AutoLogon to the Domain User
$AutoLogonSID = $SID
$DefaultDomainName = "DOMAIN"
$Password = "P@ssw0rd!"
$DefaultUserName = "ADKioskUser"

$AutoLogonRegistryPath = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
Set-ItemProperty -Path $AutoLogonRegistryPath -Name AutoLogonSID -Value $SID
Set-ItemProperty -Path $AutoLogonRegistryPath -Name DefaultDomainName -Value $DefaultDomainName
Set-ItemProperty -Path $AutoLogonRegistryPath -Name DefaultPassword -Value $Password
Set-ItemProperty -Path $AutoLogonRegistryPath -Name DefaultUserName -Value $DefaultUserName

#Getting the local SID
$registryRoot = "HKLM:\Software\Microsoft\Windows\AssignedAccessConfiguration\Configs\"
$LocalSID = Get-childItem -Path $registryRoot | %{$_.pschildname}

#Setting the Path for the Assigned Access Registry key
$registrypath = "$registryRoot" + "$LocalSID"

#Rename the Registry Key from the LocalSID to the AD SID
Rename-Item -Path $registrypath -NewName $SID

#Changing the String Value of the new Registry Key
$registrypathNEW = "HKLM:\Software\Microsoft\Windows\AssignedAccessConfiguration\Configs\"+"$SID"+"\Account"
Set-ItemProperty -Path $registrypathNEW -Name Id -Value $SID


#End Script




You may also like...

22 Responses

  1. Arwin ;-) says:

    Cheers mate

  2. Peter Fitzsimons says:

    Hi

    What version of the Windows Configuration Designer did you use? I have 10.0.18362.1 and Windows 10 1809. These registry keys like “HKLM:\Software\Microsoft\Windows\AssignedAccessConfiguration\Configs” aren’t used.

    Cheers
    Peter

    • Remco van Diermen says:

      Hi Peter,

      The time i created this my own OS was on Windows 10 1803 with configuration designer version 10.0.17763.1 . The Kiosk OS was Windows 10 1809.

      I’ve created a kiosk this week with this version. I will have to check if the regkeys are still used there. I’ll get back to it.

      Regards,
      Remco

      • Remco van Diermen says:

        I’ve checked again with my designer version. I guess you use the 1903 ADK to get to 10.0.18362.1? Because mine stays on 10.0.17763.1 with the 1809 ADK.

        Created a new kiosk and it still uses the same regkeys.

  3. Antonis says:

    Hello . I woulk like to mention that the last command it is not possible to run and an error occured because the folder”Configs” does not exist. HKLM:\Software\Microsoft\Windows\AssignedAccessConfiguration\Configs . Any idea ?
    Thank you

    • Remco van Diermen says:

      Hi Antonis, so u mean there’s no folders at all underneath the path HKLM:\Software\Microsoft\Windows\AssignedAccessConfiguration\ ? Or just not configs. On all my Windows 10 machines i have 4 folders;

      Configs
      GroupConfigs
      Profiles
      RawData

  4. Antonis says:

    Hello Remco . It is very strange , because before i start the powershell scipts the string value “configs” is listed in registry . When i start and run step by step the commands and run the last command i check in allready open registry window that the string value “configs” appeared , i run refresh and an error window appeared show that ” The system cannot find the file specified” , i understand that means the “configs” are deleted?? It is very strange

  5. Antonis says:

    Hi Remco . For above issue i would like to mention that the string value name “configs” renamed to the ID of the AD user “S-1-5-21-1487……” . So , the last command cannot execute because the string value “Configs” does not exist.Any idea ?

  6. Antonis says:

    Hi Remco, well I managed to perform the first part and created the kiosk with the local user. I attempted to run the powershell scripts but I cannot find any keys for local user SID under HKLM:\Software\Microsoft\Windows\AssignedAccessConfiguration\Configs\.
    Nevertheless, I created the key for AD user SID under HKLM:\Software\Microsoft\Windows\AssignedAccessConfiguration\Configs\
    and added the ID key. After restarting the system, it entered in kiosk mode using AD account BUT instead of starting the classic app specified under C:\program files\…\application.exe, the system starts cmd.exe

  7. Antonis says:

    Hello Remco . Sorry for inconvenience , is t possible to check the above ? If not i have tocheck another source . Thanks a lot

    • Remco van Diermen says:

      Hi Antonis, the problem would be that there’s no SID before running the script. Therefor the $LocalSID variable is empty and the Configs folder is renamed to the SID. I can’t understand why your PPKG isn’t creating a Local SID folder underneath the Configs folder.

      What happens when you create your own package without running the script? Is the app started under a local user which is created via the PPKG?

  8. Antonis says:

    Remco , if i will not run the scripts , and install only the PPKG file that i created for the Kiosk application it runs and start up normally . When i am try to run the commands then
    the application don’t run etc.

    • Remco van Diermen says:

      Antonis, as a quick check i’ve now created a Kiosk Test on a Hyper-v VM.
      In my case there’s a SID created under configs and when i run my script afterwards it’s set to an AD user. So still working. Can you perhaps send me your ppkg so i can test it on my VM? My email is below the website link.

  9. Antonis says:

    Remco , i just sent you the file . Thank you

  10. Remco van Diermen says:

    Hi Antonis, i think i’ve found the problem. Your local user is not created in the process when running the PPKG. Therefor it will not set the registry keys. My guess is the password doesn’t comply with the default windows password policy. As in a capital letter, small letter and a number atleast. Could this be the problem? In my own PPKG i see a local user been created and the Registry Key aswell.

  11. Antonis says:

    Remco , the PPKG file i created in Win 10 Ent environment and if you will add the package in Win 10 pro will not set up well . I checked and i set up a new pc with Win 10 Ent version and the user created as well .In the commands i think is the issue

  12. Antonis says:

    In my case the user created as well , the Kiosk user created with the PPKG file , but when i run all the commands , the AD user loggins but cannot start the app and run the cmd applet ( i dont know why )

  13. Remco van Diermen says:

    Ok found out why. Seems Microsoft has changed the way Assignedaccess is set to executables. When a classic Windows App is set as the Kiosk App Type, the settings are done via another Registry Setting.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Embedded

    I think i’ve got to change the instruction to UWP only, because that is still done with the AssignedAccess Registry key in the current instruction.

    When you want to start a Classic Windows App in Kiosk mode you must use the ShellLauncher. How to do this is described in this article:

    https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/shell-launcher

  14. Antonis says:

    Dear Remco , the ShellLauncher is currently enabled in Win10 Ent ( my case ), so there is no need to enable it . So , you have to change your commands and try to run them again ?

  15. Antonis says:

    Remco , i found a trick that the Kiosk user when log in in Windows , the app you need will start up and never close . You have to make a vb key ( Set WshShell = CreateObject(“WScript.Shell”)
    Do While True
    WshShell.Run “””C:\Program Files\…….exe”” -k”, 1, True
    Loop) , copy it to the windows/system32 folder , the file name will be xxxxx.vbs , go to registry HKEY_USERS\%AUTOLOGONUSERSID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and modify the key shell. If you will close the app , it will start again( like Kiosk Mode ).

  16. Antonis says:

    The modification of reg key shell will be
    Shell=c:\windows\system32\wscript c:\windows\system32\xxxxxx.vbs(file )

Leave a Reply to Antonis Cancel reply

Your email address will not be published. Required fields are marked *