Forum Discussion
Windows 11 assigned access - setting kiosk mode over powershell and WMI
Hey guys,
So currently, as this article states, kiosk multi-app mode in Intune for Windows 11 is on the roadmap, but there is no ETA for when it goes live: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/multi-app-kiosk-mode-now-available-in-windows-11/ba-p/3845558
I then tried, as this article shows (https://learn.microsoft.com/en-us/windows/configuration/lock-down-windows-11-to-specific-apps),
to run the stated PowerShell script with my own configured XML file, as you can see here:
$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
Add-Type -AssemblyName System.Web
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode
(@"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <Profiles>
    <Profile Id="dca70007-6874-49b3-930f-26ead1d85918">
      <AllAppsList>
        <AllowedApps>
          <App AppUserModelId="Citrix.Workspace" rs5:AutoLaunch="true">
          <App AppUserModelId="MSEdge" />
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.Windows.Explorer" />
        </AllowedApps>
      </AllAppsList>
      <win11:StartPins>
        <![CDATA[
          {"pinnedList": [
            {"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Citrix Workspace.lnk"},
            {"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"},
            {"packagedAppId":"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},
            {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
            {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}
          ]}
        ]]>
      <win11:StartPins/>
      <Taskbar ShowTaskbar="true"/><Taskbar/>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <AutoLogonAccount/>
      <DefaultProfile Id="{c374b80f-6aea-4c02-b1db-7bb1dfc4fe84}"/>
    </Config>
  </Configs>
</AssignedAccessConfiguration>
"@)
Set-CimInstance -CimInstance $obj
but I'm getting the following errors:
Get-CimInstance: C:\Users\michael.woerner\GitHub-Repo\Github_Work\Intune\Scripts\Kiosk-XML-WMI.ps1:3:8
Line |
3 | $obj = Get-CimInstance -Namespace $namespaceName -ClassName $classNam …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Zugriff verweigert.
InvalidOperation: C:\Users\michael.woerner\GitHub-Repo\Github_Work\Intune\Scripts\Kiosk-XML-WMI.ps1:5:1
Line |
5 | $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| The property 'Configuration' cannot be found on this object. Verify that the property exists and can be set.
Set-CimInstance: C:\Users\michael.woerner\GitHub-Repo\Github_Work\Intune\Scripts\Kiosk-XML-WMI.ps1:44:30
Line |
44 | Set-CimInstance -CimInstance $obj
| ~~~~
| Cannot bind argument to parameter 'InputObject' because it is null.
Can you guys help me with that?
- LainRobertson, Silver Contributor
Hi, Michael.
You'll have to forgive me, but as I can't speak German, I had to run "Zugriff verweigert" through a translator, but it seems to have translated to "Access denied", which I can accept as accurate.
In short, the second and third errors from your post described the problem - which is that $obj is null, but I needed to run the translation to understand why - which comes from your first error.
You'll need to either run this script with administration rights (preferred resolution), or - and I wouldn't recommend this - change the security on the "root\cimv2\mdm\dmmap" WMI namespace to grant non-administrators the necessary read+write permissions.
Because you haven't gotten far enough to use your XML yet, we can't comment on that. You'll know more once you resolve this initial permissions issue.
Cheers,
Lain
- MichaelW, Brass Contributor
Hi Lain,
thank you also for the work translating from German to English.
Unfortunately I ran the script over PowerShell ISE with Administrator rights, and also logged in with a LAPS local admin user account on the test client. The test client is a Windows 11 physical machine, and is enrolled as an Azure AD device.
- MichaelW, Brass Contributor
$nameSpaceName="root\cimv2\mdm\dmmap"
Is this maybe the error? Since it's a Windows device, does this path even exist?
- dretzer, Iron Contributor
To use the WMI Bridge Provider (which is what you are doing here), you have to run it as local SYSTEM. Administrator is not enough. You can read more about the WMI Bridge Provider and how to use it with PowerShell here: https://learn.microsoft.com/en-us/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider
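A pre-flight check for the points raised so far in the thread, as an added example that is not code from any poster or from Microsoft's documentation: it confirms the session is LocalSystem, that the XML is well-formed, and that DefaultProfile refers to a defined Profile, before anything is written to MDM_AssignedAccess. The function names Test-RunningAsSystem and Test-AssignedAccessXml and the sample XML with its placeholder GUIDs are constructed for illustration.

```powershell
# Added example; function names and the sample XML are constructed.
function Test-RunningAsSystem {
    # S-1-5-18 is the well-known SID of the LocalSystem account.
    [Security.Principal.WindowsIdentity]::GetCurrent().User.Value -eq 'S-1-5-18'
}

function Test-AssignedAccessXml {
    param([Parameter(Mandatory)][string]$XmlText)
    $doc = [System.Xml.XmlDocument]::new()
    try { $doc.LoadXml($XmlText) }
    catch {
        # Unclosed elements and undeclared namespace prefixes are reported here.
        "Not well-formed XML: $($_.Exception.Message)"
        return
    }
    $ns = [System.Xml.XmlNamespaceManager]::new($doc.NameTable)
    $ns.AddNamespace('aa', 'http://schemas.microsoft.com/AssignedAccess/2017/config')
    $profileIds = @($doc.SelectNodes('//aa:Profiles/aa:Profile', $ns) |
        ForEach-Object { $_.GetAttribute('Id') })
    if ($profileIds.Count -eq 0) { 'No <Profile> element found.' }
    foreach ($default in $doc.SelectNodes('//aa:Configs/aa:Config/aa:DefaultProfile', $ns)) {
        $id = $default.GetAttribute('Id')
        # Ids are compared as written (case-insensitive), braces included.
        if ($profileIds -notcontains $id) {
            "DefaultProfile Id '$id' matches no Profile Id ($($profileIds -join ', '))."
        }
    }
}

# Constructed sample: the DefaultProfile Id deliberately differs from the Profile Id.
$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="{11111111-1111-1111-1111-111111111111}">
      <AllAppsList><AllowedApps>
        <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"/>
      </AllowedApps></AllAppsList>
    </Profile>
  </Profiles>
  <Configs><Config>
    <DefaultProfile Id="{22222222-2222-2222-2222-222222222222}"/>
  </Config></Configs>
</AssignedAccessConfiguration>
'@
$problems = @(Test-AssignedAccessXml -XmlText $sampleXml)
if (-not (Test-RunningAsSystem)) { $problems += 'Not running as LocalSystem.' }
$problems | ForEach-Object { Write-Warning $_ }
if ($problems.Count -eq 0) { 'Pre-flight checks passed.' }
```

With the constructed sample the check reports the DefaultProfile mismatch; in an ordinary elevated administrator session it also reports the missing LocalSystem context.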
- MichaelW, Brass Contributor
Hey, so I ran the script over a PowerShell terminal that was started with psexec.exe -i -s cmd.exe
Unfortunately, it ran into an error on line 44 again, as the screenshot shows.
- MichaelW, Brass Contributor
Also tried it with PowerShell 7 and with another version of the script (also from an elevated cmd started with psexec):
$nameSpaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_AssignedAccess"

# Write the XML configuration to a file
$xmlContent = @"
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <!-- ... your XML configuration here ... -->
</AssignedAccessConfiguration>
"@
$xmlFilePath = "win11-kiosk-wmi.xml"
$xmlContent | Set-Content -Path $xmlFilePath -Encoding UTF8

# Get-CimInstance to retrieve the instance
$obj = Get-CimInstance -Namespace $nameSpaceName -ClassName $className

# Set the Configuration property of the $obj object
$obj.Configuration = $xmlFilePath

# Update the instance with the new configuration
Set-CimInstance -CimInstance $obj
but also getting an error
- MichaelW, Brass Contributor
also ran the command on the client to test if I can access this class