Forum Discussion
MichaelW
Aug 09, 2023, Brass Contributor
Windows 11 assigned access - setting kiosk mode over powershell and WMI
Hey guys, so currently, as this article states, kiosk multi-app mode in Intune for Windows 11 is on the roadmap, but there is no ETA for when it goes live. https://techcommunity.microsoft.com/t5/wi...
MichaelW
Aug 11, 2023, Brass Contributor
No errors with the skeleton
LainRobertson
Aug 11, 2023, Silver Contributor
Fantastic. That really helps us narrow our focus onto the XML.
I keep saying this as I feel like I'm the blind leading the blind here, but I really know nothing about this MDM stuff - it's way outside my areas of expertise. But for now, we can rule out the PowerShell side entirely and just look at the XML.
This first change is just a tip - it won't change your current XML at all: use the single-quote text block style rather than the double-quote form.
So, instead of this:
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
...
"@)
Use this:
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@'
...
'@)
Why?
PowerShell will try and identify any variables inside of a double-quotes block and swap out the variable name for the localised value, whereas using the single quote preserves the exact format of the text (i.e. no variable substitutions). This can be quite important for text blocks featuring symbols - like XML.
Here's a simple illustration of both double and single quotes and how PowerShell parses both:
As I say though, in this specific case, it's not an issue for your XML. It's just something important to be aware of that isn't always obvious.
Focusing on your XML, you could try stripping it down to something really simple and then building it back up, but one thing that sticks out to my untrained eye is that the GUID used near the top:
<Profile Id="dca70007-6874-49b3-930f-26ead1d85918">
Doesn't match the GUID near the bottom:
<DefaultProfile Id="{c374b80f-6aea-4c02-b1db-7bb1dfc4fe84}"/>
And I'm wondering (aka guessing) should they not both be the same value, as they are in the Microsoft article you referenced earlier?
Cheers,
Lain
- LainRobertson, Jan 18, 2024, Silver Contributor
Fair enough.
If that log is indeed enabled (you can check by right-clicking on it) yet there's nothing in it, then I can't help, as that's the only log I found whilst working through things with Michael (the original author).
For me on Windows 10 22H2, it was enabled by default.
Perhaps you're facing a different issue to Michael - I have no idea. But given that Admin log works for me, for Michael's original scenario, I'd be letting the errors guide me into which corrections I needed to make to the XML.
Cheers,
Lain
- AnrDaemon, Jan 18, 2024, Copper Contributor
If you mean Application and Services Logs/Microsoft/Windows/AssignedAccess/Admin - it's entirely empty. Literally zero records.
- LainRobertson, Jan 18, 2024, Silver Contributor
Hi.
If you scroll back up to the post I mentioned from the 17th August 2023, there's a full write-up including the screenshot I referred to.
Cheers,
Lain
- AnrDaemon, Jan 18, 2024, Copper Contributor
Pardon my ignorance, but which journal should I check? There's no relevant data in a number of "powershell" journals.
- AnrDaemon, Jan 13, 2024, Copper Contributor
I'm so used to the event log being totally useless that I did not even think to look there.
As to the http/https, I'm aware of this and this is not an issue (unless the IoT examples provided by Microsoft are an issue in themselves), see https://github.com/AnrDaemon/samba4-ads/blob/master/opt/contrib/ShellLauncher/LiteStep.xml
- LainRobertson, Jan 13, 2024, Silver Contributor
Hi.
I stepped away from this thread as it has nothing to do with PowerShell and everything to do with the XML file, which is a Windows/Intune topic (I know nothing about Intune, as I've mentioned above a few times).
That said, if I were to take this further and try resolving the "generic error" errors, then my process would be to use the Windows Event Log - which I've discussed and included a screenshot from above - as it tells you precisely which section is at fault, along with which section it expects to see.
I'd wager that once I've fixed the listed section from the error, I'll roll into a new error for the next section, but after a few iterations, I'd expect to end up with a valid XML file at which point everything will work.
Noting the comment above from Micah about using http instead of https, while those values look like web addresses, they're not web addresses.
XML uses URIs as identifiers - again, they are not web addresses. There is no security issue here since there is no web traffic going to these identifiers and - as noted by Micah - if you change an identifier (such as the http prefix to https), the XML file may be rendered invalid.
Only use the values provided by Microsoft. Don't change http to https from mistakenly thinking these are web addresses being used in some kind of web query.
Cheers,
Lain
- mkress5144, Jan 12, 2024, Copper Contributor
MichaelW Phew! I've figured it out.
You must use http for the base namespace uri:
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
Using https will result in the following error (in the Event Viewer):
Validate failed because the document does not contain exactly one root node.
, ErrorCode(0xC00CE223)
For any other XML namespace, you can use either http or https. I first encountered this issue with ppkgs using the Windows Configuration Designer, so I sought a different means to apply the configuration.
Thank you so much Michael for making your post which ultimately provided me a way to rapidly test XML alterations.
I will mention that I am using Windows 10.
Anyway, here is the final working script:
# Apply the AssignedAccess configuration through the MDM Bridge WMI provider
# (run in a SYSTEM context, e.g. via psexec, as noted elsewhere in the thread)
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
Add-Type -AssemblyName System.Web
# The XML is stored HTML-encoded in the Configuration property
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
>
  <Profiles>
    <Profile Id="{89f37c95-b165-4ecc-82bc-ebd086c30812}">
      <AllAppsList>
        <AllowedApps>
          <App DesktopAppPath="C:\Program Files\Internet Explorer\iexplore.exe" />
          <App DesktopAppPath="C:\WINDOWS\System32\cmd.exe" />
        </AllowedApps>
      </AllAppsList>
      <rs5:FileExplorerNamespaceRestrictions>
        <rs5:AllowedNamespace Name="Downloads"/>
      </rs5:FileExplorerNamespaceRestrictions>
      <StartLayout>
        <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
          <LayoutOptions StartTileGroupCellWidth="6" />
          <DefaultLayoutOverride>
            <StartLayoutCollection>
              <defaultlayout:StartLayout GroupCellWidth="6">
                <start:Group Name="Apps">
                  <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk" />
                  <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\CMD.lnk" />
                </start:Group>
              </defaultlayout:StartLayout>
            </StartLayoutCollection>
          </DefaultLayoutOverride>
        </LayoutModificationTemplate>
        ]]>
      </StartLayout>
      <Taskbar ShowTaskbar="true"/>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>.\Kiosk</Account>
      <DefaultProfile Id="{89f37c95-b165-4ecc-82bc-ebd086c30812}"/>
    </Config>
  </Configs>
</AssignedAccessConfiguration>
"@)
Set-CimInstance -CimInstance $obj
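The two causes of the "generic error" that surfaced in this thread (an https base namespace, and a DefaultProfile GUID that does not match the Profile GUID) can both be caught before the XML ever reaches MDM_AssignedAccess. The pre-flight check below is an added example, not code from any poster; the function name and the sample XML are constructed for illustration.

```powershell
# Added example, not code from the thread. Pre-flight checks on an AssignedAccess XML string before it
# is handed to MDM_AssignedAccess: the base namespace must be the exact http URI, and each
# DefaultProfile Id must match a Profile Id. Function name and sample are constructed.
function Test-AssignedAccessXml {
    param([Parameter(Mandatory)][string]$Xml)
    $problems = @()
    try {
        $doc = [xml]$Xml          # throws if the document is not well-formed XML
    } catch {
        return @("XML is not well-formed: $($_.Exception.Message)")
    }
    $root       = $doc.DocumentElement
    $expectedNs = 'http://schemas.microsoft.com/AssignedAccess/2017/config'
    if ($root.LocalName -cne 'AssignedAccessConfiguration') {
        $problems += "Root element is '$($root.LocalName)', expected 'AssignedAccessConfiguration'"
    }
    if ($root.NamespaceURI -cne $expectedNs) {
        # The namespace is an identifier compared byte for byte; https makes the document invalid
        $problems += "Base namespace is '$($root.NamespaceURI)'; it must be exactly '$expectedNs'"
    }
    if ([string]::IsNullOrEmpty($root.NamespaceURI)) { return $problems }
    # Resolve elements in whatever default namespace the document declares, so the GUID check still runs
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('c', $root.NamespaceURI)
    $profileIds = @($doc.SelectNodes('//c:Profiles/c:Profile', $ns) | ForEach-Object { $_.GetAttribute('Id') })
    $defaultIds = @($doc.SelectNodes('//c:Configs/c:Config/c:DefaultProfile', $ns) | ForEach-Object { $_.GetAttribute('Id') })
    if ($profileIds.Count -eq 0) { $problems += 'No <Profile> element found under <Profiles>' }
    foreach ($id in $defaultIds) {
        if ($profileIds -notcontains $id) {
            $problems += "DefaultProfile Id '$id' matches no Profile Id (found: $($profileIds -join ', '))"
        }
    }
    return $problems
}

# Constructed sample that reproduces both mistakes discussed in the thread: an https base namespace
# and a DefaultProfile GUID that differs from the Profile GUID.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="https://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="{dca70007-6874-49b3-930f-26ead1d85918}"><AllAppsList><AllowedApps/></AllAppsList></Profile>
  </Profiles>
  <Configs>
    <Config><Account>.\Kiosk</Account><DefaultProfile Id="{c374b80f-6aea-4c02-b1db-7bb1dfc4fe84}"/></Config>
  </Configs>
</AssignedAccessConfiguration>
'@
$result = @(Test-AssignedAccessXml -Xml $sample)
if ($result.Count -eq 0) { 'Checks passed; safe to call Set-CimInstance' } else { $result }
```

Run the function against the here-string you are about to pass to HtmlEncode; an empty result means the document is well-formed, uses the http namespace, and has consistent GUIDs.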
- AnrDaemon, Jan 03, 2024, Copper Contributor
Sorry for hijacking the thread, but it seems I have a very similar error on a much more basic level.
I'm trying to enable ShellLauncherV2 using basically a word-by-word example script from IoT samples.
The script and example XML are at my GitHub.
After following the advice given above in the thread and using psexec to launch the script under the LocalSystem account, I get the "generic error" when trying to install the modified access profile.
If there is any way to debug the issue further, I'm all ears.
- MichaelW, Oct 18, 2023, Brass Contributor
Hi Michael,
thank you very much, I will look into this this week 😉
- michael_moshkovich, Oct 18, 2023, Brass Contributor
OK found it..
so, to use the rs5 tag you should include the schema.... 🤕
xmlns:rs5="https://schemas.microsoft.com/AssignedAccess/201810/config"
so the final result will include rs5 and win11:
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config" xmlns:rs5="https://schemas.microsoft.com/AssignedAccess/201810/config">
<Profiles>.......
</AssignedAccessConfiguration>
- michael_moshkovich, Oct 18, 2023, Brass Contributor
Hello,
I'm having the same issue on Win11, and noticed that if you remove the rs5 tags from the XML, the configuration goes through, e.g. rs5:AutoLaunch in your example or rs5:DisplayName for me.
If someone has some info regarding this, it will be much appreciated.
- MichaelW, Sep 22, 2023, Brass Contributor
Hi, no unfortunately not yet
- Mattia_Nocerino, Sep 22, 2023, Copper Contributor
Hi MichaelW
I'm facing the exact same issue. It's super frustrating.
Have you managed to find a solution?
- LainRobertson, Aug 16, 2023, Silver Contributor
Hi, Michael.
It might pay to post in an Intune forum, as this is related to the XML that feeds into the MDM agent, not your PowerShell or WMI.
You can also check the errors from the following Windows Event Log location for more specific guidance on what's wrong with the XML:
- Application and Services Logs/Microsoft/Windows/AssignedAccess/Admin
Example
Unfortunately, the XML configuration is well outside being relevant to PowerShell, so I might stop here.
Cheers,
Lain
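The event log location Lain gives above can be queried from the same PowerShell session that ran Set-CimInstance, which also answers the "is the log enabled / is it empty" question that comes up elsewhere in the thread. This is an added example, not code from any poster; it assumes the Event Viewer path Application and Services Logs/Microsoft/Windows/AssignedAccess/Admin corresponds to the channel name 'Microsoft-Windows-AssignedAccess/Admin', and the function name is constructed.

```powershell
# Added example, not from the thread. Checks the AssignedAccess Admin log and returns its recent
# error entries after a failed Set-CimInstance. Assumption: the channel Event Viewer shows as
# Application and Services Logs/Microsoft/Windows/AssignedAccess/Admin is addressed from PowerShell
# as 'Microsoft-Windows-AssignedAccess/Admin'. Function name is constructed.
function Get-AssignedAccessLogErrors {
    param(
        [string]$LogName   = 'Microsoft-Windows-AssignedAccess/Admin',
        [int]   $MaxEvents = 20
    )
    # -ListLog returns the channel's metadata; this is the scripted equivalent of the
    # right-click "is the log enabled" check mentioned elsewhere in the thread.
    $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    if (-not $log.IsEnabled) {
        Write-Warning "$LogName is disabled; enable it, re-run the Set-CimInstance step, then check again"
        return @()
    }
    if ($log.RecordCount -eq 0) {
        Write-Warning "$LogName is enabled but empty; re-run the Set-CimInstance step, then check again"
        return @()
    }
    # Level 2 is Error in the Windows event log level scale
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = 2 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Run this right after the Set-CimInstance call that returned the "general error"
Get-AssignedAccessLogErrors | Format-List
```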
- MichaelW, Aug 16, 2023, Brass Contributor
LainRobertson Hi Lain, unfortunately it changed nothing, wiping the client and using English (US) as the OS language. Same problem, general error.
Can someone please help who has a bit of experience with WMI? It's super frustrating that we are not able to use Multiapp Windows 11 kiosk devices...
- MichaelW, Aug 16, 2023, Brass Contributor
Yes, I will also change that, but in the latest tries I didn't even include the whole XML and I still got an error
- LainRobertson, Aug 16, 2023, Silver Contributor
No worries - I hope you had a good break!
Also, if you go back a couple of posts, I also mentioned that the GUIDs don't match across the profile definition on line 12 (of your previous post) versus the default profile selection on line 38.
I'm not sure if this matters, but since the example from the Microsoft post has both GUIDs matching, I thought I should mention it.
Cheers,
Lain
- MichaelW, Aug 16, 2023, Brass Contributor
A colleague stated that it could have something to do with the OS language, because it's a German OS client. I will switch the OS language to English (American)
- MichaelW, Aug 16, 2023, Brass Contributor
Hi Lain, unfortunately I'm getting the same error again with single quotes:
"A general error has occurred for which no more specific error code is available."
also tried it like that with the same result...
# Same skeleton as before, with an empty single-quoted here-string as the configuration
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
Add-Type -AssemblyName System.Web
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@'
'@)
Set-CimInstance -CimInstance $obj
- MichaelW, Aug 16, 2023, Brass Contributor
Thank you very much Lain, sorry, I was on holiday for the past days. I will try both things out, thank you very much for the explanation of the double quote and single quote.