Kiosk Mode not logging in - "kioskUser0 the user name or password is incorrect"

Copper Contributor

I am working with creating a Device Configuration Profile for Kiosk Mode. The device is Windows 10 1809 and is Azure AD joined only and is syncing and receiving policies, updates, and software.

 

When the device is restarted the Kiosk policy attempts to force the Auto-login option but fails. It is showing User "kioskUser0" and giving the generic message of "username/password is incorrect". I wait a minute or 2 and the timeout for attempting the login with the kiosk user occurs, then I am able to then login with any azure ad user I attempt.

 

When the policy is applied is it creating kioskUser0 as a local account on the device?

Other than restarting, is there any way for the device to attempt to log back into the kiosk section? (logging in and signing out does not seem to trigger this)

 

9 Replies

Hi @cbelcher,

the policy is creating the kioskuser0 and confgures the autologon. If you combine this with a Autopilot Self Deploying Mode (SDM) Profile then the OOBE will enable the Enrollment Status Page (ESP) and waits for the receiving of this policy and then when it proceeds the kioskuser0 autologon will instantly take you to the Kiosk. In my tests I found a problem in this mode as the ESP is currently not correctly waiting for the kiosk profile therefore the autologon is not working. This is currently known by Microsoft and they are working on a fix.

 

best,

Oliver

@Oliver Kieselbach 

To clarify,  I am not using Auto-pilot with ESP. This are provisioned with a USB and the the kiosk mode profile is applied when the device is synced. Is the issue you stated still going to affect me?

Hi @cbelcher,

hmm okay understand. I didn't setup kiosk with USB sticks and provisioning packages until now. Anyway after restart the auto logon should work. Did you try to specify .\kioskUser0 and leave the pasword blank? important is the .\ in front to make sure the logon window knows it is a local user logon. Do you have other MDM policies which getting applied to the device as well? maybe they create a kind of conflict. e.g. if you enforce via Compliance policy require passwort it will break auto logon.

 

best,

Oliver

@Oliver Kieselbach 

I am working with Premiere support at the moment to dig in and figure this out. I will reply back with my notes for others to benefit from as well. This reply is to let everyone know this is still being investigated.

@cbelcher 

@Oliver Kieselbach 

 

Below are the results of what I found with MS Support to be the steps taken to achieve Kiosk Mode.

 

  1. Devices must enrolled to MS Intune. I did this with Set up my School PC's app
    • Using open Wireless SSID (our MAC addresses were added CISCO ISE to allow them directly on to the network without the need to click our Acceptable Use Policy)
  2. Created a Dynamic Group to for the enrolled devices (Using Assigned will also work)
  3. Devices were updated from Windows 10 1803 to 1809 using the Software Update Ring policy
  4. Created a device configuration policy to “Enable share usage data” to Basic
  5. Obtained the Online and Offline version of the Kiosk Browser app from the MS Store for Education
    • ***Unable to tell the difference in the apps from the console UI once synced***
      • Assigned the app to the device group
      • ***The first app in the list was chosen, which in further investigation is the online app.

        6.Setup a Device Configuration policy for a Kiosk profile
  • Named "Kiosk Profile for Library Catalog"
  • Single App = Kiosk Browser
  • Set up for Auto logon, Windows 1803+
  • URL (for now) bing.com
  • In further testing, I found the Kiosk Browser app does support intranet sites
  • Assigned to the device group from Step 2

  

Notes for the experience:

I found I had to restart the devices several times after everything was in place before it would actually take place. (Approx 3-4 times per device)

 

During some further testing I found:

In a Device Restriction policy, password section, filling in the preferred tenant name breaks the auto login feature for kiosk mode. I made a single change and once the devices synced, and restarted, they were unable to auto-login.

 

Thank you Oliver for reaching out to help me.

 

Hi all,

 

i am suffering the same issue, even if I have some other prerequisites. The aim is the same, i want to deploy an Single app, full-screen kiosk device., which displays a full screen web page, which can be used without any interactive logon.

 

My configuration is the following:

  • Windows 11 Pro (Build 10.0.22621.1265)
  • Deployed via Self-Provisioning Autopilot profile
  • Intune Kiosk profile configured and assigned to device
  • Kiosk Browser (offline app from WSfB) is deployed to device
  • Device is configured with an extra ESP, waiting for all required apps (only Kiosk and TeamViewer Quick Support is deployed)

When I deploy my device, autopilot (WLAN or LAN) works like a charm, the device gets provisioned real fast, but then my trouble starts. Instead of displaying the configured website, I get the windows logonpage with no user prefilled. As soon as i enter the username '.\kioskuser0' i am able to sign in without the requirement of a password and the configured website gets displayed as i wish. But i have to logon every time with the user which is configured by the Kiosk Intune Profile. I can't remember, that this is an expected behavior and i haven't seen this in any blog or video.

 

Here are my Intune configurationprofiles, which get successfully deployed to the device:

Spoiler
Kiosk Template:
MichaelMornhinweg_0-1677081536512.png
Settings Catalog
MichaelMornhinweg_1-1677081600937.png

No the steps I did to find the error:

I have double checked, if the client got the policy and made several reboots, to be sure the configuration is on the client. Well, it is:

Spoiler
Template:
MichaelMornhinweg_2-1677081775118.png

Catalog:
MichaelMornhinweg_3-1677081789163.png
App:
MichaelMornhinweg_0-1677082234438.png

 

Since I know, any password policy or preferred Tenant information will break the experience, I have tripplechecked this and made shure, that no corresponding Policy is in place. I can confirm, there is no device lock policy on the device. To make the things more tricky, the following Eventlogs are empty and can't help me in any way:

  • Microsoft-Windows-AssignedAccess/Admin
  • Microsoft-Windows-AssignedAccess/Operational
  • Microsoft-Windows-Authentication User Interface/Operational

 

To get around the problem, i played with different settings within the Kiosk Profile, my problem didn't disappear. Regardless if i configure the Kiosk Browser or the Edge Browser with Digital/interactive Signage, i still get the windows 11 sign in screen.

 

@Oliver Kieselbach: Do you have any clue, how to get my configuration out of this mess? Even waiting an entire #membeer, to allow intune replication didn't work :(.

 

Greetings Michael

 

 

Kiosk device profile not auto logging in

There's currently a known issue in Windows Update KB5022303, which applies to both Windows 10 and Windows 11, where Kiosk device profiles that have auto log on enabled won't auto login. After Autopilot completes provisioning, the device stays on the sign-in screen prompting for credentials. To work around this known issue, you can manually enter the kiosk user credentials with the username kioskUser0 and no password. After entering this username with no password, it should take you to the desktop. There's a fix pending, but no estimated date for the release of the fix at this time.


https://learn.microsoft.com/en-us/mem/autopilot/known-issues

Have you seen this?

best,
Oliver

Hi Oliver,

thank you very much for the hint! Actually i haven't seen this article, but it explains my experiences on the clientside. As the article is linked to Autopilot, will it still ocure, when i deploy the machine on another way and assign the kiosk-profile afterwards?

Is there any way to get around this issue? Maybe the Autoadminlogon regkeyies or do i have to deal with "just enter kioskuser0 and hit enter"?

greetings,
Michael
Thank you!!! I have spent hours trying to learn the setup. I now understand that I was seing this working if I hadn't fully updated the machine (I have just rebuilt the same machine 5 times to work out why this was not working).

Lots of searching later and this comment has answered why I am struggling and that my settings are applying, but the autologin is not working.

Thank you so much for posting this!

:D