Aug 09 2023 05:50 AM - edited Aug 16 2023 08:54 AM
Hey guys,
so currently, as this article states, kiosk multi-app mode in Intune for Windows 11 is on the roadmap, but there is no ETA for when it goes live. https://techcommunity.microsoft.com/t5/windows-it-pro-blog/multi-app-kiosk-mode-now-available-in-win...
I then tried as this article shows (https://learn.microsoft.com/en-us/windows/configuration/lock-down-windows-11-to-specific-apps )
to run the stated PowerShell script with my own configured XML file, as you can see here:
$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
Add-Type -AssemblyName System.Web
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode
(@"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="dca70007-6874-49b3-930f-26ead1d85918">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Citrix.Workspace" rs5:AutoLaunch="true">
<App AppUserModelId="MSEdge" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.Windows.Explorer" />
</AllowedApps>
</AllAppsList>
<win11:StartPins>
<![CDATA[
{"pinnedList": [
{"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Citrix Workspace.lnk"},
{"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"},
{"packagedAppId":"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}
]}
]]>
<win11:StartPins/>
<Taskbar ShowTaskbar="true"/><Taskbar/>
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount/>
<DefaultProfile Id="{c374b80f-6aea-4c02-b1db-7bb1dfc4fe84}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
"@)
Set-CimInstance -CimInstance $obj
but I'm getting the following errors:
Get-CimInstance: C:\Users\michael.woerner\GitHub-Repo\Github_Work\Intune\Scripts\Kiosk-XML-WMI.ps1:3:8
Line |
3 | $obj = Get-CimInstance -Namespace $namespaceName -ClassName $classNam …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Zugriff verweigert.
InvalidOperation: C:\Users\michael.woerner\GitHub-Repo\Github_Work\Intune\Scripts\Kiosk-XML-WMI.ps1:5:1
Line |
5 | $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| The property 'Configuration' cannot be found on this object. Verify that the property exists and can be set.
Set-CimInstance: C:\Users\michael.woerner\GitHub-Repo\Github_Work\Intune\Scripts\Kiosk-XML-WMI.ps1:44:30
Line |
44 | Set-CimInstance -CimInstance $obj
| ~~~~
| Cannot bind argument to parameter 'InputObject' because it is null.
Can you guys help me with that?
Aug 09 2023 07:19 AM
Hi, Michael.
You'll have to forgive me, but as I can't speak German, I had to run "Zugriff verweigert" through a translator, but it seems to have translated to "Access denied", which I can accept as accurate.
In short, the second and third errors from your post described the problem - which is that $obj is null, but I needed to run the translation to understand why - which comes from your first error.
You'll need to either run this script with administration rights (preferred resolution), or - and I wouldn't recommend this - change the security on the "root\cimv2\mdm\dmmap" WMI namespace to grant non-administrators the necessary read+write permissions.
Because you haven't gotten far enough to use your XML yet, we can't comment on that. You'll know more once you resolve this initial permissions issue.
Cheers,
Lain
Aug 10 2023 12:39 AM
Aug 10 2023 12:41 AM
Aug 10 2023 12:44 AM
Aug 10 2023 02:38 AM - edited Aug 10 2023 02:39 AM
To use the WMI Bridge Provider (which is what you are doing here), you have to run it as local SYSTEM. Administrator is not enough. You can read more about the WMI Bridge Provider and how to use it with PowerShell here: https://learn.microsoft.com/en-us/windows/client-management/using-powershell-scripting-with-the-wmi-...
Aug 10 2023 03:15 AM
The path will almost certainly exist. I run Windows 10 22H2 and even I see it:
Running the commands under an administrative process does allow you to get past the "access denied" issue (confirmed by the default permissions on this namespace as shown below), but if the authenticated user is being used by the MDM client, that would explain why the article requires the various commands to execute within the system process rather than just any administrative user:
But because I don't use InTune and therefore have no policy data to query, I can't go any further with this. That said, I can see other class information such as that from the MDM_DevDetail example below:
It doesn't seem like this is actually a PowerShell issue, but rather the specific requirements of the MDM - as @dretzer pointed out.
Cheers,
Lain
Aug 10 2023 05:17 AM
Thank you both very much, that explains a lot. I have to use psexec to get this to work and run the script in system context. I'll try that out, nice.
Aug 11 2023 02:09 AM
Hey, so I ran the script in a PowerShell terminal that was started with psexec.exe -i -s cmd.exe
Unfortunately, it ran into an error again on line 44, as the screenshot shows.
Aug 11 2023 02:20 AM
Also tried it with powershell 7 and with another version of the script (also from an elevated cmd started with psexec)
$nameSpaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_AssignedAccess"
# Write the XML configuration to a file
$xmlContent = @"
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
<!-- ... your XML configuration here ... -->
</AssignedAccessConfiguration>
"@
$xmlFilePath = "win11-kiosk-wmi.xml"
$xmlContent | Set-Content -Path $xmlFilePath -Encoding UTF8
# Get-CimInstance to retrieve the instance
$obj = Get-CimInstance -Namespace $nameSpaceName -ClassName $className
# Set the Configuration property of the $obj object
$obj.Configuration = $xmlFilePath
# Update the instance with the new configuration
Set-CimInstance -CimInstance $obj
but I'm also getting an error.
Aug 11 2023 02:26 AM
Also ran the command on the client to test whether I can access this class.
Aug 11 2023 03:40 AM
Hi, Michael.
Again, I have to apologise for needing to use a translator (where I hope the translation is accurate), which for the error of:
Es ist ein allgemeiner fehler aufgetreten, fur den kein spezifischerer fehlercode verfugbar ist
I got a translation of:
A general error has occurred for which a more specific error code is not available
If that's accurate, that makes things a little difficult to troubleshoot since the MDM WMI provider isn't giving us a meaningful error to work with.
I do have to wonder though, if you run the following, do you get back a reference to your user account or the computer's account?
whoami
Here's an example of the command, which in my case shows my user account:
If you've followed the instructions correctly on using psexec, what you should get is a reference to the computer's account.
Cheers,
Lain
Aug 11 2023 04:03 AM - edited Aug 16 2023 12:41 AM
@LainRobertson Hi Lain, thank you for your response, here is the output.
So PowerShell is using the system authority.
Unfortunately I'm not that deep into WMI and manipulating Windows on that level.
Aug 11 2023 04:30 AM
Okay, that actually looks good. The username is right and the earlier call you made above that to Get-CimInstance succeeded.
So, I've gone back up and had a look at the script and it looks like a simple formatting issue.
Line 6 should actually be part of line 5. So, this (your lines 5 and 6):
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode
(@"
Should become this:
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
The issue putting the "(" on the next line creates is that the XML doesn't get assigned to $obj.Configuration. Instead, $obj.Configuration has the definition of the
So, make the simple change above and try again.
Cheers,
Lain
Aug 11 2023 05:01 AM
@LainRobertson Hi Lain, I understand; unfortunately I got another error. I double-checked the script for syntax errors and wrote it exactly as in the example stated on this page (https://learn.microsoft.com/en-us/windows/configuration/lock-down-windows-11-to-specific-apps)
$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
Add-Type -AssemblyName System.Web
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="dca70007-6874-49b3-930f-26ead1d85918">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Citrix.Workspace" rs5:AutoLaunch="true">
<App AppUserModelId="MSEdge" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.Windows.Explorer" />
</AllowedApps>
</AllAppsList>
<win11:StartPins>
<![CDATA[
{"pinnedList": [
{"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Citrix Workspace.lnk"},
{"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"},
{"packagedAppId":"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}
]}
]]>
<win11:StartPins/>
<Taskbar ShowTaskbar="true"/><Taskbar/>
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount/>
<DefaultProfile Id="{c374b80f-6aea-4c02-b1db-7bb1dfc4fe84}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
"@)
Set-CimInstance -CimInstance $obj
Aug 11 2023 05:24 AM
That's okay. It still looks like you're making progress, and it doesn't help that this is more about Intune than PowerShell, as all I can do is guess when it comes to Intune.
Because I don't understand the MDM's XML, could you leave out the XML and run just the following script skeleton for me as a test, and see if you still get an error?
$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
Add-Type -AssemblyName System.Web
Set-CimInstance -CimInstance $obj
If you don't get an error, then we know something is wrong with the XML. If we do get an error, then it's due to something other than the XML.
With all the previous issues taken care of, I'm expecting there should be no error.
Cheers,
Lain
Aug 11 2023 05:35 AM
Aug 11 2023 05:57 AM
Fantastic. That really helps us narrow our focus onto the XML.
I keep saying this as I feel like I'm the blind leading the blind here, but I really know nothing about this MDM stuff - it's way outside my areas of expertise. But for now, we can rule out the PowerShell side entirely and just look at the XML.
This first change is just a tip - it won't change your current XML at all: use the single-quote text block style rather than the double-quote form.
So, instead of this:
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
...
"@)
Use this:
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@'
...
'@)
Why?
PowerShell will try and identify any variables inside of a double-quotes block and swap out the variable name for the localised value, whereas using the single quote preserves the exact format of the text (i.e. no variable substitutions). This can be quite important for text blocks featuring symbols - like XML.
Here's a simple illustration of both double and single quotes and how PowerShell parses both:
As I say though, in this specific case, it's not an issue for your XML. It's just something important to be aware of that isn't always obvious.
Focusing on your XML, you could try stripping it down to something really simple and then building it back up, but one thing that sticks out to my untrained eye is that the GUID used near the top:
<Profile Id="dca70007-6874-49b3-930f-26ead1d85918">
Doesn't match the GUID near the bottom:
<DefaultProfile Id="{c374b80f-6aea-4c02-b1db-7bb1dfc4fe84}"/>
And I'm wondering (aka guessing) should they not both be the same value, as they are in the Microsoft article you referenced earlier?
Cheers,
Lain
Aug 15 2023 11:49 PM
Aug 16 2023 12:36 AM
Hi Lain, unfortunately I'm getting the same error again with single quotes:
"A general error has occurred for which no more specific error code is available."
also tried it like that with the same result...
$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
Add-Type -AssemblyName System.Web
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@'
'@)
Set-CimInstance -CimInstance $obj
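The thread ends without resolving the "general error", but the XML posted above is not well-formed, which the MDM Bridge reports only as that generic failure: `<win11:StartPins/>` and `<Taskbar/>` are empty elements where the closing tags `</win11:StartPins>` and `</Taskbar>` were meant, the Citrix `<App>` element is never closed, the `rs5:` prefix is used without a namespace declaration, and, as Lain suspected, the `Profile Id` and `DefaultProfile Id` differ (Microsoft's sample uses one braced GUID in both places). The script below is an added example, not code from the thread or from Microsoft's article: it carries the poster's configuration with those defects repaired (the app identifiers and pins are kept exactly as posted; the undeclared `rs5:AutoLaunch` attribute is dropped), and it validates the XML locally with an `[xml]` cast and a GUID cross-check before anything touches `MDM_AssignedAccess`. `Test-AssignedAccessXml` and `Set-AssignedAccessConfiguration` are my own function names; the namespace, class and `Configuration` property are the ones from the thread.

```powershell
# Added example (not from the thread or Microsoft's article): validate an
# AssignedAccess configuration before handing it to the MDM Bridge provider.
# Single-quoted here-string, so no variable expansion happens inside the XML.
$assignedAccessXml = @'
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <Profiles>
    <Profile Id="{dca70007-6874-49b3-930f-26ead1d85918}">
      <AllAppsList>
        <AllowedApps>
          <App AppUserModelId="Citrix.Workspace" />
          <App AppUserModelId="MSEdge" />
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.Windows.Explorer" />
        </AllowedApps>
      </AllAppsList>
      <win11:StartPins>
        <![CDATA[
        {"pinnedList": [
          {"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Citrix Workspace.lnk"},
          {"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"},
          {"packagedAppId":"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},
          {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
          {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}
        ]}
        ]]>
      </win11:StartPins>
      <Taskbar ShowTaskbar="true" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <AutoLogonAccount />
      <DefaultProfile Id="{dca70007-6874-49b3-930f-26ead1d85918}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
'@

function Test-AssignedAccessXml {
    # Returns $true when the XML parses and every DefaultProfile points at a
    # declared Profile; throws with a readable reason otherwise.
    param([Parameter(Mandatory)][string]$Xml)

    # 1. Well-formedness. The cast fails on exactly the mistakes in the thread:
    #    "<win11:StartPins/>" instead of "</win11:StartPins>", an unclosed <App>,
    #    or a prefix such as "rs5:" that was never declared.
    try { $doc = [xml]$Xml }
    catch { throw "XML is not well-formed: $($_.Exception.Message)" }

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('aa', 'http://schemas.microsoft.com/AssignedAccess/2017/config')
    $profileIds = $doc.SelectNodes('/aa:AssignedAccessConfiguration/aa:Profiles/aa:Profile/@Id', $ns) |
        ForEach-Object { [guid]$_.Value }
    $defaultIds = $doc.SelectNodes('/aa:AssignedAccessConfiguration/aa:Configs/aa:Config/aa:DefaultProfile/@Id', $ns) |
        ForEach-Object { [guid]$_.Value }

    # 2. Referential check. Comparing as [guid] ignores the braces/no-braces
    #    difference, so only a genuinely different GUID is reported.
    if (-not $profileIds) { throw 'No <Profile Id="..."> found.' }
    foreach ($d in $defaultIds) {
        if ($d -notin $profileIds) {
            throw "DefaultProfile Id '$d' matches no Profile Id ($($profileIds -join ', '))."
        }
    }
    return $true
}

function Set-AssignedAccessConfiguration {
    # Writes the configuration through the WMI Bridge. Must run as LOCAL SYSTEM
    # (e.g. from a psexec -s shell), as established earlier in the thread.
    param([Parameter(Mandatory)][string]$Xml)
    $null = Test-AssignedAccessXml -Xml $Xml
    Add-Type -AssemblyName System.Web
    $obj = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_AssignedAccess'
    if (-not $obj) { throw 'No MDM_AssignedAccess instance; run as SYSTEM on an MDM-managed device.' }
    $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode($Xml)
    Set-CimInstance -CimInstance $obj
}

# Offline check of the repaired configuration (no WMI access needed).
if (Test-AssignedAccessXml -Xml $assignedAccessXml) {
    Write-Host 'XML validated; call Set-AssignedAccessConfiguration from a SYSTEM shell to apply it.'
}

# Constructed fragment reproducing the thread's closing-tag mistake: rejected.
$brokenFragment = '<a xmlns:win11="x"><win11:StartPins><![CDATA[{}]]><win11:StartPins/></a>'
try { Test-AssignedAccessXml -Xml $brokenFragment }
catch { Write-Host "Rejected as expected: $($_.Exception.Message)" }
```

Running the validation part needs no elevation and works in Windows PowerShell 5.1 or PowerShell 7; only `Set-AssignedAccessConfiguration` requires the SYSTEM context. Splitting the two steps keeps the generic MDM error from masking plain XML mistakes, which is where this thread stalled.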