Windows 11 assigned access - setting kiosk mode over powershell and WMI

Hey guys,

so currently, as this article states, multi-app kiosk mode in Intune for Windows 11 is on the roadmap, but there is no ETA for when it goes live. https://techcommunity.microsoft.com/t5/windows-it-pro-blog/multi-app-kiosk-mode-now-available-in-win...

I then tried, as this article shows (https://learn.microsoft.com/en-us/windows/configuration/lock-down-windows-11-to-specific-apps), to run the stated PowerShell script with my own configured XML file, as you can see here:

$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
Add-Type -AssemblyName System.Web
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode
(@"

<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration  
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
    <Profiles>
        <Profile Id="dca70007-6874-49b3-930f-26ead1d85918">
            <AllAppsList>
            <AllowedApps>
                <App AppUserModelId="Citrix.Workspace" rs5:AutoLaunch="true">
                <App AppUserModelId="MSEdge" />
                <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
                <App AppUserModelId="Microsoft.Windows.Explorer" />       
            </AllowedApps>
            </AllAppsList>
            <win11:StartPins>
            <![CDATA[ 
                {"pinnedList": [
                    {"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Citrix Workspace.lnk"},
                    {"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"},
                    {"packagedAppId":"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},
                    {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
                    {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}
                ]}
            ]]>
            <win11:StartPins/>
            <Taskbar ShowTaskbar="true"/><Taskbar/>
        </Profile>
    </Profiles>
    <Configs>
        <Config>
            <AutoLogonAccount/>
            <DefaultProfile Id="{c374b80f-6aea-4c02-b1db-7bb1dfc4fe84}"/>
        </Config>
    </Configs>
</AssignedAccessConfiguration>
"@)

Set-CimInstance -CimInstance $obj

but I'm getting the following errors:

Get-CimInstance: C:\Users\michael.woerner\GitHub-Repo\Github_Work\Intune\Scripts\Kiosk-XML-WMI.ps1:3:8
Line |
   3 |  $obj = Get-CimInstance -Namespace $namespaceName -ClassName $classNam …
     |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Zugriff verweigert. 
InvalidOperation: C:\Users\michael.woerner\GitHub-Repo\Github_Work\Intune\Scripts\Kiosk-XML-WMI.ps1:5:1
Line |
   5 |  $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The property 'Configuration' cannot be found on this object. Verify that the property exists and can be set.

Set-CimInstance: C:\Users\michael.woerner\GitHub-Repo\Github_Work\Intune\Scripts\Kiosk-XML-WMI.ps1:44:30
Line |
  44 |  Set-CimInstance -CimInstance $obj
     |                               ~~~~
     | Cannot bind argument to parameter 'InputObject' because it is null.

Can you guys help me with that?

@MichaelW

Hi, Michael.

You'll have to forgive me, but as I can't speak German, I had to run "Zugriff verweigert" through a translator, but it seems to have translated to "Access denied", which I can accept as accurate.

In short, the second and third errors from your post describe the problem - which is that $obj is null - but I needed to run the translation to understand why, which comes from your first error.

You'll need to either run this script with administrator rights (preferred resolution), or - and I wouldn't recommend this - change the security on the "root\cimv2\mdm\dmmap" WMI namespace to grant non-administrators the necessary read+write permissions.

Because you haven't gotten far enough to use your XML yet, we can't comment on that. You'll know more once you resolve this initial permissions issue.

Cheers,

Lain

Hi Lain,

thank you also for the work translating from German to English.
Unfortunately I ran the script in PowerShell ISE with administrator rights, and was also logged in with a LAPS local admin user account on the test client. The test client is a Windows 11 physical machine and is enrolled as an Azure AD device.
$nameSpaceName="root\cimv2\mdm\dmmap"
Is this maybe the error? Since it's a Windows device, does this path even exist?
Or do I need any prerequisites for running WMI commands?

To use the WMI Bridge Provider (which is what you are doing here), you have to run it as local SYSTEM. Administrator is not enough. You can read more about the WMI Bridge Provider and how to use it with PowerShell here: https://learn.microsoft.com/en-us/windows/client-management/using-powershell-scripting-with-the-wmi-...

@MichaelW

The path will almost certainly exist. I run Windows 10 22H2 and even I see it:

[screenshot]

Running the commands under an administrative process does allow you to get past the "access denied" issue (confirmed by the default permissions on this namespace as shown below), but if the authenticated user is being used by the MDM client, that would explain why the article requires the various commands to execute within the system process rather than just any administrative user:

[screenshot]

But because I don't use Intune and therefore have no policy data to query, I can't go any further with this. That said, I can see other class information such as that from the MDM_DevDetail example below:

[screenshot]

It doesn't seem like this is actually a PowerShell issue, but rather the specific requirements of the MDM - as @dretzer pointed out.

Cheers,

Lain

@LainRobertson @dretzer 

thank you both very much, that explains a lot. I have to use psexec to get this to work and run the script in the system context. I'll try that out, nice.

Hey, so I ran the script in a PowerShell terminal that was started with psexec.exe -i -s cmd.exe
Unfortunately it ran into an error again on line 44, as the screenshot shows: [screenshot]

I also tried it with PowerShell 7 and with another version of the script (also from an elevated cmd started with psexec):

$nameSpaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_AssignedAccess"

# Write the XML configuration to a file
$xmlContent = @"
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
    <!-- ... your XML configuration here ... -->
</AssignedAccessConfiguration>
"@
$xmlFilePath = "win11-kiosk-wmi.xml"
$xmlContent | Set-Content -Path $xmlFilePath -Encoding UTF8

# Get-CimInstance to obtain the instance
$obj = Get-CimInstance -Namespace $nameSpaceName -ClassName $className

# Set the Configuration property of the $obj object
$obj.Configuration = $xmlFilePath

# Update the instance with the new configuration
Set-CimInstance -CimInstance $obj

but I'm also getting an error: [screenshot]

I also ran the command on the client to test whether I can access this class: [screenshot]

@MichaelW

Hi, Michael.

Again, I have to apologize for needing to use a translator (where I hope the translation is accurate), which for the error of:

Es ist ein allgemeiner Fehler aufgetreten, für den kein spezifischerer Fehlercode verfügbar ist

I got a translation of:

A general error has occurred for which a more specific error code is not available

If that's accurate, that makes things a little difficult to troubleshoot since the MDM WMI provider isn't giving us a meaningful error to work with.

I do have to wonder though, if you run the following, do you get back a reference to your user account or the computer's account?

whoami

Here's an example of the command, which in my case shows my user account:

[screenshot]

If you've followed the instructions correctly on using psexec, what you should get is a reference to the computer's account.

Cheers,

Lain

@LainRobertson Hi Lain, thank you for your response, here is the output.

So PowerShell is using the system authority.

Unfortunately I'm not that deep into WMI and manipulating Windows on that level.

@MichaelW

Okay, that actually looks good. The username is right and the earlier call you made above that to Get-CimInstance succeeded.

So, I've gone back up and had a look at the script and it looks like a simple formatting issue.

Line 6 should actually be part of line 5. So, this (your lines 5 and 6):

$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode
(@"

Should become this:

$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"

The issue that putting the "(" on the next line creates is that the XML doesn't get assigned to $obj.Configuration. Instead, $obj.Configuration has the definition of the [System.Web.HttpUtility]::HtmlEncode method assigned to it. It's not important to understand that, only that it will cause your Set-CimInstance to fail.

So, make the simple change above and try again.

Cheers,

Lain

@LainRobertson Hi Lain, I understand. Unfortunately I got another error. I double-checked the script for syntax errors and wrote it exactly as in the example stated on this page (https://learn.microsoft.com/en-us/windows/configuration/lock-down-windows-11-to-specific-apps)

[screenshot]

$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
Add-Type -AssemblyName System.Web
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"

<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration  
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
    <Profiles>
        <Profile Id="dca70007-6874-49b3-930f-26ead1d85918">
            <AllAppsList>
            <AllowedApps>
                <App AppUserModelId="Citrix.Workspace" rs5:AutoLaunch="true">
                <App AppUserModelId="MSEdge" />
                <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
                <App AppUserModelId="Microsoft.Windows.Explorer" />       
            </AllowedApps>
            </AllAppsList>
            <win11:StartPins>
            <![CDATA[ 
                {"pinnedList": [
                    {"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Citrix Workspace.lnk"},
                    {"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"},
                    {"packagedAppId":"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},
                    {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
                    {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}
                ]}
            ]]>
            <win11:StartPins/>
            <Taskbar ShowTaskbar="true"/><Taskbar/>
        </Profile>
    </Profiles>
    <Configs>
        <Config>
            <AutoLogonAccount/>
            <DefaultProfile Id="{c374b80f-6aea-4c02-b1db-7bb1dfc4fe84}"/>
        </Config>
    </Configs>
</AssignedAccessConfiguration>

"@)

Set-CimInstance -CimInstance $obj

@MichaelW

That's okay. It still looks like you're making progress, and it doesn't help that this is more about Intune than PowerShell, as all I can do is guess when it comes to Intune.

Because I don't understand the MDM's XML, could you leave out the XML and run just the following script skeleton for me as a test, and see if you still get an error?

$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
Add-Type -AssemblyName System.Web

Set-CimInstance -CimInstance $obj

If you don't get an error, then we know something is wrong with the XML. If we do get an error, then it's due to something other than the XML.

With all the previous issues taken care of, I'm expecting there should be no error.

Cheers,

Lain

No errors with the skeleton

@MichaelW

Fantastic. That really helps us narrow our focus onto the XML.

I keep saying this as I feel like I'm the blind leading the blind here, but I really know nothing about this MDM stuff - it's way outside my areas of expertise. But for now, we can rule out the PowerShell side entirely and just look at the XML.

This first change is just a tip - it won't change your current XML at all: use the single-quote text block style rather than the double-quote form.

So, instead of this:

$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
...
"@)

Use this:

$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@'
...
'@)

Why?

PowerShell will try to identify any variables inside of a double-quote block and swap out the variable name for the localised value, whereas using the single quote preserves the exact format of the text (i.e. no variable substitutions). This can be quite important for text blocks featuring symbols - like XML.

Here's a simple illustration of both double and single quotes and how PowerShell parses both:

[screenshot]

As I say though, in this specific case, it's not an issue for your XML. It's just something important to be aware of that isn't always obvious.

Focusing on your XML, you could try stripping it down to something really simple and then building it back up, but one thing that sticks out to my untrained eye is that the GUID used near the top:

<Profile Id="dca70007-6874-49b3-930f-26ead1d85918">

Doesn't match the GUID near the bottom:

<DefaultProfile Id="{c374b80f-6aea-4c02-b1db-7bb1dfc4fe84}"/>

And I'm wondering (aka guessing) should they not both be the same value, as they are in the Microsoft article you referenced earlier?

Cheers,

Lain
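Two constraints come up in this thread: the WMI bridge only answers from the SYSTEM context (dretzer's point), and when the provider dislikes the XML it reports nothing more useful than "a general error has occurred" (which is what makes the GUID mismatch above so hard to spot). Both are worth encoding in a script rather than checking by hand. The following is an added example, not code from the thread or from Microsoft's documentation: it parses the configuration with the .NET XML parser first, which names an unclosed element or an undeclared namespace prefix together with its line number, checks that every profile Id referenced under <Configs> is a GUID that is actually declared under <Profiles>, checks that the StartPins payload is valid JSON, refuses to touch WMI unless the process really is SYSTEM, and reads the applied configuration back after Set-CimInstance. The namespace and class names are the ones used in the thread; the function names and the minimal sample configuration (constructed here, reusing the thread's c374b80f... GUID in both places) are this example's own assumptions.

```powershell
# Added example (not from the thread or Microsoft's docs): validate an AssignedAccess XML
# document locally, then apply it through the MDM_AssignedAccess WMI bridge class from a
# SYSTEM-context PowerShell session (for example one started with psexec -i -s).
# Function names are this example's own; namespace/class names are those used in the thread.

Add-Type -AssemblyName System.Web

$script:MdmNamespace = 'root\cimv2\mdm\dmmap'
$script:MdmClass     = 'MDM_AssignedAccess'

function Test-AssignedAccessXml {
    # Returns an array of problem descriptions; an empty array means the XML passed.
    param([Parameter(Mandatory)][string]$Xml)

    $problems = @()

    # 1. Well-formedness. The MDM provider only says "a general error has occurred";
    #    the .NET parser names the unclosed element or undeclared prefix and its line.
    $doc = New-Object System.Xml.XmlDocument
    try   { $doc.LoadXml($Xml) }
    catch { return @("XML is not well-formed: $($_.Exception.Message)") }

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('aa',  'http://schemas.microsoft.com/AssignedAccess/2017/config')
    $ns.AddNamespace('w11', 'http://schemas.microsoft.com/AssignedAccess/2022/config')

    if ($doc.DocumentElement.NamespaceURI -ne $ns.LookupNamespace('aa')) {
        $problems += 'Root element is not in the AssignedAccess/2017/config namespace'
    }

    # 2. Collect declared profile Ids. Braces are optional in the thread's XML, so compare as [guid].
    $declared = @()
    foreach ($attr in $doc.SelectNodes('/aa:AssignedAccessConfiguration/aa:Profiles/aa:Profile/@Id', $ns)) {
        $g = [guid]::Empty
        if ([guid]::TryParse($attr.Value, [ref]$g)) { $declared += $g }
        else { $problems += "Profile Id '$($attr.Value)' is not a GUID" }
    }
    if ($declared.Count -eq 0) { $problems += 'No <Profile> declared under <Profiles>' }

    # 3. Every Id referenced from <Configs> (DefaultProfile or a per-account Profile) must be declared.
    foreach ($attr in $doc.SelectNodes('/aa:AssignedAccessConfiguration/aa:Configs//@Id', $ns)) {
        $g = [guid]::Empty
        if (-not [guid]::TryParse($attr.Value, [ref]$g)) {
            $problems += "Config Id '$($attr.Value)' is not a GUID"
        } elseif ($declared -notcontains $g) {
            $problems += "Config references profile $g, which is not declared under <Profiles>"
        }
    }

    # 4. Windows 11 StartPins, if present, must carry JSON (the CDATA wrapper is stripped by InnerText).
    foreach ($pins in $doc.SelectNodes('//w11:StartPins', $ns)) {
        try   { $null = $pins.InnerText | ConvertFrom-Json -ErrorAction Stop }
        catch { $problems += "StartPins content is not valid JSON: $($_.Exception.Message)" }
    }

    return $problems
}

function Set-AssignedAccessConfiguration {
    # Applies the XML through the WMI bridge and returns the configuration read back (HTML-decoded).
    param([Parameter(Mandatory)][string]$Xml)

    # The bridge provider is only usable as SYSTEM; an elevated administrator is not enough.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $identity.IsSystem) {
        throw "Running as '$($identity.Name)'; $script:MdmClass must be driven as SYSTEM (e.g. psexec -i -s powershell.exe)."
    }

    $problems = @(Test-AssignedAccessXml -Xml $Xml)
    if ($problems.Count -gt 0) {
        throw ("Refusing to apply configuration:`n - " + ($problems -join "`n - "))
    }

    $obj = Get-CimInstance -Namespace $script:MdmNamespace -ClassName $script:MdmClass -ErrorAction Stop |
           Select-Object -First 1
    if ($null -eq $obj) { throw "No $script:MdmClass instance returned; is the device MDM-enrolled?" }

    # The Configuration property takes the XML HTML-encoded, exactly as in Microsoft's example script.
    $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode($Xml)
    Set-CimInstance -CimInstance $obj -ErrorAction Stop

    # Read back what the provider stored so it can be diffed against what was sent.
    $applied = Get-CimInstance -Namespace $script:MdmNamespace -ClassName $script:MdmClass -ErrorAction Stop |
               Select-Object -First 1
    return [System.Web.HttpUtility]::HtmlDecode($applied.Configuration)
}

# Constructed sample: the same elements the thread uses, with one profile and a DefaultProfile
# pointing at it. Single-quoted here-string, so nothing inside is variable-expanded.
$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <Profiles>
    <Profile Id="{c374b80f-6aea-4c02-b1db-7bb1dfc4fe84}">
      <AllAppsList>
        <AllowedApps>
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
        </AllowedApps>
      </AllAppsList>
      <win11:StartPins><![CDATA[
        {"pinnedList": [ {"packagedAppId": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"} ]}
      ]]></win11:StartPins>
      <Taskbar ShowTaskbar="true"/>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <AutoLogonAccount/>
      <DefaultProfile Id="{c374b80f-6aea-4c02-b1db-7bb1dfc4fe84}"/>
    </Config>
  </Configs>
</AssignedAccessConfiguration>
'@

$report = @(Test-AssignedAccessXml -Xml $sampleXml)
if ($report.Count -eq 0) { Write-Host 'Sample XML passes the local checks.' }
else { $report | ForEach-Object { Write-Warning $_ } }

# Only touch WMI when actually running as SYSTEM; otherwise stop after validation.
if ([System.Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    Set-AssignedAccessConfiguration -Xml $sampleXml
}
```

Run as-is from any shell it only validates the sample; under psexec -i -s it also applies it and returns what the provider stored. Pasting the XML from the earlier posts into $sampleXml, with everything else unchanged, shows whether the parser accepts it before the MDM provider ever sees it, which is a far more specific answer than "a general error has occurred". Validation happens before the identity check fails nothing: the function order means a non-SYSTEM caller still gets the XML report, but never a half-applied configuration.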

Thank you very much Lain, sorry, I was on holiday for the past days. I will try both things out, thank you very much for the explanation of the double quote and single quote.

Hi Lain, unfortunately I'm getting the same error again with single quotes:

"A general error has occurred for which no more specific error code is available."

[screenshot]

I also tried it like that with the same result...

$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
Add-Type -AssemblyName System.Web
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@'
    
'@)

Set-CimInstance -CimInstance $obj