Deep Dive into Windows 11 Kiosks Part 2: Advanced


A few weeks ago (was supposed to be last week, but I had to do a site visit for Workplace Ninjas US in Dallas, TX), we wrote about Windows 11 Kiosks. We discussed assigned access for the single-app kiosk use case, which is all fun and games. This week, we will cover some more interesting items (Shell Launcher and Restricted User Experience). Here’s what we’re going to look at:

You can access part one of our article here

What is Shell Launcher?

As we briefly discussed last week, Shell Launcher lets you execute an application that replaces the default Windows UI/shell aka Explorer, but it does not run above the lock screen.

Some of the reasons we might use Shell Launcher are:

    • Wanting to replace the UI with custom built apps

    • Digital Signage

    • Thin PC use cases

The PC isn’t locked down; it’s mostly just cultivating that user experience. One thing to note: it does require Windows Enterprise, Education, or IoT SKUs to work.

Let’s cover a few of the limitations at this juncture:

    • Windows doesn’t let you set Shell Launcher pre-OOBE. Trying to do so will stop you from deploying the image.

    • Shell Launcher doesn’t support a custom shell app that launches a different process and then exits. Upon launching the custom shell, it monitors the process to identify when the custom shell exits, and then restarts the shell.

Building the XML for the Shell Launcher Use Case for Windows 365

The process of writing the XML is fairly similar to assigned access, so we will cover that now in detail.

First, we have our building blocks with the schema config:

<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration
xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration" xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">

Similar to Assigned Access, we have the Profile Id GUID that we generate, but that is basically the only similarity. You can also optionally set the Name attribute to the profile like I do in my code, which you can see in a bit.

We will define a “Shell” element which provides details about the application we will execute. You can specify:

    • Shell (tells it what application to use as Shell)

    • V2:AppType (defines the app type, could be “Desktop” or “UWP”)

    • V2:AllAppsFullScreen (defines whether every app launches in full screen or only the custom shell app)

You can also customize return code actions if you want. Basically, this is how you tell the Shell Launcher to handle app exits. The options are:

    • RestartShell

    • RestartDevice

    • ShutdownDevice

    • DoNothing

In our demo, we won’t be using these, but an example of what they look like is:

        <ReturnCodeActions>
          <ReturnCodeAction ReturnCode="0" Action="RestartShell" />
          <ReturnCodeAction ReturnCode="-1" Action="RestartDevice" />
          <ReturnCodeAction ReturnCode="255" Action="ShutdownDevice" />
        </ReturnCodeActions>

Originally, we were going to do something with Windows 365 App, but we found that didn’t quite work, so we shifted to Notepad:

<Profiles>
  <DefaultProfile>
    <Shell Shell="%systemroot%\explorer.exe">
      <DefaultAction Action="RestartShell"/>
    </Shell>
  </DefaultProfile>
  <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}" Name="Windows 365 App">
    <Shell Shell="Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" V2:AppType="UWP">
      <DefaultAction Action="RestartShell" />
    </Shell>
  </Profile>
</Profiles>

The final part of the XML matches what we did with assigned access outside of closing ShellLauncher instead of Assigned Access:

<Configs>
  <Config>
    <AutoLogonAccount />
    <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}" />
  </Config>
</Configs>
</ShellLauncherConfiguration>

Update: I was able to get the Windows App working with Shell Launcher by deploying WebView2 via PowerShell from here.

If interested, the functional ShellLauncher XML can be found below:

<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration" xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
  <Profiles>
    <DefaultProfile>
      <Shell Shell="%systemroot%\explorer.exe">
        <DefaultAction Action="RestartShell"/>
      </Shell>
    </DefaultProfile>
    <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}" Name="Windows 365 App">
      <Shell Shell="MicrosoftCorporationII.Windows365_8wekyb3d8bbwe!Windows365" V2:AppType="UWP">
        <DefaultAction Action="RestartShell" />
      </Shell>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <AutoLogonAccount />
      <Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}" />
    </Config>
  </Configs>
</ShellLauncherConfiguration>

For additional details, refer to part 1 of the article, but overall, this is our XML.

Deploying the Shell Launcher Policy in Microsoft Intune

We can very easily deploy the policy via an Intune Custom Policy:

The OMA-URI is: ./Vendor/MSFT/AssignedAccess/ShellLauncher and we just upload the XML we built.

screenshot of deploying the shell launcher policy in Microsoft Intune

It goes fast like AssignedAccess and should be no problem.
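Before the XML goes into a Custom Policy, it helps to push it to one test device through the MDM WMI bridge, which writes the same AssignedAccess CSP node Intune targets, and read back what was stored. This is an added example, not the blog’s script; the path C:\temp\ShellLauncher.xml is assumed, and the script has to run as SYSTEM (for example via psexec -s), which the WMI bridge requires.

```powershell
# Push a Shell Launcher XML to one test device through the MDM WMI bridge,
# then read it back. Added example, not the blog's script; $XmlPath is assumed.
# Must run as SYSTEM (e.g. psexec -s -i powershell.exe); the WMI bridge
# does not accept calls from an ordinary admin session.
param([string]$XmlPath = 'C:\temp\ShellLauncher.xml')

$ns2018 = 'http://schemas.microsoft.com/ShellLauncher/2018/Configuration'
$ns2019 = 'http://schemas.microsoft.com/ShellLauncher/2019/Configuration'

# Shell Launcher is an optional Windows feature; the WMI path needs it enabled first.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Client-EmbeddedShellLauncher
if ($feature.State -ne 'Enabled') {
    throw "Client-EmbeddedShellLauncher is $($feature.State); enable it with Enable-WindowsOptionalFeature -Online -FeatureName Client-EmbeddedShellLauncher"
}

# Parse locally first so a malformed file fails here with a readable error
# rather than as a generic CSP status later.
$raw = Get-Content -Path $XmlPath -Raw
[xml]$xml = $raw
if ($xml.DocumentElement.NamespaceURI -ne $ns2018) { throw "Root element must be in $ns2018" }

# The CSP stores the XML as an HTML-encoded string on the ShellLauncher node.
$cimArgs = @{ Namespace = 'root\cimv2\mdm\dmmap'; ClassName = 'MDM_AssignedAccess' }
$obj = Get-CimInstance @cimArgs
$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($raw)
Set-CimInstance -CimInstance $obj -ErrorAction Stop

# Read back what the CSP now holds and report the profile that will actually run.
$applied = [xml][System.Net.WebUtility]::HtmlDecode((Get-CimInstance @cimArgs).ShellLauncher)
$nsm = New-Object System.Xml.XmlNamespaceManager($applied.NameTable)
$nsm.AddNamespace('sl', $ns2018)
$activeId = $applied.SelectSingleNode('//sl:Configs/sl:Config/sl:Profile', $nsm).GetAttribute('Id')
$shell    = $applied.SelectSingleNode("//sl:Profiles/sl:Profile[@Id='$activeId']/sl:Shell", $nsm)
$appType  = $shell.GetAttribute('AppType', $ns2019)
if (-not $appType) { $appType = 'Desktop' }   # V2:AppType is optional; report unset as Desktop
"Active profile $activeId -> $($shell.GetAttribute('Shell')) ($appType)"
```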

We also needed these local security policy settings:

 

The Shell Launcher User Experience

The video demo for Shell Launcher with Windows 365 can now be found below:

What is Restricted User Experience?

Last week, we also discussed “Restricted User Experience” aka Multi-App Kiosk which regulates exactly what you will see on your machine. So, it’s like a Kiosk, but not a kiosk?!

Restricted User Experience is basically for when you want a kiosk but need multiple apps; it can be very tricky to get right. You can see an example below of what that might look like:

screenshot of what a Windows 11 restricted user experience might look like

You will specify what people can run and even the start menu is fully customized to reflect the settings in your XML. The setup, deployment, and such are very similar to Assigned Access, but we will work through how to do this to meet your requirements.

Building the XML for Restricted User Experience

Building the Restricted User Experience XML is a bit harder than assigned access was, but we can follow similar logic.

We will start piece-by-piece. First, we have our building blocks with the schema config:

<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config" xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config">

This time around, we will use “AllAppsList”.

AllAppsList lets you define the apps that are allowed to run, which can be UWP apps and/or desktop apps. Behind the scenes, this generates AppLocker rules that allow those apps to run, so any dependency apps must also be accounted for. AllAppsList has several properties we can use:

    • AppUserModelId: where you would specify the App User Model ID (You can get a list of these with PowerShell and “Get-StartApps”)

    • DesktopAppPath: the full path of a desktop app executable (does support environment variables)

    • rs5:AutoLaunch: can be used to tell it to auto-launch a certain application

    • rs5:AutoLaunchArguments: arguments that you can pass to the application that is using auto-launch.

You can see my example below which shows how I set this up:

<Profiles>
  <Profile Id="{64f010ec-c145-4a16-941c-3c245f435d6a}">
    <AllAppsList>
      <AllowedApps>
        <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
        <App DesktopAppPath="C:\Windows\system32\cmd.exe" />
        <App DesktopAppPath="%windir%\explorer.exe" />
        <!-- a file path goes in DesktopAppPath, not AppUserModelId -->
        <App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
        <App AppUserModelId="MicrosoftCorporationII.Windows365_8wekyb3d8bbwe!Windows365" />
      </AllowedApps>
    </AllAppsList>

We also have a few more items that we can work on as well with Start menu and Taskbar customization.

Start menu customization is pretty easy actually. You basically run this in PowerShell on a machine:

Export-StartLayout -Path c:\temp\startlayout.json

Once you have it, you can modify the JSON to meet your needs. That JSON looks like this, which makes it very easy to modify and update with additional pins you might need. You will notice I wrapped the JSON in v5:StartPins and a CDATA wrapper so it will work in your XML:

<v5:StartPins>
<![CDATA[
{"pinnedList":[{"packagedAppId":"MicrosoftCorporationII.Windows365_8wekyb3d8bbwe!Windows365"},
{"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"}]}
  ]]>
</v5:StartPins>

You will do something similar with the Taskbar. That example is below (I add in the closing tags for Profile and Profiles, since you will need them overall):

<Taskbar ShowTaskbar="true" />
<v5:TaskbarLayout><![CDATA[
  <?xml version="1.0" encoding="utf-8"?>
  <LayoutModificationTemplate
      xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
      xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
      xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
      xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
      Version="1">
  <CustomTaskbarLayoutCollection>
    <defaultlayout:TaskbarLayout>
    <taskbar:TaskbarPinList>
        <taskbar:UWA AppUserModelID="MicrosoftCorporationII.Windows365_8wekyb3d8bbwe!Windows365" />
        <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/>
    </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
  </CustomTaskbarLayoutCollection>
  </LayoutModificationTemplate>
  ]]>
</v5:TaskbarLayout>
</Profile>
</Profiles>

The third and final piece of the XML is the “Configs” section, where you tell it which account gets the profile and what the login experience will be. You can specify a user, or even just auto-login with a built-in account.

A few limitations with this: the account can’t be an admin, and it can’t be a user subject to Entra Conditional Access policies that require interaction such as MFA. One last note: if you want someone to log in with a local account, make sure you deploy this policy via Intune:

Screenshot of the enumerate local users on domain-joined computers policy

I will keep using a built-in account for automatic login for fun:


  <Configs>
    <Config>
      <AutoLogonAccount rs5:DisplayName="CloudPC Kiosk" />
      <DefaultProfile Id="{64f010ec-c145-4a16-941c-3c245f435d6a}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>

Alternatively, you could use a user account instead:

##For a Local User##
  <Configs>
    <Config>
      <Account>MobileJon</Account>
      <DefaultProfile Id="{64f010ec-c145-4a16-941c-3c245f435d6a}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>

##For an Entra User##
  <Configs>
    <Config>
      <Account>AzureAD\[email protected]</Account>
      <DefaultProfile Id="{64f010ec-c145-4a16-941c-3c245f435d6a}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
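A pre-flight check for the Restricted User Experience XML built above, covering the Profiles/Configs wiring, the AllowedApps list and the StartPins JSON, run on a test device before the file is uploaded to Intune. This is an added example, not the blog’s own tooling; the path C:\temp\kiosk.xml is assumed.

```powershell
# Pre-flight check for a Restricted User Experience (Assigned Access) XML.
# Added example; $XmlPath is an assumed location. Run on a test device so that
# Get-StartApps reflects the apps installed there (it lists the current user's apps).
param([string]$XmlPath = 'C:\temp\kiosk.xml')

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Well-formedness: Intune rejects the upload outright if this fails.
try { $raw = Get-Content -Path $XmlPath -Raw; [xml]$doc = $raw }
catch { throw "Not well-formed XML: $($_.Exception.Message)" }

# Match elements by local name so prefixed (v5:, rs5:) and unprefixed elements both work.
function Select-ByName([System.Xml.XmlNode]$Node, [string]$Name) {
    $Node.SelectNodes("//*[local-name()='$Name']")
}

# 2. Microsoft's published samples put the root element in the 2017/config namespace.
if (-not $doc.DocumentElement.NamespaceURI) {
    $findings.Add("Root element has no default xmlns (Microsoft samples use http://schemas.microsoft.com/AssignedAccess/2017/config)")
}

# 3. Every Config must reference a Profile Id that is defined under Profiles.
$defined    = @(Select-ByName $doc 'Profile' | Where-Object { $_.ParentNode.LocalName -eq 'Profiles' } | ForEach-Object { $_.GetAttribute('Id') })
$referenced = @(Select-ByName $doc 'DefaultProfile' | Where-Object { $_.ParentNode.LocalName -eq 'Config' } | ForEach-Object { $_.GetAttribute('Id') })
foreach ($id in $referenced) {
    if ($defined -notcontains $id) { $findings.Add("Config references profile $id, which is not defined") }
}

# 4. Allowed apps: AUMIDs must exist on the device, paths must resolve, and a
#    path placed in AppUserModelId is the wrong attribute. Interactive shells in
#    the allow list undo most of what the kiosk restriction is for, so flag them.
$installedAumids = @((Get-StartApps).AppID)
$allowedAumids   = @()
foreach ($app in (Select-ByName $doc 'App')) {
    if ($app.HasAttribute('AppUserModelId')) {
        $aumid = $app.GetAttribute('AppUserModelId')
        $allowedAumids += $aumid
        if ($aumid -match '[\\/]') {
            $findings.Add("'$aumid' is a file path; use DesktopAppPath instead of AppUserModelId")
        } elseif ($installedAumids -notcontains $aumid) {
            $findings.Add("AUMID '$aumid' not returned by Get-StartApps on this device")
        }
    }
    if ($app.HasAttribute('DesktopAppPath')) {
        $path = [Environment]::ExpandEnvironmentVariables($app.GetAttribute('DesktopAppPath'))
        if (-not (Test-Path -LiteralPath $path)) { $findings.Add("DesktopAppPath '$path' does not exist") }
        if ($path -match '\\(cmd|powershell|pwsh)\.exe$') {
            $findings.Add("'$path' is an interactive shell; allowing it hands kiosk users a command prompt")
        }
    }
}

# 5. StartPins: the CDATA must be valid JSON, and pinned packaged apps must also be allowed.
$pins = @(Select-ByName $doc 'StartPins')[0]
if ($pins) {
    try {
        foreach ($pin in ($pins.InnerText | ConvertFrom-Json).pinnedList) {
            if ($pin.packagedAppId -and $allowedAumids -notcontains $pin.packagedAppId) {
                $findings.Add("Start pin '$($pin.packagedAppId)' is not in AllowedApps")
            }
        }
    } catch { $findings.Add("StartPins CDATA is not valid JSON: $($_.Exception.Message)") }
}

if ($findings.Count -eq 0) { 'No issues found' } else { $findings | ForEach-Object { "WARN: $_" } }
```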

One final note: I recommend checking out the Assigned Access schema definitions here, which let you see other things you could set in the XML that I am not using. A few examples are:

    • Restricting File Explorer

    • Blocking USBs

Deploying Restricted User Experience

We can very easily deploy the policy via an Intune Custom Policy:

The OMA-URI is: ./Vendor/MSFT/AssignedAccess/Configuration and we just upload the XML we built.

screenshot of deploying the Restricted User Access policy in Microsoft Intune

It will deploy down fairly quickly, but I will say that sometimes when you make changes it doesn’t come back gracefully and may require a device reset to fully validate the changes.

Restricted User Experience Demo

Now, we can check out a short video demo that will showcase how the user experience looks!

Final Thoughts

After two articles, I think the future with Windows 11 Kiosks is certainly interesting. One of the takeaways is that Microsoft needs to find a better way to license Windows 11 Enterprise, because that is a major PITA. Some of my customers refuse to do Self-Deploying mode in Autopilot because it’s too much of a hassle for them (from needing to buy licenses, etc.).

No solution is a perfect fit for everyone, but it’s nice that we have 3 options for the variety of needs that customers have today. The XML build can be a bit tricky, but once you successfully deploy one, you can easily repeat it moving forward in the future.

We definitely still have some challenges with leveraging UWPs in much of the Kiosk suite, but I expect that should improve with time. Most of the built-in UWPs work pretty well.


40 thoughts on “Deep Dive into Windows 11 Kiosks Part 2: Advanced”

  1. Did the search bar work in your Restricted User experience? I’m working a deployment of this and the Search Bar is there on the taskbar and in the Start Menu but I cannot even click into it.

    1. I believe so, I will retest and see if I can get it to work. It’s only going to show stuff you have granted access to in the XML

      1. Right. But what is the AUMID for that? I tested this using Microsoft’s example XML and I still cannot get it working.

        1. You shouldn’t need the AUMID for Cortana or anything. I also checked to see if there was one.

          Any application you want to surface in search must be added to the XML. If it’s not added it cannot be used for Search e.g. Edge, Office, etc.

          1. I will retest when I get back to the states but I believe its support is fairly limited and also only to apps you allowed in the XML.

  2. For the life of me I can’t find how to enable Quick settings in the XML configuration.
    Any info on how to get quick settings to work?

    1. That’s not part of the XML capabilities, those include custom taskbar, custom start menu, and the starting allowed apps etc.

      I went through the schema: https://learn.microsoft.com/en-us/windows/configuration/assigned-access/xsd and it appears the only thing you can do is configure the pinned apps to the taskbar.

      Per this article: https://learn.microsoft.com/en-us/windows/configuration/taskbar/?pivots=windows-11 the quick settings are part of the taskbar CSP: https://learn.microsoft.com/en-us/windows/configuration/taskbar/policy-settings?tabs=taskbar&pivots=windows-11

      Have you tried seeing if capabilities like “Simplify Quick Settings Layout” will make them available in your test device?

  3. With the restricted user kiosk, is globalprofile possible so that standard users, if they log in, get the kiosk mode but admins bypass it?

    1. I don’t think you can because it’s an element of KioskModeApp. I’ll try to test when I get back to the US in a few days

  4. Great Deep Dive!
    I am trying to create a digital Sign, that autologs and opens a PBI Report. Different challenges with that…
    – User authentication to get access to PBI
    – Edge can not run in private due to CA Policy require user to be signed in when opening corporate content.

    Do you have any idea regarding digital sign and auto display a PBI report?

    1. Maybe try it with the powerbi desktop application? Otherwise need an exclusion in the CAP for that IP

    2. By the way you can still kiosk without in private you just lose the ability to automatic logout

    1. You can configure arguments for the application set to AutoLaunch.

      This works with a desktop app or UWP app e.g.:

  5. Even if I copy and paste either your working version on Github or Microsoft’s own example, for some reason, I keep getting “Unable to save due to invalid data. Update your data then try again: XML must be well formed.”

    Any suggestions?

      1. Oh, wow, thanks for the quick response.

        Tried both standard NotePad and Notepad++ and saved it as .xml in both cases.

        I previously had tried downloading your copy from Github using the Download button and editing it and that didn’t work either.

        However, I’ve just now tried downloading it from Github rather than copy and pasting and that worked.

        Question, one of the allowed apps I need is Citrix. However, there are dozens of Citrix exes, any way to determine which exe I need to actually exempt?

        1. I would probably run a quick procmon and launch Citrix Workspace and see what binaries execute.

          1. Hmm, just applied the configuration added some stuff to the “AllowedApps” section and StartPins but it’s failed with error code 0x87d101f4.

            To check, for Allowed Apps, I’ve put some ps1, bat and other extensions as well. Is it only meant to be exes?

          2. Just tried applying your xml with no changes since I was having issues with my own one and still seems to fail.

            Error code reported is -2016345707.

            root\ccm\cimodels:CustomConfiguration.Key=’AssignedAccessConfiguration’,Type=100 [root\ccm\cimodels:CustomConfiguration.Key=’AssignedAccessConfiguration’,Type=100]

          3. You might want to try applying it with the PS CMDlets. Sometimes iterating through on a device can have poor results.

            I tend to spin up VMs to test

  6. Disgruntled_MDM

    I’ve copied and pasted your XML from your Github and no matter what I do, I keep getting error 0x87d101f4. According to Microsoft’s doc, this translates to “Syncml(500): The recipient encountered an unexpected condition which prevented it from fulfilling the request”.

    I can’t find any way to fix this.

    Entra ID joined Windows 11 24H2 computer enrolled in Intune. I’m applying the XML via a custom configuration profile using the OMA-URI ./Vendor/MSFT/AssignedAccess/Configuration.

    Any idea what could be the problem?

  7. Good walk through. Is there a good reason to use this method over the Intune built-in multi-app kiosk template?

    1. It’s not fully updated with many of the capabilities and functionality that came in over the last few builds, so many things often don’t work

  8. Hi, “FileExplorerNamespaceRestrictions” doesn’t seem to restrict access to the whole Windows drive. If you run Edge and you can go around the browse, the drive can be accessed and not only the Download folder. I wonder if this is a limitation of the XML for Windows 11?

    1. Based on what I can see, specifically that capability “removes File Explorer’s default context menu”

      Sandy actually reported this last May as being broken in Windows 11. I’ll ask one of the main guys at Microsoft if they ever fixed it, but I believe it’s still a regression when going to Windows 11.

          1. Hi

            Would you be able to post the answer from the PMs here please so we can all see as we’re also affected by this issue on our Win11 kiosk devices. Thank you 🙂

          2. It was meant to be fixed for MMS but we picked up a bug, expect it will get fixed in a cu in the next few months.
            If you look at the file explorer csp there is an allowed namespace control that does the same thing but you need to set it.

  9. Really love your work on this. Helped me a lot in understanding all the different options.

    I’ve had several issues with the 26200.7462 build (25H2).
    v5:StartPins appears to be completely broken and caused my XML to outright fail unless removed. Anyone find a way to make it work with 25H2?

    We deployed using the Intune UI (not XML), which worked fine for us until they began enforcing file explorer restrictions. We had some very limited file usage allowed on most kiosks which worked until they fixed that issue. Now I’m finding that we’ll need to convert to XML deployment to allow the documents / desktop space they had been saving to (very basic, non-critical files).
    Anyone have advice on best method to go from Intune UI kiosk multi-app deployment to the XML based option?
    I found in testing that just changing the config policies leaves behind artifacts from the UI based deployment that continue to block files.
    Thank you!

    1. What I typically do is spin up a VM to test assigned access because sometimes when you make changes they don’t flip cleanly

      Yeah, never ever use the built-in kiosk; it’s missing a lot of functionality
