Windows 10 Pro Multi App KIOSK Mode

V4lmont 96 Reputation points
2020-10-05T06:13:24.1+00:00

Hello folks,

Szenario:

For HomeOffice- usage we are rolling out diffrent Windows 10 Pro devices (Build 1909 and higher). This devices should be restricted as much as they can but you should be able to use following functions:

  • RemoteDesktop
  • Browser to connect to 1 website
  • phone software
  • Choose WiFi

To make this possible I choose to use the KIOSK Mode of Windows 10 in combination with Microsoft Intune and the Multi App function.

Detail:

In Intune:

Create Profile:

Platform: Windows 10 and later
Profile type: KIOSK

Configuration:
Select a kiosk mode: Multi app kiosk
Target Windows 10 in S mode devices: No
User logon type: Local

Now I´m going to configure allowed Apps:

for example:

Name: RDP

Path: C:\Windows\System32\mstsc.exe

DesktopApplicationId/AUMID for the Win32-App: Microsoft.Windows.RemoteDesktop

Tile Size: Mittel

To get the AUMID I user Shell:Appsfolder

https://jcutrer.com/windows/find-aumid

To roll out the specific startlayout I configure one layout as I need and save this in xml

Powershell: Export-StartLayout -Path 'C:\StartLayout.xml' -UseDesktopApplicationID

https://learn.microsoft.com/de-de/windows/configuration/start-layout-xml-desktop#specify-start-tiles

After configuration I connect the profile to my specific AD group.

So far so good. Everything is fine and worked for my test- device

My Problem:

For HomeOffice my users must be able to choose their Wifi. To make this possible I followed the instructions of a blog post by Nathan Blasac

https://nathanblasac.com/deploy-a-multi-app-windows-10-kiosk-with-intune-e261cedf2a21

He uses a shortcut to show available networks and deploy it via script.

In my scenario I create it manualy and saved it in

C:\ProgramData\Microsoft\Windows\Start Menu

When you're saving the shortcut in there you'll see in the Appsfolder and get an Microsoft genereated AUMID.

After you've done so and create a new Startlayout xml you can configure this "APP" in intune to be useable in KIOSK- Mode.

This worked for my Test- Device but not for a second or a third one. The other devices show a 4th icon but it doesn't open the available networks.

I noticed that:

The MS generated AUMID sometimes differs on other devices.

When I get the script right of Nathan blasc it saved the shortcut in 3 directories but I don't know why.

I tried to do the following:

Make the available networks available on the Login screen via GPO. This works but when you synchronize the device and it gets its KIOSK configuration it overwirtes the GPO.

I searched for a simple user-friendly app/program to choose Wifi, so I can configure it in intune. I didn't find anything usefull instead of Wifi- Analytics, profile managers etc.

My questions:

Is there a scheme whehre Windows generates the AUMID and when... what parameters does have impact to it? directories?

Is someone seeing a bad mistake in my configuration or has any other ideas/ hints?

Thank You in advance for your help and please excuse my bad language.

regards from Germany

Microsoft Intune Configuration
Microsoft Intune Configuration
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Configuration: The process of arranging or setting up computer systems, hardware, or software.
1,682 questions
0 comments No comments
{count} votes

Accepted answer
  1. V4lmont 96 Reputation points
    2020-10-09T06:47:44.82+00:00

    Hey Crystal,

    thanks for your reply and sorry for my late reply.

    I do find a solution for my problem in an other way:

    I don't try to deploy the "show available networks"- shortcut anymore.
    To choose Wifi I allow the "settings" app in Kiosk Mode.

    In detail:

    To Allow the "Settings"- App you have to add following App- ID:

    windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel

    When you do so, you can create another configuration profile to reduce the available settings so that you can see only "network and internet"

    Profiletyp: userdefinied

    Name: Setting
    Description: show Network
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList
    Value: showonly:network-wifi

    Info: to add mor settings you can add diffrent values, separated by " ; " f.e. "display"

    I think this is a much better solution because you can exactlx choose what you want to make available.

    Thanks for your Thoughts and your help.

    Regards from Germany


1 additional answer

Sort by: Most helpful
  1. Crystal-MSFT 41,761 Reputation points Microsoft Vendor
    2020-10-06T02:20:38.95+00:00

    @V4lmont , From your description, I know when we try a shortcut to show available networks and deploy it via script. One test device is working. But others are not. If there's any misunderstanding, please let us know.

    As this is Intune forum, we can check the script deployed status to see if it is deployed successfully. If it is failed, we can check the logs under \ProgramData\Microsoft\IntuneManagementExtension\Logs to see if there's any finding:

    30190-image.png

    Also as a test, we can manually run the script on the affected machine to identify if the problem is on the script.

    For the questions related with AUMID, as I am not familiar with this. I have done some research, find some related articles for this:
    https://learn.microsoft.com/en-us/windows/configuration/find-the-application-user-model-id-of-an-installed-app
    https://learn.microsoft.com/en-us/windows/win32/shell/appids

    As the AUMID is the identifier for Universal Apps (UWP) installed from the Windows Store. The AUMID is essentially the identifier and entry point for these applications. To know more details about AUMID, I suggest to post in the following link to get professional support:
    https://learn.microsoft.com/en-us/answers/topics/windows-uwp.html

    Hope it can help.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.