Author: subsequent

How to setup a Windows 10 single app kiosk using Intune.

Want a fast and easy way to setup a Windows 10 kiosk ? Intune to the rescue!

Kiosk configurations in Intune is assigned to device. In this example we will use a AzureAD account for the kiosk user.

First create a user in AzureAD that you want to use for your kiosk.

AzureAD -> Users -> New User

Now lets create a device group where we want to put all our kiosk devices.

AzureAD -> Groups -> New Group

If you already have a device you can add it to the group now, or you can do it later.

Now we need to find the AUMID of the appx we want to run in kiosk mode. In this example i will use edge.

Log on to a windows 10 machine and open powershell. And paste the following code

$installedapps = get-AppxPackage
$aumidList = @()
foreach ($app in $installedapps)
{
foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
    }
$aumidList += $app.packagefamilyname + "!" + $id
    }
}
$aumidList

You will now get a list of AUMID’s in this example we are looking for edge

As you can see the AUMID for edge is Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge

Now we need to create a profile so we can assign this app to run in kiosk mode.

Intune -> Device Configuration -> Profiles -> Create Profile

Name the profile and select “Windows 10 and later” as platform, then set the profile type to “Device restrictions” next click the “Configure” button.

 

Select “Kiosk (Preview)” then set “Kiosk Mode” to “Single app kiosk” enter your user account and the Application user model ID of the app as we did earlier in this post.

TIP1: If using auto logon you should probably use a local account for the kiosk. But in this example we use an AzureAD account. Any AzureAD account assigned must be written like this “AzureDAusername@domainname.com

TIP2: If you want to run a legacy Win32 application you need to use “Multi app kiosk” as the “Kiosk Mode

Now create this setting and lets assign it to the device group made earlier.

Select the “Kiosk – Edge” profile.

Go to Assignments -> Select groups to include -> Your device group -> Select

Then click “Save

Now wait a little bit and see if it shows up in the Device Configuration -> Profiles -> “Kiosk – Edge” -> Device Status

TIP: If the client doesn’t show up or says pending try to sync it.

This is how it will look at the user side.

 

 

How to assign members from one group to another in Azure Active Directory.

I found it surprising when I started with Azure Active Directory that there was no support for nested groups. No worries, PowerShell to the rescue!

First off you need to install the Azure Active Directory PowerShell module from the Powershell Gallery.

Open PowerShell as Administrator and execute the following command:

Install-Module -Name AzureAD

Accept the NuGet Provider.

Accept the Untrusted repository.

When the AzureAD package is installed we need to connect to our Azure Active Directory tenant.

Execute:

Connect-AzureAD

This will present a popup for you to connect to your Azure Active Directory. Sign in with your admin credentials.

After you have signed in, a confirmation will appear in your powershell window.

When working with groups and users in Azure Active Directory you need to retrieve the ObjectId assigned to it. The ObjectId is unique to every group and user. So first off we need to find the ObjectId for the group we want to retrieve users from.

Execute:

Get-AzureADGroup -Filter "DisplayName eq 'Your Group Name Here'"

This will return the ObjectId like this

Now we need do the same for the group that we want to assign the users to. Execute the same command from above to find the ObjectId.

ProTip: You can also find the ObjectID in Azure Active Directory -> Groups -> Your Group Name on portal.azure.com

Now that you have both ObjectId we need to make variables and one foreach loop to retrieve and assign each  user, if not only the first user will be retrieved. You can also make this in to a script.

$FromGroup = “Your ObjectId” <- Variable with the ObjectId for the group you want to retrive users from.

$ToGroup = “Your ObjectId” <- Variable with the ObjectId for the group you want to add users to.

$Members = Get-AzureADGroupMember -All 1 -ObjectId $FromGroup <- Variable to retrieve the ObjectId for every user inside the group you want to reterive users from.

Foreach ($Member in $Members) {
    Add-AzureADGroupMember -ObjectId $ToGroup -RefObjectId $Member.ObjectId
}

Forech loop to retrieve every ObjectId  from the $Members variable to the group you want to assign users to.

When executing this it will take some time to finish depending on how many members the group has.

You can download the script from my GitHub repository.

Yet another post about Windows AutoPilot…

So, what is Windows AutoPilot? Windows autopilot is a collection of technologies designed to simplify and modernize the deployment and management of your new and existing Windows 10 devices. You can customize the Out of Box Experience (OOBE) with fewer clicks, company brand it and force users to be standard users instead of administrators on their devices. As it is a cloud service you don’t need any extra infrastructure to set it up and IT doesn’t need to be involved with setting up brand-new devices.

 

Its basically Microsoft’s equivalent of Apples Device Enrollment Program (DEP) if you are familiar with it.

 

What do you need to setup Windows AutoPilot?

Prerequisites

  • Azure Active Directory P1 or P2
  • Company Branding need to be configured in Azure Active Directory (Optional)
  • Azure AD configured for MDM auto enrollment.
  • Hardware IDs registered with AutoPilot profile assigned in Microsoft Store for Education/Business
  • Intune or other MDM services
  • Device need to be installed with Windows 10 1703 with the July update or later
  • Internet access in OOBE

 

Let’s take a look on how to collect hardware id’s and later import them into AutoPilot.

In this example I will collect a hardware ID from my virtual machine using the WindowsAutoPilotInfo script from the Powershell Gallery

Open Powershell as administrator and execute the following command:

Install-Script -Name Get-WindowsAutoPilotInfo


Accept the warning about PATH environment variable change

 


Accept the NuGet provider

 


And finally accept the PSGallery repository

Now, lets run the script.

Execute the following command:

Set-ExecutionPolicy bypass

Accept the Execution Policy Change prompt. It allows us to run the Get-WindowsAutoPilotInfo script. Now choose/make a directory where you want to save your collected AutoPilot info. Now execute:

Get-WindowsAutoPilotInfo.ps1 -ComputerName $env:computername -OutputFile .AutoPilotInfo.csv

The script will generate a .CSV file that should look something like this.

Now that we have generated the info we want, we can add this info to our tenant. We can do this in the Microsoft store for Education/Business or in the Intune portal. In this example I will use the Microsoft store.

Protip: I won’t recommend using the Intune portal at this time as I have seen some strange behavior when importing the CSV files. For example I cannot remove some devices that I added previously.

Log on to your Microsoft store for Education/Business and select devices

 

Then click Add Devices

 

Select your AutoPilotInfo.csv file and click open.

Protip: Create a AutoPilot deployment group, you can name it whatever you want. This will make it easier to deploy AutoPilot profiles to several devices at the same time.

Now wait a few seconds..

 

When your done you will see your device in the list like this:

 

Now lets create a AutoPilot deployment profile for us to deploy to our newly imported device.

 

Customize the settings to your needs. In this example I will create a new AutoPilot profile called “TESTVM” i want to skip the privacy settings, disable local admin account creation on the device and skip the EULA.

Now let us assign the AutoPilot deployment profile we just made to our device.

Select your device from the list

Now select the profile we just created.

Now you can see from the list that the AutoPilot deployment profile has been added to the device.

For the end user OOBE will look like this when they enroll their Windows 10 devices.