Assigned Access (KIOSK) Mode breaks application (Windows 10 and 11) #90
Comments
Same condition it seems to not apply on Windows 11 (23H2). |
We are looking into this! |
Can you provide more information on what you have configured in Intune. Specifically these things
You mean basically that when you import the ADMX file you cannot select it as a configuration profile in Intune? |
I have imported the ADMX template in Intune without errors. I tried your template first but it did not work on Windows 11 (Windows 10 was fine, but has another issue, see issue 91). Every time I created a policy in Intune where I configured the ADMX Regards, John |
Hi John, Great thanks. I managed to test this quickly. Target system is OS Name: Microsoft Windows 11 Enterprise
So I cannot replicate your issue on Windows 11. |
Ok that is strange, then it must have something to do with the sharedpc settings. |
Ok update! This starts to make sense as KIOSK mode only allows certain applications to run. So I started looking for a solution, and my idea was to set the KIOSK to allow multiple applications (Edge and the Yubikey removal tool), but for that I need the Application user model ID (AUMID) of your application, which I couldn't find on my test machine. To clarify my goal
I hope this all makes sense to you, and IMHO we should build the Scriber application so that it has an Application user model ID (AUMID) so I can put it on the 'allow list' besides the Edge browser and maybe 1 or 2 other allowed business apps for the warehouse people. Regards, John |
The stupid thing is that we had OS native support for years with Smartcards, but this does not apply to FIDO2 tokens. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\LocalPoliciesSecurityOptions\InteractiveLogon_SmartCardRemovalBehavior\ |
Yea, we know. We will have a look at AUMID and see if we can add that, otherwise meanwhile feel free to modify it and see if you can get it to work. We have more time in a few weeks to look at it. |
Ok, I think I have a solution, please see my pull request. |
Did this solve it on your side? |
Breaking my head over a minor thing, I think I have the solution, are you available for a quick call to show you my code? |
Ok, so after explaining a few things to one of my co-workers it just all connected in my brain. Forget Intune and AUMID (wasted a whole day on this rabbit hole) for a moment and just focus on Assigned Access. So when the Yubilocker (running below the lock screen) is triggering a logout or lock, it does not work because the screen is locked by Assigned Access. OR Add an event handler to the *LockApplicationHost.Unlocking event from the Yubikey locker app that emulates that the user is pressing Ctrl+Alt+Del to exit the kiosk experience. I think the last one is the easiest as it is a keystroke to be sent. |
Anything is possible. |
Question is are you willing to work with me to accomplish this? |
I'll have to get back to you because we are limited on time for this right now. I can plan within the next few weeks to have a look at it, and if you manage to get it to work, submit a pull request and we can test it. |
Porting this discussion here:
JMarkstrom/yubikey-removal-behavior#2
Doing my test now, just reuploaded the files in Intune with WIN11 statement and prepping my Windows 11 machine... will report back soon