Assigned Access (KIOSK) Mode breaks application (Windows 10 and 11) #90

Open
jbruijntjes opened this issue Sep 26, 2024 · 17 comments

Comments

@jbruijntjes

Porting this discussion here:

JMarkstrom/yubikey-removal-behavior#2

Doing my test now, just re-uploaded the files in Intune with the WIN11 statement and prepping my Windows 11 machine... will report back soon.

@jbruijntjes (Author)

Same condition, it seems to not apply on Windows 11 (23H2).
Intune clearly does not apply the policy to the device (it does not even report "not applicable"; basically nothing happens).

@dtothelander (Contributor)

We are looking into this!

@dtothelander (Contributor)

Can you provide more information on what you have configured in Intune? Specifically these things:

  1. The Device Configuration Profile you have created
  2. The configuration policy you have created
  3. The file you imported (ADMX)
  4. Are you using an msi package?

You mean basically that when you import the ADMX file, you cannot select it as a configuration profile in Intune?

@jbruijntjes (Author)

I have imported the ADMX template in Intune without errors. I tried your template first, but it did not work on Windows 11 (Windows 10 was fine, but has another issue; see issue 91).
Secondly, I edited the template to set Windows 11 as OS and uploaded it again to Intune.

Every time I created a policy in Intune where I configured the ADMX:

[screenshots attached]

Regards,

John

@dtothelander (Contributor)

Hi John,

Great, thanks. I managed to test this quickly. Target system is:

OS Name: Microsoft Windows 11 Enterprise
OS Version: 10.0.22631 N/A Build 22631

  1. On the target machine I removed the registry values that are set up using the ADMX template.
  2. In the testing tenant I removed the Device configuration profile and the ADMX profile
  3. Took the ADMX profile and the ADML file from this repo and uploaded it again
  4. Created the new Device configuration profile
  5. Assigned it to the target machine
  6. Did a sync on the target machine, and it now says assigned to the device and the registry keys are back. This took about 30 minutes

So I cannot replicate your issue on Windows 11.

@jbruijntjes (Author)

Ok, that is strange, then it must have something to do with the shared PC settings.
On Windows 10 it works to apply, but the agent also only works once after a reboot (maybe also shared PC settings).
I will redeploy my WIN11 machine today with only your policy (no shared PC and no kiosk) and let you know asap!

@jbruijntjes (Author)

Ok, update!
I played around and my first impression was that the removal of the shared PC settings was the solution.
But it turned out that the KIOSK settings are breaking the application.
When I log in with a KIOSK user not defined in the configuration (see picture below of the Entra user or group), the application is working!

[screenshot attached]

This starts to make sense, as KIOSK mode only allows certain applications to run.
Assigned Access: In Windows, kiosk mode uses "Assigned Access," which allows an administrator to specify a single Universal Windows Platform (UWP) app or a Win32 app that a user can interact with. Other apps, the taskbar, system tray, and other OS features are inaccessible

So I started looking for a solution, and my idea was to set the KIOSK to allow multiple applications (Edge and the Yubikey removal tool), but for that I need the Application User Model ID (AUMID) of your application, which I couldn't find on my test machine.

[screenshots attached]

To clarify my goal:
My total setup is to build a warehouse PC that is used by multiple users with Yubikeys on key cords. People use the station as a flex machine to access certain business applications. When they walk away from the machine they need to remove their Yubikey, and the machine should log out.
For this we leverage:

  1. Autopilot in self driven mode (no assigned user) to make it a non owned station
  2. 1 specific policy to set [shared PC settings](https://learn.microsoft.com/en-us/windows/configuration/shared-pc/set-up-shared-or-guest-pc?tabs=intune) for profile management, cleanup and power settings
  3. 1 specific policy to set Kiosk mode with an Edge browser and some favorites
  4. 1 policy to configure edge with specific settings
  5. 1 policy to set the passwordless experience (will remove certain credential providers)

I hope this all makes sense to you, and IMHO we should build the Scriber application so that it has an Application User Model ID (AUMID), so I can put it on the 'allow list' besides the Edge browser and maybe 1 or 2 other allowed business apps for the warehouse people.

Regards,

John

@jbruijntjes jbruijntjes changed the title Windows 11 issue KIOSK Mode breaks application (Windows 10 and 11) Sep 30, 2024
@jbruijntjes (Author)

The stupid thing is that we have had OS native support for years with smart cards, but this does not apply to FIDO2 tokens:
Security Settings > Local Policies > Security Options > Interactive Logon: Smart Card Removal Behavior, set to Lock Workstation

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\LocalPoliciesSecurityOptions\InteractiveLogon_SmartCardRemovalBehavior\

@dtothelander (Contributor)

> The stupid thing is that we have had OS native support for years with smart cards, but this does not apply to FIDO2 tokens: Security Settings > Local Policies > Security Options > Interactive Logon: Smart Card Removal Behavior, set to Lock Workstation
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\LocalPoliciesSecurityOptions\InteractiveLogon_SmartCardRemovalBehavior\

Yeah, we know.

We will have a look at AUMID and see if we can add that; otherwise, meanwhile feel free to modify it and see if you can get it to work. We have more time in a few weeks to look at it.

@jbruijntjes (Author)

Ok, I think I have a solution, please see my pull request.

@dtothelander (Contributor)

> Ok, I think I have a solution, please see my pull request.

Did this solve it on your side?

@jbruijntjes (Author)

Breaking my head over a minor thing. I think I have the solution; are you available for a quick call so I can show you my code?

@jbruijntjes (Author)

jbruijntjes commented Oct 1, 2024

I have found it!

[screenshot attached]

But it is still not allowed in Intune with the AUMID option, which makes sense as it is not an MSIX or UWP app.
Error: Must be a valid application user model id

With the WIN32 option it is allowed:

[screenshot attached]

Now testing.

@jbruijntjes (Author)

jbruijntjes commented Oct 1, 2024

Ok, so after explaining a few things to one of my co-workers, it all just connected in my brain.
Please follow along.

Forget Intune and AUMID (wasted a whole day on this rabbit hole) for a moment and just focus on Assigned Access.
Assigned Access has applications 'above the lock screen' (view) and 'below the lock screen'.
Assigned access in Windows 10 uses the lock framework. When an assigned access user logs in, a background task locks the desktop and launches the kiosk app above the lock.
Please see this article
https://learn.microsoft.com/en-us/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access

So when the Yubilocker (running below the lock screen) triggers a logout or lock, it does not work, because the screen is locked by Assigned Access.
So what we need to do is call the LockApplicationHost.RequestUnlock() method from the YubiKeyLocker app to add a way out of Assigned Access mode and go back to the login screen:
https://learn.microsoft.com/en-us/uwp/api/windows.applicationmodel.lockscreen.lockapplicationhost?view=winrt-26100

OR

Add an event handler to the LockApplicationHost.Unlocking event from the Yubikey locker app that emulates the user pressing Ctrl+Alt+Del to exit the kiosk experience.

I think the last one is the easiest, as it is only a keystroke to be sent.
Do you think this is possible with the current code?

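The RequestUnlock path proposed in the comment above, as an added C# sketch (not the project's code and not taken from the linked docs): it assumes a UWP app that is itself the Assigned Access kiosk app, and it checks for the null that GetForCurrentView() returns when the calling view is not hosted above the lock, which is the case a tool running below the lock would hit.

```csharp
using System;
using Windows.ApplicationModel.LockScreen;

// Added illustration, not the project's code. Assumes a UWP app that is the
// Assigned Access (kiosk) app, i.e. the view runs above the lock.
public static class AssignedAccessExit
{
    private static LockApplicationHost _host;

    // Returns true when an unlock was requested, false when this app is not
    // the kiosk app (GetForCurrentView() returns null below the lock), so the
    // caller can fall back to its normal lock/logout behaviour instead.
    public static bool TryRequestUnlock()
    {
        _host = LockApplicationHost.GetForCurrentView();
        if (_host == null)
        {
            return false;
        }

        // Unlocking fires before the session leaves Assigned Access; taking a
        // deferral gives the app a bounded window to flush state first.
        _host.Unlocking += OnUnlocking;
        _host.RequestUnlock();
        return true;
    }

    private static void OnUnlocking(LockApplicationHost sender, LockScreenUnlockingEventArgs args)
    {
        LockScreenUnlockingDeferral deferral = args.GetDeferral();
        try
        {
            // Persist anything needed before Windows returns to the logon screen.
        }
        finally
        {
            deferral.Complete();
        }
    }
}
```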
@jbruijntjes jbruijntjes changed the title KIOSK Mode breaks application (Windows 10 and 11) Assigned Access (KIOSK) Mode breaks application (Windows 10 and 11) Oct 1, 2024
@dtothelander (Contributor)

Anything is possible.

@jbruijntjes (Author)

Question is, are you willing to work with me to accomplish this?

@dtothelander (Contributor)

> Question is, are you willing to work with me to accomplish this?

I'll have to get back to you, because we are limited on time for this right now. I can plan within the next few weeks to have a look at it, and if you manage to get it to work, submit a pull request and we can test it.
