Introduction

Windows 10 IoT Enterprise 2019 - the marketing name of the next release of Windows 10. The release of this version was announced in September 2018, respectively, has version 1809, 18 - year, 09 - month. Many articles have been written on the new release of Windows 10 1809, but most of them are devoted to various “bows”, “beauties” and various functionality that is in demand at home.
This article will focus only on the functionality that may be in demand among manufacturers of fixed-purpose devices. Namely, about the new features of the "Kiosk" mode. The topic of changing the names of corporate Windows edition maintenance schemes will also be touched upon.

Old service scheme with a new name

To start with a little clarification, there are two servicing schemes in the enterprise segment of Windows editions by which Windows receives updates. Service plans have a letter designation. Now the service branches are called LTSC and SAC.

LTSC stands for Long Term Servicing Channel (with long term service). Previously, such a channel was called LTSB - Long Term Servicing Branch, Microsoft simply changed the name of the service channel, the service itself remained the same.

Microsoft also changed the name of the CBB servicing branch - Current Branch for Business, now this servicing branch is called SAC - Semi-Annual Channel. Again, only the name has changed.

But it should be mentioned that the LTSC and SAC servicing branches use different Windows distributions.

A little about the new kiosk mode in SAC

As I said, LTSC and SAC have different distributions. LTSC does not have standard universal apps and an app store, but SAC does. Accordingly, LTSC does not have an Edge browser, but SAC does. If you select the Edge browser when setting up the kiosk, then two modes are now available:

1. Like a digital sign or interactive display
2. As a public browser

I will not dwell on setting these modes, because. The setup is very simple and is done in a graphical interface. Simply create a user who is not a member of the Administrators group, enable kiosk mode using EDGE for him, and see how these modes work.

Kiosk with many applications

Some people think that licensed use Windows 10 IoT Enterprise implies the operation of only one application on the device, in fact it is not. The device must be dedicated to a single business task and the user must not have desktop access. Now Microsoft itself has given a tool to use many applications. This mode is called "multi-app kiosk", hereinafter for brevity I will call it "multi-kiosk". In this article, we will consider setting up this mode using the software package and some of the features of this mode.

A little about the Multikiosk mode

When you log in with a user account that is configured in multikiosk mode, the system will work in tablet mode. The Start menu will expand to full screen, displaying application tiles.

The list of basic settings and features of the mode:

1. Setting for multiple users or groups
2. Each user or group can be assigned individual settings
3. Ability to use universal and classic apps
4. Ability to automatically launch one of the applications when a user logs in
5. Work of applications on the white list
6. Access to whitelisted folders

It is worth paying attention to point 5. By default, only those applications that are necessary for the system to work will be allowed to work, the rest of the applications must be added to the list of allowed ones. Those. now you don't need to configure AppLocker separately. By the way, in order to avoid conflicting AppLocker settings, in multikiosk mode, all configured AppLocker rules will not work.

Point 6 indicates a good possibility, but at the moment it is possible to give write permission only to the Downloads folder. The mode allows you to use universal and desktop applications. All mode settings are specified in an XML file, where you can also specify settings for a single app kiosk.

And now let's try to set it all up ...

What do we need...

1. First of all, we need the system itself, which supports the multikiosk mode. Here you can download demo version
2. Instructions for setting up a multikiosk
3. Any XML editor
4. To apply Multikiosk settings:
   1. For method number 1 - ICD, which is part of the ADK. ADK can скачать здесь
   2. For method number 2 - the PsExec utility. The utility can скачать здесь

He said - "Let's go!"

I will conduct all experiments on Windows 10 IoT Enterprise 1809 LTSC x32 commercial version, not demo. The system will be without activation. the lack of activation does not affect the functionality of the system. I took 32 bits only because it takes up less space and will work faster with system images.

Step 1 - Installation

Installing Win 10 IoT Enterprise is no different from installing Win 10 Enterprise, so I won’t describe the entire installation process, I’ll just talk about some of the nuances.

Just in case, let me remind you, do not put the system on top of the installed one. When the installer asks about the installation location of the system, delete all partitions on the future system disk and specify an unpartitioned disk.

We put the system without an Internet connection so that the system does not pull up anything extra.

Because Since we will create backup images of the system and for this we will seal it in audit mode, you can save some time by booting the system in audit mode immediately after installation. To do this, when the system asks you to select a region “Let's start with region. Is this right" just press "Ctrl+Shift+F3".

Step 2 - create a system image

Because we will mock the system by trying various new settings, then it is possible that something will go wrong and it will be necessary to return the system to its original state. And for a quick return to its original state, you need to create an image of the system. The only thing I will do is copy the "gentleman's set" - the script and the answer file. All the files I have are in the "Sysprep" folder, which I will copy to the root of the system drive. And of course, I will share with you this "gentleman's set".

Sysprep.bat - to seal the system.

@echo off
chcp 1251>nul

net session>nul 2>nul
if %errorLevel% neq 0 (powershell -command "Start-Process "%~s0" -Verb RunAs"&exit)

tasklist /fi "ImageName eq sysprep.exe" | find /i "sysprep.exe"
if %errorlevel% lss 1 (taskkill /im sysprep.exe)

set AdminName=Admin
net user %AdminName%>nul 2>nul
if %errorLevel% neq 0 (call :AddAdmin "%AdminName%")
if %errorLevel% neq 0 (call :ShowMessage "‡‡‡Ошибка создания новой учетной записи администратора "%AdminName%"‡‡Нажмите любую клавишу для завершения работы скрипта"&pause>nul&exit)

pushd "%~dp0"

cls
call :ShowMessage ‡‡‡‡‡‡‡‡‡‡
echo  1 - Запечатать систему в режиме аудита
echo  2 - Запечатать систему в режиме приветствия
:Select
set /p Choice="Введите номер пункта меню: "
if "%Choice%"=="1" (goto Audit)
if "%Choice%"=="2" (goto OOBE)
echo.&echo Выбрано недопустимое значение.&goto Select

exit

:Audit
    call :ShowMessage "‡‡‡‡‡Запечатывание системы в режиме аудита"
    reg add HKLMSoftwareMicrosoftWindowsCurrentVersionRun /v KillSysprep /t REG_SZ /d "taskkill /im sysprep.exe" /f
    %SYSTEMROOT%System32Sysprepsysprep.exe /audit /generalize /shutdown /quiet
goto :eof

:OOBE
    call :ShowMessage "‡‡‡‡‡Запечатывание системы в режиме приветствия"
    reg delete HKLMSoftwareMicrosoftWindowsCurrentVersionRun /v KillSysprep /f
    powershell -command "(Get-Content -path 'Unattend.xml' -Raw).Trim() -replace 'Architecture=""".+?"""','Architecture="""%PROCESSOR_ARCHITECTURE%"""' | Set-Content -path 'Unattend.xml'"
    %SYSTEMROOT%System32Sysprepsysprep.exe /oobe /generalize /shutdown /quiet /unattend:Unattend.xml
goto :eof

:AddAdmin
    setlocal
    set UserName=%~1
    if not defined UserName (echo Не указано имя пользователя&endlocal&exit /b 1)

    call :GetGroupName "S-1-5-32-544" AdminGroup
    if not defined AdminGroup (endlocal&exit /b 2)

    call :GetGroupName "S-1-5-32-545" UserGroup
    if not defined UserGroup (endlocal&exit /b 3)

    net user %UserName% /add
    wmic useraccount where "Name='%UserName%'" set PasswordExpires=False>nul
    net localgroup %AdminGroup% %UserName% /add
    net localgroup %UserGroup% %UserName% /delete
    endlocal&exit /b 0
goto :eof

:GetGroupName
    if "%~1"=="" (echo Не указан SID группы&goto :eof)
    set %2=
    for /f "tokens=2 delims= " %%i in ('whoami /groups /fo table^|find "%~1"') do set %2=%%i
    if not defined %2 (echo Ошибка определения имени группы по SID'у "%~1")
goto :eof

:ShowMessage
    setlocal enabledelayedexpansion
    set String=%~1
    if not defined String (echo.&setlocal disabledelayedexpansion&goto :eof)
    set /a ConCols=120 & set /a Num=1
    set "String[!Num!].str=%String:‡=" & set /a Num+=1 & set "String[!Num!].str=%"
    for /l %%a in (1,1,%Num%) do (
        for /l %%b in (0,1,%ConCols%) do if "!String[%%a].str:~%%b!" == "" (set "String[%%a].str= !String[%%a].str! "&set /a String[%%a].len-=1) else (set /a String[%%a].len+=0||set /a String[%%a].len=0)
        if not defined String[%%a].str (set String[%%a].str= )
        if not !String[%%a].len! equ 0 (call set String[%%a].str=%%String[%%a].str:~,!String[%%a].len!%%)
        if "!String[%%a].str: =!"=="" (echo.) else (echo !String[%%a].str!))
    setlocal disabledelayedexpansion
goto :eof

When run, the script will check for the presence of the "Admin" account and create it if it does not exist. The account will be added to the Administrators group.

Unattend.xml is the answer file for sysprep.

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Deployment" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <RunSynchronous>
                <RunSynchronousCommand wcm:action="add">
                    <Path>reg add HKLMSoftwareMicrosoftWindowsCurrentVersionSetupOOBE /v SetupDisplayedProductKey /t REG_DWORD /d 1 /f</Path>
                    <Order>1</Order>
                    <Description>Dont show key page</Description>
                </RunSynchronousCommand>
                <RunSynchronousCommand wcm:action="add">
                    <Path>reg add HKLMSoftwareMicrosoftWindowsCurrentVersionSetupOOBE /v UnattendCreatedUser /t REG_DWORD /d 1 /f</Path>
                    <Order>2</Order>
                    <Description>Dont make account</Description>
                </RunSynchronousCommand>
                <RunSynchronousCommand wcm:action="add">
                    <Path>cmd.exe /c rd %systemdrive%Sysprep /s /q</Path>
                    <Order>3</Order>
                    <Description>Del Folder</Description>
                </RunSynchronousCommand>
            </RunSynchronous>
        </component>
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <AutoLogon>
                <Enabled>true</Enabled>
                <Username>Admin</Username>
            </AutoLogon>
        </component>
    </settings>
    <settings pass="oobeSystem">
        <component name="Microsoft-Windows-International-Core" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <InputLocale>en-US; ru-RU</InputLocale>
            <SystemLocale>ru-RU</SystemLocale>
            <UILanguage>ru-RU</UILanguage>
            <UILanguageFallback></UILanguageFallback>
            <UserLocale>ru-RU</UserLocale>
        </component>
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <OOBE>
                <HideEULAPage>true</HideEULAPage>
                <HideLocalAccountScreen>true</HideLocalAccountScreen>
                <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
                <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
                <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
                <ProtectYourPC>1</ProtectYourPC>
            </OOBE>
        </component>
    </settings>
</unattend>

When sealed in audit mode, the script will add a command to the registry to terminate the "sysprep.exe" process so as not to close the sysprep window manually each time. When sealed in hello mode, the script will remove the command to close the window from the registry and change the architecture value in the response file to the current one. The answer file contains options for booting the system without user interaction and a command for deleting the "Sysprep" folder at the root of the system drive.

Now I will seal the system in audit mode using "Sysprep.bat" and take an image of the system. I will take an image of the system using DISM and I will only take an image of the system volume. If you are taking an image of only the system volume, and not the entire disk, then do not forget to copy the contents of the "WindowsSystem32Recovery" directory on the first volume to the "RecoveryWindowsRE" folder after deploying the system. This will need to be done before the OS is loaded. after loading the OS, the "WindowsSystem32Recovery" directory will already be empty.

Step 3 - Russification of the system

The language pack can be installed without an internet connection if you have this pack. If not, the system itself will download it from the Internet when you add the language in the settings. Just do not need to take a language pack from previous versions of the OS. For Windows 10 1809, there must be a language pack specifically for Windows 10 1809.

Microsoft is following its plan to gradually transfer settings from the classic menu to the new one, so in the classic control panel you will no longer find settings for changing the language and installing a language pack. These settings are now only in the system settings.

In audit mode, you may encounter a problem opening system settings from the Start menu, to open system settings, run the command - "ms-settings:", pay attention to the colon at the end of the command, without it the command will not work. After opening the system parameters once with this command, it can be opened using the graphical menu.

But in the system settings you can install a language pack if the system is connected to the Internet, there is no option to install a language pack from a local file.

I will not describe the process of system localization. this will significantly complicate the article, especially since the localization process is detailed described here. But I would like to draw your attention to the peculiarity of changing the system language after installing the language pack using the console. This feature is described in the same wiki to which I gave a link earlier, in the subsection "Adding a language to the list of languages".

I will install the language pack without internet connection.

After the system is completely localized, be sure to create an image of the system.

Step 4 - Installing the Required Applications

Because since LTSB and LTSC systems do not have an app store, installing apps from the "Microsoft Store" causes some difficulties, namely downloading the app. To download applications, the Adguard company has created a very convenient service - "Adguard Store", with which you can get temporary download links for applications and their components.

To install the application, you will need files with the extensions "Appx" and "AppxBundle". Before installing the application itself, you must install its components. As a rule, components from an application can be intuitively distinguished by the name of the file.

In order not to make the article too long, I will not describe in detail the process of installing applications, especially since there is a detailed instructions. But I will add one more way to install applications to the current account. Applications can be installed using the program App Installer, but to install applications you will need an Internet connection, but applications can be installed by double-clicking and you will not need its components, all the necessary components will be downloaded and installed App Installer.

And a little reminder, when you install the application on the current account, you will not be able to seal the system. How to install applications so that you can seal the system, see the above instructions. And to check the operation of the multikiosk, the existing applications will be enough.

Step 5 - Creating a Configuration File for the Multikiosk

So we got to the most interesting thing - to setting up the kiosk mode. We look in instructions by setting and see. First of all, we need to create an XML configuration file, a complete example of which can be see here.

Let's start by setting up the layout of the tiles. The simplest way to create a tile customization XML configuration is exporting their current state.

First of all, let's add tiles of those applications that we need to the Start menu. Call the search "Win + s", find the desired application, right-click on it and select "Pin to Start Screen".

I have pinned the following apps:

• Notebook
• Calculator
• Internet Explorer
• Paint
• WordPad
• Parameters
• Windows security

The last two attachments have been pinned. there are simply no other universal applications in the standard LTSC distribution. Note that desktop app tiles refer to shortcuts. Now, by dragging the tiles directly into the start menu, I'll separate the pinned tiles into two groups. To create a new group of tiles, drag a tile significantly above or below other tiles, and the intuitive separator will be highlighted. You can name the groups at your discretion, to do this, place the mouse cursor above the group, and when the inscription “Name the group” appears, left-click. I'll call the first group "Settings", it will include the "Settings" and "Windows Security" tiles. The second group I will call "Office Applications", which will include all the other tiles. By the way, you can move entire groups of tiles by dragging them by the two bars that are located at the top right of the group name.

Because Because the Windows Security tile doesn't fit the entire title, I'll resize it to Wide. To resize a tile, right-click on the tile and select Resize.

After setting, we export the current state, execute the command in the PowerShell environment - "Export-StartLayout - path C: SysprepStartLayout.xml".

Further, the easiest way is not to create the settings file yourself, but take an example file from here settings - click on the "Copy" button, paste the contents into notepad and save as "MultiAppKiosk.xml". Now we change the settings to our own. To change the settings of the attached tiles, copy the entire "StartLayoutCollection" block from "StartLayout.xml" to "MultiAppKiosk.xml". To add applications to the allowed ones, you must insert the universal application identifiers in the "AllowedApps" section and add the full path to the desktop application executable files, which is specified in the properties of the shortcuts referenced by the tiles, to the same block. To quickly navigate to a shortcut, right-click on a pinned tile and go to the menu "More > Go to file location". Note that the "AppUserModelId" parameter is used to specify the generic app ID, and the "DesktopAppPath" parameter is used to specify the full path to the desktop app. And one more little nuance, if you plan to use IE on an x64 system, then in the list of allowed applications you must specify two paths for the executable file "Program FilesInternet Exploreriexplore.exe" and "Program Files (x86)Internet Exploreriexplore.exe".

I will not give access to folders, so I delete the “FileExplorerNamespaceRestrictions” section.

Displaying the taskbar will not bother me, so I leave everything as it is in the “Taskbar” section.

The example contains two profiles, but I will have only one profile, so the section with the second profile can be deleted. Before deleting, pay attention to the example of automatically starting an application with arguments.

In the "Configs" section, accounts are linked to profiles, please note that many accounts can be linked to one profile. But since I am only interested in one account, then I will remove all bindings except the first one - the "Config" blocks. In the remaining binding, I will write the username "User".

I got this file with parameters

MultiAppKiosk.xml

<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration 
  xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
  xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
  >
  <Profiles>
      <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
          <AllAppsList>
              <AllowedApps>
                  <App AppUserModelId="WINDOWS.IMMERSIVECONTROLPANEL_CW5N1H2TXYEWY!MICROSOFT.WINDOWS.IMMERSIVECONTROLPANEL" />
                  <App AppUserModelId="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy!SecHealthUI" />
                  <App DesktopAppPath="%windir%system32notepad.exe" />
                  <App DesktopAppPath="C:Program FilesInternet Exploreriexplore.exe" />
                  <App DesktopAppPath="%windir%system32win32calc.exe" />
                  <App DesktopAppPath="%windir%system32mspaint.exe" />
                  <App DesktopAppPath="%ProgramFiles%Windows NTAccessorieswordpad.exe" />
              </AllowedApps>
          </AllAppsList>
          <StartLayout>
              <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
                    <LayoutOptions StartTileGroupCellWidth="6" />
                    <DefaultLayoutOverride>
                      <StartLayoutCollection>
                        <defaultlayout:StartLayout GroupCellWidth="6">
                          <start:Group Name="Настройки">
                            <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="WINDOWS.IMMERSIVECONTROLPANEL_CW5N1H2TXYEWY!MICROSOFT.WINDOWS.IMMERSIVECONTROLPANEL" />
                            <start:Tile Size="4x2" Column="2" Row="0" AppUserModelID="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy!SecHealthUI" />
                          </start:Group>
                          <start:Group Name="Офисные приложения">
                            <start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%MicrosoftWindowsStart MenuProgramsAccessoriesWordpad.lnk" />
                            <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%MicrosoftWindowsStart MenuProgramsAccessoriesNotepad.lnk" />
                            <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%MicrosoftWindowsStart MenuProgramsAccessoriesCalculator.lnk" />
                            <start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%MicrosoftWindowsStart MenuProgramsAccessoriesPaint.lnk" />
                            <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationLinkPath="%APPDATA%MicrosoftWindowsStart MenuProgramsAccessoriesInternet Explorer.lnk" />
                          </start:Group>
                        </defaultlayout:StartLayout>
                      </StartLayoutCollection>
                    </DefaultLayoutOverride>
                  </LayoutModificationTemplate>
              ]]>
          </StartLayout>
          <Taskbar ShowTaskbar="true"/>
      </Profile>
  </Profiles>
  <Configs>
      <Config>
          <Account>User</Account>
          <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
      </Config>
  </Configs>
</AssignedAccessConfiguration>

When you make your customization XML files, do not forget that each profile must have a unique ID, and not only within one XML file, but within one OS. Those. ideally, in order not to get confused, you can create a new identifier each time, this can be done in the PowerShell environment using the “[guid]::NewGuid()” command. And be sure to save the file in UTF-8 encoding, if the file is saved in ANSI encoding, then when building the preparation package, you will receive an error if the XML file contains Cyrillic.

Step 6 - Apply Multikiosk Settings

Let's consider two ways to apply the settings described in the configuration file. The first is through a provisioning package that needs to be created in the ICD. For someone, perhaps, this method will be more familiar. The second - using the "MDM Bridge WMI Provider", this method seemed to me more convenient.

Method # 1

Who does not have an ICD download ADK and install. Installing the ADK is very simple, you can leave the set of components by default.

We launch ICD, click on the "Additional preparation" tile, specify the name and folder of the project and click "Next". In the next window, select "All editions of Windows for desktop computers" and click "Next". You can skip importing the preparation package, click "Finish".

Expand the Runtime Settings drop-down menu, then expand the AssignedAccess submenu and select the MultiAppAssignedAccessSettings item. In the upper part of the middle section of the ICD window, click the "Browse" button and specify the location of the XML file with the settings. Just in case, you can save the project by pressing "Ctrl + s". In the upper left part of the ICD, select "Export" in the drop-down menu, select the "Provisioning Package" item. As the owner, select "IT Administrator" all other questions can be skipped by clicking "Next" and at the end click "Build" and "Finish".

In the installed system, do not forget to create the “User” user, it cannot be added to the “Administrators” group, otherwise the multikiosk will not work. I created a user in Computer Management with an unlimited password.

Now we run the preparation package on the previously installed system. After applying the provisioning package, the start menu and the administrator will also change. In the left column of the start, the buttons should disappear: "Documents", "Image", "Options". If the start menu has not changed, then something went wrong. An installed package can be removed by opening the "Settings > Accounts > Work or school account access > Add or remove a provisioning package" window.

If the start menu has changed, then the settings have been applied to the system, log in as the user for whom the multikiosk is configured and look at the result.

Method # 2

Applying settings using "MDM Bridge WMI Provider" described here. The convenience of this method is in the flexibility of use and the ability to get rid of many manual operations that are needed to create a preparation package. Here, everyone can make a decision for themselves that will be convenient for him. I made a couple of scripts for myself.

MiltiKiosk.bat - script to run

@echo off
chcp 1251>nul

if not exist "%~dp0psexec.exe" call :ShowMessage "‡‡‡‡‡‡‡‡‡‡‡‡‡Для работы скрипта необходим файл psexec.exe‡‡Для завершения работы скрипта нажмите любую клавишу"&pause>nul&exit

net session>nul 2>nul
if %errorLevel% neq 0 (powershell -command "Start-Process "%~s0" -Verb RunAs"&exit)

for /f "tokens=2 delims==" %%i in ('wmic useraccount where "Name='%UserName%'" get SID /value^|find "SID"') do set SID=%%i
reg add HKU%SID%SoftwareSysinternalsPsExec /v EulaAccepted /t REG_DWORD /d 1 /f

for /f %%i in ('dir "%~dp0%~n0*.ps1" /b /o:n') do set PSFilePath=%~dp0%%i
if not defined PSFilePath (echo Не найдено PS файлов с началом названия - "%~n0"&pause&exit)
set PSFilePath=%PSFilePath: =` %
"%~dp0psexec.exe" -i -s powershell -command "Start-Process powershell.exe -ArgumentList '-ExecutionPolicy Unrestricted -Command %PSFilePath%'"

exit

:ShowMessage
    setlocal enabledelayedexpansion
    set String=%~1
    if not defined String (echo.&setlocal disabledelayedexpansion&goto :eof)
    set /a ConCols=120 & set /a Num=1
    set "String[!Num!].str=%String:‡=" & set /a Num+=1 & set "String[!Num!].str=%"
    for /l %%a in (1,1,%Num%) do (
        for /l %%b in (0,1,%ConCols%) do if "!String[%%a].str:~%%b!" == "" (set "String[%%a].str= !String[%%a].str! "&set /a String[%%a].len-=1) else (set /a String[%%a].len+=0||set /a String[%%a].len=0)
        if not defined String[%%a].str (set String[%%a].str= )
        if not !String[%%a].len! equ 0 (call set String[%%a].str=%%String[%%a].str:~,!String[%%a].len!%%)
        if "!String[%%a].str: =!"=="" (echo.) else (echo !String[%%a].str!))
    setlocal disabledelayedexpansion
goto :eof

MiltiKiosk_Ver.12.ps1 - main script

Function ConvertEncoding ([string]$From, [string]$To) {
    Begin{$encFrom = [System.Text.Encoding]::GetEncoding($From);$encTo = [System.Text.Encoding]::GetEncoding($To)}
    Process{$bytes = $encTo.GetBytes($_);$bytes = [System.Text.Encoding]::Convert($encFrom, $encTo, $bytes);$encTo.GetString($bytes) -replace [char]0, ''}
}

Function ShowMessage ($Message='', $Align=0) {
    Try {$Align = [decimal]$Align} Catch {Return 'Для параметра Align может быть указано только число' | ConvertEncoding 'windows-1251' -To 'UTF-16'}
    if ($Message -is [int]) {for ($i=1; $i -le $Message; $i++) {Write-Host}; Return}
    if ([System.Text.Encoding]::Default.WindowsCodePage -eq 1252) {$Message = $Message | ConvertEncoding 'windows-1251' -To 'UTF-16'}
    if ($Message -is [string]) {[array] $Message = $Message}
    foreach ($String in $Message) {
        Try {$String = [int]$String} Catch {}
        if ($String -is [int]) {for ($i=1; $i -le $String; $i++) {Write-Host}; continue}
        if ($Host.UI.RawUI.BufferSize.Width -gt $String.Length) {
            if ($Align -eq 0) {Write-Host $String
            } else {Write-Host ("{0}{1}" -f (' ' * (([Math]::Max(0, $Host.UI.RawUI.BufferSize.Width / $Align) - [Math]::Floor($String.Length / $Align)))), $String)}
        } else {Write-Host $String}
    } 
}

$script:NameSpace="rootcimv2mdmdmmap"
$script:ClassName="MDM_AssignedAccess"
$script:MultiAppKiosk = Get-CimInstance -Namespace $NameSpace -ClassName $ClassName
if (-not $MultiAppKiosk) {ShowMessage -Message (3, 'Ошибка получения объекта настроек', 2, 'Нажмите "Enter" для завершения рабты скрипта') -Align 2; Read-Host; Exit}

Function MainMenu() {
    ShowMessage (13, ' 0 - Выход', ' 1 - Выбрать XML-файл для установки', ' 2 - Показать текущую конфигурацию мультикиоска', ' 3 - Удалить настройки мультикиоска', 1)
    $local:PromptText = 'Выберите действие'
    if ([System.Text.Encoding]::Default.WindowsCodePage -eq 1252) {$PromptText = $PromptText | ConvertEncoding 'windows-1251' -To 'UTF-16'}

    $local:Selections = 1..2
    While ($true) {
        $Select = Read-Host -Prompt $PromptText
        Switch ($Select) {
            0 {exit}
            1 {XMLSelection}
            2 {ShowMessage -Message (1, 'Начало конфигурации') -Align 2; Write-Host $MultiAppKiosk.Configuration; ShowMessage -Message ('Конец конфигурации', 1, 'Для возврата в меню нажмите "Enter"', 1) -Align 2; Read-Host}
            3 {$MultiAppKiosk.Configuration = $Null; Set-CimInstance -CimInstance $MultiAppKiosk; ShowMessage -Message (1, 'Выполнена команда удаления настроек', 1) -Align 2}
            DEFAULT {ShowMessage 'Выбрано недопустимое значение'}
        }
        if ($Selections -contains $Select) {Clear-Host; ShowMessage (15, ' 0 - Выход', ' 1 - Выбрать XML-файл для установки', ' 2 - Показать текущую конфигурацию мультикиоска', ' 3 - Удалить настройки мультикиоска', 1)}
    }
}

Function XMLSelection() {
    Clear-Host

    if (!(Test-Path -Path $PSScriptRoot'XML')) {ShowMessage -Message (13, 'Не найден каталог', $('"'+$PSScriptRoot+'XML"'), 1, 'Нажмите "Enter" для возврвта в предыдущее меню') -Align 2; Read-Host; Return}

    $local:XMLList = @()
    $XMLList += Get-ChildItem -Path $PSScriptRoot'XML' -name -filter '*.xml'
    if ($XMLList.Count -eq  0) {ShowMessage -Message (13, 'Не найдено XML-файлов в каталоге', $('"'+$PSScriptRoot+'XML"'), 1, 'Нажмите "Enter" для возврвта в предыдущее меню') -Align 2; Read-Host; Return}

    [int]$local:Indent = 13 - $XMLList.Count / 2; if ($Indent -lt 1) {$Indent = 1}
    ShowMessage ($Indent, ' 0 - Вернуться в предыдущее меню')
    for ($i=0; $i -le $XMLList.GetUpperBound(0); $i++) {Write-Host $(' '+($i+1)+' - '+$XMLList[$i])}
    Write-Host
    $local:PromptText = 'Выберите файл для установки'
    if ([System.Text.Encoding]::Default.WindowsCodePage -eq 1252) {$PromptText = $PromptText | ConvertEncoding 'windows-1251' -To 'UTF-16'}

    $local:Selections = 1..$XMLList.Count
    $local:BackToPrevMenu = 0
    While ($BackToPrevMenu -eq 0) {
        $Select = Read-Host -Prompt $PromptText
        Switch ($Select) {
            0 {$BackToPrevMenu = 1}
            {$Selections -contains $Select} {ShowMessage $('Дана команда на применение настроек из файла '+$XMLList[$Select-1]);
                $local:Config = (Get-Content -encoding UTF8 -path $($PSScriptRoot+'XML'+$XMLList[$Select-1]) -Raw).Trim()
                $local:GUIDs = [regex]::matches($Config, '{.+?}') | select -ExpandProperty Value | Get-Unique
                foreach ($GUID in $GUIDs) {$Config = $Config -replace $(''+$GUID),$('{'+[guid]::NewGuid()+'}')}
                $Config = $Config -replace '&','&' -replace '<','<' -replace '>','>' -replace "'",''' -replace '"','"'
                $MultiAppKiosk.Configuration = $Config
                Set-CimInstance -CimInstance $MultiAppKiosk
            }
            DEFAULT {ShowMessage ('Выбрано недопустимое значение')} 
        }
    }
}

MainMenu

If you want to use my solution, then save the above scripts with their original names in one folder and put the PsExec.exe file in the same folder. In the same folder, create an "XML" folder and copy the XML files to it to configure the multikiosk. I will use the same file as in the first method.

MultiAppKiosk.xml

<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration 
  xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
  xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
  >
  <Profiles>
      <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
          <AllAppsList>
              <AllowedApps>
                  <App AppUserModelId="WINDOWS.IMMERSIVECONTROLPANEL_CW5N1H2TXYEWY!MICROSOFT.WINDOWS.IMMERSIVECONTROLPANEL" />
                  <App AppUserModelId="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy!SecHealthUI" />
                  <App DesktopAppPath="%windir%system32notepad.exe" />
                  <App DesktopAppPath="C:Program FilesInternet Exploreriexplore.exe" />
                  <App DesktopAppPath="%windir%system32win32calc.exe" />
                  <App DesktopAppPath="%windir%system32mspaint.exe" />
                  <App DesktopAppPath="%ProgramFiles%Windows NTAccessorieswordpad.exe" />
              </AllowedApps>
          </AllAppsList>
          <StartLayout>
              <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
                    <LayoutOptions StartTileGroupCellWidth="6" />
                    <DefaultLayoutOverride>
                      <StartLayoutCollection>
                        <defaultlayout:StartLayout GroupCellWidth="6">
                          <start:Group Name="Настройки">
                            <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="WINDOWS.IMMERSIVECONTROLPANEL_CW5N1H2TXYEWY!MICROSOFT.WINDOWS.IMMERSIVECONTROLPANEL" />
                            <start:Tile Size="4x2" Column="2" Row="0" AppUserModelID="Microsoft.Windows.SecHealthUI_cw5n1h2txyewy!SecHealthUI" />
                          </start:Group>
                          <start:Group Name="Офисные приложения">
                            <start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%MicrosoftWindowsStart MenuProgramsAccessoriesWordpad.lnk" />
                            <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%MicrosoftWindowsStart MenuProgramsAccessoriesNotepad.lnk" />
                            <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%MicrosoftWindowsStart MenuProgramsAccessoriesCalculator.lnk" />
                            <start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%MicrosoftWindowsStart MenuProgramsAccessoriesPaint.lnk" />
                            <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationLinkPath="%APPDATA%MicrosoftWindowsStart MenuProgramsAccessoriesInternet Explorer.lnk" />
                          </start:Group>
                        </defaultlayout:StartLayout>
                      </StartLayoutCollection>
                    </DefaultLayoutOverride>
                  </LayoutModificationTemplate>
              ]]>
          </StartLayout>
          <Taskbar ShowTaskbar="true"/>
      </Profile>
  </Profiles>
  <Configs>
      <Config>
          <Account>User</Account>
          <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
      </Config>
  </Configs>
</AssignedAccessConfiguration>

A little about the features of the script. The script is designed to use XML files with "UTF8" encoding, if you want to use "ANSI" encoding, then remove the "encoding UTF8" parameter from the file reading parameter. It is necessary to place XML files in the "XML" folder without replacing characters, the script itself will replace the special characters with the appropriate designations. In order not to get confused in the GUIDs of linking users to profiles, you can simply specify the number or username in curly braces, all content in curly braces will be replaced with GUIDs.

Using the script is very simple, run and select the desired item. To change the current configuration to a new one, it is not necessary to delete the current one, it will be overwritten. Do not forget to create users that are specified in the configuration file.

When viewing the current multikiosk configuration in the same session in which it was applied, instead of special characters, combinations of replacement characters will be displayed. After changing the session (restarting the script), all special characters will be displayed in their original form.

Step 7 - Sealing the System

The multikiosk works, well, that's all, it would seem ...

If everything is going according to plan, then you are missing something.

Do not forget that we still need to transfer the system from audit mode to welcome mode. Well, we are ready for this, we launch "Sysprep.bat", select item 2, the system is sealed. We turn on the device, the system boots up, we enter the user account for which the multikiosk is configured and we cannot log in. After the inscription "Welcome" appears the inscription "Logout".

At first I wanted to describe only the solution to the problem, but later I decided to describe the steps to identify the problem and find the simplest solution. surely many readers will be tormented by vague doubts - "And if like this ...". I think that the description of various experiments will save you a significant part of the time when you want to find another solution. In order for the information to be as accurate as possible, and in order to once again make sure that there are no errors, I will describe the experiments in the “done - recorded” format. Those. I will do the described experiments again.

Experiments

What did we get. The system has two accounts:

"Admin" - in the "Administrators" group
"User" - in the "Users" group
In the audit mode, the multikiosk worked, sealed - it does not work.

Experiment 1

We delete the installed preparation package, in the "Computer Management" snap-in, delete the "User" user and create a new user with the name "User", apply the preparation package, go to the "User" account - it does not work. We go under the name "Admin", delete the user "User" from the "Users" group, add it to the "Administrators" group, go under the name "User" - it does not work. We go under the name “Admin”, delete the multikiosk preparation package, go under the name “User” - we managed to enter, but of course the multikiosk mode does not work. the provisioning package has been removed.

Experiment 2

We fill in the image of the system - Russified in the audit mode.

The OS has loaded, press "Win + r", because. the sysprep window has closed, we automatically execute the “sysprep” command, in the window that opens, run “sysprep”. sysprep'a settings in the window: "Go to the system welcome window (OOBE)", "Preparation for use", "Reboot". Click "OK" and wait for the OS greeting. We answer questions at the first boot of the system: “Continue in selected language?” - "Russian"; region - Russia; keyboard layout - Russian; add a second keyboard layout - skip; "Let's connect you to the network" - "Skip for now"; connect to the internet - no; license agreement - accept; "Who will use this computer" - "Test"; create a password - leave the field empty; convenient work on different devices - no; privacy settings - accept. The OS has loaded, in the "Computer Management" snap-in, create a user named "User", add the preparation package. The result is not working.

Experiment 3

We fill in the image of the system - Russified in the audit mode.

The OS has booted up, we connect the system to the Internet, we execute the command "gpedit.msc" and in the "Windows Update" section we turn on the "Enable recommended updates through automatic updates" option, just in case we reboot. In the update center, click "Check for updates" and reboot until all updates are installed. We disconnect the system from the Internet. We run "sysprep" in graphical mode and repeat all the steps that are described in the previous step from running the "sysprep" utility to adding the provisioning package. The result is not working.

Experiment 4

We fill in the image of the system - English in audit mode.

We run "sysprep" in graphical mode, seal the OS with the same parameters as during experiment 2. At the first boot of the system, we select the same parameters as in experiment 2, except for the regional and language parameters. there is no Russian language. In the same way, we create the user "User" and add the provisioning package. Result - it works. Those. The problem is with localization.

Experiment 5

We fill in the image of the system - Russified in the audit mode.

In the "Computer Management" snap-in, we create the "User" user, add the preparation package, go to the "User" account, the multikiosk works.

We log out of the account, go under the "Admin" account. We start PowerShell with administrator rights, execute the command "Dism /online /Get-Intl" and we see "Default user interface language: en-US".

We boot from the flash drive into WinPE, the deployed OS is on my E drive. We execute the command “Dism / image: E: / Set-UILang: ru-ru”. We look at the result, execute "Dism /image:E: /Get-Intl" and see "Default system UI language: ru-RU".

We boot into the system, log into the “User” account, the multikiosk does not work.

To clearly fix the cause-and-effect relationship of the appearance of the problem, let's try again to make the multikiosk working and non-working.

We boot from a flash drive into WinPE, the deployed OS is on my E drive. We execute the command “Dism / image: E: / Set-UILang: en-us”. We look at the result, execute "Dism /image:E: /Get-Intl" and see "Default system UI language: en-US".

We boot into the system, log into the “User” account, the multikiosk works.

We boot from the flash drive into WinPE, the deployed OS is on my E drive. We execute the command “Dism / image: E: / Set-UILang: ru-ru”. We look at the result, execute "Dism /image:E: /Get-Intl" and see "Default system UI language: ru-RU".

We boot into the system, log into the “User” account, the multikiosk does not work.

Those. you can see a clear dependency of kiosk health on the default UI language setting. Maybe there are some other factors that affect the performance of the multikiosk?

Experiment 6

For the purity of the experiment, we reload the system. We fill in the image of the system - Russified in the audit mode.

We run “sysprep” in graphical mode, seal the OS with the same parameters as during experiment 2. We are waiting for the OS greeting and answering the questions: “Continue in selected language?” – “English (United States)”; region - Russia; keyboard layout - Russian. Further, all parameters are chosen as in experiment 2.

We look at the parameters of the default user interface language value. We execute the command "Dism / online / Get-Intl" and see "Default system UI language: en-US". In the "Computer Management" snap-in, we create the "User" user, add the preparation package, go to the "User" account, the multikiosk works.

Trying to break the kiosk by changing the default UI language. We go into the “Test” user, which was created at the first boot of the system and enable automatic login for it so that the system does not boot into the “User” account immediately. We execute “netplwiz”, select the user “Test”, uncheck the box “Require username and password” and apply the parameters.

Booting from a flash drive into WinPE. We execute the command "Dism / image: E: / Set-UILang: ru-ru". We look at the result, execute "Dism /image:E: /Get-Intl" and see "Default system UI language: ru-RU".

We boot into the system, try to log into the “User” account, the multikiosk is working. Those. it cannot be broken. Is it possible to make it work this way?

Experiment 7

We fill in the image of the system - Russified in the audit mode.

We launch “Sysprep.bat”, select item 2. We boot into the system, in the “Computer Management” snap-in we create the user “User”, add the preparation package, go to the “User” account, the multikiosk does not work.

Booting from a flash drive into WinPE. We execute the command "Dism / image: E: / Set-UILang: en-us". We look at the result, execute "Dism /image:E: /Get-Intl" and see "Default system UI language: en-US".

We boot into the system, we try to enter the “User” account, the multikiosk does not work.

It turns out that by changing the default user interface language setting, you can only affect the performance of the multikiosk when the system is in audit mode or at the first boot after the system is sealed. And this means that you will have to seal the system with a response file in which the system language will be English, and then change the system settings so that the interface is Russian. Not a very good solution. Can the problem be solved by installing a language pack or installing additional language packs?

Experiment 8

We fill in the image of the system - English in audit mode.

We connect to the Internet, in the system parameters we go to the "Language" section, select "Add language", select the language "Russian", click "Next", leave the installation options by default, click "Install", after installing the language pack, reboot the system, now on Russified. We disconnect the system from the Internet, run "Sysprep.bat", select item 2.

After loading the system in the "Computer Management" snap-in, we create the "User" user, add the preparation package, go to the "User" account, the multikiosk does not work.

Experiment 9

Let's try to Russify the system before installation, in offline mode. At the same time there will be a brief educational program on the localization of the distribution.

I take a flash drive with a clean original distribution kit - X21-96381. It will be the "E" drive. To mount images, I create folders: “c: MountInstall”, “c: MountWinre”, “c: MountBoot”. I take a set of localization packages - X21-87814. And I copy packages from it to the “c: Mount” folder: “Microsoft-Windows-Client-Language-Pack_x86_ru-ru.cab”, “lp.cab”, “WinPE-Setup_ru-ru.cab”. I launch the console with administrator rights. I think that further commands will be clear without comments.

Localization Commands

cd c:mount
dism /Mount-Wim /WimFile:e:sourcesinstall.wim /index:1 /MountDir:Installcode
dism /Image:Install /Add-Package /PackagePath:Microsoft-Windows-Client-Language-Pack_x86_ru-ru.cabcode
dism /Image:Installcode /Set-AllIntl:ru-ru
dism /Image:Install /Set-TimeZone:"Russian Standard Time"code

dism /Mount-Wim /WimFile:InstallWindowsSystem32RecoveryWinre.wim /index:1 /MountDir:Winrecode
dism /Image:Winre /Add-Package /PackagePath:lp.cabcode
dism /Image:Winrecode /Set-AllIntl:ru-ru
dism /Image:Winre /Set-TimeZone:"Russian Standard Time"code
dism /Unmount-Image /MountDir:Winre /Commitcode

dism /Image:Install /Gen-LangINI /distribution:E: /Set-AllIntl:ru-RUcode
dism /image:Install /Set-SetupUILang:RU-ru /distribution:E:code
dism /Unmount-Image /MountDir:Install /Commitcode

dism /mount-wim /wimfile:e:sourcesboot.wim /index:1 /mountdir:Bootcode
dism /Image:Boot /Add-Package /PackagePath:lp.cabcode
dism /Image:Bootcode /Set-AllIntl:ru-ru
copy e:sourceslang.ini Bootsourceslang.inicode
dism /Unmount-Image /MountDir:Boot /Commitcode

dism /mount-wim /wimfile:e:sourcesboot.wim /index:2 /mountdir:Bootcode
dism /Image:Boot /Add-Package /PackagePath:lp.cabcode
dism /Image:Boot /Add-Package /PackagePath:WinPE-Setup_ru-ru.cabcode
dism /Image:Bootcode /Set-AllIntl:ru-ru
copy e:sourceslang.ini Bootsourceslang.ini /ycode
dism /Unmount-Image /MountDir:Boot /Commit

We boot from the flash drive, select the Russian language and put the system on a blank disk. When the system asks to select a region, press "Ctrl + Shift + F3". In the "Computer Management" snap-in, we create the "User" user, add the preparation package, go to the "User" account, the multikiosk does not work.

Booting from a flash drive into WinPE. We execute the command "Dism / image: E: / Set-UILang: en-us".

We boot into the system, try to log into the “User” account, the multikiosk works.

Apparently it's not about the methods of adding the package, let's try to add additional packages.

Experiment 10

We take the flash drive that we prepared in the previous step.

We take the package "Feat on Demand" - X21-87815. I copy packages from it to the “c: Mount” folder: «Microsoft-Windows-LanguageFeatures-Basic-ru-ru-Package~31bf3856ad364e35~x86~~.cab», «Microsoft-Windows-LanguageFeatures-OCR-ru-ru-Package~31bf3856ad364e35~x86~~.cab», «Microsoft-Windows-LanguageFeatures-Handwriting-ru-ru-Package~31bf3856ad364e35~x86~ ~.cab», «Microsoft-Windows-LanguageFeatures-TextToSpeech-ru-ru-Package~31bf3856ad364e35~x86~~.cab».

Берем пакет «Feat on Demand RDX Updt» – X21-99781. В папку «c:Mount» копирую из него пакеты: «Microsoft-Windows-RetailDemo-OfflineContent-Content-Package~31bf3856ad364e35~x86~~.cab», « Microsoft-Windows-RetailDemo-OfflineContent-Content-ru-ru-Package~31bf3856ad364e35~x86~~.cab».

We launch the console with administrator rights and execute the commands:

commands

cd c:mount
dism /Mount-Wim /WimFile:e:sourcesinstall.wim /index:1 /MountDir:Install
dism /Add-Package /Image:Install /PackagePath:Microsoft-Windows-LanguageFeatures-Basic-ru-ru-Package~31bf3856ad364e35~x86~~.cab
dism /Add-Package /Image:Install /PackagePath:Microsoft-Windows-LanguageFeatures-OCR-ru-ru-Package~31bf3856ad364e35~x86~~.cab
dism /Add-Package /Image:Install /PackagePath:Microsoft-Windows-LanguageFeatures-Handwriting-ru-ru-Package~31bf3856ad364e35~x86~~.cab
dism /Add-Package /Image:Install /PackagePath:Microsoft-Windows-LanguageFeatures-TextToSpeech-ru-ru-Package~31bf3856ad364e35~x86~~.cab
dism /Add-Package /Image:Install /PackagePath:Microsoft-Windows-RetailDemo-OfflineContent-Content-Package~31bf3856ad364e35~x86~~.cab
dism /Add-Package /Image:Install /PackagePath:Microsoft-Windows-RetailDemo-OfflineContent-Content-ru-ru-Package~31bf3856ad364e35~x86~~.cab
dism /Unmount-Image /MountDir:Install /Commit

We boot from the flash drive, select the Russian language and put the system on a blank disk. When the system asks to select a region, press "Ctrl + Shift + F3". In the "Computer Management" snap-in, create the user "User", add the preparation package, go to the "User" account. I got a black screen that hung for a long time, so I did a hot boot of the system.

We delete the preparation package, go under the user "User", reboot the system, add the preparation package, the multikiosk does not work.

Booting from a flash drive into WinPE. We execute the command "Dism / image: E: / Set-UILang: en-us".

We boot into the system, try to log into the “User” account, the multikiosk works.

Workaround

normal heroes. Always go around!

Various methods of installing localization packs did not solve the problem, which means that you will have to install the “en-us” language on the first boot after sealing, and change the language settings after the first boot.

We fill in the image of the system - Russified in the audit mode.

In the “Unattend.xml” file, enter “en-US” in the parameter, run “Sysprep.bat”, select item 2 and see what we got. Welcome screen in English, multikiosk - works. So you need to add a command to change the greeting language to "Unattend.xml". And for this, you need to execute the command "control intl.cpl,, / f:" indicating the configuration file, which will copy the current settings to the welcome screen. The contents of the configuration file will look like this.

<gs:GlobalizationServices xmlns:gs="urn:longhornGlobalizationUnattend">
      <gs:UserList>
        <gs:User UserID="Current" CopySettingsToSystemAcct="true"/> 
    </gs:UserList>
</gs:GlobalizationServices>

Because will copy the settings of the current user, then you need to execute the command after the user logs into the system, which means that we will need it. There is one small “but”, the execution will be after the login of a user with administrator rights. And I would not like to create an additional file that will be necessary for the successful execution of the command. It is better to implement the whole solution in a single file - "Unattend.xml". To do this, you will simply need to run a command that creates a configuration file. I think I'll create a configuration file using the "echo" command in the "cmd" environment, but in it you need to escape the angle brackets with a circumflex. Those. to create a configuration file, the following command is obtained.

echo ^<gs:GlobalizationServices xmlns:gs="urn:longhornGlobalizationUnattend"^>^<gs:UserList^>^<gs:User UserID="Current" CopySettingsToSystemAcct="true"/^>^</gs:UserList^>^</gs:GlobalizationServices^>>Config.xml

But we need to put this command in XML, which has its own requirements for using special characters:

Special character
replacement value

>
>

<
<

&
&

'
'

"
"

As a result, to create a configuration file, we got the following command for "FirstLogonCommands".

cmd.exe /c echo ^<gs:GlobalizationServices xmlns:gs="urn:longhornGlobalizationUnattend"^>^<gs:UserList^>^<gs:User UserID="Current" CopySettingsToSystemAcct="true"/^>^</gs:UserList^>^</gs:GlobalizationServices^>>"%TMP%Config.xml"

Next, we execute the command using the configuration file.

control intl.cpl,,/f:"%TMP%Config.xml"

Next, delete the previously created file and reboot the system. The changes will take effect after a reboot.

cmd.exe /c del "%TMP%Config.xml" /q&shutdown /r /f /t 00

As a result, I got the following answer file for sysprep.

unattend.xml

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Deployment" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <RunSynchronous>
                <RunSynchronousCommand wcm:action="add">
                    <Path>reg add HKLMSoftwareMicrosoftWindowsCurrentVersionSetupOOBE /v SetupDisplayedProductKey /t REG_DWORD /d 1 /f</Path>
                    <Order>1</Order>
                    <Description>Dont show key page</Description>
                </RunSynchronousCommand>
                <RunSynchronousCommand wcm:action="add">
                    <Path>reg add HKLMSoftwareMicrosoftWindowsCurrentVersionSetupOOBE /v UnattendCreatedUser /t REG_DWORD /d 1 /f</Path>
                    <Order>2</Order>
                    <Description>Dont make account</Description>
                </RunSynchronousCommand>
                <RunSynchronousCommand wcm:action="add">
                    <Path>cmd.exe /c rd %systemdrive%Sysprep /s /q</Path>
                    <Order>3</Order>
                    <Description>Del Folder</Description>
                </RunSynchronousCommand>
            </RunSynchronous>
        </component>
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <AutoLogon>
                <Enabled>true</Enabled>
                <Username>Admin</Username>
            </AutoLogon>
        </component>
    </settings>
    <settings pass="oobeSystem">
        <component name="Microsoft-Windows-International-Core" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <InputLocale>en-US; ru-RU</InputLocale>
            <SystemLocale>ru-RU</SystemLocale>
            <UILanguage>en-US</UILanguage>
            <UILanguageFallback></UILanguageFallback>
            <UserLocale>ru-RU</UserLocale>
        </component>
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <OOBE>
                <HideEULAPage>true</HideEULAPage>
                <HideLocalAccountScreen>true</HideLocalAccountScreen>
                <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
                <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
                <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
                <ProtectYourPC>1</ProtectYourPC>
            </OOBE>
            <FirstLogonCommands>
                <SynchronousCommand wcm:action="add">
                    <CommandLine>cmd.exe /c echo ^&lt;gs:GlobalizationServices xmlns:gs=&quot;urn:longhornGlobalizationUnattend&quot;^&gt;^&lt;gs:UserList^&gt;^&lt;gs:User UserID=&quot;Current&quot; CopySettingsToSystemAcct=&quot;true&quot;/^&gt;^&lt;/gs:UserList^&gt;^&lt;/gs:GlobalizationServices^&gt;&gt;&quot;%TMP%Config.xml&quot;</CommandLine>
                    <Description>CreateConfig</Description>
                    <Order>1</Order>
                </SynchronousCommand>
                <SynchronousCommand wcm:action="add">
                    <CommandLine>control intl.cpl,,/f:&quot;%TMP%Config.xml&quot;</CommandLine>
                    <Description>UseConfig</Description>
                    <Order>2</Order>
                </SynchronousCommand>
                <SynchronousCommand wcm:action="add">
                    <CommandLine>cmd.exe /c del &quot;%TMP%Config.xml&quot; /q&amp;shutdown /r /f /t 00</CommandLine>
                    <Description>DelConfig</Description>
                    <Order>3</Order>
                </SynchronousCommand>
            </FirstLogonCommands>
        </component>
    </settings>

Checking...

We fill in the image of the system - Russified in the audit mode.

We change the Unattend.xml file to a new one, run "Sysprep.bat", select item 2 and see what we got. When you first boot the welcome screen in English, the system reboots. Welcome screen in Russian, multikiosk works.

If you have any questions about setting up and licensing Windows 10 IoT Enterprise, please contact [email protected] or on the site quarta-embedded.com.
You can find answers to some questions in our wiki or on ours YouTube channel

Author of the article: Borisenkov Vladimir, technical expert of the company Quarta Technologies.

Source: habr.com