Automatic Cleanup of Downloads and Desktop in Kiosk Mode

-

This PowerShell script is intended for kiosk environments deployed using Windows Autopilot and Microsoft Intune.

📌 What This Script Does

The script automatically empties all standard user libraries for a specified kiosk user (default: kioskuser0):

  • Downloads
  • Desktop
  • Documents
  • Pictures
  • Music
  • Videos

It is designed to work reliably even in offline, restricted, or library/public kiosk environments where cloud-based or user-scoped cleanup policies may fail.

🛡️ Key Capabilities (Summary)

  • A dedicated cleanup script is stored in C:\ProgramData
  • A scheduled task runs daily at 20:30 as SYSTEM
  • All cleanup actions are logged for traceability
  • Supports simulation mode (WhatIf), install-only, and manual execution

⚠️ Purpose

The purpose of this script is to ensure that all common user libraries are cleared regularly on kiosk devices, preventing data accumulation, protecting user privacy, and maintaining a clean and predictable kiosk experience.

Below is the script exactly as used in the deployment.

PowerShell – Local Kiosk Wallpaper Manager 

# ================================
#  KioskCleanup - Tömningsschema för flera mappar
#  Mappar: Downloads, Desktop, Documents, Pictures, Music, Videos
#  Användare: kioskuser0 (kan ändras via -UserName)
# ================================

param(
    [string]$UserName = "kioskuser0",
    [switch]$InstallOnly,     # Skapar/uppdaterar bara schemat, kör ej städning nu
    [switch]$RunNow,          # Kör städning direkt efter skapad uppgift
    [switch]$WhatIf           # Kör i simuleringsläge
)

$taskName   = "KioskCleanup-AllUserLibraries"
$scriptPath = "C:\ProgramData\KioskCleanup-AllUserLibraries.ps1"
$logDir     = "C:\ProgramData\KioskDownloadsCleanup"

# Säkerställ loggmapp
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# ----------------
# Själva rensningsskriptet (sparas till disk och anropas av schemalagd uppgift)
# ----------------
$cleanupScript = @'
param(
    [string]$UserName = "kioskuser0",
    [switch]$WhatIf
)

$ErrorActionPreference = "Continue"

function Write-Log([string]$msg) {
    $global:LogPath = "C:\ProgramData\KioskDownloadsCleanup"
    New-Item -ItemType Directory -Path $global:LogPath -Force -ErrorAction SilentlyContinue | Out-Null
    $log = Join-Path $global:LogPath ("Cleanup_{0:yyyyMMdd_HHmmss}.log" -f (Get-Date))
    $msg | Tee-Object -FilePath $log -Append
}

function Clear-FolderContent {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [switch]$WhatIf
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Log "Saknas/otillgänglig: $Path (hoppar över)"
        return
    }

    # Rensa filer först
    Get-ChildItem -LiteralPath $Path -File -Force -Recurse -ErrorAction SilentlyContinue |
        Remove-Item -Force -ErrorAction SilentlyContinue -WhatIf:$WhatIf.IsPresent

    # Rensa mappar (innerst först)
    Get-ChildItem -LiteralPath $Path -Directory -Force -Recurse -ErrorAction SilentlyContinue |
        Sort-Object FullName -Descending |
        ForEach-Object {
            try {
                # Undvik att jaga junctions/reparse-points
                if (($_.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
                    Write-Log "Hoppar över reparse/junction: $($_.FullName)"
                } else {
                    Remove-Item -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue -Recurse `
                        -WhatIf:$WhatIf.IsPresent
                }
            } catch {
                Write-Log "Fel vid borttagning: $($_.FullName) - $($_.Exception.Message)"
            }
        }
}

try {
    $profilePath = Join-Path -Path "C:\Users" -ChildPath $UserName

    $targets = @(
        (Join-Path $profilePath "Downloads"),
        (Join-Path $profilePath "Desktop"),
        (Join-Path $profilePath "Documents"),
        (Join-Path $profilePath "Pictures"),
        (Join-Path $profilePath "Music"),
        (Join-Path $profilePath "Videos")
    )

    Write-Log "=== KioskCleanup startar för användare: $UserName ==="

    foreach ($t in $targets) {
        Write-Log "Rensar: $t"
        Clear-FolderContent -Path $t -WhatIf:$WhatIf.IsPresent
    }

    Write-Log "Rensning klar."
    exit 0
}
catch {
    Write-Log "Fel vid rensning: $($_.Exception.Message)"
    exit 1
}
'@

# Skriv ned rensningsskriptet till disk
$cleanupScript | Set-Content -Path $scriptPath -Encoding UTF8 -Force

if ($InstallOnly) {
    Write-Host "Endast installerat rensningsskriptet på $scriptPath"
    exit 0
}

# ----------------
# Skapa/uppdatera schemalagd uppgift (dagligen 20:30 som SYSTEM)
# ----------------
# Ta bort ev. tidigare version för samma namn
if (Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue) {
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
}

$action = New-ScheduledTaskAction `
    -Execute "powershell.exe" `
    -Argument "-NoLogo -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$scriptPath`" -UserName $UserName"

$trigger   = New-ScheduledTaskTrigger -Daily -At 20:30
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask `
    -Action $action `
    -Trigger $trigger `
    -Principal $principal `
    -Settings $settings `
    -TaskName $taskName `
    -Description "Tömmer Downloads, Desktop, Documents, Pictures, Music, Videos för $UserName dagligen kl. 20:30"

Write-Host "Schemalagd uppgift '$taskName' skapad/uppdaterad."
Write-Host "Rensningsskript: $scriptPath"
Write-Host "Loggmapp: $logDir"

if ($RunNow) {
    Start-ScheduledTask -TaskName $taskName
    Write-Host "Startade rensning direkt (RunNow)."
}>

Kommentarer

Skicka en kommentar

Populära inlägg i den här bloggen

🚀 Force Reinstallation of an Intune App

-
Bild
  – When Intune refuses to reinstall a program you’ve already removed Sometimes an application deployed through Microsoft Intune won’t reinstall even after you’ve manually uninstalled it. That’s because Intune tracks installation status using both registry entries and detection rules to decide whether an app is already present. Here’s how to fully reset that state and force a reinstallation — step by step. 💡 Why Intune won’t reinstall the app When a Win32 app is deployed via Intune, the Intune Management Extension stores app metadata in the Windows registry under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps This registry data tells Intune which apps are installed, when, and by which user. On every policy sync, Intune checks the detection rule defined for the app. If the detection rule still reports the app as “installed” — even though you removed it — Intune will skip reinstallation . 🔧 Step-by-Step Guide 1️⃣ Uninstall the App F...
Read more »

🔵Troubleshooting Intune Device Enrollments: Understanding GUIDs, Registry Paths, and EnterpriseMgmt Tasks

-
Bild
This guide explains how to diagnose Intune MDM issues on a Windows device by using two key locations: Task Scheduler → EnterpriseMgmt Registry → HKLM\SOFTWARE\Microsoft\Enrollments These two locations always contain matching GUID folders , and together they show the full state of the device’s MDM enrollment. 📌 Introduction: Why do these GUID folders exist? When a Windows device enrolls into Intune (MDM) , Windows generates a unique GUID folder for that enrollment. That GUID is used in two places: 🔹 1. Task Scheduler Task Scheduler → Microsoft → Windows → EnterpriseMgmt → {GUID} This folder contains scheduled jobs that handle: MDM sync certificate renewal policy retrieval push notification handling 🔹 2. Registry HKLM\SOFTWARE\Microsoft\Enrollments\{GUID} This folder contains detailed information: tenant ID enrollment type certificate thumbprints renewal status MDM server URLs device identity 👉 Both folders describe the same en...
Read more »

🚀 Windows Autopilot Self-Deploying Mode — Zero-Touch Setup That Feels Like Magic

-
Bild
Just imagine this: You unwrap a brand-new PC or reinstall Windows 11 from scratch… and before you even touch the keyboard, the device automatically: ✅ Joins Microsoft Entra ID (Azure AD) ✅ Syncs all Intune apps, settings, and policies ✅ Lands straight on the sign-in screen — ready for the user No technician. No clicks. No wasted time. That’s Windows Autopilot Self-Deploying Mode — effortless, hands-free provisioning that just works. The only prerequisite? Register the device’s Hardware Hash (HWID) in Intune first. Here’s the cleanest 10-minute setup guide to make it happen — perfect for brand-new or freshly reinstalled devices. ⚡ Step-by-Step: Configure Windows Autopilot Self-Deploying Mode in Under 10 Minutes 1️⃣ Start Fresh Use a new PC or perform a clean Windows 11 installation (OOBE stage). 2️⃣ Insert a USB Drive 3️⃣ Identify the Drive Letter Press Shift + F10 , open PowerShell, and run: Get-Volume Find your USB drive letter (e.g., E:). 4️⃣ Run the Script Execute: .\auto...
Read more »