Do you have computers that should really be running one application? Whether they are kiosk machines or clients needing just a web browser, Group Policy Kiosk Mode can lock your machines down. With just a few administrative templates and loopback, users will get the one application they need and nothing else. Simplicity at its best! To show you what I mean, the picture below is a kiosk machine running only a web browser. The computer automatically starts in the morning, logs in as the kiosk user, and launches the needed application. No Explorer, no Start bar, no way for a user to mess it up!
Merge or Replace?
You can probably guess that we are going to use Loopback Policy Processing to deal with this. If you are unsure about Loopback (or need a little background), read this article first. You will need to decide if you are going to use merge mode or replace mode. If the computer is going to be a dedicated machine, you will want to use Loopback in Replace mode. Example scenarios include: print release stations, check out stations, time clock stations, etc. In all of these cases, we do not care which user uses the machine and we do not want our users to have any of their normal Group Policy settings.
If your users will need their Group Policy settings to follow them to your kiosk machines, you will need to use Loopback in Merge mode. For example, your users might need their Folder Redirection settings, Internet Explorer settings, drive mappings, etc. We are going to cover both Loopback modes, but we will start with merge as it is a bit easier.
Kiosk Mode with Merge
Here is our predicament. We have dedicated labs where users will only need access to one application such as a browser. If the browser needs to launch a secondary application, such as Explorer’s Save As window, it should be allowed. Knowing this, whitelisting with just AppLocker is out of the question. We are going to need several puzzle pieces to make this fit.
Create a new GPO and name it something like Kiosk_YOURAPPLICATION. If you haven’t enabled Loopback Policy Processing in any higher GPOs, do so now. Navigate to User Configuration\Policies\Administrative Templates\System. Enable Custom User Interface and type in your application’s file path; this replaces Explorer as the user’s shell, so the desktop and Start bar never load. For Internet Explorer, type c:\Program Files\Internet Explorer\iexplore.exe
Next, go to System\CTRL+ALT+DEL Options and enable Remove Task Manager. This will stop our users from using Task Manager’s Open command to start other programs. If you are setting your computers to only launch Internet Explorer, you’ll probably want to set a custom home page. Go to Windows Components\Internet Explorer. Enable “Disable changing home page settings” and set your new home page. All that is left is to link this GPO to an OU containing the kiosk computers.
Kiosk Mode with Replace
Using replace mode is a little trickier because you will have additional computer-side settings. Most of the time, computers using this mode will be automatically powered on and logged in before your users need to use them. As a practical example, we have kiosk machines set up like this in our media centers that are used to search for books.
Create a GPO and set the three user-side settings from above. Then expand Computer Configuration\Preferences\Windows Settings\Registry. Create three new registry items named DefaultUserName, DefaultPassword, and AutoAdminLogon.
Each key should be in the HKEY_LOCAL_MACHINE hive and be placed under Software\Microsoft\Windows NT\CurrentVersion\Winlogon. After you’ve finished editing the GPO and have it linked, reboot your machines twice. The first reboot (or GPUpdate) will set the automatic login registry keys. On the second reboot, the computer should automatically log in. If needed, here is some additional information on setting those keys.
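As an added example (not the article’s own script), the same three Winlogon values the GPO registry preferences create, set and then verified on a single kiosk machine from an elevated PowerShell prompt. It also sets DefaultDomainName, which the article does not mention but which Winlogon needs for a domain account; the account, domain and password are placeholders.

```powershell
# Constructed example: mirror the article's three Winlogon registry items
# (plus DefaultDomainName) and check that autologon is fully configured.
$Winlogon      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$KioskUser     = 'kiosk01'               # placeholder kiosk account
$KioskDomain   = 'CORP'                  # placeholder domain ('.' for a local account)
$KioskPassword = 'placeholder-password'  # placeholder, replace before use

function Set-KioskAutoLogon {
    param([string]$User, [string]$Domain, [string]$Password)
    # All four values are REG_SZ; AutoAdminLogon is the string "1", not a DWORD.
    # DefaultPassword is stored in cleartext by Winlogon, so the kiosk account
    # should have no rights beyond running the kiosk application itself.
    Set-ItemProperty -Path $Winlogon -Name 'DefaultUserName'   -Value $User     -Type String
    Set-ItemProperty -Path $Winlogon -Name 'DefaultDomainName' -Value $Domain   -Type String
    Set-ItemProperty -Path $Winlogon -Name 'DefaultPassword'   -Value $Password -Type String
    Set-ItemProperty -Path $Winlogon -Name 'AutoAdminLogon'    -Value '1'       -Type String
}

function Test-KioskAutoLogon {
    # Returns $true only when every value autologon depends on is present.
    # Handy after the first reboot/gpupdate, before the reboot that should log in.
    $v = Get-ItemProperty -Path $Winlogon
    return ($v.AutoAdminLogon -eq '1' -and
            -not [string]::IsNullOrEmpty($v.DefaultUserName) -and
            -not [string]::IsNullOrEmpty($v.DefaultPassword))
}

Set-KioskAutoLogon -User $KioskUser -Domain $KioskDomain -Password $KioskPassword
Test-KioskAutoLogon   # expect True once the values are in place
```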
Final Result
No matter the route you chose, your end result should be nearly the same! Your users will only start with the application that you specify and allow. If you set this up in your environment, let me know! I am very interested to see how you lock down and protect your users from distractions. 🙂
I figured out the AutoLogon part. I have a question. When I test the Kiosk and pretend like the application fails, the background becomes the application with blank logon fields. If I create a GPO for wallpaper will that be able to override this? They want the Kiosk to display a QR code and note instead.
The AutoLogon part does not work for me.
So I enabled the Custom User Interface on local group policy. Now, whenever I log in to any local account, it only shows the app that I set it to. How do I revert it?
Thank You very much for the tutorial. Really appreciate it.
Hi, thanks for the tutorial!
We’re trying to put together a browser kiosk. I used your tutorial, and I even used AutoHotKey to disable Alt+F4. At first, this method looked like our solution, but now I’m wondering about some of the small details.
Since we’re running a custom user interface instead of the Windows shell, it appears that all Windows features are locked out (such as screensaver, Windows updates, etc). I did find a GPO setting to force screensaver, but I’m not sure about updates.
We had been considering keeping these kiosks OFF the domain for added security (I’ve been using the Local GPO settings so far). But we would need the local machine to set its own updates, since we would not be able to manage updates centrally.
It seems to me the two primary kiosk options are to either run a custom shell and have to manually add other features (as you describe), or run the Windows shell and have to manually restrict certain features (taskbar, start menu, etc.). I am stuck between the two.
Can you confirm whether Windows updates will run on the local machine if the Windows shell is not running? We want to make sure iexplore would be getting the proper updates.
Do you think it would be better to just put the machines on the domain so we could control updates centrally? How do you handle Windows updates on a kiosk?
Thanks!
Running into an issue using a similar setup.
Using Windows 8.1 tablets as time clocks for our facilities.
We set up a GP using the Custom User Interface to launch our time clock site in kiosk mode.
We have also set the Auto Login keys, in case the tablet would need to be restarted in a remote location.
We cannot seem to get the on-screen keyboard to pop up when using the auto login keys.
If we log in with a standard domain account, we have no problem running a batch file that launches the website in full screen and set the on screen keyboard on a loop, in case the user would close it.
This is where we are stuck with deploying these tablets to 8 locations.
Hi,
Thank you for the guide, it works well in my environment.
Just one thing…. our users can click the red X in their one allowed application (or choose File/Close) and it will close the app and leave them with a blank screen with no way to restart the app. At this point we have to restart the PC, then it does its auto login and starts the app again…
Is there a way to stop the users from closing the app?
Thanks
Andy
Not that I know of – you can set up a logon script though to either log them off if the app is closed or to relaunch the app every X seconds if it sees that the app is closed.
Hello,
I have 120 dell tablets that are running Win 10 Pro that only need to run a single webpage. I’m trying to work through your steps but I can’t seem to find where I can create a new GPO. I’ve found where to edit the existing default GPO but that is it.
Thanks in advance.
Regards,
Matt
Hi Matt – you can right click on Group Policy objects in the Group Policy Management console to do this.
Joseph,
I am going to assume that this must be an Enterprise or Education feature because I was just in the Programs & Features for Win 10 Pro and there isn’t anything that would allow me to access the Management Console. I have a working procedure to get what I want (sort of)… but it unfortunately still relies on the users to be trustworthy. I have IE running with the “-k” switch to put it in Kiosk mode but the users can still access the start menu on the tablet.
Thanks,
Matt
No. The Group Policy Management Console is a part of the RSAT toolset. You can download RSAT for Windows 10 here: https://www.microsoft.com/en-us/download/details.aspx?id=45520
I took a look at our current AD and I do not see the System\CTRL-ALT-DEL item. Where did you get the .adm file for this setup?
Make sure you have your GPMC set to use the central store: https://deployhappiness.com/creating-the-group-policy-central-store-updated-for-windows-8-12012r2/
If you haven’t enabled Loopback Policy Processing in any higher GPOs, do so now. Navigate to User Configuration\Policies\Administrative Templates\System. Enable Custom User Interface and type in your application’s file path. For Internet Explorer type:
c:\Program Files\Internet Explorer\iexplore.exe -k http://www.schoolexam.com
This is a better solution than changing the homepage for the internet explorer.
Are there any ways that you know of to allow navigation buttons while in kiosk mode? Are keyboard shortcuts the only way for users to be able to navigate, refresh, print?
I don’t Joe – let me know if you find a solution though.
For my application, I was able to get by with an AutoHotKey script (as custom user interface) to call iexplore.exe in standard mode, and then pass an {F11} keystroke. The keystroke fullscreen is a bit different than a GPO assigned fullscreen mode as it will allow navigation buttons. I know this can be risky in certain applications, but for me, it’s not much of a concern because these are private, associate only kiosks. Like you mentioned in another comment, I also called a script that watches for IE to close, and relaunches it. Thanks for your help.
No problem Joe!
Waleed Abdelaziz says
February 10, 2015 at 1:51 pm
I love your post. Works great, the only issue I have is if a user tries to close Internet Explorer they will get a black screen.. no icon or no way to start Internet Explorer again. Must shut down the PC.
Any help?
You could create a batch file that runs on startup. If iexplore is closed, it launches it.
No, just do Ctrl+Alt+Del, log off, then log back in when you are ready!!
Good solution as well Jose!
Should these Kiosk machines still be added to active directory. For example I’m creating a machine to only be used as a sign in to the library using a Google Form
They should be. Adding them to AD makes them much easier to manage.
Hi
Thanks for the article – very helpful!
I seem to have a problem in that when I lock down the user’s tablet to IE, he cannot open the on-screen keyboard/input panel to type text into e.g. a search box on the webpage.
How would you go around this problem?
Thanks!
I would change the custom user interface value to a batch file. The first line would start internet explorer and the second line would start the onscreen keyboard exe.
Let me know how it goes!
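The two suggestions above (a startup/logon script that relaunches the browser whenever a user closes it, and a script that starts both Internet Explorer and the on-screen keyboard) combined into one watchdog, as an added example that is not the article’s or any commenter’s own script. It assumes the IE path from the article and a placeholder kiosk URL; set it as the Custom User Interface value as shown in the first comment line.

```powershell
# Constructed kiosk shell watchdog. Set the Custom User Interface value to, e.g.:
#   powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Kiosk\KioskShell.ps1
# On 64-bit Windows, run it from the 64-bit powershell.exe: the 32-bit (WOW64)
# host may fail to start osk.exe.
$Browser     = 'C:\Program Files\Internet Explorer\iexplore.exe'
$Url         = 'http://kiosk.example.invalid/'   # placeholder, replace with the kiosk page
$Keyboard    = "$env:WINDIR\System32\osk.exe"    # on-screen keyboard for touch tablets
$PollSeconds = 5

function Start-KioskBrowser {
    # -k is Internet Explorer's kiosk switch (full screen, no toolbars or menus)
    Start-Process -FilePath $Browser -ArgumentList @('-k', $Url)
}

function Test-ProcessRunning {
    param([string]$Name)
    return [bool](Get-Process -Name $Name -ErrorAction SilentlyContinue)
}

while ($true) {
    # Relaunch the browser if the user closed it (red X, File > Close, Alt+F4);
    # with no Explorer shell there is otherwise nothing left on screen.
    if (-not (Test-ProcessRunning -Name 'iexplore')) {
        Start-KioskBrowser
    }
    # Keep the on-screen keyboard available; it does not start on its own
    # when a custom user interface replaces the Windows shell.
    if (-not (Test-ProcessRunning -Name 'osk')) {
        Start-Process -FilePath $Keyboard
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Because the script itself is now the shell, the user is never left at a blank screen that requires a reboot, as the comments above describe.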
Interesting post. On a somewhat related note, I’d be interested in a blog post about how you handle conference room and other public access machines if you’d be up to it and had some thoughts to share. I’ve been looking through Spiceworks and got a few recommendations, but I’d be curious to hear how you manage workstations like these in your environment.
Thanks for the suggestion James – I will add it to the draft list. Anything specific that you would be interested in? I would imagine: autologins, assigned access, power options.
Yup, yup…Here are a few other things I’ve been debating on how to handle:
1. Put these machines on production network? Or a guest network with limited access? In our environment, we have outside guests coming in all the time to do presentations and security really worries me. I’m worried about putting these PCs on the production network and I’m leaning toward a suggestion I heard of building the machine, join to the domain, let it get GPOs to do the initial configuration and then move it to a guest network when it’s in our conference rooms.
2. Since SteadyState died with XP, I’m thinking of using a local mandatory profile. The machines will autologin with a generic domain account whose AD settings point to a local mandatory profile.
3. Staff access to internal resources? Any or do they just put what they need on a jump drive and bring it with them?
Just some things bouncing around my head about how to handle our machines, would love to know how you approach it. Thanks and Happy Thanksgiving!
Thanks for the post. I didn’t know about the Enable Custom User Interface option. Just be sure to lock down other features to ensure users don’t get access to more than you want for each specific situation. For example, it’s not hard to launch Explorer by typing C: into the url bar which opens the door to other files, programs, etc. Keep up the good work.
You are absolutely right! As techs, we have to balance the need for security (locking down) with time available. The best way to limit unapproved applications from being run is to use a whitelist in AppLocker. Then only your approved application can be started.
Would I need to add things like AV and Windows Updates to the whitelist, or would AppLocker ignore those?
You would want to create the default Windows folder rule. This will allow applications in Windows to run plus your specified applications.
If you don’t have the Ultimate or Enterprise versions of Windows and hence no AppLocker, then ensure you set User Configuration -> Policies -> Administrative Templates -> Start Menu and Taskbar -> Remove Run from Start Menu. This should stop the user being able to type UNC paths, C:\ and other directory locations into Internet Explorer.
If you haven’t, you might also want to look at restricting access to the CTRL + O key – this brings up an open dialog in IE.