Do you have computers that should really be running only one application? Whether they are kiosk machines or clients that need just a web browser, Group Policy Kiosk Mode can lock your machines down. With just a few administrative templates and loopback, users will get the one application they need and nothing else. Simplicity at its best! To show you what I mean, the picture below is a kiosk machine running only a web browser. The computer automatically starts in the morning, logs in as the kiosk user, and launches the needed application. No Explorer, no Start bar, no way for a user to mess it up!
Merge or Replace?
You can probably guess that we are going to use Loopback Policy Processing to deal with this. If you are unsure about Loopback (or need a little background), read this article first. You will need to decide whether you are going to use merge mode or replace mode. If the computer is going to be a dedicated machine, you will want to use Loopback in Replace mode. Example scenarios include print release stations, check-out stations, time clock stations, etc. In all of these cases, we do not care which user uses the machine, and we do not want our users to have any of their normal Group Policy settings.
If your users will need their Group Policy settings to follow them to your kiosk machines, you will need to use Loopback in Merge mode. For example, your users might need their Folder Redirection settings, Internet Explorer settings, drive mappings, etc. We are going to cover both Loopback modes, but we will start with merge as it is a bit easier.
Kiosk Mode with Merge
Here is our predicament. We have dedicated labs where users will only need access to one application, such as a browser. If the browser needs to launch a secondary application, such as Explorer's Save As window, it should be allowed. Knowing this, whitelisting with just AppLocker is out of the question. We are going to need several puzzle pieces to make this fit.
Create a new GPO and name it something like Kiosk_YOURAPPLICATION. If you haven't enabled Loopback Policy Processing in any higher GPOs, do so now. Navigate to User Configuration\Policies\Administrative Templates\System. Enable Custom User Interface and type in your application's file path. For Internet Explorer, type: c:\Program Files\Internet Explorer\iexplore.exe
Next, go to System\CTRL+ALT+DEL Options and enable Remove Task Manager. This will stop our users from using Task Manager's Open command. If you are setting your computers to only launch Internet Explorer, you'll probably want to set a custom home page. Go to Windows Components\Internet Explorer. Enable "Disable changing home page settings" and set your new home page. All that is left is to link this GPO to an OU containing the kiosk computers.
Kiosk Mode with Replace
Using replace mode is a little trickier because you will have additional computer-side settings. Most of the time, computers using this mode will be automatically powered on and logged in before your users need to use them. As a practical example, we have kiosk machines set up like this in our media centers that are used to search for books.
Create a GPO and set the three user-side settings from above. Then expand Computer Configuration\Preferences\Windows Settings\Registry. Create three new registry items named DefaultUserName, DefaultPassword, and AutoAdminLogon.
Each value should be in the HKEY_LOCAL_MACHINE hive and be placed under Software\Microsoft\Windows NT\CurrentVersion\Winlogon. After you've finished editing the GPO and have it linked, reboot your machines twice. The first reboot (or GPUpdate) will set the automatic login registry values. On the second reboot, the computer should automatically log in. If needed, here is some additional information on setting those values.
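To confirm the result after the second reboot, here is an added PowerShell check (not from the original post) that reads the Winlogon values set by the preference items and the per-user policy values that Custom User Interface and Remove Task Manager write; it only reports whether DefaultPassword is present, since the Winlogon value is clear text in HKLM (readable by any local user) and also sits in clear text in the GPP Registry.xml in SYSVOL. It assumes the registry paths given in the comments and must run in the kiosk user's session, because the HKCU values only exist where the loopback user settings applied.

```powershell
# Audit the kiosk settings described above on the local machine.
# Run as the logged-on kiosk user; reading these values needs no elevation.
function Get-KioskConfig {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # Custom User Interface (Shell) and Remove Task Manager (DisableTaskMgr)
    # both land under this per-user policy key.
    $userPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

    $wl = Get-ItemProperty -Path $winlogon   -ErrorAction SilentlyContinue
    $up = Get-ItemProperty -Path $userPolicy -ErrorAction SilentlyContinue

    [pscustomobject]@{
        # Accept REG_SZ "1" or REG_DWORD 1, whichever the preference item wrote.
        AutoAdminLogon      = ("$($wl.AutoAdminLogon)" -eq '1')
        DefaultUserName     = $wl.DefaultUserName
        # Presence only: the value is clear text here and in SYSVOL, so never echo it.
        DefaultPasswordSet  = -not [string]::IsNullOrEmpty($wl.DefaultPassword)
        CustomShell         = $up.Shell          # $null means Explorer is the shell
        TaskManagerDisabled = ($up.DisableTaskMgr -eq 1)
    }
}

function Test-KioskConfig {
    param([Parameter(Mandatory)][string]$ExpectedShell)
    $c = Get-KioskConfig
    $problems = @()
    if (-not $c.AutoAdminLogon)      { $problems += 'AutoAdminLogon is not 1' }
    if (-not $c.DefaultUserName)     { $problems += 'DefaultUserName is missing' }
    if (-not $c.DefaultPasswordSet)  { $problems += 'DefaultPassword is missing' }
    if ($c.CustomShell -ne $ExpectedShell) {
        $problems += "Shell is '$($c.CustomShell)', expected '$ExpectedShell'"
    }
    if (-not $c.TaskManagerDisabled) { $problems += 'Task Manager is not removed' }

    if ($problems.Count -eq 0) { 'Kiosk configuration OK' } else { $problems }
}

# Usage with the Internet Explorer path from the post:
Test-KioskConfig -ExpectedShell 'c:\Program Files\Internet Explorer\iexplore.exe'
```

A missing Shell or DisableTaskMgr after the second reboot usually means loopback did not apply; `gpresult /r` in the same session shows which user-side GPOs were processed.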
No matter which route you choose, your end result should be nearly the same! Your users will only start with the application that you specify and allow. If you set this up in your environment, let me know! I am very interested to see how you lock down your machines to protect your users from distractions. 🙂