Automating Kiosk Mode in Windows

I was recently tasked with setting up a line of “Kiosk” machines (running Windows 10) to serve just internet explorer to users, with no access to other applications.

There are a few approaches to this however here are the issues i found with them:

1.  From Windows 8.1 onward you can use Assigned Access  . Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps. Microsoft Edge is not supported for assigned access.
2. AppLocker could be used to lock down a machine and restrict access to only specific programs, however setup for this is tedious and there are simply too many variables to lock down.
3. Internet Explorer can be run in “Kiosk Mode” (iexplore -k). This is fine if you were using the Kiosk for a single website however does not allow users to easily navigate to other sites. This approach would work fine for a Library catalogue machine or similar.
4. Create a provisioning package for a kiosk app.

You can see Microsoft’s guidance on Kiosk mode here – https://docs.microsoft.com/en-us/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions

The approach i ended up taking was to take advantage of a group policy setting called “Custom User Interface“. This is located in User>Admin Templates>System.

This policy takes advantage of :

Key path:	SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name:	Shell
Value type:	REG_SZ

With this approach you can replace explorer.exe with iexplore.exe and you are away, of course you would need to lock the machine down with settings like “Remove Task Manager” etc but this approach works well.

Within a Kiosk environment i would like to prevent the users from being able to close Internet Explorer, because if they managed to there would be no way to restart it besides rebooting the machine.

The following Group Policy exists which is designed to prevent this:

File Menu: Disable closing the browser and Explorer Windows.  

There is one major issue i encountered with this policy, when users opened new tabs for webpages, it sometimes prevented the users from being able to close those tabs (users would receive a restriction error). This setting would not be suitable in a shared lab login environment. My thought was that this policy was initially designed before tabbed browsing was developed and has not been updated to be able to handle tabs. I faced an issue. I couldn’t allow IE to be closed at all, otherwise the end user would be left with nothing.

The solution was simple, build what under other circumstances would be the most annoying program ever.  “LoopIE” is simple, it will run as a hidden process and force open iexplore.exe every time its closed after a specified delay. After each loop it will simulate a key-press (SCOLL LOCK) to keep the machine from sleeping.

Download the executable and settings file and copy to machines local disk,  both files need to be placed into c:\Program Files\LoopIE. The settings file controls three options.

1. The URL to launch

2. Kiosk mode, on or off.

3. Interval in seconds.

Configure the below registry key (Or Custom User Interface GPO)

Key path:	SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name:	Shell
Value type:	REG_SZ

Value: c:\Program Files\LoopIE\LoopIE.exe

My client wanted their Kiosk machines to automatically log in to start LoopIE. Kiosks were to exist at each office and each office had its own Kiosk AD account. Kiosk accounts shared the same password and were limited to only log in locally to a kiosk device. To automate the process i extended the companies production SCCM Task Sequence. The high level steps of automation are:

0. Define which Kiosk account to use (UI++) – UI++ was used to dynamically assign different kiosk accounts to the variable of ‘KioskUName’ – this variable would be called later in the task sequence to configure automatic login.

1. Install (Copy) LoopIE files – LoopIE files placed into a simple SCCM  package (no program)

2. Copy automatic login – AutoLogon is a small utility from the Microsoft SysInternals suite. Autologon enables you to easily configure Windows’ built-in autologon mechanism. Instead of waiting for a user to enter their name and password, Windows uses the credentials you enter with Autologon (which are encrypted in the Registry) to log on the specified user automatically. The only time the Kiosk account password is exposed is within the SMSTS engine (and log). This is a risk the client was willing to take in this instance. If you take this approach, limit the local login of the Kiosk accounts to specific machines. 

Create a simple package for AutoLogon, define a step within the Task Sequence to copy AutoLogon to c:\Windows\System32

3. Run AutoLogon – Create a simple ‘Run Command Line’ step and configure the highlighted settings. Be sure to set the DOMAIN and KioskPassword. In this instance %KioskUName% will be gathered from the variable set via UI++.

4. Set Post Action Reboot – Create a ‘Set Task Sequence Variable’ step with the settings defined below, this will allow AutoLogon to start the session and the completion of the Task Sequence.

The end result will be a machine automatically logging in to the defined account and starting LoopIE. If a user closes the browser it will restart after the time you have defined in the settings file. Computers imaged for Kiosk mode should be placed in a OU with your Kiosk Group Policies configured.

The download for LoopIE can be found here. Due to the nature of the application (looping a process) some AntiVirus clients will flag it, it is completely safe to create an exclusion. The source code for LoopIE is below.

https://gist.github.com/danjpadgett/435f8b43c36d740aad55fe23c014e499

Cheers,

Dan