Sep 10 2013

Building a Windows 7 Kiosk in 10 minutes

Right, so I can’t guarantee you it’ll only take 10 minutes, but after scouring the web for good ways to do it, I ultimately spent less time fixing it myself than banging my head against the desk trying everything I found.

It’s easy, and it doesn’t require any third-party apps or solutions.

My mission was this:

  • We were implementing a XenDesktop solution, using Web Interface 5.4.
  • I had x number of thin clients, and x number of desktops.
  • The customer wanted the interface to be the same on all clients, and didn’t want to toss out the desktops, so we needed to repurpose them.

First of all, we have the following prerequisites:

  • Computers are running W7 (or in our case, Windows ThinPC)
  • They’re joined to the domain.
  • Citrix client, or whatever client you need, is deployed somehow. We did it in the image, using MDT, but GPOs or scripts in AD can do the trick.
  • A user with logon rights to the computer, for auto-logon. It doesn’t need any special privileges, but you may want to set its password to never expire.

We need to set the following in a GPO and apply it to the computer. It’s not necessarily bulletproof, but you can patch up the holes if you find them; I haven’t found any:

Registry:

Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: DefaultUserName
Value type: REG_SZ
Value data: domain\autologonuser

Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: DefaultPassword
Value type: REG_SZ
Value data: (password to the autologonuser)

Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: DefaultDomainName
Value type: REG_SZ
Value data: domain.corp

Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: AutoAdminLogon
Value type: REG_SZ
Value data: 1

Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: Autologoncount
Action: DELETE

Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: Shell
Value type: REG_SZ
Value data: %programfiles%\Internet Explorer\iexplore.exe -k (url you want to autolaunch)

Key: HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions
Value name: NoBrowserClose
Value type: REG_DWORD
Value data: 1

User Configuration/Administrative Templates:

System/Ctrl+Alt+Del Options – Enable the following:

  • Remove Change Password
  • Remove Lock Computer
  • Remove Logoff
  • Remove Task Manager

Windows Components/Internet Explorer/Toolbars

  • Lock all Toolbars

DONE!

Put the computer in that OU, reboot, and it’ll give you these features:

  • Autologon into Windows
  • Start Internet Explorer with the URL you choose, in Kiosk-mode (fullscreen)
  • Won’t let you close IE
  • Won’t let you run Task Manager, log off, change password or anything like that. You can shut down and reboot. That’s pretty much it.

You can expand on this to disallow right-clicks and a few other things, but if you can assume that your users won’t intentionally break anything, this will suffice. If they do manage to break anything, a reboot should put it back.
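
To confirm after the reboot that the policy actually applied, the following added example (not part of the original post; the function names are made up here) reads the values listed above and reports each one. It also warns when DefaultPassword is present, because Winlogon stores that value as plain text in the registry, which is why the auto-logon account should stay unprivileged.

```powershell
# Added example (not from the original post): read-only audit of the kiosk
# settings listed above. Function names are made up for this example.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ieRestr  = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Restrictions'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Finding($Check, $Ok, $Actual) {
    New-Object PSObject -Property @{ Check = $Check; Ok = [bool]$Ok; Actual = $Actual }
}

function Test-KioskConfig {
    $auto  = Get-RegValue $winlogon 'AutoAdminLogon'
    $user  = Get-RegValue $winlogon 'DefaultUserName'
    $dom   = Get-RegValue $winlogon 'DefaultDomainName'
    $count = Get-RegValue $winlogon 'AutoLogonCount'
    $shell = Get-RegValue $winlogon 'Shell'
    $close = Get-RegValue $ieRestr  'NoBrowserClose'
    $hasPw = [bool](Get-RegValue $winlogon 'DefaultPassword')

    New-Finding 'AutoAdminLogon is 1'       ($auto -eq '1')    $auto
    New-Finding 'DefaultUserName is set'    ($user)            $user
    New-Finding 'DefaultDomainName is set'  ($dom)             $dom
    # The post deletes AutoLogonCount so auto-logon does not stop after N logons
    New-Finding 'AutoLogonCount is absent'  ($null -eq $count) $count
    # Shell must start IE in kiosk mode (-k); anything else means a normal desktop
    New-Finding 'Shell is iexplore.exe -k'  ($shell -match 'iexplore\.exe"?\s+-k(\s|$)') $shell
    New-Finding 'NoBrowserClose is 1'       ($close -eq 1)     $close
    # Report only whether the password exists; never print the value itself
    New-Finding 'DefaultPassword is set'    $hasPw             '(not shown)'

    if ($hasPw) {
        Write-Warning 'DefaultPassword is stored in plain text; keep this account unprivileged.'
    }
}

Test-KioskConfig | Select-Object Check, Ok, Actual | Format-Table -AutoSize
```

Any row with Ok set to False points at a value the GPO did not deliver to that machine.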

If you want to revert to a normal W7, you can simply create a new policy which reverts those keys: essentially deleting them and setting the Shell value to explorer.exe.

That wasn’t so hard, eh?

About the Author: Kristoffer Birkenes

2 Comments

  • Thank you, beautiful article… This helps in setting up a Windows ThinPC environment.

    Regards,
    Johnson

  • Thank you! I used your instructions and repurposed our old computers as XenApp thin clients.
