SteadyState: Post Image Configurations – Kiosk
These are the post-image configuration steps I use when configuring kiosks.
A bit about the image: my kiosk image uses Vista SP1 with a KMS license, is configured to operate on one hardware platform, has predefined local users, and is preloaded with desired applications.
1. Ensure the computer is in the proper Active Directory Group
2. Log on as local administrator
3. Run Patch script as administrator
This script reloads the anti-virus program and preps the firewall to use domain settings. Although this script can be run using features in the Ghost console or the runonce options in AIK, I’m just not there yet as this is my first Vista image.
4. Add a local printer, if applicable
5. Log off
6. Log On as local Kiosk user
7. Launch applications;
I have found it’s useful to run each accessible application after the image process, as the image process resets such items as the SID, causing some applications to want to re-install themselves.
8. Set/Check Default Printer, if applicable
9. Log off
10. Log on as local administrator
11. Open SteadyState
Set User Restrictions for Kiosk user (not General Settings or Session Timers)
(On = Checked, Off = Unchecked)
Windows Restrictions
Start Menu Restrictions
On   Prevent right-click in the Start menu
On   Allow only Classic Start menu
On   Remove the Control Panel, Printer and Network Settings from the Classic Start menu
On   Remove the My Documents icon
On   Remove the My Recent Documents icon
On   Remove the My Pictures icon
On   Remove the My Music icon
On   Remove the Favorites icon
On   Remove the My Network Places icon
On   Remove the Frequently Used Program list
On   Prevent the program in the All Users folder from appearing
On   Remove the Control Panel icon
On   Remove the Set Program Access and Default icon
On   Remove the Network Connections (Connect To) icon
On   Remove the Printers and Faxes icon
On   Remove the Search icon (Windows XP only)
On   Remove the Run icon
On   Remove the Shut Down button
On   Remove the Help and Support icon
General Restrictions
On   Prevent right-click in Windows Explorer
Off  Prevent AutoPlay on CD, DVD, and USB drives
On   Prevent access to Windows Explorer features: Folder Options, Customize Toolbar, and the Notification Area
On   Prevent changes to Explorer’s advanced registry settings
Off  Use Control Panel Classic View
On   Prevent access to the taskbar
On   Prevent access to the command prompt
On   Prevent access to the registry editor
On   Prevent access to the Task Manager
On   Prevent access to Microsoft Management Console utilities
On   Prevent users from adding or removing printers
On   Prevent users from locking the computer
On   Prevent password changes (also requires the Control Panel icon to be removed)
On   Remove CD and DVD burning features
On   Disable keyboard shortcuts that use the Windows Logo key
On   Allow only programs in the Program Files and Windows folders to run
On   Disable System Tools and other management programs
Off  Disable Notepad and WordPad
Off  Remove the Recycle Bin icon
Off  Prevent users from saving files to the desktop
Restrict all drives except; A, B, D, E, F (ensure drive C is restricted)
Feature Restrictions
Internet Explorer restrictions
Off  Prevent Internet access (except Web sites below)
On   Prevent changes to Internet Explorer registry settings
Off  Prevent right-click in Internet Explorer
Off  Prevent printing
Off  Do not allow access to Favorites
On   Disable AutoComplete
On   Empty the Temporary Internet Files folder when Internet Explorer is closed
On   Disable RSS Feeds (Internet Explorer 7 only)
Menu Options
On   Remove View Source
On   Remove Find Files
On   Remove Theater Mode
On   Remove Help menu
On   Remove Internet Options
On   Remove expanded New menu
On   Remove General tab in Internet Options
On   Remove Security tab in Internet Options
On   Remove Privacy tab in Internet Options
On   Remove Content tab in Internet Options
On   Remove Connections tab in Internet Options
On   Remove Programs tab in Internet Options
On   Remove Advanced tab in Internet Options
On   Remove New Window menu option
Toolbar options
On   Search (Internet Explorer 6 only)
On   Folders (Internet Explorer 6 only)
On   Edit
On   Discussions (Internet Explorer 6 only)
On   Encoding
On   Size
On   Full Screen
On   Media (Internet Explorer 6 only)
Off  Print
On   History (Internet Explorer 6 only)
On   Tools (Internet Explorer 6 only)
Off  Third party extension buttons [uncheck to run; flash player-ish items]
Off  Command Bar (Internet Explorer 7 only) (This allows Print to show)
Microsoft Office restrictions
On   Prevent use of Visual Basic for Applications
On   Disable macro shortcut keys
On   Disable Macro menu items in the Tools menu
Off  Disable Add-ins
On   Disable the Web toolbar (Office 2003/200/XP only)
On   Disable the Location box (Office 2007 only)
On   Disable the Detect and Repair command in the Help menu
On   Prevent changes to Clip Organizer contents in Office 2007/2003/XP
Set Internet Explorer home page
Block Programs (Blocked Programs)
[Block the programs you don’t want the account to access. Do not block all programs then allow the programs you want, you’ll likely miss some partner apps.]
Windows…; Calendar, Contacts, Mail, Movie Maker, Photo Gallery, Sidebar
12. Run as administrator; gpupdate /force /boot
13. Log off (step 12 may automatically restart the computer; if so, skip this)
14. Log on as local kiosk user
15. Answer any pop-ups
16. Delete from Desktop; Kiosk and Internet Explorer shortcuts
17. Arrange Desktop
You will find some items have been added to the desktop. Delete/add items and arrange the desktop to appear the way you want.
18. Log off
19. Log on as local administrator
20. Open SteadyState
a. Set General and Session user settings, for KIOSK user
General Settings
On   Lock profile to prevent the user from making permanent changes
Session Timers
Off  Log off after XX minutes of use
On   Log off after 10 minutes idle
Off  Always display the session countdown
On   Restart computer after log off
b. Set Computer Updates, for Computer Settings
Schedule Updates
On   Use Windows SteadyState to automatically download and install updates: Daily at 03:00
Off  Do not use Windows SteadyState to download and install updates.
Select Updates
Off  Security Program Updates [n/a]
Off  Custom Updates
21. Log off
22. Log on as local kiosk user
23. Test applications
I do this one last time to ensure everything looks and operates properly
Note: Drive C: is locked. You may receive an error but the main execution will continue.
24. Log off (computer will restart)
25. Log on as local administrator
26. Run AutoLogOn script, as administrator
This script modifies the registry to automatically log on as a particular user. The script is below, and there is more detailed information in its own post:
@echo off
REM Auto-logon as a local account: the domain is set to this computer's name.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "DefaultDomainName" /d "%ComputerName%"
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "DefaultUserName" /d "user"
REM DefaultPassword is stored in clear text in this key.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "DefaultPassword" /d "password"
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AltDefaultDomainName" /d "%ComputerName%"
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AltDefaultUserName" /d "user"
REM Turn automatic logon on and force it again after each log off.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoAdminLogon" /d "1"
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "ForceAutoLogon" /d "1"
27. Open SteadyState
a. Set Computer Restrictions
Privacy Settings
On   Do not display user names in the “Log On to Windows” dialog box
On   Prevent locked or roaming user profiles that cannot be found on the computer from logging on
On   Do not cache copies of locked or roaming user profiles for users who have previously logged on to this computer
Security Settings
On   Remove the Administrator user name from the Windows screen [If enabled]
On   Remove the Shut Down and Turn Off options from the “Log On to Windows” dialog box and the Welcome screen
On   Do not allow Windows to compute and store password using LAN Manager Hash values
On   Do not store user names or passwords used to log on to Windows Live ID or the domain
On   Prevent users from creating folders and files on drive C: [On for Kiosk/Off for Labs]
Off  Prevent users from opening Microsoft Office documents from within Internet Explorer
Off  Prevent write access to USB storage devices
Other Settings
Off  Turn on the Windows screen (Windows XP only)
b. Set Protect Hard Drive
Protect the Hard Disk
Off  Off
On   On
On   Remove all changes at restart
Off  Retain changes temporarily
Off  Retain all changes
Off  Do not warn the administrator about losing changes before log off, restart, or shut down.
28. Restart the computer
After restart, the computer should automatically log on as the kiosk user.
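A check that can be run as local administrator after the restart to confirm what the AutoLogOn script in step 26 wrote (an added example, not part of the original post or its script). The function name Test-KioskAutoLogon is hypothetical, 'user' is the script's placeholder account, and the group name Administrators assumes an English-language Windows with PowerShell installed.

```powershell
# Added example: audits the Winlogon values written by the AutoLogOn script.
# 'user' is the script's placeholder account; 'Administrators' assumes English Windows.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Names = 'DefaultDomainName','DefaultUserName','DefaultPassword','AutoAdminLogon','ForceAutoLogon'

function Test-KioskAutoLogon {
    param(
        [string]$ExpectedUser = 'user',
        [hashtable]$Values,         # optional constructed values; default reads the registry
        [string[]]$AdminMembers     # optional; default parses 'net localgroup Administrators'
    )
    if ($null -eq $Values) {
        $key = Get-ItemProperty -Path $WinlogonKey
        $Values = @{}
        foreach ($n in $Names) { $Values[$n] = $key.$n }
    }
    if ($null -eq $AdminMembers) {
        $AdminMembers = @(net localgroup Administrators | ForEach-Object { $_.Trim() })
    }
    $findings = @()
    foreach ($flag in 'AutoAdminLogon','ForceAutoLogon') {
        if ("$($Values[$flag])" -ne '1') { $findings += "$flag is not 1" }
    }
    if ($Values['DefaultUserName'] -ne $ExpectedUser) {
        $findings += "DefaultUserName is '$($Values['DefaultUserName'])', expected '$ExpectedUser'"
    }
    if ($Values['DefaultDomainName'] -ne $env:COMPUTERNAME) {
        $findings += 'DefaultDomainName is not the local computer name (not a local account)'
    }
    if ($AdminMembers -contains $Values['DefaultUserName']) {
        $findings += 'Auto-logon account is a member of the local Administrators group'
    }
    if ($Values['DefaultPassword']) {
        $findings += 'DefaultPassword is stored as clear text in the Winlogon key'
    }
    $findings
}

# Constructed sample values (not read from a real machine): the kiosk account was
# mistakenly left in Administrators and ForceAutoLogon was never written.
$sample = @{ DefaultDomainName = $env:COMPUTERNAME; DefaultUserName = 'user'
             DefaultPassword = 'password'; AutoAdminLogon = '1' }
Test-KioskAutoLogon -Values $sample -AdminMembers 'Administrator','user'
```

Calling Test-KioskAutoLogon with no arguments reads the live registry and group membership instead of the constructed sample.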