quenga.net - windows & application deployment – remote management – scripting & automation – and more…


January 28, 2009

SteadyState: Post Image Configurations – Kiosk


These are the post-image configuration steps I use when configuring Kiosks.

A bit about the image:
My Kiosk image uses Vista SP1 with a KMS license, is configured to operate on one hardware platform, has predefined local users, and is preloaded with desired applications.

1. Ensure the computer is in the proper Active Directory Group

2. Log on as local administrator

3. Run Patch script as administrator
This script reloads the anti-virus program and preps the firewall to use domain settings.  Although this script can be run using features in the Ghost console or the runonce options in AIK, I’m just not there yet as this is my first Vista image.

4. Add a local printer, if applicable

5. Log off

6. Log On as local Kiosk user

7. Launch applications
I have found it's useful to run each accessible application after the image process, as the image process resets such items as the SID, causing some applications to want to re-install themselves.

8. Set/Check Default Printer, if applicable

9. Log off

10. Log on as local administrator

11. Open SteadyState
Set User Restrictions for Kiosk user (not General Settings or Session Timers)
(On = Checked, Off = Unchecked)

Windows Restrictions
Start Menu Restrictions
On  Prevent right-click in the Start menu
On  Allow only Classic Start menu
On  Remove the Control Panel, Printer and Network Settings from the Classic Start menu
On  Remove the My Documents icon
On  Remove the My Recent Documents icon
On  Remove the My Pictures icon
On  Remove the My Music icon
On  Remove the Favorites icon
On  Remove the My Network Places icon
On  Remove the Frequently Used Program list
On  Prevent programs in the All Users folder from appearing
On  Remove the Control Panel icon
On  Remove the Set Program Access and Defaults icon
On  Remove the Network Connections (Connect To) icon
On  Remove the Printers and Faxes icon
On  Remove the Search icon (Windows XP only)
On  Remove the Run icon
On  Remove the Shut Down button
On  Remove the Help and Support icon
General Restrictions
On  Prevent right-click in Windows Explorer
Off Prevent AutoPlay on CD, DVD, and USB drives
On  Prevent access to Windows Explorer features: Folder Options, Customize Toolbar, and the Notification Area
On  Prevent changes to Explorer’s advanced registry settings
Off Use Control Panel Classic View
On  Prevent access to the taskbar
On  Prevent access to the command prompt
On  Prevent access to the registry editor
On  Prevent access to the Task Manager
On  Prevent access to Microsoft Management Console utilities
On  Prevent users from adding or removing printers
On  Prevent users from locking the computer
On  Prevent password changes (also requires the Control Panel icon to be removed)
On  Remove CD and DVD burning features
On  Disable keyboard shortcuts that use the Windows Logo key
On  Allow only programs in the Program Files and Windows folders to run
On  Disable System Tools and other management programs
Off Disable Notepad and WordPad
Off Remove the Recycle Bin icon
Off Prevent users from saving files to the desktop
Restrict all drives except: A, B, D, E, F (ensure drive C is restricted)
Feature Restrictions
Internet Explorer restrictions
Off Prevent Internet access (except Web sites below)
On  Prevent changes to Internet Explorer registry settings
Off Prevent right-click in Internet Explorer
Off Prevent printing
Off Do not allow access to Favorites
On  Disable AutoComplete
On  Empty the Temporary Internet Files folder when Internet Explorer is closed
On  Disable RSS Feeds (Internet Explorer 7 only)
Menu Options
On  Remove View Source
On  Remove Find Files
On  Remove Theater Mode
On  Remove Help menu
On  Remove Internet Options
On  Remove expanded New menu
On  Remove General tab in Internet Options
On  Remove Security tab in Internet Options
On  Remove Privacy tab in Internet Options
On  Remove Content tab in Internet Options
On  Remove Connections tab in Internet Options
On  Remove Programs tab in Internet Options
On  Remove Advanced tab in Internet Options
On  Remove New Window menu option
Toolbar options
On  Search (Internet Explorer 6 only)
On  Folders (Internet Explorer 6 only)
On  Edit
On  Discussions (Internet Explorer 6 only)
On  Encoding
On  Size
On  Full Screen
On  Media (Internet Explorer 6 only)
Off Print
On  History (Internet Explorer 6 only)
On  Tools (Internet Explorer 6 only)
Off Third party extension buttons [uncheck to run; flash player-ish items]
Off Command Bar (Internet Explorer 7 only)(This allows Print to show)
Microsoft Office restrictions
On  Prevent use of Visual Basic for Applications
On  Disable macro shortcut keys
On  Disable Macro menu items in the Tools menu
Off Disable Add-ins
On  Disable the Web toolbar (Office 2003/2000/XP only)
On  Disable the Location box (Office 2007 only)
On  Disable the Detect and Repair command in the Help menu
On  Prevent changes to Clip Organizer contents in Office 2007/2003/XP
Set Internet Explorer home page
Block Programs (Blocked Programs)
[Block the programs you don't want the account to access. Do not block all programs and then allow the programs you want; you'll likely miss some partner apps.]
Windows…; Calendar, Contacts, Mail, Movie Maker, Photo Gallery, Sidebar

12. Run as administrator: gpupdate /force /boot

13. Log off (step 12 may automatically restart the computer; if so, skip this)

14. Log on as local kiosk user

15. Answer any pop-ups

16. Delete from Desktop: Kiosk and Internet Explorer shortcuts

17. Arrange Desktop
You will find some items have been added to the desktop. Delete/add items and arrange the desktop to appear the way you want.

18. Log off

19. Log on as local administrator

20. Open SteadyState

a. Set General and Session user settings, for KIOSK user

General Settings
On  Lock profile to prevent the user from making permanent changes
Session Timers
Off Log off after XX minutes of use
On  Log off after 10 minutes idle
Off Always display the session countdown
On  Restart computer after log off

b. Set Computer Updates, for Computer Settings

Schedule Updates
On  Use Windows SteadyState to automatically download and install updates:
    Daily at 03:00
Off Do not use Windows SteadyState to download and install updates.
Select Updates
Off Security Program Updates [n/a]
Off Custom Updates

21. Log off

22. Log on as local kiosk user

23. Test applications
I do this one last time to ensure everything looks and operates properly.
Note: Drive C: is locked. You may receive an error, but the main execution will continue.

24. Log off (computer will restart)

25. Log on as local administrator

26. Run AutoLogOn script, as administrator
This script modifies the registry to automatically log on as a particular user. The script is below, and there is more detailed information in its own post:

@echo off
REM Configure Winlogon to log on automatically as a local user.
REM DefaultPassword is stored in the registry in clear text, so use a restricted account.
REM /f overwrites values that already exist without prompting.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "DefaultDomainName" /d "%ComputerName%" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "DefaultUserName" /d "user" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "DefaultPassword" /d "password" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AltDefaultDomainName" /d "%ComputerName%" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AltDefaultUserName" /d "user" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoAdminLogon" /d "1" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "ForceAutoLogon" /d "1" /f
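
A check to run as administrator after the AutoLogOn script in step 26, added here as an example and not part of the original post: it confirms that every Winlogon value was written and that the autologon account is not a local administrator, since its password now sits in the registry in clear text. It assumes an English-language Windows install, where the local group is named "Administrators".

```batch
@echo off
setlocal
REM Added example (not from the original post): verify the step 26 autologon setup.
REM Assumption: English-language Windows (local group named "Administrators").
set "KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
set "FAIL=0"

REM 1. Every value the AutoLogOn script writes should be present.
for %%V in (DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AutoAdminLogon ForceAutoLogon) do (
    REG QUERY "%KEY%" /v %%V >nul 2>&1
    if errorlevel 1 (
        echo MISSING  %%V
        set "FAIL=1"
    ) else (
        echo PRESENT  %%V
    )
)

REM 2. Read the autologon account name (the data column of the REG QUERY output).
set "AUTOUSER="
for /f "tokens=2,*" %%A in ('REG QUERY "%KEY%" /v DefaultUserName 2^>nul ^| find "REG_SZ"') do set "AUTOUSER=%%B"
if not defined AUTOUSER (
    echo FAIL     DefaultUserName is missing or empty
    exit /b 1
)

REM 3. DefaultPassword is stored in clear text, so the account it belongs to
REM    must not be a member of the local Administrators group.
net localgroup Administrators | findstr /i /x /c:"%AUTOUSER%" >nul
if not errorlevel 1 (
    echo FAIL     %AUTOUSER% is a member of Administrators
    set "FAIL=1"
) else (
    echo OK       %AUTOUSER% is not a member of Administrators
)

REM Exit code 0 means all checks passed; 1 means at least one failed.
exit /b %FAIL%
```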

27. Open SteadyState

a. Set Computer Restrictions

Privacy Settings
On  Do not display user names in the “Log On to Windows” dialog box
On  Prevent locked or roaming user profiles that cannot be found on the computer from logging on
On  Do not cache copies of locked or roaming user profiles for users who have previously logged on to this computer
Security Settings
On  Remove the Administrator user name from the Windows screen [If enabled]
On  Remove the Shut Down and Turn Off options from the “Log On to Windows” dialog box and the Welcome screen
On  Do not allow Windows to compute and store passwords using LAN Manager Hash values
On  Do not store user names or passwords used to log on to Windows Live ID or the domain
On  Prevent users from creating folders and files on drive C: [On for Kiosk/Off for Labs]
Off Prevent users from opening Microsoft Office documents from within Internet Explorer
Off Prevent write access to USB storage devices
Other Settings
Off Turn on the Windows screen (Windows XP only)

b. Set Protect Hard Drive

Protect the Hard Disk
Off Off
On  On
On  Remove all changes at restart
Off Retain changes temporarily
Off Retain all changes
Off Do not warn the administrator about losing changes before log off, restart, or shut down.

28. Restart the computer
After restart, the computer should automatically log on as the kiosk user.

