Automating Kiosk Mode in Windows

I was recently tasked with setting up a line of “Kiosk” machines (running Windows 10) to serve just internet explorer to users, with no access to other applications.

There are a few approaches to this however here are the issues i found with them:

  1.  From Windows 8.1 onward you can use Assigned Access  . Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps. Microsoft Edge is not supported for assigned access.
  2. AppLocker could be used to lock down a machine and restrict access to only specific programs, however setup for this is tedious and there are simply too many variables to lock down.
  3. Internet Explorer can be run in “Kiosk Mode” (iexplore -k). This is fine if you were using the Kiosk for a single website however does not allow users to easily navigate to other sites. This approach would work fine for a Library catalogue machine or similar.
  4. Create a provisioning package for a kiosk app.

The approach i ended up taking was to take advantage of a group policy setting called “Custom User Interface“. This is located in User>Admin Templates>System.

This policy takes advantage of :

Key path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: Shell
Value type: REG_SZ
With this approach you can replace explorer.exe with iexplore.exe and you are away, of course you would need to lock the machine down with settings like “Remove Task Manager” etc but this approach works well.
Within a Kiosk environment i would like to prevent the users from being able to close Internet Explorer, because if they managed to there would be no way to restart it besides rebooting the machine.

The following Group Policy exists which is designed to prevent this:

File Menu: Disable closing the browser and Explorer Windows.  

There is one major issue i encountered with this policy, when users opened new tabs for webpages, it sometimes prevented the users from being able to close those tabs (users would receive a restriction error). This setting would not be suitable in a shared lab login environment. My thought was that this policy was initially designed before tabbed browsing was developed and has not been updated to be able to handle tabs. I faced an issue. I couldn’t allow IE to be closed at all, otherwise the end user would be left with nothing.

The solution was simple, build what under other circumstances would be the most annoying program ever.  “LoopIE” is simple, it will run as a hidden process and force open iexplore.exe every time its closed after a specified delay. After each loop it will simulate a key-press (SCOLL LOCK) to keep the machine from sleeping.

Download the executable and settings file and copy to machines local disk,  both files need to be placed into c:\Program Files\LoopIE. The settings file controls three options.
1. The URL to launch
2. Kiosk mode, on or off.
3. Interval in seconds.
Configure the below registry key (Or Custom User Interface GPO)
Key path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: Shell
Value type: REG_SZ
Value: c:\Program Files\LoopIE\LoopIE.exe
My client wanted their Kiosk machines to automatically log in to start LoopIE. Kiosks were to exist at each office and each office had its own Kiosk AD account. Kiosk accounts shared the same password and were limited to only log in locally to a kiosk device. To automate the process i extended the companies production SCCM Task Sequence. The high level steps of automation are:
0. Define which Kiosk account to use (UI++) – UI++ was used to dynamically assign different kiosk accounts to the variable of ‘KioskUName’ – this variable would be called later in the task sequence to configure automatic login.
1. Install (Copy) LoopIE files – LoopIE files placed into a simple SCCM  package (no program)
2. Copy automatic login – AutoLogon is a small utility from the Microsoft SysInternals suite. Autologon enables you to easily configure Windows’ built-in autologon mechanism. Instead of waiting for a user to enter their name and password, Windows uses the credentials you enter with Autologon (which are encrypted in the Registry) to log on the specified user automatically. The only time the Kiosk account password is exposed is within the SMSTS engine (and log). This is a risk the client was willing to take in this instance. If you take this approach, limit the local login of the Kiosk accounts to specific machines. 
Create a simple package for AutoLogon, define a step within the Task Sequence to copy AutoLogon to c:\Windows\System32
3. Run AutoLogon – Create a simple ‘Run Command Line’ step and configure the highlighted settings. Be sure to set the DOMAIN and KioskPassword. In this instance %KioskUName% will be gathered from the variable set via UI++.
4. Set Post Action Reboot – Create a ‘Set Task Sequence Variable’ step with the settings defined below, this will allow AutoLogon to start the session and the completion of the Task Sequence.
The end result will be a machine automatically logging in to the defined account and starting LoopIE. If a user closes the browser it will restart after the time you have defined in the settings file. Computers imaged for Kiosk mode should be placed in a OU with your Kiosk Group Policies configured.
The download for LoopIE can be found here. Due to the nature of the application (looping a process) some AntiVirus clients will flag it, it is completely safe to create an exclusion. The source code for LoopIE is below.
Cheers,
Dan

19 thoughts on “Automating Kiosk Mode in Windows

  1. “As a Windows noobie, if you make the GPO changes, is there a way to undo those changes?”

    Once applied, you would have to create another whole GPO to undo the changes.

    Like

  2. Or is it possible to set “adminautologon” = 0, and set no password to the IE user?
    So if rebooted, users has to login the “kiosk” user. and if adjustments and other stuff is needed to do with the computer. You could login with admin account…?

    Like

  3. Your file is detected as a trojan, specifically it is detected as Trojan:Win32/Rundas!plock. It flags as a dangerous program and executes commands from an attacker

    Like

  4. I am seeing the same behavior as well: Windows Defender flags it as the Trojan noted above. Probably incorrectly, since I've been using your program for a few months now. I'm guessing the behavior of scanning for another piece of software and then relaunching it if the task ends mirrors the behavior of this other Trojan.

    Like

  5. Hi,
    Is there any way to make the shell LoopIE hack only to be applied to certain users?
    I want to be able to configure other windows settings when login in as an admin which doesnt bring up the IE kiosk.

    Key path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value name: Shell
    Value type: REG_SZ

    Thanks
    /Henrik

    Like

  6. LoopIE will not run asks for me to work with the creator to find a version that will work with my PC, its the same as my desktop and it runs fine there

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s