Hi there,
my colleagues started to deploy a new MSP application, mainly as a ticket system and for endpoint management. The configuration itself is mostly done, it just needs a bit of fine-tuning.
One of the things they wanted was a big display where they can monitor all new tickets that come in. So basically a client that has the website open in full screen. The Kiosk Mode in Windows would be perfect for this, but it does not save the last session. So every time we reboot the PC, we have to get the MFA code to log in to the website.
This gets very tedious very quickly. So, a better solution was needed.
There would be a simple way to achieve this. Just automatically log in a user and put Firefox, with the URL and fullscreen mode, in the autostart. This creates another problem though. You can get out of Firefox very easily, which would give you access to the whole system.
Security isn’t really an issue in this case since it will be in our office, but still. We didn’t want to leave it like this. What we ended up with isn’t exactly high security, but it’s better than nothing.
So, here is how we got a pretty good result.
Creating the custom “Kiosk Mode”
Creating the User
First, we need to create a user. At work, we used a domain user but for this, I will create a local one. Also, the screenshots are from a Windows 11 virtual machine, because I don’t have a fresh Windows 10 installation at the time of writing. The steps are identical though.
Search for and open “Computer Management”.
Navigate to “Local Users and Groups” -> “Users” and create a new user.
I set the username to “Monitor”.
Change the settings as you see fit. I removed the “User must change his password” and selected “Password never expires”.
Once that’s done, log out and log into the newly created user.
Setting the auto logon
Here you will run “Registry Editor” as an administrator.
We couldn’t really find a better way than this for the auto logon. The next step requires a clear-text password within the registry. I will update this if I ever find a better solution.
In the “Registry Editor” go to:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Here you need to create 3 new “String Value” entries. If you use a domain user, enter the username with the domain like this “yourdomain.local\username”.
AutoAdminLogon: 1
DefaultUserName: Monitor
DefaultPassword: YourSecretPassword
Setting the custom shell
That’s it for the auto logon. Next, we will change the shell to start our application on login instead of “explorer.exe”.
First, we need to find the SID for the “monitor” user.
For this, open the “Command Prompt” and input this command:
/home/user> wmic useraccount get name,sid
Name            SID
admin           S-1-5-21-3680040440-2024005519-3407374999-1001
Administrator   S-1-5-21-3680040440-2024005519-3407374999-500
DefaultAccount  S-1-5-21-3680040440-2024005519-3407374999-503
Guest           S-1-5-21-3680040440-2024005519-3407374999-501
Monitor         S-1-5-21-3680040440-2024005519-3407374999-1002
This will give us the ID of every user. Locate the one you created and keep a mental note of the last digits.
Now switch to “HKEY_USERS” in the “Registry Editor” and look for the ID that belongs to the newly created user. You can verify it by expanding the ID and clicking on “Volatile Environment”. Here you can check the “USERNAME” entry.
Once you have found the user, go to:
Computer\HKEY_USERS\ID\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
And create another “String Value” called “Shell”. Enter the application you want to start in place of explorer.exe. In my case, it will be Firefox in kiosk mode.
Shell: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://random-it-blog.de/" -kiosk
Once that’s done, you can reboot the system. It will automatically log in as the “Monitor” user and open the Firefox browser in kiosk mode.
Removing “Task Manager” from the CTRL+ALT+DEL menu
One issue remains though. Anyone could start explorer.exe from the “Task Manager”. So we want to disable that one as well.
Open the “Local Group Policy Editor” as administrator and navigate to
“User Configuration” -> “Administrative Templates” -> “System” -> “Ctrl + Alt + Del Options”.
Here you can remove options like changing password, logoff and the task manager.
Double click on “Remove Task Manager” and set it to “Enabled”.
If you are wondering about shortcuts like “CTRL + SHIFT + ESC” or “WIN + R”: they don’t work when replacing the “explorer.exe” startup (at least in my case).
To disable the auto logon, just set the “AutoAdminLogon” value to 0.
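A read-only check of the settings from the steps above, added here as an example and not part of the original post. It assumes a local account named “Monitor” and Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets; the DisableTaskMgr value under Policies\System is where Windows stores the “Remove Task Manager” policy, and the administrator-group check is an extra that the post does not cover.

```powershell
# Added example: read-only audit of the kiosk settings described in this post.
# Run elevated while the kiosk user is logged on; a user's hive is only
# mounted under HKEY_USERS during that user's session.
function Test-KioskConfig {
    param([string]$UserName = 'Monitor')   # local account name used in this post

    $sid      = (Get-LocalUser -Name $UserName -ErrorAction Stop).SID.Value
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userKey  = "Registry::HKEY_USERS\$sid\Software\Microsoft"
    $results  = [System.Collections.Generic.List[object]]::new()
    $add = { param($check, $value, $ok)
        $results.Add([pscustomobject]@{ Check = $check; Value = $value; OK = $ok }) }

    # Machine-wide auto logon values (string values, as created above)
    $wl = Get-ItemProperty -Path $winlogon
    & $add 'AutoAdminLogon'  $wl.AutoAdminLogon  ($wl.AutoAdminLogon -eq '1')
    & $add 'DefaultUserName' $wl.DefaultUserName ($wl.DefaultUserName -like "*$UserName")
    # Report presence only; never print the clear-text password itself.
    & $add 'DefaultPassword set (clear text)' ([bool]$wl.DefaultPassword) $true

    # The auto logon account should be a standard user, not a local administrator.
    $isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
                      Where-Object { $_.SID.Value -eq $sid })
    & $add 'Member of Administrators' $isAdmin (-not $isAdmin)

    if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
        & $add 'User hive loaded' $false $false
        return $results
    }

    # Per-user shell replacement: must exist and must not be explorer.exe
    $shell = (Get-ItemProperty "$userKey\Windows NT\CurrentVersion\Winlogon" `
              -ErrorAction SilentlyContinue).Shell
    & $add 'Per-user Shell' $shell ([bool]$shell -and $shell -notmatch 'explorer\.exe')

    # "Remove Task Manager" policy is stored as DisableTaskMgr = 1 (DWORD)
    $pol = Get-ItemProperty "$userKey\Windows\CurrentVersion\Policies\System" `
           -ErrorAction SilentlyContinue
    & $add 'DisableTaskMgr' $pol.DisableTaskMgr ($pol.DisableTaskMgr -eq 1)

    return $results
}

Test-KioskConfig -UserName 'Monitor' | Format-Table -AutoSize
```

Any row with OK = False points at a step that did not take effect or, for the administrator check, at an account with more rights than a display client needs.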
That’s it. There might still be ways to get around this makeshift kiosk mode, but I can’t think of any right now. Anyway, it is a simple solution to a problem we had.
Till next time.