Lock Down Kiosk Client Device

A computer running Windows 10 Enterprise, Windows 10 IoT, Windows 11 Enterprise/Pro, Windows 11 IoT can be locked down to prevent access to system components and prevent undesired keyboard short cut combinations.

Windows 10 Enterprise/Pro, Windows 10 IoT

Create Kiosk User account

Log in using an administrator account.
Put device in Tablet mode by going to Settings > System > Tablet mode and choose On.
Check that User Account Control (UAC) is turned on. Set to anything except "Never notify (Disable UAC)". in Control Pane\System Security\Security and Maintenance\Change user Account Control Settings
Create a standard windows user which will be used to run the Smart Guest Check-In application (name it kioskuser for example).
1. Go to Control Panel > Administrative Tools > Computer Management
2. In the Computer Management window go to System Tools > Local Users and Groups > Users
3. Right click in the middle pane and select New User
  1. Type in the Username
  2. Set a password
  3. Un-check User must change password at next logon
  4. Check User cannot change password and Password never expires
  5. Press Create button

Configuring OS settings

Enable the Device Lockdown Windows feature

Go to Control Panel > All Control Panel Items > Programs and Features and press Turn Windows features on or off.
Check the Device Lockdown feature and all its sub-features (Custom Logon, Keyboard Filter, Shell Launcher, Unbranded Boot, Unified Write Filter).
When prompted, restart the machine, log in as the Administrator account and continue the process.

Press Win+R and in the opened field type "gpedit.msc" to open the Local Group Policy Editor. In the Policy Editor set the following policies:

Recommended action	How to do it
Disable removable media	Go to Group Policy Editor > Computer Configuration > Administrative Templates\System\Device Installation\Device Installation Restrictions. Set “Prevent installation of removable devices” to Enabled. NOTE: To prevent this policy from affecting a member of the Administrators group, in Device Installation Restrictions, enable Allow administrators to override Device Installation Restriction policies.
Enable and schedule automatic updates	Go to Group Policy Editor > Computer Configuration > Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates, and select option 4 (Auto download and schedule the install) Note: Installations can take from between 30 minutes and 2 hours, depending on the device, so you should schedule updates to occur when a block of 3-4 hours is available.To schedule the automatic update, configure Schedule Install Day, Schedule Install Time, and Schedule Install Week.
Enable automatic restart at the scheduled time	Go to Group Policy Editor > Computer Configuration > Administrative Templates\Windows Components\Windows Update\Always automatically restart at the scheduled time
Hide update notifications	Go to Group Policy Editor > Computer Configuration > Administrative Templates\Windows Components\Windows Update\Display options for update notifications
Hide Ease of access feature on the sign-in screen (optional)	Go to Group Policy Editor > Computer Configuration > Administrative Templates > System>Logon > Hide entry points for Fast User Switching and set to enabled.
Remove the power button from the sign-in screen	Go to Group Policy Editor > Computer Configuration > Windows Settings > Security Settings > Local Policies >Security Options > Shutdown: Allow system to be shut down without having to log on and select Disabled.
Turn off app notifications on the lock screen	Go to Group Policy Editor > Computer Configuration > Administrative Templates\System\Logon\Turn off app notifications on the lock screen and set to enabled.
Remove the Change Password, Lock Computer, Task Manager, Logoff buttons from the Ctrl-Alt-Del screen (optional)	Go to Group Policy Editor > User Configuration > Administrative Template > System > Ctrl-Alt-Del Options and enable the remove option for the buttons you want to be removed from the Ctrl-Alt-Del screen Note: Leaving the Logoff button visible will allow an admin to logoff the special kiosk user account and change the logged in account for maintenance.
Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate commands (optional)	Go to Group Policy Editor > Computer Configuration > Administrative Template > Start Menu and Taskbar and enable Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate commands policy;
Hide the Logoff button from the task bar (optional)	Go to Group Policy Editor >User Configuration > Administrative Templates > Start Menu and Taskbar and Enable the Remove Logoff on the Start menu policy.
Hide the Change User Settings button from the task bar (optional)	Go to Group Policy Editor > Computer Configuration > Administrative Templates > Control Panel > User Accounts and enable the Apply the default account picture to all users policy.

Press Win+R and in the opened field type "regedit.exe" to open the Registry Editor. In the Registry Editor set the following keys:

Recommended action

How to do it

Replace "blue screen" with blank screen for OS errors

Add a new registry value as DWORD (32-bit) type with a value of 1: HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled

Block the use of specific system keyboard shortcuts.

Go to HKLM\Software\Microsoft\Windows Embedded\KeyboardFilter key and disable the keyboard shortcuts you intend to make unavailable for the kiosk user. Review the keyboard shortcuts and set the value from “Allowed” to “Blocked” for the undesired shortcuts. Recommended to disable the “Windows” shortcut. Edit DisableKeyboardFilterForAdministrators and set its value to 1. Keyboard filter will NOT be applied to the administrators leaving them with full access to the machine's commands.

Windows 11 Enterprise/Pro, Windows 11 IoT