In my travels, I meet lots of IT Pros with really interesting use cases for deploying Windows clients and servers. This week, I spoke with a couple of IT Pros who are planning a pilot deployment of Windows 7 and Windows 8 PCs to replace a fleet of aging Windows XP-based kiosk workstations. These kiosks will be located in public areas, such as libraries and airports, and will run a restricted set of touch screen applications. One set of requirements for these Kiosk machines is to ensure that users cannot interactively shut down, log off, lock the workstation or switch user accounts. My IT Pros had configured this successfully with Windows XP, but were experiencing some challenges replicating this configuration with Windows 7 and Windows 8.
Below are the steps to disable interactive shutdown, logoff, lock workstation and switch user accounts on Windows 7 and Windows 8. I've provided these steps both for machines that are part of a domain environment and for isolated machines that are running only in a workgroup.
NOTE: If you're testing these steps on Windows 8, please be sure you are running the Windows 8 Release Preview or later (you can download the Release Preview at https://aka.ms/DLW8RP). Some of these steps did not work properly prior to the Release Preview being available.
For Windows PCs in a Domain Environment
If your PCs are in an Active Directory domain, you can leverage Active Directory Group Policies to deploy the appropriate settings. Be sure to include the settings below in your Group Policy for the user accounts and workstations that will be running as a Kiosk. After creating this Group Policy, you can test by running gpupdate /force and then restarting the PC.
- User Configuration
  - Administrative Templates
    - Start Menu and Taskbar
      - Change Start Menu power button (enabled) - set to "Lock" (I know this sounds weird, but Windows 7 won't completely disable Logoff if the Start Menu power button is defaulting to the Logoff action).
      - Remove Logoff on the Start Menu (enabled)
      - Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate commands (enabled)
    - Ctrl+Alt+Del Options
      - Remove Lock Computer (enabled)
      - Remove Logoff (enabled)
- Computer Configuration
  - Administrative Templates
    - Hide entry points for Fast User Switching (enabled)
For Windows PCs not in a Domain Environment
If your PCs are not in an Active Directory domain, then you'll need to make the changes below manually at each Kiosk PC. Note that you may be able to automate the changes via the use of operating system imaging tools and local mandatory user profiles - leave a comment below if you have interest in those steps.
- Log in at each Kiosk PC using a user account that will ultimately be used to run the Kiosk desktop applications.
- Launch the Windows Registry Editor (REGEDIT.EXE) and make the following changes to the registry (note that you may need to temporarily grant local Administrative access to your Kiosk user account to do this if it is already in a very locked down state):
  - NoClose (REG_DWORD) = 1
  - NoLogoff (REG_DWORD) = 1
  - StartMenuLogOff (REG_DWORD) = 1
  - DisableLockWorkstation (REG_DWORD) = 1
  - HideFastUserSwitching (REG_DWORD) = 1
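
The registry changes listed above can also be checked and applied with PowerShell. This is an added example, not code from the original post. The post gives only the value names, so the key paths and the function name `Get-KioskLockdownState` are assumptions of this example, using the standard Windows policy locations for these values.

```powershell
# Added example: audit (and optionally set) the five kiosk lockdown values.
# ASSUMPTION: the key paths below are the standard Windows policy locations
# for these value names; the post itself lists only the value names.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$userSys  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$machSys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$settings = @(
    @{ Path = $explorer; Name = 'NoClose' },
    @{ Path = $explorer; Name = 'NoLogoff' },
    @{ Path = $explorer; Name = 'StartMenuLogOff' },
    @{ Path = $userSys;  Name = 'DisableLockWorkstation' },
    @{ Path = $machSys;  Name = 'HideFastUserSwitching' }
)

# Hypothetical helper: returns one object per value. With -Apply it first
# writes REG_DWORD = 1, creating the key if it does not exist yet.
function Get-KioskLockdownState {
    param([switch]$Apply)

    foreach ($s in $settings) {
        if ($Apply) {
            if (-not (Test-Path $s.Path)) {
                New-Item -Path $s.Path -Force | Out-Null
            }
            New-ItemProperty -Path $s.Path -Name $s.Name -Value 1 `
                -PropertyType DWord -Force | Out-Null
        }

        # A missing key or value yields $null, which is reported as non-compliant.
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($s.Name) } else { $null }

        New-Object PSObject -Property @{
            Name      = $s.Name
            Actual    = $actual
            Compliant = ($actual -eq 1)
            Path      = $s.Path
        }
    }
}

# Report only; makes no changes.
Get-KioskLockdownState | Format-Table Name, Actual, Compliant, Path -AutoSize

# To write the values instead:
#   Get-KioskLockdownState -Apply | Format-Table Name, Actual, Compliant -AutoSize
```

Run it while logged in as the Kiosk account, because the HKCU values are per-user; writing the HKLM value requires an elevated session.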