So now I want to talk about the configurations that you would use in a typical kiosk scenario, and how you can use loopback processing in that scenario.

So some of the characteristics of a kiosk, and I mentioned some of these earlier, but they're typically running a single or very few applications. So it might just be, for example, the browser and nothing else. And it's usually completely locked down, especially if these are public machines or public-facing machines. You don't want the users to be getting in and mucking around with the system, restarting it or bringing up Registry Editor, all kinds of other things that you pretty much don't want to expose to a regular user. So the user can't do much in that typical kiosk system, in a typical kiosk application.

And it may even use a different interface from Explorer. So Windows has this capability of having custom user interfaces. And so, for example, a web kiosk may just be running a stripped-down version running in kiosk mode. And that's kind of a perfectly reasonable approach.

And it may have a dedicated kiosk user account on that machine. So it might be, for example, auto-logging on with a dedicated local account or even a domain account. Or it just could be using the user's regular account. So the user might walk up to a kiosk machine and log in with their normal account. They're not going to, obviously, get their normal desktop. They're going to get whatever the kiosk configuration is set to, using loopback policy.

So when running loopback processing in the kind of kiosk scenario, I almost always see the Replace mode of loopback used. That's simply because Replace mode says, I want to replace all of your normal user settings with these special loopback settings that I defined for the computer. Whereas Merge mode would apply both the kiosk user settings as well as the normal user settings that the user gets, which may result in a configuration that's not locked down at all. So there's lots of advantages in using Replace mode in these kinds of environments.

So let's look at kind of a typical design for the kiosk configuration. So you've got your kiosk OU, and you saw that I created that in my Active Directory environment. And the one thing I didn't show was the OU has been set with the Block Inheritance flag. And remember, I talked about that in an earlier module. Block Inheritance says block all the upstream GPOs from applying to this computer or the user. And the reason we do that is it allows us to ensure that the GPOs that are linked to this kiosk OU are the only ones that are applying for these computers and users, and it simplifies the deployment of a kiosk using loopback processing.

And then that loopback GPO is the thing that enables loopback Replace mode. And again, it could be one GPO or it could be multiple GPOs. But you can use those GPOs linked at the kiosk OU to set those per-computer or per-user settings. So you have it all defined in one place. All of the computer settings that are required for the kiosk computers, and all of the user settings that are required for users logging on to those kiosk computers, are all set within this confined environment. And that makes it really simple to ensure that you have the lockdown you're expecting to get.

Now, as I mentioned, kiosks typically lock down everything, and they even deliver a different user shell from Explorer. And you can do that using this Custom User Interface policy defined under User Configuration, Administrative Templates. It actually lets you set a custom shell for the user interface, and I'll show you that in a little bit.

Some other useful settings that you'll come across that you might want to consider, especially if you're not using a custom shell, are elements that lock down the user's desktop experience. So obvious ones would be this policy here for preventing access to the Shut Down, Restart, Sleep and Hibernate commands. The last thing you want is somebody coming up to a machine and shutting it down. So you can remove access to those commands with this policy here. And there are a number of other policies under the Start Menu and Taskbar folder that allow for similar kinds of lockdown. And then finally, another one is Prevent users from customizing their Start Screen. If you're delivering a custom Start menu, or if it's Windows 8.x and you're delivering a custom Start screen, the last thing you want is users rearranging icons or adding icons. And this policy will allow you to sort of lock down that Start screen experience.

So now let's go ahead and deploy a kiosk configuration, and I'll show you a little bit about what that looks like.