1
00:00:03,070 --> 00:00:07,120
So let's see how we can implement a kiosk using loopback policy.

2
00:00:08,100 --> 00:00:12,390
So I've got this kiosk user settings GPO that you see here.

3
00:00:13,370 --> 00:00:14,960
And if I go up to my kiosk

4
00:00:14,960 --> 00:00:21,080
OU, you'll remember that I had the kiosk GPO that actually implements loopback policy here.

5
00:00:22,030 --> 00:00:26,350
And then I decided to break out my user settings that I want to deliver to the user

6
00:00:26,440 --> 00:00:29,500
in this separate kiosk user settings GPO.

7
00:00:30,430 --> 00:00:33,160
So if I go ahead and edit that GPO,

8
00:00:34,120 --> 00:00:37,990
I'll show you some settings that I've made to try and lock down my kiosk.

9
00:00:38,960 --> 00:00:44,270
The first and most important setting is I've set the custom user interface policy.

10
00:00:45,230 --> 00:00:51,560
So if I come in here under user configuration, admin templates, system, the custom user interface lets

11
00:00:51,560 --> 00:00:54,200
me set a different shell from the Explorer shell.

12
00:00:55,170 --> 00:00:58,500
And what you see here is that I have set the program files,

13
00:00:59,470 --> 00:01:03,810
Internet Explorer, iexplore -k. Now, running iexplore,

14
00:01:03,820 --> 00:01:06,820
that's the Internet Explorer browser, with the -k option

15
00:01:07,760 --> 00:01:10,100
puts IE into a kiosk mode.

16
00:01:11,050 --> 00:01:17,080
It's a special mode of IE where all of the normal user controls are unavailable and all you see is

17
00:01:17,080 --> 00:01:17,770
the browser.

18
00:01:18,760 --> 00:01:25,090
So by specifying IE as the custom user interface, I'm essentially telling Windows not to run Explorer

19
00:01:25,090 --> 00:01:27,760
anymore, but to run IE as the shell.

20
00:01:28,740 --> 00:01:35,160
So I've got that set and I've also made a couple of other system lockdowns under start menu and taskbar.

21
00:01:36,120 --> 00:01:37,950
I've locked the taskbar.

22
00:01:38,890 --> 00:01:44,060
I've used that setting that I had in one of my previous slides to prevent access to the shut down,

23
00:01:44,080 --> 00:01:47,020
restart, sleep and hibernate commands.

24
00:01:48,010 --> 00:01:52,180
And I've enabled the policy to remove log off from the start menu.

25
00:01:53,100 --> 00:01:59,100
So I don't want any semblance of giving the user the ability to get to or log off or shut down the system.

26
00:02:00,030 --> 00:02:04,590
Now, the other thing that I've done is under system, control alt delete options.

27
00:02:04,740 --> 00:02:09,960
There are a set of four policies that let me remove the change password, lock computer, task manager

28
00:02:09,960 --> 00:02:13,200
and log off policies from the control alt delete screen.

29
00:02:14,150 --> 00:02:20,540
So the user is no longer able to perform activities like locking the computer or logging off or even

30
00:02:20,540 --> 00:02:22,700
changing their password from that screen.

31
00:02:23,660 --> 00:02:28,550
So I've set all these policies up under the kiosk user settings GPO.

32
00:02:29,440 --> 00:02:35,050
And I'm going to go ahead and, remember from a previous slide, I talked about setting block inheritance

33
00:02:35,050 --> 00:02:35,830
on the kiosk

34
00:02:35,830 --> 00:02:36,520
OU.

35
00:02:37,460 --> 00:02:43,580
I'm going to go ahead and do that so I don't get any superfluous upstream computer GPOs or even user

36
00:02:43,580 --> 00:02:49,700
GPOs from any upstream GPOs like the default domain policy or the domain wide settings.

37
00:02:50,680 --> 00:02:54,880
If either of those had computer or user policies in them, I would.

38
00:02:55,830 --> 00:03:01,440
If I hadn't set block inheritance here, then my user logging into my kiosk machine would still get

39
00:03:01,440 --> 00:03:01,890
those.

40
00:03:02,850 --> 00:03:08,220
Now one thing to note is the user, even though we're in replace mode here in loopback processing,

41
00:03:08,220 --> 00:03:13,410
the user will still get some of their normal user settings that aren't overridden by the kiosk user

42
00:03:13,410 --> 00:03:13,980
settings.

43
00:03:14,980 --> 00:03:21,070
So in other words, the only time the kiosk user settings are going to replace the user's existing settings

44
00:03:21,070 --> 00:03:25,210
is if they are conflicting with or overriding the user's normal settings.

45
00:03:26,190 --> 00:03:30,780
The user will still get some of their normal settings when they log into the kiosk.

46
00:03:31,690 --> 00:03:37,300
But in the case of my configuration here, because I have set the custom user interface, none of those

47
00:03:37,300 --> 00:03:41,920
settings are really going to apply because all they're going to have access to is IE.

48
00:03:42,860 --> 00:03:47,840
So let's go ahead and log on to my Windows client and we'll see what happens when we do that.

49
00:03:48,790 --> 00:03:52,360
I'm going to log in with my good old Joe sales user account.

50
00:03:53,370 --> 00:03:56,820
So now I'm logging in as my Joe sales user account.

51
00:03:57,840 --> 00:04:03,840
You'll see it's applying all of my normal user policies, but it also applied my kiosk loopback settings

52
00:04:03,840 --> 00:04:05,610
to the user in replace mode.

53
00:04:06,510 --> 00:04:12,150
And what you're seeing coming up is essentially a user interface that no longer includes the Explorer,

54
00:04:12,390 --> 00:04:15,180
but rather includes IE in this kiosk mode.

55
00:04:16,160 --> 00:04:20,090
And you'll notice that it doesn't have any windows or menu options on it.

56
00:04:21,090 --> 00:04:24,470
It just says whatever home page I've specified here.

57
00:04:25,400 --> 00:04:31,610
And if I try to, for example, do a control alt delete to get to the control alt delete screen, you'll

58
00:04:31,610 --> 00:04:33,860
notice all of my options are unavailable.

59
00:04:34,860 --> 00:04:40,380
So essentially I've, thanks to policy, I've removed all those options I would normally have.

60
00:04:41,300 --> 00:04:46,880
And now the user is really stuck in this mode where all they can do is browse the Internet using this

61
00:04:46,880 --> 00:04:47,450
page.

62
00:04:48,380 --> 00:04:53,810
And normally what you would do in a kiosk configuration is you'd set the homepage to be something like

63
00:04:53,810 --> 00:04:59,150
your Internet page or whatever application website you want the user to be able to go to within this

64
00:04:59,150 --> 00:04:59,780
kiosk.

65
00:05:00,760 --> 00:05:06,100
So it gives you that ability to lock down the user to doing a single function, and they really can't.

66
00:05:06,280 --> 00:05:09,190
Thanks to policy, they really can't do much else.

67
00:05:10,180 --> 00:05:15,700
So that's in a nutshell how using loopback processing can work in kiosk environments.