Script to lock down Windows 10 Enterprise?

nkarcher88

New member
Aug 25, 2016
I have a client with Windows 10 Enterprise who would like to "lock down" their Windows 10 devices to only use an IPTV Streaming program called InStream Mobile.

I have looked into Kiosk Mode, but you can only configure it to use a Windows Store App (what a shame). There is no Windows Store App for InStream Mobile or another compatible third party IPTV Streaming app. So, I have done some research to find a successful way to have a user log on and only be able to use this InStream Mobile program. I have not had much luck.

Just to be clear, the client doesn't want the user to be able to browse the internet, browse the computer's C: Drive or files or any other programs.

I think it's a little too "picky" of a request, but what do I know? Any ideas or feedback would be greatly appreciated! And yes, I've tried some of the PowerShell commands but they have been unsuccessful as well.
 

ckacer

New member
May 10, 2017
Even though this is a question from last year, I thought I would share what I have learned for Windows 10.

The best way to be able to use an app of your choice is to make a registry change. I copied some of the info below to create my own knowledge document.

How to edit the Registry to create a Kiosk:

http://searchenterprisedesktop.tech...iosk-mode-locks-down-PCs-but-note-workarounds

Click start and type regedit.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

A registry entry called "Shell" is configured to start Explorer.exe. This executable is the Windows desktop environment. The OS allows you to run your application in place of the Windows Explorer shell.
Once the app's EXE path is specified in the above registry key location and the next time a user logs on to the Windows PC, the OS runs the app rather than launching the Windows Explorer shell. Replacing Explorer.exe with a choice of application EXE to start when a user logs on to the computer is sometimes referred to as "kiosk mode."

• Since the kiosk mode is configured per machine, you don't have control over which users can access which applications. For example, the configuration approach described above also applies to local administrator accounts.
• Users with administrative rights can launch the Windows Registry Editor via Task Manager and modify the registry entry value to run any other application.
• Users can switch to the desktop by pressing the ALT+ESC key combination.
• Users can also close the application by pressing the ALT+F4 key combination.
• Users can kill the application using Task Manager and launch Explorer.exe via Task Manager > Run, which in turn allows users to access the desktop.
If you wanted to completely lock down a workstation -- making sure, for example, that users do not use the ALT+CTRL+DEL key combination to kill an application -- you could configure various Group Policy settings to disable Task Manager, etc. However, this will not help in a complete lockdown of a workstation. A smart user could always break this functionality by using a number of techniques.

This does leave a back door open for 'Smart Users' possibly.
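
An audit of the setup described in this answer, as an added example that is not part of the original post or the article it quotes: it checks the machine-wide Winlogon `Shell` value and the conditions behind the listed workarounds (an administrator kiosk account, Task Manager and the registry editor left enabled). The shell path and the account name `kiosk` are placeholders; `DisableTaskMgr` and `DisableRegistryTools` are the standard per-user policy values that the "disable Task Manager, etc." Group Policy settings write.

```powershell
# Added example: audit a Winlogon "Shell" kiosk against the workarounds listed above.
# Run from an elevated PowerShell 5.1 session on the kiosk PC.
param(
    [string]$ExpectedShell = 'C:\Kiosk\InStreamMobile.exe',  # placeholder path (assumption)
    [string]$KioskUser     = 'kiosk'                          # placeholder local account (assumption)
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Check, $Ok, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; OK = $Ok; Detail = $Detail })
}

# 1. Machine-wide shell value (the default is explorer.exe).
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
Add-Finding 'Winlogon Shell' ($shell -eq $ExpectedShell) "current value: $shell"

# 2. The replacement shell must exist, or the session starts with no shell at all.
Add-Finding 'Shell executable present' (Test-Path -LiteralPath $ExpectedShell -PathType Leaf) $ExpectedShell

# 3. Administrators can edit the Shell value back, so the kiosk account must not be one.
$user = Get-LocalUser -Name $KioskUser -ErrorAction SilentlyContinue
if (-not $user) {
    Add-Finding 'Kiosk account' $false "local user '$KioskUser' not found"
} else {
    $sid     = $user.SID.Value
    $admins  = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    $isAdmin = $admins.SID.Value -contains $sid
    Add-Finding 'Kiosk account is not an administrator' (-not $isAdmin) "SID $sid"

    # 4. Per-user policies that close the Task Manager and regedit routes.
    #    The user's hive is only present under HKEY_USERS while that user is logged on.
    $pol = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
        Add-Finding 'Per-user policies' $false 'hive not loaded; log the kiosk user on and re-run'
    } else {
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            $value = (Get-ItemProperty -Path $pol -Name $name -ErrorAction SilentlyContinue).$name
            Add-Finding $name ($value -ge 1) "value: $value"
        }
    }
}

$findings | Format-Table -AutoSize
```

A passing result only covers the Task Manager and registry routes; ALT+F4 and ALT+ESC from the list above are not addressed by these settings.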
 
