ISO Windows 10 Lockdown Software

[melchiorvester]

I work in the IT department for a company and we are starting to roll out windows 10 computers out to kiosk. The kiosk out there are currently running windows 7 with a lock down system so they can only do limited things, like they cant change settings, move icons, pretty much tamper with the computer. 

 

We currently have Security Administrator 14 which works well for windows 7 and lower but doesn't work well with windows 10.

Security Administrator:   http://www.softheap.com/secagent.html

 

Was wondering if anyone had suggestions on lock down software for kiosk or other computers within a company to prevent changes unless you have a password or administration from IT.

[Tabs]

@melchiorvester 

 

Is there something specific you need this software to do that isn't already possible with group policy objects and limited user accounts? It wouldn't surprise me if you could run a safer/more secure setup with Windows alone, with the requisite application of GPO's and deployment tools like WDT and SCCM.

[melchiorvester]

8 minutes ago, Tabs said:

@melchiorvester 

 

Is there something specific you need this software to do that isn't already possible with group policy objects and limited user accounts? It wouldn't surprise me if you could run a safer/more secure setup with Windows alone, with the requisite application of GPO's and deployment tools like WDT and SCCM.

We need to be able to disable it at times we need to fix something on the computer without effecting all the other computers that have the same login, like our kiosks have all the same login, with the software we had before we typed in a password and disabled the restrictions just for that computer. So I don't believe that GPO's will work.

[Tabs]

7 minutes ago, melchiorvester said:

We need to be able to disable it at times we need to fix something on the computer without effecting all the other computers that have the same login, like our kiosks have all the same login, with the software we had before we typed in a password and disabled the restrictions just for that computer. So I don't believe that GPO's will work.

This is why you use different user accounts - don't make the kiosk account an administrator, and then use the built in windows user switching functionality for logging on as an administrator. Group policies can be set on a per user basis.

[Tabs]

@melchiorvester

 

This Microsoft document describes in detail how to use "Assigned Access", which is basically just a lockdown policy for a computer running Windows 10. It goes into a lot of detail that you may find useful, and Assigned Access is the replacement for most of what Windows 7 Embedded used to do, since there isn't a Windows 10 Embedded SKU.

[Radium_Angel]

32 minutes ago, melchiorvester said:

I work in the IT department for a company and we are starting to roll out windows 10 computers out to kiosk. The kiosk out there are currently running windows 7 with a lock down system so they can only do limited things, like they cant change settings, move icons, pretty much tamper with the computer. 

 

We currently have Security Administrator 14 which works well for windows 7 and lower but doesn't work well with windows 10.

Security Administrator:   http://www.softheap.com/secagent.html

 

Was wondering if anyone had suggestions on lock down software for kiosk or other computers within a company to prevent changes unless you have a password or administration from IT.

Limited user and GPO

[melchiorvester]

8 minutes ago, Tabs said:

This is why you use different user accounts - don't make the kiosk account an administrator, and then use the built in windows user switching functionality for logging on as an administrator. Group policies can be set on a per user basis.

 

4 minutes ago, Tabs said:

@melchiorvester

 

This Microsoft document describes in detail how to use "Assigned Access", which is basically just a lockdown policy for a computer running Windows 10. It goes into a lot of detail that you may find useful, and Assigned Access is the replacement for most of what Windows 7 Embedded used to do, since there isn't a Windows 10 Embedded SKU.

After looking into it I believe this will not work for out case. We don't want to create 60+ user accounts or groups, with a single account we can manage the single user used for the computers. But with GPO and the Windows kiosk server it would effect all computers if we needed to change something. Going into local administrator wouldn't solve issues that come up. This software isn't just for kiosk, its also for other plant computers that need more access like a full windows UI and not limited to the apps we give it.