Configuring Windows 10 single-app kiosk with Chrome browser
This article provides instructions for configuring a Windows 10 single-app kiosk with the Chrome browser. The instructions were created for Windows 10 IoT Enterprise LTSC 2019. Use these instructions when assigned access kiosk mode does not support desktop apps.
Recommended Microsoft Windows 10 skills:
Managing Windows Group Policy (GPO)
Managing Local Users and Groups
Managing File and Folder Permissions
Creating PowerShell scripts
Creating batch files (.bat)
Instructions:
[Login with admin access]
- Sign in to a local administrator user account.
[Create kiosk user account]
- Press Windows + R keys, type in compmgmt.msc, and then click OK to launch Computer Management.
- Expand System Tools > Local Users and Groups > Users.
- In the right pane, right-click the area and then choose New User.
- Enter a username for the kiosk user account and then set a password. In this example, the kiosk user account was named KioskUser1.
- To skip using a password for login, leave password fields blank.
- Uncheck User must change password at next login.
- Checkmark Password never expires.
- Click Create and then click Close.
- Double-click on the newly created kiosk user account.
- On the Member Of tab, click Add, type in Administrators, and then click OK.
- Click OK again. Close the Computer Management windows when finished.
[Install Chrome browser]
- Press Windows + R keys, type in iexplore.exe, and then click OK to launch Internet Explorer.
- Select Use recommended security and compatibility settings, and then click OK.
- Go to https://chromeenterprise.google/browser/download/#windows-tab
- Click Download.
- Uncheck Help make Google Chrome better by automatically sending usage statistics and crash reports to Google, and then click Accept and download.
- Click Save.
- Click Open folder.
- Right-click on the downloaded file, and then click Extract All.
- Click Extract.
- Go to the Installers folder, and then run GoogleChromeStandaloneEnterprise64.msi. When the Chrome browser has finished installing, move to the next step.
[Install Chrome management policies]
- Press Windows + R keys, type in C:\ and then click OK to launch File Explorer.
- Go to the file path C:\Windows\
- Right-click on the PolicyDefinitions folder, and then select Properties.
- On the Security tab, click Advanced.
- In the Owner section, click Change.
- Type in Administrators, and then click OK.
- Checkmark Replace owner on subcontainers and objects, and then click OK.
- Click OK.
- Click OK.
- Open the extracted Chrome setup files folder.
- Go to the Configuration > admx folder, and copy all of its contents into C:\Windows\PolicyDefinitions. Close the folder when finished.
[Configure Chrome management policies]
- Press Windows + R keys, type in gpedit.msc, and then click OK to launch Group Policy Editor.
- Configure policies per organization requirements.
- Use the shell launcher PowerShell script mentioned later in the instructions to set the home page URL. Home page URL options configured under the Chrome policies container Startup, Home page, and New Tab will not apply.
- Policy 1: Computer Configuration > Administrative Templates > Google > Google Chrome > double-click on Clear Browsing Data on Exit. Click Enable, click Show, and then enter which types of browsing history should be cleared on exit. For example, enter browser_history to clear browsing history. Click Enable, and then click OK.
- Policy 2: Computer Configuration > Administrative Templates > Google > Google Chrome > double-click on Disable synchronization of data with Google.
- Optionally, use Command Prompt to run gpupdate /force to apply changes immediately.
[Log into kiosk user account]
- Click Start, click the user icon, and then select the kiosk user account.
- Click Sign in.
[Configure kiosk user account]
- Right-click on the desktop background, and then click display settings.
- Adjust scale and layout as needed. Close the settings window when finished.
- Make any other necessary changes under the kiosk user profile.
[Create a script to close Chrome browser when screen saver is triggered]
The shell launcher PowerShell script mentioned later in the instructions configures Chrome to restart whenever it is closed. Closing Chrome causes the browsing history to clear. Configuring a screen saver triggers the close automatically.
- Create a new text file with taskkill /IM "chrome.exe" as its contents, and then save the file.
- Rename the text file extension from .txt to .bat to change to a batch file.
- Using a .bat to .exe converter utility, convert the file. In this example, the Advanced BAT to EXE Converter v4.23 utility was used. The file was renamed to CloseChrome.exe
- Open Chrome browser and then double-click the newly converted .exe file to verify the action to close the Chrome browser is working.
- Rename the .exe file extension to .scr to change the file to a screen saver file type.
- Copy the file into the C:\Windows directory.
- Open Settings > Personalization > Lock screen > Screen saver settings.
- Choose the newly created screen saver file, set a duration when to run, and then click OK.
- Click Start, click the user icon, and then sign out.
[Login with admin access]
- Go back into the local administrator user account.
[Install shell launcher]
- Go to Control Panel > Programs > Turn Windows features on or off.
- Expand on Device Lockdown, and then checkmark Shell Launcher and then click OK.
- Click Close. Close the Programs windows when finished.
[Configure shell launcher]
- Open Windows PowerShell ISE in admin mode.
- Copy the PowerShell script from the box below into the PowerShell ISE script pane.
- Run sections from the script top to bottom as needed using the F8 key.
- Save PowerShell script for future reference.
```powershell
# Set variables
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"

# Create a handle to the class instance so we can call the static methods.
$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"

# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
$Admins_SID = "S-1-5-32-544"

# Create a function to retrieve the SID for a user account on a machine.
function Get-UsernameSID($AccountName) {
    $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
    $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
    return $NTUserSID.Value
}

# Get the SID for a user account named "KioskUser1". Change the name KioskUser1 to match the spelling of the kiosk user account created earlier.
$Kiosk_SID = Get-UsernameSID("KioskUser1")

# Define actions to take when the shell program exits.
$restart_shell = 0
$restart_device = 1
$shutdown_device = 2
$do_nothing = 3

# Examples

# Set the command prompt as the default shell, and restart shell if it's closed.
$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_shell)

# Display the default shell to verify that it was added correctly.
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction

# Set Chrome browser as the shell for "KioskUser1", and restart shell if it's closed. Change home page URL as needed.
$ShellLauncherClass.SetCustomShell($Kiosk_SID, "%ProgramFiles%\Google\Chrome\Application\chrome.exe --kiosk https://www.elotouch.com", ($null), ($null), $restart_shell)

# Set Explorer as the shell for administrators.
$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")

# View all the custom shells defined.
"`nCurrent settings for custom shells:"
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction

# Enable shell launcher feature
$ShellLauncherClass.SetEnabled($TRUE)

# Disable shell launcher feature (run this section only when reverting the kiosk setup)
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
$ShellLauncherClass.SetEnabled($FALSE)

# Remove the new custom shells. Requires $Admins_SID and $Kiosk_SID from the sections above.
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Kiosk_SID)
```
[Remove admin permission from kiosk user account]
- Press Windows + R keys, type in compmgmt.msc, and then click OK to launch Computer Management.
- Expand System Tools > Local Users and Groups > Users.
- Double-click on the kiosk user account, and then go to the Member Of tab.
- Select Administrators, click Remove, and then click OK.
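The state these steps leave behind can be checked from the administrator session before the kiosk account goes into service. The script below is an added example, not part of the original article. It assumes the KioskUser1 account name used above, an elevated Windows PowerShell 5.1 session, the optional-feature name Client-EmbeddedShellLauncher for Shell Launcher, and the HKLM\SOFTWARE\Policies\Google\Chrome registry location for Chrome computer policies.

```powershell
# Added verification example; not part of the original article.
# Assumptions: elevated Windows PowerShell 5.1, kiosk account named KioskUser1.
$KioskUser = "KioskUser1"
$Namespace = "root\standardcimv2\embedded"
$Results   = New-Object System.Collections.ArrayList

function Add-Check($Name, $Passed, $Detail) {
    [void]$Results.Add([pscustomobject]@{ Check = $Name; Passed = [bool]$Passed; Detail = "$Detail" })
}

# 1. The temporary Administrators membership must be gone.
$KioskSid  = (New-Object System.Security.Principal.NTAccount($KioskUser)).Translate(
                 [System.Security.Principal.SecurityIdentifier]).Value
$AdminSids = @(Get-LocalGroupMember -SID "S-1-5-32-544" | ForEach-Object { $_.SID.Value })
Add-Check "Kiosk user not in Administrators" ($AdminSids -notcontains $KioskSid) $KioskSid

# 2. Shell Launcher must be installed, enabled, and mapped to Chrome for the kiosk SID.
$Feature = Get-WindowsOptionalFeature -Online -FeatureName "Client-EmbeddedShellLauncher"
Add-Check "Shell Launcher feature installed" ($Feature.State -eq "Enabled") $Feature.State
try {
    $Class = [wmiclass]"\\localhost\${Namespace}:WESL_UserSetting"
    Add-Check "Shell Launcher enabled" ($Class.IsEnabled().Enabled) ""
    $Kiosk = Get-WmiObject -Namespace $Namespace -Class WESL_UserSetting |
             Where-Object { $_.Sid -eq $KioskSid }
    # A missing entry leaves $Kiosk empty, so both checks below report False.
    Add-Check "Kiosk shell is Chrome with --kiosk" ($Kiosk.Shell -match 'chrome\.exe\s+--kiosk') $Kiosk.Shell
    Add-Check "Kiosk shell restarts on exit (action 0)" ($Kiosk.DefaultAction -eq 0) $Kiosk.DefaultAction
} catch {
    Add-Check "Shell Launcher WMI class reachable" $false $_.Exception.Message
}

# 3. Chrome computer policies from the Group Policy step.
$Policy  = "HKLM:\SOFTWARE\Policies\Google\Chrome"
$Sync    = (Get-ItemProperty -Path $Policy -ErrorAction SilentlyContinue).SyncDisabled
Add-Check "Policy 2: sync disabled" ($Sync -eq 1) $Sync
$ListKey = Get-Item -Path "$Policy\ClearBrowsingDataOnExitList" -ErrorAction SilentlyContinue
$Types   = @(if ($ListKey) { $ListKey.Property | ForEach-Object { $ListKey.GetValue($_) } })
Add-Check "Policy 1: data types cleared on exit" ($Types.Count -gt 0) ($Types -join ", ")

# Report every check, then flag the run if anything failed.
$Results | Format-Table -AutoSize -Wrap
if ($Results.Passed -contains $false) {
    Write-Warning "Kiosk verification failed; review the rows above."
}
```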
[Log into kiosk user account]
- Click Start, click the user icon, and then select the kiosk user account.
- Click Sign in.
The kiosk user account configuration is now complete.
Optionally, remove the physical keyboard if attached.
Other recommended settings:
- Enable safe browsing protection level (Chrome GPO)
- Disable Incognito mode (Chrome GPO)
- Set screen to never turn off
- Disable automatic sleep
- Turn off hard disk after never
- Rename computer
- Show the touch keyboard when there's no keyboard attached
- Set default web browser to Chrome
- Push Chrome GPOs through an organization domain
Note:
- Shell launcher settings should be configured after sysprep.