Title
Create new category
Edit page index title
Edit category
Edit link
Kiosk Hardening
All OPSWAT Kiosk appliances ship by default with our Hardened Image. For customers who are installing the Kiosk application on their own custom hardware OPSWAT recommends that the following steps to harden the operating system.
Auto login
If MetaDefender Kiosk is being used on a dedicated system we recommend that the Windows system on the kiosk is configured to auto-login into the account with Administrator privileges that Kiosk will run with. If the Kiosk system is part of a domain additional steps may be required to allow this.
User Access Control (UAC)
OPSWAT recommends that UAC is disabled on systems that are being used as dedicated MetaDefender Kiosks. If UAC is not disabled MetaDefender Kiosk's watchdog functionality may not work correctly.
There are two ways to completely disable UAC in Windows:
By editing the registry
Click Start and type
regedit.exeto open the Registry EditorNavigate to the registry key at HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies > System
Set
EnableLUAto0Restart Windows
By adjusting Local Group Policy settings
Click Start and type
gpedit.mscto open the Group Policy EditorNavigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Right pane is populated with policies, locate the ones for User Access Control and set:
User Account Control: Only elevate executables that are signed and validated → Enabled
User Account Control: Switch to the secure desktop when prompting for elevation→ Disabled
Restart Windows
Windows Update
Install all patches and updates available through Windows Update. Once all updates are installed, OPSWAT recommends that automatic updates are turned off to prevent system reboots.
Navigate to Start > Control Panel > Windows Update > Change settings
Select Never check for updates from the menu
Click Apply or OK and close the dialog box
If turning off automatic updates is not desired, a process must be configured to restart the MetaDefender Kiosk system. We recommend using standard organizational patch practices and tools.
Setting the power saving options
Select the maximum performance power saving option.
Navigate to Start > Control Panel > Power Options
Click Change plan settings
Click Change advanced power settings
Select High Performance from the menu
Click OK
Disabling mouse cursor pointer
This configuration is optional. Once these steps are taken, there will be no visible mouse pointer.
OPSWAT recommends that mouse cursor points are turned off after MetaDefender Kiosk has been configured. If the system touchscreen configuration software does not have this feature, it can be done manually by following the steps below:
Navigate to Start > Control Panel > Mouse
Click the Pointers tab
Browse to
C:\Program Files (x86)\OPSWAT\Metadefender Kiosk\Client\blank.curCustomize each pointer type to the provided blank pointer:
blank.curClick Apply and close the dialog box.
Disabling hotkeys
By default, the Kiosk will ignore any command that is a combination of Ctrl and another key.
The Ctrl + Alt + Del combination is disabled once you launch the Kiosk. When a user presses these keys, it is expected to see a screen with no options displayed.

If you want to disable completely where nothing happens, please follow how to disable Windows hot keys.
Enable Bitlocker Drive Encryption
To protect data and prevent unauthorized access, we recommend enabling BitLocker Drive Encryption on the system and data drives to safeguard sensitive information in the event of theft, loss, or unauthorized access.
For detailed configuration steps, please refer to Enable Bitlocker guide.
Other system hardening configuration
MetaDefender Kiosk does the following system hardening when installed:
Disables auto-run on all plug-and-play media and drives
Captures and disables all hotkey combinations such as the
Windows Key,Alt+Tab, etc... when Kiosk is running