Desktop Lockdown: elaborated vs ‘Agile’ way of doing it
Desktop lockdown is a way to simplify the use of a computer dedicated to a single task. Allowing only dedicated programs to run makes it difficult for users to compromise the system, whether intentionally or not.
This configuration is useful whenever you want to create an information kiosk, a point of sale or another system used by people in a public place. In the office it can make a thin-client-style remote access workspace easier to use; it can also be useful for configuring a computer dedicated to the control of a machine. Basically, with desktop lockdown we want Windows to have an autologin account that runs only certain applications.
There are various ways to achieve this result, depending on your operating system. In this article we will go through two different ways of doing it: setting the registry keys in Windows, and using Praim Agile Mode.
By using Windows
Windows 10 Enterprise and Education have the AppLocker feature to facilitate the setup of a dedicated computer. The procedure still requires defining a set of rules through Local Security Policy and Local Group Policy on each machine. At the following link you can find the steps needed to set up your PC for this application:
Generally you can get a specialised machine for an application in this way:
- Create a new user and set it to autologin
- Limit the operations available through Ctrl-Alt-Del at user switching
- Start a launcher or your preferred application instead of the default Windows shell (explorer.exe).
Let’s look at these operations in detail:
Create a new user (Lockdown) and set a password (Lockdp$d) that does not expire. To log this user in automatically at startup, add the following registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="Lockdown"
"DefaultPassword"="Lockdp$d"
In this way the user cannot change the password or launch other programs with the Task Manager.
- Limit Ctrl-Alt-Delete
Log in as the Lockdown user, so that the system creates all of that user's directories.
Add the registry keys for the restrictions:
- Change shell
To change the user shell you need to add another registry key for that user:
An easy way to manage more programs at startup is to use a .vbs script.
In this case:
"wscript /b /nologo c:\Lockdown\Launch.vbs"
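' Launch.vbs: start the kiosk browser, wait until it exits, then power off
Set shell = CreateObject("WScript.Shell")
shell.Run "iexplore.exe -K www.praim.com", 1, True
shell.Run "shutdown /s /t 0"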
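A check for the three steps above, added here as an example and not part of the original article: it parses registry export text in the format shown earlier and reports which lockdown settings are missing, and it also flags that the autologin password sits in clear text in the Winlogon key. The HKEY_CURRENT_USER key paths and the value names DisableTaskMgr, DisableChangePassword and Shell are assumptions based on standard Windows policy values, since the article's own restriction keys are not shown; the sample export is constructed.

```python
import re

# Constructed sample: `reg export` text from the kiosk user's session. The HKCU
# paths and value names are assumptions; the article does not list its keys.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="Lockdown"
"DefaultPassword"="Lockdp$d"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="wscript /b /nologo c:\\Lockdown\\Launch.vbs"
'''

HKLM_WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
HKCU_POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
HKCU_WINLOGON = r"hkey_current_user\software\microsoft\windows nt\currentversion\winlogon"

def parse_reg(text):
    """Parse .reg text into {key path (lower case): {value name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif m and current is not None:
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)  # REG_DWORD, hexadecimal
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \"
    return keys

def audit(text):
    """Return a list of findings for the lockdown settings discussed above."""
    reg, findings = parse_reg(text), []
    logon = reg.get(HKLM_WINLOGON, {})
    if logon.get("autoadminlogon") == "1" and "defaultpassword" in logon:
        findings.append("autologon password stored in clear text under Winlogon")
    policy = reg.get(HKCU_POLICY, {})
    for name in ("disabletaskmgr", "disablechangepassword"):
        if policy.get(name) != 1:
            findings.append(f"{name} is not set for the kiosk user")
    shell = reg.get(HKCU_WINLOGON, {}).get("shell", "")
    if not shell or shell.lower().startswith("explorer"):
        findings.append("kiosk user still gets explorer.exe as shell")
    return findings
```

Files written by `reg export` are UTF-16, so decode them before passing the text to `audit()`. Sysinternals Autologon keeps the password as an LSA secret instead of the DefaultPassword value.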
By using Praim Agile
A quicker and more comprehensive tool, which also offers many other possibilities, is Praim Agile.
You can lock down the desktop without performing the configurations described above on the PC. In addition, the software provides a well-structured launcher and the opportunity to change the configuration by using the ThinMan management console.
Visit the website pages to learn more about what these products can do for your company: