1.7.1.1 How to Update Kiosk/Core Application Protected by Secure Image

In most cases, updating the operating system and the Kiosk/Core applications consists of downloading the latest version from the OPSWAT Portal and installing that image onto your hardware. In other instances, only the Kiosk or Core applications will need to be updated. The following instructions explain how to update the MetaDefender Kiosk application software on a Secure Image installation.

Step 1: Log in to CimTrak and unlock "Local Kiosk" policy

Open a web browser and navigate to https://localhost/cmc then log in with your credentials. By default, this should be set to admin:admin.

Once logged in, go to the tree on the left and navigate down to Local Kiosk

Right-click on Local Kiosk and select Unlock and Allow Changes, then click OK on the popup

CimTrak will now unlock the policy that prevents changes to the Kiosk installation directory. This may take a moment; wait until a message at the very bottom states Object Unlocked.

Step 2: Disable AppLocker

Open the Group Policy Editor (run gpedit.msc)

Expand Computer Configuration→Windows Settings→Security Settings→Application Control Policies→AppLocker. Click on AppLocker to load the panel on the right, then click Configure rule enforcement.

On the Enforcement tab, uncheck Executable rules and Script rules. Click Apply, then OK.

Open cmd.exe as Administrator and run gpupdate.exe /force

Reboot the computer.

After the reboot, open the Group Policy Editor again and navigate back to AppLocker. This time, right-click on AppLocker and select Clear Policy, then click OK to clear the policy.

Now go to %windir%\System32\AppLocker and delete any files found in this directory.

Open cmd.exe as Administrator and run gpupdate.exe /force

Reboot then move on to Step 3.

Step 3: Disabling FIPS Compliant Encryption

If you are installing additional software not originally included in Secure Image, such as MetaDefender Vault, you may need to disable the enforcement of FIPS Compliant Encryption.

Open the Group Policy Editor (run gpedit.msc)

Navigate to Computer Configuration→Windows Settings→Security Settings→Local Policies→Security Options

Locate "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" in the right panel and double-click it.

Set the setting to Disabled and click OK

Reboot the computer

Step 4: Make changes to Kiosk and/or Core

Once the policy is unlocked you will be able to modify the contents of the Kiosk installation directory and install or update additional software. If you are applying a new Core license, you should do that now and allow the engines to fully update before moving on to Step 5.

Step 5: Lock and Digitally Sign the Local Kiosk policy

When you are finished making your updates to Kiosk, go back to the CimTrak web console, right-click on the Local Kiosk policy again, and this time select Lock and Digitally Sign.... This process will take a minute or two and is finished when the status at the bottom says Lock Complete. When finished, make sure to log out of CimTrak and close the browser window.

Step 6: Re-enable AppLocker

Go back to the Services window and start the Application Identity service if it's not already running.

Open the Group Policy Editor (run gpedit.msc)

Navigate back to and expand AppLocker (Computer Configuration→Windows Settings→Security Settings→Application Control Policies→AppLocker)

Right click Executable Rules and select Automatically Generate Rules...

In the window that pops up set Folder that contains the files to be analyzed to "C:\". Click Next, then Next. This will generate the rules then show a panel to review the rules. Click Create. VERY IMPORTANT: YOU MUST CLICK NO WHEN PROMPTED TO CREATE THE DEFAULT RULES! DO NOT CREATE THE DEFAULT RULES!

Next, right click Script Rules and select Automatically Generate Rules...

In the window that pops up set Folder that contains the files to be analyzed to "C:\". Click Next, then Next. This will generate the rules then show a panel to review the rules. Click Create. VERY IMPORTANT: YOU MUST CLICK NO WHEN PROMPTED TO CREATE THE DEFAULT RULES! DO NOT CREATE THE DEFAULT RULES!

Now right click Packaged app Rules and select Create Default Rules. This is the only time you will create default rules as the Packaged app Rules allow you to use things like Task Manager and the Start menu when AppLocker is enabled.

Finally, click on AppLocker again to load the panel on the right, then click Configure rule enforcement.

On the Enforcement tab, check Executable rules and Script rules. Click Apply, then OK.

Open cmd.exe as Administrator and run gpupdate.exe /force

Reboot the computer
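
After the final reboot, the end state of Step 6 can be confirmed from an elevated PowerShell prompt. The script below is an added example, not part of the original OPSWAT instructions; it only reads state and assumes that default rules carry the "(Default Rule)" name prefix used on English-language Windows.

```powershell
# Added example: read-only check of the end state of Step 6. Run elevated.
$findings = @()

# AppLocker only enforces rules while the Application Identity service runs.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') { $findings += "AppIDSvc is $($svc.Status), expected Running" }

# Effective policy as XML: one <RuleCollection Type=".." EnforcementMode=".."> per rule type.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$collections = @{}
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $collections[$rc.GetAttribute('Type')] = $rc
}

# Executable and Script rules: enforced, generated, and without default rules.
foreach ($type in 'Exe', 'Script') {
    $rc = $collections[$type]
    if (-not $rc) { $findings += "${type}: no rule collection in the effective policy"; continue }

    $mode     = $rc.GetAttribute('EnforcementMode')
    $rules    = @($rc.SelectNodes('*'))
    # Assumption: default rules are named "(Default Rule) ..." (English-language Windows).
    $defaults = @($rules | Where-Object { $_.GetAttribute('Name') -like '(Default Rule)*' })

    if ($mode -ne 'Enabled')   { $findings += "${type}: enforcement is $mode, expected Enabled" }
    if ($rules.Count -eq 0)    { $findings += "${type}: no rules were generated" }
    if ($defaults.Count -gt 0) { $findings += "${type}: $($defaults.Count) default rule(s) present" }
}

# Packaged app rules are the one collection where the procedure creates default rules.
$appx = $collections['Appx']
if (-not $appx -or $appx.SelectNodes('*').Count -eq 0) {
    $findings += 'Appx: no packaged app rules found'
}

# FIPS policy value changed in Step 3 (1 = enforced, 0 = disabled); reported, not judged.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = (Get-ItemProperty -Path $fipsKey).Enabled
Write-Output "FIPS algorithm policy Enabled = $fips"

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'AppLocker end state matches Step 6.' }
```

Any warning identifies the sub-step of Step 6 to repeat before the Kiosk is returned to service.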