1.7.1 User Level Hardened Kiosk Image Deployment Instructions

Secure Image Deployment

  1. Download the Deployment Tools from https://portal.opswat.com from the link at the bottom of the MetaDefender Kiosk Secure Image section.

  2. Download appropriate Kiosk model version (e.g. K-1000, K-2000, K-3000)

  3. Extract the contents of “Deployment setup.zip” downloaded in step 1 to its permanent location, the file paths will be used to create the deployment tools.


4. Extract and move your WIM file into the "Resources" directory under "Deployment setup"


5. Run the “Tool Generator.bat” file as Admin.


6. Follow the prompts to install Windows ADK.


7. A new batch file called “Make USB” will be created. This can be placed and run anywhere in the filesystem such as the Desktop.


8. Have a USB with at least 16 GB available. Plug it into the system and run “Make_USB.bat" as Admin


9. Be careful to select the right USB drive. All previous contents on the drive will be lost



10.When finished, the command prompt will display a message stating the USB is ready for deployment.


Installing the MetaDefender Secure Kiosk image

You can now use this deployment USB to flash a device with the secure image.

In order to apply the image to a device please do the following:

  1. Insert your deployment USB into the device.

  2. Boot the device from the off state and initiate the keyboard shortcut to enter the system BIOS or “one-time” boot menu. (This keyboard shortcut varies based on motherboard manufacturers)

3. Select the deployment USB in the boot menu. Ensure you are booting into UEFI mode or the image will not boot properly.


4. Follow the on-screen command prompt questions:

  • If available enter your Windows License key.

  • Select the drive to install the image. All data will be wiped

  • Choose whether or not to do a full pass wipe (Selecting "Yes" will take much longer)

  • Choose whether or not to restart the device when complete



Please Note:

  • The system may need to be restarted after first logging in to properly to connect to a network

  • The Deployment Setup folder contains a sub-folder called Resources that houses the install.wim file. You can drop in any .wim update downloaded from Portal and follow the steps above. The deployment tools provided are offered as a convenience for deploying the image over portable USB drives.


Post Installation Actions

  • Change default log-in information for the local windows account:

    • Username: KioskUser

    • Password: Opswat1234!

  • Run setup wizard on MetaDefender Core

    • MetaDefender Core and MetaDefender Kiosk will need to be activated.

    • Go to http://localhost:8008 and follow the wizard in order to activate MetaDefender Core

    • Connect MetaDefender Core with Kiosk following the instructions on this page: 5. Configuring with MetaDefender Core

  • Run setup wizard on MetaDefender Kiosk

    • To activate MetaDefender Kiosk, please go to http://localhost:8009/ and follow the wizard to create an account and apply your license.

  • Change default password on CimTrak admin:admin

    • If you change the CimTrak password make sure to update this password in Kiosk's configuration by going to http://localhost:8009, log in, then go to the Configuration tab and go all the way to the bottom of the Advanced settings to find the File Integrity Monitor settings.

  • Accept any changes from baseline in Kiosk UI

Image Details

Base Image:

  • Windows 10 IoT Enterprise 2016 LTSB

    • Version 1607

    • OS Build 14393.3144

Windows Updates:

  • KB4033631

  • KB4049411

  • KB4103729

  • KB4485447

  • KB4487038

  • KB4487006

  • KB4503537

  • KB890830

  • KB4346087

  • KB4493473

  • KB4493478

  • KB4503308

  • KB4503267

  • KB4519998

  • KB4521858

  • KB4519979

  • KB4520724

  • KB4525236

Secure Image 4.4.2

  • KB4494175

  • KB4556813

  • KB890830

  • KB4550994

  • KB4537759


See STIG_Checklist.csv

Provided as a .csv file for convenience and due to length of STIG entries. Please note "Not a finding" refers to an entry of the STIG which has been applied.

Group Policy Object

CimTrak used as FIM, version

Default Credentials:

  • Windows Login: KioskUser:Opswat1234!

  • Core: not set

  • Kiosk: not set

  • CimTrak: admin:admin


  • 8008 (MetaDefender Core Web Management Console)

  • 8009 (MetaDefender Kiosk Web Management Console)

  • 27017 (CimTrak Web Management Console)


  • http(s)