User Level Hardened Kiosk Image Deployment Instructions

Secure Image Deployment

  1. Download the “Deployment setup.zip” from https://portal.opswat.com

  2. Download the appropriate Kiosk model version (e.g. K-1000, K-2000, K-3000)

  3. Extract the contents of “Deployment setup.zip” to its permanent location. The file paths will be used to create the deployment tools.


4. Extract and move your WIM file into the "Resources" directory under "Deployment setup"


5. Run the “Tool Generator.bat” file as Admin.


6. Follow the prompts to install Windows ADK.


7. A new batch file called “Make USB” will be created. This can be placed and run anywhere in the filesystem, such as the Desktop.


8. Have a USB drive with at least 8 GB available. Plug it into the system and run “Make_USB.bat” as Admin.


9. Be careful to select the right USB drive. All previous contents on the drive will be lost.


10. When finished, the command prompt will display a message stating the USB is ready for deployment.


Installing the MetaDefender Secure Kiosk image

You can now use this deployment USB to flash a device with the secure image.

In order to apply the image to a device please do the following:

  1. Insert your deployment USB into the device.

  2. Boot the device from the off state and initiate the keyboard shortcut to enter the system BIOS or “one-time” boot menu. (This keyboard shortcut varies by motherboard manufacturer.)

3. Select the deployment USB in the boot menu. Ensure you are booting into UEFI mode or the image will not boot properly.


4. Follow the on-screen command prompt questions:

  • If available, enter your Windows license key.

  • Select the drive to install the image. All data will be wiped.

  • Choose whether or not to do a full pass wipe (selecting "Yes" will take much longer).

  • Choose whether or not to restart the device when complete.


Please Note:

  • The system may need to be restarted after first logging in to properly connect to a network.

  • The Deployment Setup folder contains a subfolder called Resources that houses the install.wim file. You can drop in any .wim update downloaded from Portal and follow the steps above. The deployment tools provided are offered as a convenience for deploying the image over portable USB drives.


Post Installation Actions

  • Change the default log-in information for the local Windows account:

Username: KioskUser

Password: Opswat1234!

  • Run setup wizard on MetaDefender Core

    • MetaDefender Core and MetaDefender Kiosk will need to be activated.

    • Go to http://localhost:8008 and follow the wizard in order to activate MetaDefender Core

    • Connect MetaDefender Core with Kiosk following the instructions on this page: 5. Configuring with MetaDefender

  • Change password on MetaDefender Kiosk

    • To activate MetaDefender Kiosk, please go to http://localhost:8009/management and enter your product key. The default password is: admin

  • Change the default password on CimTrak (admin:admin)

  • Accept any changes from baseline in Kiosk UI

Image Details

Base Image:

  • Windows IoT 10 2016 (LTSB)

Windows Updates:

  • KB4033631

  • KB4049411

  • KB4103729

  • KB4485447

  • KB4487038

  • KB4487006

STIG:

See STIG_Checklist.csv

Provided as a .csv file for convenience and due to length of STIG entries. Please note "Not a finding" refers to an entry of the STIG which has been applied.

Group Policy Object

CimTrak used as FIM, version 3.3.0.0

Default Credentials:

  • Windows Login: KioskUser:Opswat1234!

  • core: not set

  • kiosk: admin

  • CimTrak: admin:admin

Ports:

  • 8008 (MetaDefender Core Web Management Console)

  • 8009 (MetaDefender Kiosk Web Management Console)

  • 27017 (CimTrak Web Management Console)

Protocols:

  • http(s)
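
The following PowerShell audit is an added example, not part of the OPSWAT deployment tools. It checks a freshly imaged kiosk against the default Windows account, update list and ports given on this page. The -DeployedAt default (the OS install date) and the treatment of any non-loopback listener as a finding are assumptions.

```powershell
# Added example: post-deployment audit of a freshly imaged kiosk.
# Account name, KB list and ports are copied from this page.
# Assumption: -DeployedAt defaults to the OS install date; pass the real
# imaging time if your image reports a different value.
param(
    [datetime]$DeployedAt = (Get-CimInstance Win32_OperatingSystem).InstallDate
)

$Account     = 'KioskUser'
$ExpectedKBs = 'KB4033631','KB4049411','KB4103729','KB4485447','KB4487038','KB4487006'
$Ports       = 8008, 8009, 27017
$findings    = @()

# 1. The shipped Windows password must have been changed after deployment.
$user = Get-LocalUser -Name $Account -ErrorAction SilentlyContinue
if (-not $user) {
    $findings += "Account '$Account' not found (renamed or removed?)"
} elseif (-not $user.PasswordLastSet -or $user.PasswordLastSet -lt $DeployedAt) {
    $findings += "Password for '$Account' not changed since deployment ($($user.PasswordLastSet))"
}

# 2. Updates listed under "Windows Updates" that Get-HotFix does not report.
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
foreach ($kb in $ExpectedKBs) {
    if ($installed -notcontains $kb) { $findings += "Update not reported as installed: $kb" }
}

# 3. Management consoles listening on anything other than loopback are
#    reachable from the network and should be firewalled or rebound.
$loopback  = '127.0.0.1', '::1'
$listeners = Get-NetTCPConnection -State Listen -LocalPort $Ports -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    if ($loopback -notcontains $l.LocalAddress) {
        $findings += "Port $($l.LocalPort) listening on $($l.LocalAddress), not loopback only"
    }
}
foreach ($p in $Ports) {
    if ($listeners.LocalPort -notcontains $p) { $findings += "Nothing listening on expected port $p" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'No findings.'
```

Run it from an elevated PowerShell prompt on the kiosk. The MetaDefender Kiosk and CimTrak console passwords are not covered by this check and still have to be changed in their own management interfaces.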