Local Policy vs Registry settings

Tech Savvy

I’m locking down a stand-alone Windows 7 PC to act as a kiosk. One of the requirements is an auto logon into a standard user.

Currently I have some settings that are applied via group policy and some settings that are applied via registry settings.

It’s very likely that there is some duplication between group policy settings and registry settings. Which is a problem in and of itself that I’ll be working on. However, here is what I’m seeing and I want to confirm that what I think is happening is correct.

In my configuration process the group policy is applied first and then followed by a series of regedit /S imports.

Auto login is the very last thing that’s set in the registry changes.

Upon first reboot after configuration, all works well and the system attempts to auto login, but is prevented by the “OK” button that is prompted when a banner is set. Not a problem, click ok and auto login works as expected. GREAT!

However, without anything changed I rebooted the computer a second time. This time auto login did not work, I was prompted with “press ctl alt del” and upon pressing it shows the login screen. Bummer!!

So what I think is happening is that maybe the group policy is overwriting the registry settings I made, since the policy would get reapplied on reboot/login? Is that correct?

I feel like this is a very basic question but I’ve been looking at it for so long I can’t help but to constantly question myself lol
 
Is this a short-term kiosk that's going out of service by the end of the year? If not, then there's no excuse for putting Win7 on it now since it's EOL in January (since you're talking Group Policy clearly it's networked and on a domain).
 
Is this a short-term kiosk that's going out of service by the end of the year? If not, then there's no excuse for putting Win7 on it now since it's EOL in January
Nope, it is in fact very long term. It’s used in a weapon system. And it already went through government certification on Windows 7. So there is no changing it for another 20 years or so. Since it’s a weapon system, nothing can be updated, or modified without recertification. Custom hardware/software designed specifically for this system. I know it’s EOL, but I’m working with what I can.

since you're talking Group Policy clearly it's networked and on a domain

Sorry I misspoke, I meant to write Local Policy! Not group policy! Thank you for bringing that to my attention!


 
Hm. Completely not my area, but are you (hopefully) running Windows 7 Embedded? In addition, even if not using Embedded you hopefully have built highly customized/stripped down installation media for Windows 7 to be used for this. There have been assorted discussions on here before of options for Windows-based kiosk systems, though for something military and hopefully without a network connection some of the commercial options might not be appropriate.

Part of why I'm advising Embedded if you're not already using it and are able to change over is that sometimes Windows can do stupid things to itself, such as the Windows Update problems with the CBS log (it compresses the CBS log file to save space, but it compresses to a cab file and there's a hard limit of 4GB on the input - and a hard crash that leaves temp files in Windows\Temp if that file size is exceeded, eventually filling the drive with cab_* files). I'm pretty sure Embedded lets you turn off a lot of that background noise.
 
It actually uses Windows 7 Pro. I’m not sure why. They essentially gave me the entire setup and said here you go, lock it down so you can’t do anything else. Windows seems overkill to me altogether but my guess is that’s what the developers were comfortable with rather than what’s best for the system lol

But I did disable as much as possible (about 60 or so services). Last thing I want is for them to be operating the system and then ask to restart when Windows tried to update lol

I’m curious if the local policy gets reapplied on reboot and if it will overwrite manual registry changes. My guess is yes, but that’s all it is... a guess. I wish there was a document or something that describes the lifecycle of the registry


Isn't your question testable? Pull the plug when it is at the login screen after a reboot, mount the drive on another machine and examine the registry? Our RMM, for example, has a remote registry editor, maybe some tool like that where you wouldn't need to unplug the thing, but instead look at the registry live after the reboot but before the login?

Maybe change the permissions on the keys you change so they can't be overwritten?
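
The test suggested above, as an added example that is not part of the thread: a PowerShell 2.0 script (the version shipped with Windows 7) that records the auto-logon and banner-related values right after configuration and reports which ones differ after a reboot. The value names are the standard Winlogon and Policies\System ones and, like the baseline path, are assumptions; the thread does not list the keys being set.

```powershell
# Run elevated: once with -Mode Save after configuration, then -Mode Compare after each reboot.
param(
    [ValidateSet('Save', 'Compare')][string]$Mode = 'Compare',
    [string]$Baseline = 'C:\kiosk-baseline.txt'   # hypothetical path
)

# Values to watch (assumption: standard Windows names, not taken from the thread).
$watch = @{
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' = @(
        'AutoAdminLogon', 'DefaultUserName', 'DefaultDomainName',
        'DefaultPassword', 'AutoLogonCount', 'DisableCAD')
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' = @(
        'DisableCAD', 'legalnoticecaption', 'legalnoticetext')
}

function Get-WatchedValues {
    foreach ($key in $watch.Keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $watch[$key]) {
            $value = '<absent>'
            if ($props -and $props.PSObject.Properties[$name]) {
                if ($name -eq 'DefaultPassword') {
                    # Record only that a password is stored, never the password itself.
                    $value = '<set>'
                } else {
                    # Flatten multi-line banner text so each value stays on one line.
                    $value = ([string]$props.$name) -replace '\r?\n', ' '
                }
            }
            "$key\$name = $value"
        }
    }
}

$current = @(Get-WatchedValues | Sort-Object)

if ($Mode -eq 'Save') {
    $current | Set-Content -Path $Baseline
    "Baseline written to $Baseline"
} else {
    $diff = Compare-Object -ReferenceObject @(Get-Content -Path $Baseline) -DifferenceObject $current
    if ($diff) {
        # '<=' marks the baseline line, '=>' marks what the registry holds now.
        $diff | Sort-Object InputObject | Format-Table SideIndicator, InputObject -AutoSize -Wrap
    } else {
        'No watched value changed since the baseline.'
    }
}
```

A value that shows up in the diff after the second reboot is the one being rewritten; comparing it against the local policy setting for the same item shows whether policy is the source.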
 