Launch via PowerShell (run as kiosk user):

| Attack vector | Mitigation |
|---------------|-------------|
| | Filter keys / disable via FilterAdministratorToken, GPO |
| Sticky keys / accessibility | Delete sethc.exe, utilman.exe backups |
| USB storage | GPO: Administrative Templates > System > Removable Storage Access |
| Task Manager | Disable via HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System → DisableTaskMgr = 1 |
| Windows Update interruptions | Configure active hours, use kiosk_mode servicing policy |
| On-screen keyboard | Disable via GPO or remove osk.exe |

Recommended: Shell Launcher v2 (Enterprise only)

Replace explorer.exe with your app → prevents any shell access.

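A read-only audit of three mitigations from the table above, as an added example that is not part of the original page. The function names are hypothetical, and the `Deny_All` value assumes the "All Removable Storage classes: Deny all access" setting is the one applied under Removable Storage Access.

```powershell
# Added example: read-only checks, nothing is modified.
# Run inside the kiosk user's session so HKCU resolves to that user's hive.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-KioskHardening {
    $sys32 = Join-Path $env:windir 'System32'
    $checks = @(
        [pscustomobject]@{
            Check    = 'Task Manager disabled (DisableTaskMgr = 1)'
            Actual   = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableTaskMgr'
            Expected = 1
        }
        [pscustomobject]@{
            # Assumption: the "deny all access" removable storage policy is in use.
            Check    = 'Removable storage denied (Deny_All = 1)'
            Actual   = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
            Expected = 1
        }
        [pscustomobject]@{
            # Reports a failure if osk.exe was disabled by GPO rather than removed.
            Check    = 'osk.exe removed'
            Actual   = Test-Path (Join-Path $sys32 'osk.exe')
            Expected = $false
        }
    )
    foreach ($c in $checks) {
        # A missing registry value yields $null, which never equals 1, so it fails.
        $c | Add-Member -NotePropertyName Pass -NotePropertyValue ($c.Actual -eq $c.Expected) -PassThru
    }
}

Test-KioskHardening | Format-Table Check, Actual, Expected, Pass -AutoSize
```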
Set via registry: