Overview
This knowledge base article describes which settings have been excluded from CIS 3.0.0 L1 + BL for Kiosk devices, and why.
The following will be covered in this article:
- Excluded Settings from CIS 3.0.0 L1 + BL Base Profile
- Why are changes needed in CIS Base Profile for Kiosk?
- Why are changes needed in Win32 App: CIS 3.0.0 L1 + BL for Kiosk?
- Why doesn't Devicie manage the username and password?
- How can you add the username and password?
Excluded Settings from CIS 3.0.0 L1 + BL Base Profile
The following settings were removed from the CIS 3.0.0 L1 Base Profile:
- Interactive logon: Do not display last user name
- Interactive logon: Machine inactivity limit
- Interactive logon: Message text for users attempting to log on
- Interactive logon: Message title for users attempting to log on
- Interactive logon: Do not require CTRL+ALT+DEL
Why are changes needed in CIS Base Profile for Kiosk?
The CIS 3.0.0 L1 + BL Base profile is designed to secure a broad range of standard devices. Kiosk devices, by contrast, do not need the same level of security as standard devices.
The list of the settings excluded from CIS 3.0.0 L1 + BL Base profile for Kiosk devices:
- Interactive logon: Do not display last user name:
  - This setting improves security on standard devices by preventing someone from easily guessing the last logged-in user.
  - For Kiosks, as there is a limited number of authorized users, this isn't a significant security risk.
- Interactive logon: Machine inactivity limit:
  - This setting forces a standard device to automatically log out after a period of inactivity. This is important to prevent unauthorized access if someone leaves their computer unattended.
  - Kiosks are designed for public use and do not need automatic logout, as no sensitive user data is involved.
- Interactive logon: Message text for users attempting to log on & Interactive logon: Message title for users attempting to log on:
  - These settings allow you to customize the messages displayed during login attempts on a standard device.
  - Kiosks are assigned with zero-touch deployment and have limited functionality, so they may not require such logon messages.
- Interactive logon: Do not require CTRL+ALT+DEL:
  - This setting bypasses the secure attention sequence (SAS) on standard devices.
  - While it might seem less secure, it can be useful for kiosks, where a standard login process might be confusing for casual users. Kiosks often use a streamlined login process: automatic logon after each restart.
Therefore, a new CIS 3.0.0 L1 Kiosk profile will need to be created and assigned to Kiosk devices to provide a more user-friendly and efficient experience while still maintaining the strong security baseline of a standard device.
Why are changes needed in Win32 App: CIS 3.0.0 L1 + BL for Kiosk?
The Base Win32 App: CIS 3.0.0 L1 + BL applies all the remaining recommended CIS 3.0.0 security baseline policies that are still in Insider mode in the Settings Catalog, or for which only Registry Keys are available. A number of changes need to be made to the Base Win32 App: CIS 3.0.0 L1 + BL, so a new Base Win32 App: CIS 3.0.0 L1 + BL for Kiosk will need to be created.
The list of the settings excluded and modified from CIS 3.0.0 L1 + BL Base profile for Kiosk devices:
- Network access: Do not allow storage of passwords and credentials for network authentication
  - This setting is important for security on most devices because it prevents unauthorized users from accessing stored credentials if they gain access to the device.
  - However, for Kiosk devices the risk profile is different. Kiosk devices have a pre-configured network connection and don't require users to log in with their own credentials. Storing credentials securely can simplify the setup and maintenance of the Kiosk device.
  - To change the setting to Disabled, set the DisableDomainCreds value under the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa from 1 to 0. With credential caching disabled, service domain accounts would need to enter their credentials manually each time they use the kiosk, which is inconvenient.
- MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
  - This setting is generally not recommended for security reasons. Enabling automatic login with an administrative account gives any user who boots the device full access to the system.
  - However, Kiosk devices often have a very limited set of functions and do not require a standard user login at all, as they log on automatically to the Kiosk application with the configured credentials.
  - To change the setting to Enabled, set the AutoAdminLogon value under the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon from 0 to 1. This allows automatic logon for a service domain account. Because a kiosk does not display the login screen, the automatic logon prevents unauthorized access to the main system or modification of the Kiosk device's settings.
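The two Registry values above (DisableDomainCreds under Lsa, AutoAdminLogon under Winlogon) are what distinguish the Kiosk variant of the Win32 app from the CIS base. The following PowerShell is an added example, not Devicie's own Win32 app or detection script: it audits both values, reports whether the device is in the CIS base state or the Kiosk state, and flags a clear-text DefaultPassword in the Winlogon key, which is the credential exposure this article avoids by leaving the account to the separate KB. The optional apply function sets only the two baseline values and never writes a username or password. Function names and the Intune exit-code convention are assumptions; it must run elevated on the device.

```powershell
# Added example (not Devicie's code). Audits / applies the two Registry values that
# the Kiosk variant of Win32 App: CIS 3.0.0 L1 + BL changes. Run elevated.

$LsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the value or key does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-KioskCisPosture {
    # DisableDomainCreds is REG_DWORD; AutoAdminLogon is REG_SZ ("0"/"1").
    $ddcRaw = Get-RegValueOrNull -Path $LsaKey      -Name 'DisableDomainCreds'
    $aalRaw = Get-RegValueOrNull -Path $WinlogonKey -Name 'AutoAdminLogon'
    $pwd    = Get-RegValueOrNull -Path $WinlogonKey -Name 'DefaultPassword'

    $ddc = if ($null -ne $ddcRaw) { [int]$ddcRaw } else { $null }
    $aal = if ($null -ne $aalRaw) { [int]$aalRaw } else { $null }

    # CIS base:  DisableDomainCreds = 1, AutoAdminLogon = 0
    # Kiosk:     DisableDomainCreds = 0, AutoAdminLogon = 1
    $posture = if     ($ddc -eq 0 -and $aal -eq 1) { 'Kiosk' }
               elseif ($ddc -eq 1 -and $aal -eq 0) { 'CISBase' }
               else                                { 'Mixed' }

    [PSCustomObject]@{
        DisableDomainCreds       = $ddc
        AutoAdminLogon           = $aal
        Posture                  = $posture
        # Winlogon stores DefaultPassword in clear text. Its presence is the
        # exposure the article describes, so it is reported regardless of posture.
        PlaintextPasswordPresent = -not [string]::IsNullOrEmpty($pwd)
    }
}

function Set-KioskCisValues {
    # Applies only the two baseline values. Credentials are deliberately NOT
    # written here; see the auto-login KB referenced in this article.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($LsaKey, 'Set DisableDomainCreds = 0')) {
        Set-ItemProperty -Path $LsaKey -Name 'DisableDomainCreds' -Value 0 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($WinlogonKey, 'Set AutoAdminLogon = 1')) {
        Set-ItemProperty -Path $WinlogonKey -Name 'AutoAdminLogon' -Value '1' -Type String
    }
}

# Usage as an Intune detection script (assumed convention: exit 0 = compliant).
$state = Get-KioskCisPosture
$state | Format-List
if ($state.Posture -eq 'Kiosk') { exit 0 } else { exit 1 }
# To apply the Kiosk values instead:  Set-KioskCisValues -WhatIf   (then without -WhatIf)
```

Run the audit on both a standard and a Kiosk device to confirm the profiles landed where expected; a result of Mixed means one of the two apps applied but not the other, and PlaintextPasswordPresent of True on any device is worth a closer look even when the posture is the intended one.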
Why doesn't Devicie manage the username and password?
Providing Devicie with a username and password to be packaged into an application for a Kiosk would expose those credentials and pose a significant security risk. Usernames and passwords are a common target for cyberattacks, and even strong passwords can be compromised through brute-force attacks.
How can you add the username and password?
You can follow this KB: How to create an Auto-login Admin Account on a workstation using Microsoft Intune – Devicie Support Home, using Option 2: Using Win32 app to Create an Entra ID auto-login admin account. Once the Win32 application has been created, deploy it to the required Kiosk group.