Base Windows setup
This page is step one of the Windows kiosk image build. The goal is a fully patched, fully online Windows 11 Pro install with the right BIOS configuration, local account layout, and venue networking pre-staged — but before any kiosk lock-down. Locking down later is much easier than unlocking, so all the OS-level housekeeping happens while we still have a normal desktop.
Plan on 45–90 minutes for this step on the first build. Subsequent images go faster because Windows update churn is mostly cached.
Build on your target hardware
Drivers are baked into the captured image. Build on the same model of thin client you plan to ship. If your fleet has multiple SKUs, you need one image per SKU.
What you need
- A thin client matching your fleet SKU (see Hardware requirements)
- A Windows 11 Pro install ISO (Home and SE editions don't support the kiosk policies we rely on; IoT Enterprise is supported and unlocks Shell Launcher in Kiosk configuration)
- A valid Windows 11 Pro license key
- Wired internet for the build (saves an enormous amount of patching time)
- A 16 GB+ USB stick for the install media
- A fresh DisplaySync admin account on the dashboard you can use to claim the test sign at the end
1. Configure BIOS
BIOS settings are not part of the captured image; they live in the device firmware, so they are easy to forget unless you set them on every unit up front. Three settings matter:
| Setting | Value | Why |
|---|---|---|
| AC Power Recovery / Power On After Power Loss | On (or "Always On") | The sign powers itself back up after a venue power blip without anyone touching it. |
| Boot Order | Internal SSD first, USB second | Faster cold boots; USB can still take over for recovery when needed. |
| Wake on LAN | Enabled (if available) | Useful for remote power-on workflows. Optional. |
Disable Secure Boot only if your imaging tool requires it. Most modern tools work with Secure Boot enabled.
2. Install Windows 11 Pro
Boot the install media and run a clean install onto the internal drive. Two non-default choices to make during OOBE:
- Edition: Windows 11 Pro. Confirm in Settings → System → About after install.
- Account: create a local administrator account, not a Microsoft account. The kiosk image must not be tied to a personal MSA, and Microsoft has been progressively making local accounts harder to choose during OOBE — be persistent.
To force a local account during OOBE on Windows 11 23H2 and later:
Shift + F10 # opens cmd.exe during OOBE
oobe\BypassNRO # restarts OOBE without the network requirement
After reboot, choose "I don't have internet" when prompted, then "Continue with limited setup" to land on a local-account screen.
Pick a name like imgadmin for the admin account — this account is for image building only and gets deleted after Sysprep.
3. Local account layout
The image needs two local accounts:
| Account | Role | Created |
|---|---|---|
| imgadmin | Image-builder admin. Used to install software, patch, configure. Deleted before capture. | Now (during OOBE) |
| DisplaySync | Kiosk runtime user. Auto-logs in on boot, runs the sign app, has minimal privileges. | Later, by the provisioning script in Installing DisplaySync |
Don't create the DisplaySync user manually now — provision-windows.ps1 creates it with the right group memberships, password, and shutdown privilege. Creating it by hand and then running the script is fine but redundant.
4. Patch fully, then patch again
Run Settings → Windows Update → Check for updates and let it download, install, and reboot until it reports "You're up to date" on two consecutive checks. This usually means 2–4 reboot cycles on a fresh install.
Then check optional drivers:
Settings → Windows Update → Advanced options → Optional updates
Install any driver updates offered, especially for the GPU and network adapters. Skip "feature update" optional offers — those are big version jumps you don't want during an event.
Why patch now and not later
Windows Update during a live event is a leading cause of unexpected reboots mid-show. The image we capture has all current cumulative updates baked in, and we'll restrict update behavior to off-hours later. The cleaner the starting point, the fewer surprise reboots you risk in production.
5. Pre-stage venue WiFi profiles
If the device might land on a venue WiFi instead of wired, pre-load the SSIDs and passphrases now. Without this, the sign boots, displays the QR screen, and never connects — somebody has to pull a keyboard out and type the password by hand.
Create a WiFi profile XML, one per venue:
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
    <name>EventWiFi</name>
    <SSIDConfig><SSID><name>EventWiFi</name></SSID></SSIDConfig>
    <connectionType>ESS</connectionType>
    <connectionMode>auto</connectionMode>
    <MSM>
        <security>
            <authEncryption>
                <authentication>WPA2PSK</authentication>
                <encryption>AES</encryption>
                <useOneX>false</useOneX>
            </authEncryption>
            <sharedKey>
                <keyType>passPhrase</keyType>
                <protected>false</protected>
                <keyMaterial>YourPassword</keyMaterial>
            </sharedKey>
        </security>
    </MSM>
</WLANProfile>
Save profiles to C:\wifi-profiles\ and import each one:
netsh wlan add profile filename="C:\wifi-profiles\EventWiFi.xml"
Stack as many as you like — Windows auto-joins any profile in range. For hidden SSIDs, add <nonBroadcast>true</nonBroadcast> inside <SSIDConfig>. Verify:
netsh wlan show profiles
WiFi profiles survive Sysprep generalize, but always re-verify on the first boot after capture.
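The per-venue profile workflow above, as an added PowerShell example that is not part of this guide or the DisplaySync project. It generates one profile per venue (including the hidden-SSID case), escapes XML metacharacters in the passphrase, imports with netsh, verifies, and then deletes the on-disk XML so cleartext passphrases do not end up in the captured image. The venue names, SSIDs and passphrases are constructed placeholders.

```powershell
# Constructed venue list; replace with real SSIDs and passphrases.
$venues = @(
    @{ Name = 'EventWiFi';  Passphrase = 'YourPassword';    Hidden = $false },
    @{ Name = 'VenueB-Ops'; Passphrase = 'p&ss<word>"2024'; Hidden = $true  }
)
$profileDir = 'C:\wifi-profiles'
New-Item -ItemType Directory -Path $profileDir -Force | Out-Null

function New-WlanProfileXml {
    param([string]$Ssid, [string]$Passphrase, [bool]$Hidden)
    # Escape & < > " so a passphrase containing XML metacharacters cannot break the document.
    $ssidX = [System.Security.SecurityElement]::Escape($Ssid)
    $keyX  = [System.Security.SecurityElement]::Escape($Passphrase)
    $nonBroadcast = if ($Hidden) { '<nonBroadcast>true</nonBroadcast>' } else { '' }
    return @"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$ssidX</name>
  <SSIDConfig><SSID><name>$ssidX</name></SSID>$nonBroadcast</SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication>
      <encryption>AES</encryption><useOneX>false</useOneX></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>false</protected>
      <keyMaterial>$keyX</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>
"@
}

foreach ($v in $venues) {
    $path = Join-Path $profileDir "$($v.Name).xml"
    $utf8 = [System.Text.UTF8Encoding]::new($false)   # UTF-8 without BOM
    [System.IO.File]::WriteAllText($path, (New-WlanProfileXml $v.Name $v.Passphrase $v.Hidden), $utf8)
    # user=all: the profile must be usable by the DisplaySync runtime user, not only by imgadmin.
    netsh wlan add profile filename="$path" user=all | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to import profile $($v.Name)" }
    # <protected>false</protected> means the passphrase sits in cleartext in this file.
    # Windows now holds it in its own protected store, so do not leave the XML in the image.
    Remove-Item $path -Force
}

# Verify that every venue profile is now known to the WLAN service.
$known = (netsh wlan show profiles) -join "`n"
foreach ($v in $venues) {
    if ($known -notmatch [regex]::Escape($v.Name)) { Write-Warning "Profile $($v.Name) was not imported" }
}
```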
6. Suppress the "Set Network Location" prompt
When Windows sees a brand-new network, it pops a full-screen "Is this a public or private network?" wizard. On a kiosk that's catastrophic — the wizard blocks the display until somebody dismisses it. Disable the wizard outright:
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList" `
-Name "NewNetworkWindowOff" -Force
The presence of an empty NewNetworkWindowOff subkey is the flag — no values inside.
7. Default unidentified networks to Private
Suppressing the wizard alone isn't enough: Windows still defaults new networks to Public, which blocks SMB, RDP, and screen-sharing. Force every unidentified network to Private via Group Policy:
gpedit.msc → Computer Configuration → Windows Settings → Security Settings → Network List Manager Policies → Unidentified Networks
- Location type: Private
- User permissions: User cannot change location
Apply, then commit:
gpupdate /force
Belt-and-braces: a startup task that flips any stragglers to Private:
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" `
    -Argument '-WindowStyle Hidden -Command "Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private"'
$trigger = New-ScheduledTaskTrigger -AtStartup
# Run as SYSTEM so the task does not depend on imgadmin (deleted before capture)
# and fires at boot before any user has logged on.
Register-ScheduledTask -Action $action -Trigger $trigger `
    -TaskName "SetPrivateNetwork" -User "SYSTEM" -RunLevel Highest
8. Verify before moving on
Before kiosk configuration, run through this checklist on the build machine:
# Edition is Pro
(Get-CimInstance Win32_OperatingSystem).Caption
# WiFi profiles loaded
netsh wlan show profiles
# Network-location wizard disabled
Get-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\NewNetworkWindowOff"
# Active networks are Private
Get-NetConnectionProfile | Format-Table Name, NetworkCategory
# Watchdog scheduled task present
Get-ScheduledTask -TaskName "SetPrivateNetwork"
All five should produce expected output with no errors. Settings → Windows Update should also report "You're up to date" on the most recent check.
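The same checklist as a single pass/fail function, added here as an example and not part of the guide or the DisplaySync tooling. It covers the five checks above plus a pending-reboot check (assumed as an approximation of "You're up to date") and confirms imgadmin is still the local admin. The check that counts WiFi profiles matches the English netsh label "All User Profile", which is an assumption about the build machine's locale.

```powershell
function Test-KioskBaseImage {
    # Each entry is a scriptblock returning $true when the check passes.
    $checks = [ordered]@{
        'Edition is Windows 11 Pro' = {
            (Get-CimInstance Win32_OperatingSystem).Caption -like '*Windows 11 Pro*' }
        'No reboot pending from Windows Update' = {
            # Approximation: this key exists only while an installed update awaits a restart.
            -not (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') }
        'At least one WiFi profile imported' = {
            # Label is locale-dependent; assumes an English install.
            @((netsh wlan show profiles) -match '^\s+All User Profile').Count -ge 1 }
        'Network-location wizard disabled' = {
            Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\NewNetworkWindowOff' }
        'All active networks are Private' = {
            @(Get-NetConnectionProfile | Where-Object NetworkCategory -ne 'Private').Count -eq 0 }
        'SetPrivateNetwork task present and enabled' = {
            $t = Get-ScheduledTask -TaskName 'SetPrivateNetwork' -ErrorAction SilentlyContinue
            $null -ne $t -and $t.State -ne 'Disabled' }
        'imgadmin is a local Administrator (delete before capture)' = {
            [bool]((Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name -like '*\imgadmin') }
    }
    foreach ($name in $checks.Keys) {
        try   { $pass = [bool](& $checks[$name]); $detail = '' }
        catch { $pass = $false; $detail = $_.Exception.Message }
        [pscustomobject]@{ Check = $name; Pass = $pass; Detail = $detail }
    }
}

$results = Test-KioskBaseImage
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'Base image is not ready for kiosk configuration.'
    exit 1
}
```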
If everything checks out, you have a clean Windows 11 Pro install with venue networking pre-staged and lock-down-friendly defaults applied. Next up: Kiosk configuration — auto-login, the kiosk user, the scheduled task that auto-starts the sign app, and the policies that keep this device on a single screen forever.