# HMI Thin Client Setup Guide

:::note[Keep in mind]
This guide is specific to the OnLogic CL260 thin client running Windows 11 IoT Enterprise LTSC 2024. The scripts and configurations are tailored for this hardware and OS version, but the general principles and steps can be adapted to other Windows-based thin clients with similar requirements. The one hard requirement is the OS edition: it needs to be `Windows 11 Enterprise` or `Windows 11 IoT Enterprise`, because Shell Launcher and AppLocker, the core lockdown mechanisms used here, are only available in those editions (Pro and Home lack them).
:::

This is a step-by-step guide for setting up new HMI thin clients for your plant. This guide assumes you are comfortable working with Windows but have never done any deployment work before. Every term you need to know is explained the first time it shows up.

**Approximate time per machine:** 20 to 30 minutes.

[Source code for the setup scripts is available on GitHub.](https://github.com/jakeashcraft/hmi-baseline)

**Hardware:** [OnLogic CL260](https://www.onlogic.com/store/cl260/) fanless industrial edge gateway with `Windows 11 IoT Enterprise LTSC 2024` pre-installed and activated at the factory.

## What you're going to do

By the end of this guide, your HMI thin client will:

- Boot directly into a full-screen Remote Desktop session pointing at your HMI server.
- Auto-login so no operator ever sees a Windows desktop or has to type a password.
- Be locked down so operators cannot launch other programs, open File Explorer, or change settings.
- Have a hidden admin account you (or the admin) can use for future maintenance.

The operator's experience is: turn it on, wait about 30 seconds, start using FactoryTalk. That's it.

:::note[This guide]
In this guide, we're using FactoryTalk as the HMI server, but the Remote Desktop connection could point to any server or application. The key is that Shell Launcher makes the RDP session the only thing the operator can interact with on the thin client, so whatever you put in that RDP session is what they see and use.
:::

---

## Before you start: what you need

Clone the repository:

```bash title="Get the project files"
git clone https://github.com/jakeashcraft/hmi-baseline.git
```

You'll need to get the files onto the machine to run the setup script, so copy the whole `hmi-baseline` folder onto a USB stick or shared network drive that the machine can access.

```text title="Layout of the hmi-baseline folder"
hmi-baseline/
  LGPO/
    Baseline/                 # Exported GPO backup (commit the folder contents)
      DomainSysvol/           # The policy files LGPO.exe imports
  ShellLauncher/
    ShellLauncher.template.xml
  RDP/
    FactoryTalk.template.rdp
  AppLocker/
    AppLockerPolicy.xml
  Plants/
    _Template/                # Copy this folder when onboarding a new plant
    PlantA/
      plant.psd1
  Scripts/
    Common/
      HMIBaseline.psm1        # Reusable functions
      LGPO.exe                # Microsoft's LGPO tool (see "The kit" below)
    Apply-Baseline.ps1        # Run during imaging
    Update-Baseline.ps1       # Push changes to running machines
  .gitignore
  README.md
```

### The kit
1. **The OnLogic CL260 thin client.**  
   Comes pre-loaded with Windows 11 IoT Enterprise LTSC 2024 from the factory, already activated. No install USB or product key needed. The box should include the unit itself, a 24V power adapter, and a USB-C to HDMI adapter (the CL260 doesn't have a standard HDMI port on its own, so you use this adapter to plug in a monitor).

2. **The HMI Baseline project folder.**  
   A folder called `hmi-baseline`. This contains all the scripts and configuration that lock the machine down. Inside it there should be a file at `Scripts\Common\LGPO.exe` and a populated folder at `LGPO\Baseline\DomainSysvol\`. If either is missing, the script will error out and tell you, but it's better to check first.

3. **Three passwords**, provided separately (not written down in this guide):
   - HMIAdmin password (the hidden maintenance account)
   - HMIOperator password (the auto-login account)
   - FactoryTalk user password (the credentials used to connect to FactoryTalk)

4. **The FactoryTalk server details.** These should already be filled into the plant config file at `Plants\PlantA\plant.psd1`. You shouldn't need to edit anything. If the server name is wrong, contact your IT or Automation lead to find out what it is.

5. **Network info for the HMI:** IP address, subnet mask, gateway, DNS server. Plant IT should provide these before you start. Every HMI needs its own unique IP.

6. **A monitor, USB keyboard, and USB mouse** for the initial setup. Once the HMI is deployed and mounted, these can be disconnected, then the operator interacts entirely through FactoryTalk on a different screen. You only need them for this setup process.

7. **A USB stick or shared network drive** to transfer the `hmi-baseline` folder onto the HMI. The setup script needs to run from the local disk, so you have to copy the whole project folder onto the machine before running it.

### A glossary so the rest of this guide makes sense

- **OOBE (Out-Of-Box Experience)**: The blue Windows screens you see the very first time a new Windows PC boots. It asks about language, region, Wi-Fi, creates a user account, etc.
- **Workgroup**: A Windows networking mode for computers that are NOT joined to a corporate domain. Our HMIs are workgroup machines because they live on an isolated plant network with no domain controller.
- **PowerShell**: A command-line shell that comes built into Windows. Like Command Prompt but more powerful. Every command in this guide goes into PowerShell, not Command Prompt.
- **Elevated / Run as Administrator**: Running a program with admin rights. Required for almost everything in this guide.
- **Shell Launcher**: A Windows feature that replaces the normal desktop with a single program of our choice. For HMI operators, that program is Remote Desktop pointed at FactoryTalk.
- **LGPO / Group Policy**: A way to configure hundreds of Windows settings at once. "LGPO.exe" is a free Microsoft tool for applying these settings to a computer that isn't on a domain.
- **AppLocker**: A Windows feature that controls which programs each user is allowed to run.
- **Auto-logon**: A Windows setting that makes the computer log in as a specific user automatically at boot, without typing a password.

---

## Part 1: Unbox the CL260 and run first-boot setup

Since OnLogic ships the CL260 with Windows pre-installed and activated, you skip the entire Windows installation process. You just need to unbox it, connect a monitor and keyboard, and walk through the one-time setup screens.

### 1.1 Unbox and connect hardware

1. Open the OnLogic box. You should have the CL260 unit, a 24V power adapter, and a USB-C to HDMI adapter.
2. Plug the USB-C to HDMI adapter into the USB-C port on the front of the CL260.
3. Plug an HDMI cable from your monitor into that adapter.
4. Plug a USB keyboard and USB mouse into any of the USB-A ports on the CL260.
5. **Do not connect the ethernet port to a network with internet access yet.** Either leave it unplugged or plug it only into the isolated HMI VLAN switch port. OOBE can only insist on a Microsoft account when it can reach the internet, so keeping the machine offline during setup is what guarantees a local account.
6. Plug the power adapter into the CL260 and into a wall outlet. The CL260 has no power button on the front; it starts automatically when power is applied. If it doesn't, check the back of the unit for a small power button.

### 1.2 Get through the first-boot setup screens

The first time the CL260 powers on, Windows runs its one-time setup wizard (the "Out-Of-Box Experience" or OOBE). This is where you tell it your region, create a user account, and set privacy preferences.

LTSC is generally less pushy about Microsoft accounts than regular Windows 11, but some builds still try to require one. The instructions below handle either case. We want a local account only — the HMI should never be signed into a Microsoft account.

1. Pick your **country or region** (United States) and click Yes.
2. Pick your **keyboard layout** (US) and click Yes. Skip adding a second keyboard.
3. It will try to **connect to a network**. On most LTSC installs, you'll see an option like **"I don't have internet"** or **"Continue with limited setup"** directly on this screen — click that and skip to step 4.

   If no such option is visible, or the installer tries to force you to connect, use this bypass:
   - Press **Shift + F10** on the keyboard. A black Command Prompt window will pop up.
   - Type this command exactly, then press Enter:
     ```cmd title="Bypass the network requirement"
     start ms-cxh:localonly
     ```
   - A new window opens that lets you create a local account directly. Use the username **setup** and a temporary password (the same choices as steps 4 to 6 below), then skip to step 7.

   > **Note:** If `start ms-cxh:localonly` does nothing, run `oobe\bypassnro` from the same Command Prompt instead. The PC reboots and the network screen will then show the "I don't have internet" option. Both are undocumented OOBE bypasses that Microsoft has started removing from newer builds, so if neither works on a freshly updated image, keep the machine offline and look again for the limited-setup option on the network screen.

4. For the username, enter **setup** (we'll delete this account later).
5. Pick any password you'll remember for the next hour. Write it down.
6. Pick three security questions. Pick anything, honestly, we're deleting this account.
7. **Privacy settings:** turn every slider OFF. Location, diagnostic data, advertising ID, all of it. Click Accept.
8. If you see "Let's customize your experience" prompts, click Skip. On most LTSC builds, you won't see this screen at all.
9. If you see OneDrive setup, skip it. LTSC does not include OneDrive by default, so you probably won't see this screen.
10. Wait while Windows finishes setting up. You'll land on the desktop eventually. The desktop will look noticeably cleaner than regular Windows 11, no Edge icon, no Microsoft Store, no widgets. That's normal for LTSC.

## Part 2: Configure the network

Now we give the machine its permanent IP address on the HMI VLAN.

### 2.1 Plug into the HMI VLAN

Plug the ethernet cable into the HMI VLAN switch port. The network icon in the taskbar may show "no internet" — that's expected, the HMI VLAN is isolated.

### 2.2 Set the static IP address

Plant IT gave you an IP address, subnet mask, gateway, and DNS server. Apply them now.

1. Right-click the **Start** button, click **Settings**.
2. Go to **Network & internet**, then click **Ethernet**.
3. Next to **IP assignment**, click **Edit**.
4. Change the dropdown from **Automatic (DHCP)** to **Manual**.
5. Turn on **IPv4**.
6. Fill in the IP address, subnet mask, gateway, and preferred DNS that plant IT gave you.
7. Click **Save**.

### 2.3 Rename the computer

Each HMI should follow the naming convention **PLA-HMI-01** through **PLA-HMI-10**. Verify with your IT department on naming conventions for your company.

1. Open **Settings** if it isn't still open.
2. Click **System** at the top, then **About**.
3. Click **Rename this PC**.
4. Enter the name (example: `PLA-HMI-03`).
5. When prompted, click **Restart later**. Don't restart yet, we still have more to do before reboot.

### 2.4 Test that you can reach the FactoryTalk server

Before running the setup script, confirm the HMI can actually see the FactoryTalk server. If it can't, the script will apply successfully but the operator will see an RDP connection error instead of FactoryTalk.

1. Right-click the **Start** button, click **Terminal (Admin)**. Click Yes at the UAC prompt.
2. A blue PowerShell window will open. Type this command to ping the FactoryTalk server. Replace the server name with your actual server name:

    ```powershell title="Ping the FactoryTalk server"
    ping pla-ft01.plant.local
    ```

3. You should see replies. If you see "Ping request could not find host" or "Request timed out", stop and contact plant IT before continuing. The network isn't ready.

Close the PowerShell window for now.
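The whole of Part 2 as one elevated PowerShell script, added here as a worked example; it is not part of the hmi-baseline project. The adapter name `Ethernet` and the 10.10.20.x addresses are constructed placeholders, and `PLA-HMI-03` and `pla-ft01.plant.local` are the guide's own example names; replace all of them with what plant IT gave you. It also goes one step further than the ping in 2.4 by testing TCP port 3389, the port the RDP session actually uses: ICMP can be filtered while RDP works, and a server that answers ping with Remote Desktop disabled would still fail for the operator.

```powershell title="Part 2 in PowerShell: static IP, hostname, and an RDP reachability check"
# Added example (not from the hmi-baseline project). Run in an elevated window.
# Every value below is a placeholder; plant IT supplies the real ones.
$AdapterName = 'Ethernet'              # confirm with: Get-NetAdapter
$IPAddress   = '10.10.20.13'           # constructed example address
$Prefix      = 24                      # 255.255.255.0
$Gateway     = '10.10.20.1'            # constructed
$Dns         = '10.10.20.2'            # constructed
$NewName     = 'PLA-HMI-03'            # guide's naming convention
$FtServer    = 'pla-ft01.plant.local'  # guide's example server name

$nic = Get-NetAdapter -Name $AdapterName -ErrorAction Stop

# 2.2: drop DHCP and any stale static config, then apply the assigned address.
Set-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress $IPAddress `
    -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $Dns

# 2.3: rename without restarting; the new name applies on the reboot Part 4 triggers.
if ($env:COMPUTERNAME -ne $NewName) {
    Rename-Computer -NewName $NewName -Force
}

# 2.4: name resolution first, then the RDP port itself rather than ICMP.
function Test-HmiServerReachable {
    param([string]$Server, [int]$Port = 3389)
    $resolved = [bool](Resolve-DnsName -Name $Server -ErrorAction SilentlyContinue)
    $open = $false
    if ($resolved) {
        $open = (Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]@{ Server = $Server; Port = $Port; Resolves = $resolved; PortOpen = $open }
}

$reach = Test-HmiServerReachable -Server $FtServer
$reach | Format-List
if (-not $reach.PortOpen) {
    Write-Warning "Stop and contact plant IT: $($reach.Server) is not reachable on TCP $($reach.Port)."
}
```

A `Resolves = False` result points at DNS (wrong server name in `plant.psd1` or the wrong DNS server), while `Resolves = True` with `PortOpen = False` points at routing, a firewall, or Remote Desktop not being enabled on the server. Ping alone cannot tell those apart.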

## Part 3: Copy the HMI Baseline project to the machine

The setup script lives in the project folder. You need to copy it onto the HMI's internal disk.

1. Plug in the USB stick (or connect to the shared drive) that has the `hmi-baseline` folder.
2. Open **File Explorer** (Windows key + E).
3. Navigate to the drive and find the `hmi-baseline` folder.
4. Copy the entire folder.
5. Navigate to `C:\` in File Explorer.
6. Create a new folder called `HMI` (so you have `C:\HMI`).
7. Paste the `hmi-baseline` folder inside `C:\HMI`.  
   When you're done, this path should exist: `C:\HMI\hmi-baseline\Scripts\Apply-Baseline.ps1`
8. Verify two things are present inside the project folder:
   - `Scripts\Common\LGPO.exe`, Microsoft's LGPO tool (a small executable).
   - `LGPO\Baseline\DomainSysvol\`, the exported Group Policy backup. It should contain the policy files (`registry.pol` and the folders around it), not just an empty directory.

   If either is missing, go back to the project folder you cloned. The script will fail without these.

You can safely eject the USB stick now.
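Step 8 above and the edition requirement from the top of the guide, rolled into one preflight check. This is an added example, not part of the hmi-baseline project. It assumes the folder was copied to `C:\HMI\hmi-baseline` and that the `LGPO.exe` in the kit is the Microsoft-signed one from the Security Compliance Toolkit; a copy whose Authenticode signature is missing or broken is the wrong binary or a tampered one, and is worth a question before you run anything from it.

```powershell title="Preflight: confirm the kit and the OS before running Apply-Baseline"
# Added example, not part of the hmi-baseline project. Run elevated after Part 3.
$Root    = 'C:\HMI\hmi-baseline'
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail = '') {
    $script:results.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
}

# 1. Files the script refuses to run without, plus the rest of the kit layout.
$lgpo = Join-Path $Root 'Scripts\Common\LGPO.exe'
Add-Check 'LGPO.exe present' (Test-Path -Path $lgpo -PathType Leaf) $lgpo

$sysvol   = Join-Path $Root 'LGPO\Baseline\DomainSysvol'
$polFiles = @(Get-ChildItem -Path $sysvol -Recurse -Filter 'registry.pol' -ErrorAction SilentlyContinue)
Add-Check 'LGPO baseline populated' ($polFiles.Count -gt 0) "$($polFiles.Count) registry.pol file(s) under $sysvol"

$kit = 'Scripts\Apply-Baseline.ps1', 'Scripts\Update-Baseline.ps1', 'Scripts\Common\HMIBaseline.psm1',
       'ShellLauncher\ShellLauncher.template.xml', 'RDP\FactoryTalk.template.rdp',
       'AppLocker\AppLockerPolicy.xml', 'Plants\PlantA\plant.psd1'
foreach ($rel in $kit) {
    Add-Check "kit file $rel" (Test-Path -Path (Join-Path $Root $rel) -PathType Leaf)
}

# 2. LGPO.exe from Microsoft carries a valid Authenticode signature. Any other
#    status means a tampered copy or the wrong binary; ask before proceeding.
if (Test-Path -Path $lgpo) {
    $sig = Get-AuthenticodeSignature -FilePath $lgpo
    $signedByMs = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
    Add-Check 'LGPO.exe signed by Microsoft' $signedByMs "$($sig.Status)"
}

# 3. Edition gate: Shell Launcher and AppLocker need Enterprise or IoT Enterprise.
#    Get-WindowsEdition reports e.g. IoTEnterpriseS for IoT Enterprise LTSC.
$edition = (Get-WindowsEdition -Online).Edition
Add-Check 'Edition supports Shell Launcher' ($edition -match '^(IoT)?Enterprise') $edition

# 4. Shell Launcher feature state. Disabled is not a failure here: Apply-Baseline
#    installs it and stages the config for the post-reboot apply.
$feat = Get-WindowsOptionalFeature -Online -FeatureName 'Client-EmbeddedShellLauncher'
Add-Check 'Shell Launcher feature present' ($null -ne $feat) "state: $($feat.State)"

$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Ok }).Count -gt 0) {
    Write-Warning 'Fix the failed checks before running Apply-Baseline.ps1.'
}
```

The edition check covers the "Windows edition does not support Shell Launcher" error from the troubleshooting section before you have invested the time in running the script; the signature check is the one thing the script itself does not do for you.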

## Part 4: Run the setup script

This is the step that actually configures everything: creates the accounts, locks the machine down, sets auto-logon, and reboots.

### 4.1 Open PowerShell as Administrator

1. Press the **Windows key**.
2. Type `powershell`.
3. In the search results, you'll see **Windows PowerShell** with an option on the right that says **Run as administrator**. Click **Run as administrator**.
4. Click **Yes** on the UAC prompt.

You'll get a blue window with a prompt like `PS C:\Windows\system32>`. This is where the next commands go.

### 4.2 Allow the script to run

Windows client editions ship with the `Restricted` execution policy, which refuses to run `.ps1` files at all. The command below relaxes that for this PowerShell window only (`-Scope Process`); it reverts as soon as you close the window and changes nothing machine-wide. Execution policy is a safety catch against running scripts by accident, not a security boundary, so keep the scope this narrow rather than changing it for the whole machine. Type the following command, then press Enter:

```powershell title="Allow scripts to run in this PowerShell session"
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
```

Nothing visible will happen. That's fine, it worked.

### 4.3 Change into the project's Scripts folder

Type this command, then press Enter. This moves PowerShell's "current location" to where the script lives:

```powershell title="Change into the project's Scripts folder"
cd C:\HMI\hmi-baseline\Scripts
```

The prompt should now look like `PS C:\HMI\hmi-baseline\Scripts>`.

### 4.4 Run the setup script

Type this command and press Enter:

```powershell title="Run the setup script"
.\Apply-Baseline.ps1 -PlantCode PLA
```

The leading `.\` is required; it tells PowerShell "run the script in the current folder."

### 4.5 Enter the three passwords

The script will immediately prompt you three times, once for each password. You'll see prompts like:

```text title="Password for HMIAdmin"
Password for HMIAdmin:
```

For each one:

1. Type the password. Characters will not appear on screen as you type. That's normal, keep typing.
2. Press Enter.

The three passwords, in order, are:

1. **HMIAdmin** — the hidden admin account for maintenance.
2. **HMIOperator** — the account that auto-logs in.
3. **FactoryTalk user** — the credentials used inside Remote Desktop to sign into FactoryTalk.

### 4.6 Watch the script run

After the third password, the script runs through 8 steps. It prints colored output as it goes:

- **White text** = progress info, ignore.
- **Green text** = a step finished successfully.
- **Yellow text** = a warning, usually safe to ignore, the script will say so.
- **Red text** = something failed. Stop and read it. See the Troubleshooting section below.

The script ends with a big success banner that looks like:

```text title="Success banner"
===================================================================
  Baseline apply complete for PlantA (PLA)
===================================================================
Rebooting in 10 seconds. Ctrl+C to cancel.
```

**Don't press Ctrl+C.** Let it reboot. The reboot is required for the lockdown to take effect.

## Part 5: Verify the HMI works

After the reboot (allow a couple of minutes for this first one; later boots are closer to the 30 seconds quoted at the start), you should see:

1. The Windows boot logo.
2. A brief login screen flash (it auto-logs in as HMIOperator).
3. A black screen for a few seconds.
4. A Remote Desktop window filling the screen, connecting to FactoryTalk.
5. The FactoryTalk login screen or HMI runtime, depending on how FactoryTalk is configured on the server.

### What "working correctly" looks like

- **No Start menu.** Pressing the Windows key does nothing.
- **No taskbar.** The screen is just the RDP window, full screen.
- **Closing the RDP window doesn't work.** If you try, it comes right back. That's Shell Launcher restarting the shell, which is correct.
- **Ctrl+Alt+Del still works.** It brings up the secure desktop with lock, sign out, and Task Manager. Operators shouldn't need it, but it's there for emergencies, and it is also how you get back in as HMIAdmin (below). Be aware that Task Manager's **Run new task** is the classic way off a kiosk screen: the AppLocker policy, not Shell Launcher, is what stops HMIOperator from launching anything other than what the policy allows from there, so test that on the first unit rather than assuming it.

### What "not working" looks like

- **You land on a normal Windows desktop instead of RDP.** Auto-logon probably grabbed the HMIAdmin account by mistake, or Shell Launcher didn't enable. Jump to the troubleshooting section.
- **A big Remote Desktop error about the server.** The FactoryTalk server name in the plant config is wrong, or the network isn't reaching it.
- **RDP prompts for credentials.** The credential store step failed. See troubleshooting.

### How to get back in as admin

Once an HMI is locked down, there's no obvious way to log in as an admin. Here's how:

1. On the locked-down HMI, press **Ctrl + Alt + Del**.
2. Click **Sign out**.
3. On the sign-in screen that appears, click **Other user** (bottom-left).
4. Sign in as `HMIAdmin` with the admin password.

HMIAdmin gets a normal Windows desktop and can do anything. When you're done, sign out and the HMI will go back to auto-logging-in as the operator.
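The checks behind "what working correctly looks like", as an elevated PowerShell script to run as HMIAdmin. This is an added example, not part of the hmi-baseline project, and it assumes two things about how the baseline was applied: that Shell Launcher was configured through the `WESL_UserSetting` WMI provider (the documented way to set it) and that auto-logon was set under the `Winlogon` registry key. The AppLocker decisions it expects (`mstsc` allowed; `cmd`, PowerShell, Explorer and `regedit` denied for HMIOperator) are the goals stated at the top of the guide, not a description of the project's `AppLockerPolicy.xml`; if the policy differs, adjust the table. The plaintext-password check matters most: a `DefaultPassword` value under `Winlogon` is readable by every local user, whereas the LSA secret (what Sysinternals Autologon writes) is not.

```powershell title="Post-deployment checks, run as HMIAdmin in an elevated PowerShell"
# Added example, not part of the hmi-baseline project. Assumptions: Shell Launcher
# configured via WESL_UserSetting, autologon via the Winlogon registry key.
$Operator = 'HMIOperator'
$Admin    = 'HMIAdmin'
$Ns       = 'root\standardcimv2\embedded'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$results  = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail = '') {
    $script:results.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
}

# 1. Shell Launcher: enabled, the operator's shell is Remote Desktop, and the
#    "restart the shell" action (0) is what brings mstsc back when it is closed.
$opSid   = (Get-LocalUser -Name $Operator).SID.Value
$enabled = (Invoke-CimMethod -Namespace $Ns -ClassName WESL_UserSetting -MethodName IsEnabled).Enabled
Add-Check 'Shell Launcher enabled' ($enabled -eq $true)
$setting = Get-CimInstance -Namespace $Ns -ClassName WESL_UserSetting | Where-Object { $_.Sid -eq $opSid }
Add-Check 'Operator shell is mstsc' ([string]$setting.Shell -match 'mstsc') "$($setting.Shell)"
Add-Check 'Shell restarts on exit' ($setting.DefaultAction -eq 0) "DefaultAction=$($setting.DefaultAction)"

# 2. Autologon targets the operator, and the password is not sitting in the
#    registry in plaintext (that key is readable by any local user).
$wl = Get-ItemProperty -Path $Winlogon
Add-Check 'Autologon enabled' ($wl.AutoAdminLogon -eq '1')
Add-Check 'Autologon user is operator' ($wl.DefaultUserName -eq $Operator) "$($wl.DefaultUserName)"
Add-Check 'No plaintext DefaultPassword' ($null -eq $wl.DefaultPassword) 'expect the LSA secret instead'

# 3. AppLocker: service up, and the effective policy gives the expected answers
#    for the operator. 'Denied*' covers both Denied and DeniedByDefault.
$svc = Get-Service -Name AppIDSvc
Add-Check 'AppIDSvc running' ($svc.Status -eq 'Running') "$($svc.Status), start type $($svc.StartType)"
$policy = Get-AppLockerPolicy -Effective
$expect = [ordered]@{
    "$env:SystemRoot\System32\mstsc.exe"                             = 'Allowed'
    "$env:SystemRoot\System32\cmd.exe"                               = 'Denied'
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" = 'Denied'
    "$env:SystemRoot\explorer.exe"                                   = 'Denied'
    "$env:SystemRoot\regedit.exe"                                    = 'Denied'
}
foreach ($exe in $expect.Keys) {
    $decision = (Test-AppLockerPolicy -PolicyObject $policy -Path $exe -User $opSid).PolicyDecision
    Add-Check "AppLocker: $(Split-Path $exe -Leaf) for $Operator" ("$decision" -like "$($expect[$exe])*") "$decision"
}

# 4. Accounts: operator is a plain user, HMIAdmin is an administrator hidden from
#    the sign-in screen, and the temporary OOBE 'setup' account is gone.
$admins = @((Get-LocalGroupMember -Group Administrators).Name -replace '^.*\\')
Add-Check 'Operator not an administrator' ($admins -notcontains $Operator) ($admins -join ', ')
Add-Check 'HMIAdmin is an administrator' ($admins -contains $Admin)
$hidden = Get-ItemProperty -Path "$Winlogon\SpecialAccounts\UserList" -ErrorAction SilentlyContinue
Add-Check 'HMIAdmin hidden from sign-in screen' ($hidden.$Admin -eq 0)
Add-Check "OOBE 'setup' account removed" ($null -eq (Get-LocalUser -Name 'setup' -ErrorAction SilentlyContinue))

$results | Format-Table -AutoSize
```

Run it once on the first unit you build and keep the output with the build record; after that, a failed row on a later unit tells you which troubleshooting entry below applies (Shell Launcher rows point at the scheduled task, the AppIDSvc row at the service, the account rows at a partial run of the script).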

## Troubleshooting

### The script errored out with "LGPO.exe not found"

The project kit is incomplete. Check that `C:\HMI\hmi-baseline\Scripts\Common\LGPO.exe` exists.

### The script errored out with "LGPO baseline not populated"

Same deal, the kit is incomplete. Check that `C:\HMI\Hmi-baseline\LGPO\Baseline\DomainSysvol\` has files inside it.

### The script errored out with "Windows edition does not support Shell Launcher"

This shouldn't happen since OnLogic ships the CL260 with Windows 11 IoT Enterprise LTSC, which does support Shell Launcher. If you do see this error, the OS may have been replaced at some point. Do not try to reinstall Windows yourself, OnLogic's factory license and activation state need to be preserved.

### The script says "Shell Launcher feature just installed. Staging config for post-reboot apply"

This is not an error. It means Shell Launcher needed Windows to reboot before it could be configured. The script staged everything to finish automatically on the next boot. Just let it reboot, then verify per Part 5.

### After reboot, the machine lands on a normal desktop, not RDP

Sign in as HMIAdmin and check the log file at `C:\HMI\Logs\baseline-*.log`. Look for lines tagged `[Error]`. Most common causes:

- **AppIDSvc service didn't start.** This is the Application Identity service that AppLocker depends on; without it running, no AppLocker rule is enforced. To fix, open PowerShell as admin and run:

  ```powershell title="Start the AppIDSvc service"
  Set-Service -Name AppIDSvc -StartupType Automatic
  Start-Service AppIDSvc
  ```

  On Windows 10 and 11 the Application Identity service runs as a protected process, so `Set-Service` can fail with "Access is denied" when changing its startup type. If it does, set it through the service controller instead with `sc.exe config appidsvc start= auto` (the space after `start=` is required), then run `Start-Service AppIDSvc`. Then reboot.
- **Shell Launcher scheduled task didn't run.** Open Task Scheduler, find the task named `HMI-Apply-ShellLauncher`, right-click and run it manually. Then reboot.

### RDP prompts for username and password instead of logging in silently

The Credential Manager step didn't apply correctly. Saved Remote Desktop credentials live in the per-user Windows vault, so they only show up when listed as HMIOperator, and the entry mstsc looks for has the form `TERMSRV/<server name>`. If you have a PowerShell or Command Prompt window as HMIOperator (for example on a unit that is not yet locked down), run:

```powershell title="List stored credentials"
cmdkey /list
```

You should see a `TERMSRV/` entry for the FactoryTalk server. If you don't, the credential wasn't stored. On a locked-down unit there is no operator shell to run this from, so the practical fix is to sign in as HMIAdmin and re-run the baseline with `Update-Baseline.ps1` (see next section).

### How to re-run the setup if something went wrong

You don't need to wipe the machine. Sign in as HMIAdmin, open PowerShell as admin, and run:

```powershell title="Re-run the baseline script to fix issues"
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
cd C:\HMI\hmi-baseline\Scripts
.\Update-Baseline.ps1 -PlantCode PLA -Reboot
```

This re-applies all the policies but skips creating the accounts (they already exist). The `-Reboot` switch restarts the machine when it finishes; as in Part 4, the reboot is what makes the lockdown take effect.

### "My mouse is trapped inside the RDP window"

That's on purpose. The session runs full screen and, with Shell Launcher, there is no local desktop underneath it, so there is nowhere else for the mouse to go. **Ctrl + Alt + Home** shows the Remote Desktop connection bar and **Ctrl + Alt + Pause** (Break) toggles full-screen mode. These are useful in an emergency, but operators don't need them, and leaving full screen on a locked-down unit only exposes the bare mstsc window, not a desktop.

## If you get really stuck

Do not try to "fix" things by editing files in the `C:\HMI\hmi-baseline\` folder or installing random software. The point of this tooling is that every HMI ends up identical. If one machine is different, it becomes a problem to troubleshoot later.

## Appendix: What if a machine needs to be wiped and started over?

If an HMI gets into a bad state and you want to start completely clean, **do not install Windows from a generic Microsoft install USB.** OnLogic ships the CL260 with a specific activated copy of Windows 11 IoT Enterprise LTSC tied to that hardware. If you overwrite it, you lose the activation and the correct OEM drivers.

Instead, OnLogic provides a **recovery process** for resetting the machine back to its factory state:

1. Contact OnLogic support (or check the documentation that came with the unit) to get the recovery media or instructions for your specific CL260 serial number.
2. Follow their process to reset Windows to the factory image.
3. Once Windows is back to its factory state, start this guide from Part 1.

For day-to-day issues, you rarely need a full wipe. If the baseline script partially applied and things are broken, the `Update-Baseline.ps1` script (covered in the troubleshooting section) is almost always enough to straighten things out without wiping.

## A note on Windows Updates

With **LTSC**, the HMI only ever receives the monthly cumulative security updates. Microsoft does not push the yearly feature upgrades (like 23H2 to 24H2) to LTSC, so you won't get surprise upgrades that break Shell Launcher or AppLocker.

Security patches are fine and expected, so let them run. One caveat: the HMI VLAN is isolated with no internet access, so updates only arrive if plant IT provides a path for them (a WSUS server or another internal update source). If there is no such path, the HMI stays at whatever patch level it left the factory with; know which it is, rather than assuming it is being patched.

If an HMI starts misbehaving after a reboot, a recent Windows update is still worth checking. Open **Settings → Windows Update → Update history** and see what installed recently. If you suspect an update broke something, go back through the steps before uninstalling anything.