HMI Thin Client Setup Guide

This is a step-by-step guide for setting up new HMI thin clients for your plant. This guide assumes you are comfortable working with Windows but have never done any deployment work before. Every term you need to know is explained the first time it shows up.

Approximate time per machine: 20 to 30 minutes.

Source code for the setup scripts is available on GitHub.

Hardware: OnLogic CL260 fanless industrial edge gateway with Windows 11 IoT Enterprise LTSC 2024 pre-installed and activated at the factory.

By the end of this guide, your HMI thin client will:

  • Boot directly into a full-screen Remote Desktop session pointing at your HMI server.
  • Auto-login so no operator ever sees a Windows desktop or has to type a password.
  • Be locked down so operators cannot launch other programs, open File Explorer, or change settings.
  • Have a hidden admin account you (or the admin) can use for future maintenance.

The operator’s experience is: turn it on, wait about 30 seconds, start using FactoryTalk. That’s it.


Clone the repository:

Get the project files
git clone https://github.com/jakeashcraft/hmi-baseline.git

You’ll need to get the files onto the machine to run the setup script, so copy the whole hmi-baseline folder onto a USB stick or shared network drive that the machine can access.

  • hmi-baseline/
    • LGPO/
      • Baseline/ # Exported GPO backup (commit the folder contents)
    • ShellLauncher/
      • ShellLauncher.template.xml
    • RDP/
      • FactoryTalk.template.rdp
    • AppLocker/
      • AppLockerPolicy.xml
    • Plants/
      • _Template/ # Copy this folder when onboarding a new plant
      • PlantA/
        • plant.psd1
    • Scripts/
      • Common/
        • HMIBaseline.psm1 # Reusable functions
      • Apply-Baseline.ps1 # Run during imaging
      • Update-Baseline.ps1 # Push changes to running machines
    • .gitignore
    • README.md

  1. The OnLogic CL260 thin client.
    Comes pre-loaded with Windows 11 IoT Enterprise LTSC 2024 from the factory, already activated. No install USB or product key needed. The box should include the unit itself, a 24V power adapter, and a USB-C to HDMI adapter (the CL260 doesn’t have a standard HDMI port on its own, so you use this adapter to plug in a monitor).

  2. The HMI Baseline project folder.
    A folder called hmi-baseline. This contains all the scripts and configuration that lock the machine down. Inside it there should be a file called LGPO.exe and a folder called LGPO\Baseline\ with files in it. If either of those is missing, the script will error out and tell you, but it is better to check first.

  3. Three passwords, provided separately (not written down in this guide):

    • HMIAdmin password (the hidden maintenance account)
    • HMIOperator password (the auto-login account)
    • FactoryTalk user password (the credentials used to connect to FactoryTalk)
  4. The FactoryTalk server details. These should already be filled into the plant config file at Plants\PlantA\plant.psd1. You shouldn’t need to edit anything. If the server name is wrong, contact your IT or Automation lead to find out what it is.

  5. Network info for the HMI: IP address, subnet mask, gateway, DNS server. Plant IT should provide these before you start. Every HMI needs its own unique IP.

  6. A monitor, USB keyboard, and USB mouse for the initial setup. Once the HMI is deployed and mounted, these can be disconnected; the operator then interacts entirely through FactoryTalk on a different screen. You only need them for this setup process.

  7. A USB stick or shared network drive to transfer the hmi-baseline folder onto the HMI. The setup script needs to run from the local disk, so you have to copy the whole project folder onto the machine before running it.

A glossary so the rest of this guide makes sense

  • OOBE (Out-Of-Box Experience): The blue Windows screens you see the very first time a new Windows PC boots. It asks about language, region, Wi-Fi, creates a user account, etc.
  • Workgroup: A Windows networking mode for computers that are NOT joined to a corporate domain. Our HMIs are workgroup machines because they live on an isolated plant network with no domain controller.
  • PowerShell: A command-line shell that comes built into Windows. Like Command Prompt but more powerful. Every command in this guide goes into PowerShell, not Command Prompt.
  • Elevated / Run as Administrator: Running a program with admin rights. Required for almost everything in this guide.
  • Shell Launcher: A Windows feature that replaces the normal desktop with a single program of our choice. For HMI operators, that program is Remote Desktop pointed at FactoryTalk.
  • LGPO / Group Policy: A way to configure hundreds of Windows settings at once. “LGPO.exe” is a free Microsoft tool for applying these settings to a computer that isn’t on a domain.
  • AppLocker: A Windows feature that controls which programs each user is allowed to run.
  • Auto-logon: A Windows setting that makes the computer log in as a specific user automatically at boot, without typing a password.

Part 1: Unbox the CL260 and run first-boot setup

Since OnLogic ships the CL260 with Windows pre-installed and activated, you skip the entire Windows installation process. You just need to unbox it, connect a monitor and keyboard, and walk through the one-time setup screens.

  1. Open the OnLogic box. You should have the CL260 unit, a 24V power adapter, and a USB-C to HDMI adapter.
  2. Plug the USB-C to HDMI adapter into the USB-C port on the front of the CL260.
  3. Plug an HDMI cable from your monitor into that adapter.
  4. Plug a USB keyboard and USB mouse into any of the USB-A ports on the CL260.
  5. Plug the ethernet cable into the ethernet port on the back, but leave the other end unplugged or connected only to the HMI VLAN. Do not plug into a general network with internet access yet. We want the Windows setup to run without seeing the internet so it can’t try to force a Microsoft account.
  6. Plug the power adapter into the CL260 and into a wall outlet. The CL260 does not have a power button on the front; it will start automatically when power is applied. If it doesn’t, check the back of the unit for a small power button.

1.2 Get through the first-boot setup screens

The first time the CL260 powers on, Windows runs its one-time setup wizard (the “Out-Of-Box Experience” or OOBE). This is where you tell it your region, create a user account, and set privacy preferences.

LTSC is generally less pushy about Microsoft accounts than regular Windows 11, but some builds still try to require one. The instructions below handle either case. We want a local account only — the HMI should never be signed into a Microsoft account.

  1. Pick your country or region (United States) and click Yes.

  2. Pick your keyboard layout (US) and click Yes. Skip adding a second keyboard.

  3. It will try to connect to a network. On most LTSC installs, you’ll see an option like “I don’t have internet” or “Continue with limited setup” directly on this screen — click that and skip to step 4.

    If no such option is visible, or the installer tries to force you to connect, use this bypass:

    • Press Shift + F10 on the keyboard. A black Command Prompt window will pop up.
    • Type this command exactly, then press Enter:
      Bypass the network requirement
      start ms-cxh:localonly
    • A new window will open that lets you create a local account directly. Follow the prompts to pick a username and password, then skip to step 7.

    Note: If start ms-cxh:localonly doesn’t work, try oobe\bypassnro instead — the PC reboots and the network screen will then show the “I don’t have internet” option.

  4. For the username, enter setup (we’ll delete this account later).

  5. Pick any password you’ll remember for the next hour. Write it down.

  6. Pick three security questions. Pick anything, honestly, we’re deleting this account.

  7. Privacy settings: turn every slider OFF. Location, diagnostic data, advertising ID, all of it. Click Accept.

  8. If you see “Let’s customize your experience” prompts, click Skip. On most LTSC builds, you won’t see this screen at all.

  9. If you see OneDrive setup, skip it. LTSC does not include OneDrive by default, so you probably won’t see this screen.

  10. Wait while Windows finishes setting up. You’ll land on the desktop eventually. The desktop will look noticeably cleaner than regular Windows 11: no Edge icon, no Microsoft Store, no widgets. That’s normal for LTSC.

Now we give the machine its permanent IP address on the HMI VLAN.

Plug the ethernet cable into the HMI VLAN switch port. The network icon in the taskbar may show “no internet” — that’s expected, the HMI VLAN is isolated.

Plant IT gave you an IP address, subnet mask, gateway, and DNS server. Apply them now.

  1. Right-click the Start button, click Settings.
  2. Go to Network & internet, then click Ethernet.
  3. Next to IP assignment, click Edit.
  4. Change the dropdown from Automatic (DHCP) to Manual.
  5. Turn on IPv4.
  6. Fill in the IP address, subnet mask, gateway, and preferred DNS that plant IT gave you.
  7. Click Save.

Each HMI should follow the naming convention PLA-HMI-01 through PLA-HMI-10. Verify the naming convention for your company with your IT department.

  1. Open Settings if it isn’t still open.
  2. Click System at the top, then About.
  3. Click Rename this PC.
  4. Enter the name (example: PLA-HMI-03).
  5. When prompted, click Restart later. Don’t restart yet; we still have more to do before the reboot.

2.4 Test that you can reach the FactoryTalk server

Before running the setup script, confirm the HMI can actually see the FactoryTalk server. If it can’t, the script will apply successfully but the operator will see an RDP connection error instead of FactoryTalk.

  1. Right-click the Start button, click Terminal (Admin). Click Yes at the UAC prompt.

  2. A blue PowerShell window will open. Type this command to ping the FactoryTalk server. Replace the server name with your actual server name:

    Ping the FactoryTalk server
    ping pla-ft01.plant.local
  3. You should see replies. If you see “Ping request could not find host” or “Request timed out”, stop and contact plant IT before continuing. The network isn’t ready.

Close the PowerShell window for now.

Part 3: Copy the HMI Baseline project to the machine

The setup script lives in the project folder. You need to copy it onto the HMI’s internal disk.

  1. Plug in the USB stick (or connect to the shared drive) that has the Hmi-baseline folder.

  2. Open File Explorer (Windows key + E).

  3. Navigate to the drive and find the Hmi-baseline folder.

  4. Copy the entire folder.

  5. Navigate to C:\ in File Explorer.

  6. Create a new folder called HMI (so you have C:\HMI).

  7. Paste the Hmi-baseline folder inside C:\HMI.
    When you’re done, this path should exist: C:\HMI\Hmi-baseline\Scripts\Apply-Baseline.ps1

  8. Verify two things are present inside the project folder:

    • Scripts\Common\LGPO.exe — a small executable file.
    • LGPO\Baseline\DomainSysvol\ — a folder with stuff in it.

    If either is missing, refer back to the project folder. The script will fail without these.
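
The reachability test from section 2.4 and the file checks in step 8 above can be run as one pre-flight script. This is an added example, not code from the hmi-baseline repository; it goes slightly beyond the guide by testing the RDP port instead of ICMP and by checking the Authenticode signature on LGPO.exe. Assumptions: the default RDP port 3389, the guide's example server name, and that the kit carries the signed LGPO.exe build Microsoft distributes.

```powershell
# Added example: pre-flight check, not part of the hmi-baseline repository.
# Paths are the ones used in this guide; adjust the values below to your plant.
$ProjectRoot = 'C:\HMI\Hmi-baseline'
$PlantFolder = 'PlantA'
$FtServer    = 'pla-ft01.plant.local'   # the guide's example server name
$RdpPort     = 3389                     # assumption: default RDP port

$checks = [ordered]@{}

# 1. Files the guide says must exist before Apply-Baseline.ps1 is run.
$apply  = Join-Path $ProjectRoot 'Scripts\Apply-Baseline.ps1'
$lgpo   = Join-Path $ProjectRoot 'Scripts\Common\LGPO.exe'
$sysvol = Join-Path $ProjectRoot 'LGPO\Baseline\DomainSysvol'
$plant  = Join-Path $ProjectRoot "Plants\$PlantFolder\plant.psd1"

$checks['Apply-Baseline.ps1 present'] = Test-Path -LiteralPath $apply -PathType Leaf
$checks['LGPO.exe present']           = Test-Path -LiteralPath $lgpo -PathType Leaf
$checks['GPO backup has files']       = (Test-Path -LiteralPath $sysvol) -and
    [bool](Get-ChildItem -LiteralPath $sysvol -Recurse -File | Select-Object -First 1)

# 2. plant.psd1 must parse as a PowerShell data file (no keys are assumed).
$checks['plant.psd1 parses'] = $false
try {
    $null = Import-PowerShellDataFile -LiteralPath $plant -ErrorAction Stop
    $checks['plant.psd1 parses'] = $true
} catch { Write-Warning "plant.psd1: $($_.Exception.Message)" }

# 3. The kit arrived on removable media, so confirm LGPO.exe still carries a
#    valid Authenticode signature and record its hash for the build log.
if ($checks['LGPO.exe present']) {
    $sig = Get-AuthenticodeSignature -FilePath $lgpo
    $checks['LGPO.exe signature valid'] = ($sig.Status -eq 'Valid')
    "LGPO.exe signer : $($sig.SignerCertificate.Subject)"
    "LGPO.exe SHA256 : $((Get-FileHash -LiteralPath $lgpo -Algorithm SHA256).Hash)"
}

# 4. A ping reply only proves ICMP; the kiosk needs the RDP listener itself.
$net = Test-NetConnection -ComputerName $FtServer -Port $RdpPort -WarningAction SilentlyContinue
$checks["TCP $RdpPort reachable on $FtServer"] = [bool]$net.TcpTestSucceeded

# Summary table, then a single warning if anything failed.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Result = if ($_.Value) { 'PASS' } else { 'FAIL' } }
} | Format-Table -AutoSize
if (@($checks.Values) -contains $false) {
    Write-Warning 'Fix the FAIL rows before running Apply-Baseline.ps1.'
}
```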

You can safely eject the USB stick now.

This is the step that actually configures everything: creates the accounts, locks the machine down, sets auto-logon, and reboots.

  1. Press the Windows key.
  2. Type powershell.
  3. In the search results, you’ll see Windows PowerShell with an option on the right that says Run as administrator. Click Run as administrator.
  4. Click Yes on the UAC prompt.

You’ll get a blue window with a prompt like PS C:\Windows\system32>. This is where the next commands go.

Windows blocks PowerShell scripts by default for security. We need to allow them for this session only. Type the following command, then press Enter:

Allow scripts to run in this PowerShell session
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

Nothing visible will happen. That’s fine, it worked.

4.3 Change into the project’s Scripts folder

Type this command, then press Enter. This moves PowerShell’s “current location” to where the script lives:

Change into the project's Scripts folder
cd C:\HMI\Hmi-baseline\Scripts

The prompt should now look like PS C:\HMI\Hmi-baseline\Scripts>.

Type this command and press Enter:

Run the setup script
.\Apply-Baseline.ps1 -PlantCode PLA

The leading .\ is required; it tells PowerShell “run the script in the current folder.”

The script will immediately prompt you three times, once for each password. You’ll see prompts like:

Password for HMIAdmin
Password for HMIAdmin:

For each one:

  1. Type the password. Characters will not appear on screen as you type. That’s normal, keep typing.
  2. Press Enter.

The three passwords, in order, are:

  1. HMIAdmin — the hidden admin account for maintenance.
  2. HMIOperator — the account that auto-logs in.
  3. FactoryTalk user — the credentials used inside Remote Desktop to sign into FactoryTalk.

After the third password, the script runs through 8 steps. It prints colored output as it goes:

  • White text = progress info, ignore.
  • Green text = a step finished successfully.
  • Yellow text = a warning, usually safe to ignore, the script will say so.
  • Red text = something failed. Stop and read it. See the Troubleshooting section below.

The script ends with a big success banner that looks like:

Success banner
===================================================================
Baseline apply complete for PlantA (PLA)
===================================================================
Rebooting in 10 seconds. Ctrl+C to cancel.

Don’t press Ctrl+C. Let it reboot. The reboot is required for the lockdown to take effect.

After the reboot, which takes about 2 minutes, you should see:

  1. The Windows boot logo.
  2. A brief login screen flash (it auto-logs in as HMIOperator).
  3. A black screen for a few seconds.
  4. A Remote Desktop window filling the screen, connecting to FactoryTalk.
  5. The FactoryTalk login screen or HMI runtime, depending on how FactoryTalk is configured on the server.

What you should see on a correctly locked-down HMI:

  • No Start menu. Pressing the Windows key does nothing.
  • No taskbar. The screen is just the RDP window, full screen.
  • Closing the RDP window doesn’t work. If you try, it comes right back. That’s Shell Launcher restarting the shell, which is correct.
  • Ctrl+Alt+Del still works. This gives an operator the option to lock, sign out, or see Task Manager. They shouldn’t need this, but it’s available for emergencies.

Signs that something went wrong:

  • You land on a normal Windows desktop instead of RDP. Auto-logon probably grabbed the HMIAdmin account by mistake, or Shell Launcher didn’t enable. Jump to the troubleshooting section.
  • A big Remote Desktop error about the server. The FactoryTalk server name in the plant config is wrong, or the network isn’t reaching it.
  • RDP prompts for credentials. The credential store step failed. See troubleshooting.

Once an HMI is locked down, there’s no obvious way to log in as an admin. Here’s how:

  1. On the locked-down HMI, press Ctrl + Alt + Del.
  2. Click Sign out.
  3. On the sign-in screen that appears, click Other user (bottom-left).
  4. Sign in as HMIAdmin with the admin password.

HMIAdmin gets a normal Windows desktop and can do anything. When you’re done, sign out and the HMI will go back to auto-logging-in as the operator.
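
Once signed in as HMIAdmin, the lockdown state described above can be audited from an elevated PowerShell instead of judged by eye. This is an added example, not code from the hmi-baseline repository; it assumes the account names used in this guide and the standard Windows locations for auto-logon, AppLocker and Shell Launcher state.

```powershell
# Added example: post-deployment audit, not part of the hmi-baseline repository.
# Run in an elevated PowerShell while signed in as HMIAdmin.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Accounts: both baseline accounts enabled, the temporary OOBE account gone,
#    and the auto-logon account without administrative rights.
$enabled = @(Get-LocalUser | Where-Object Enabled | ForEach-Object Name)
foreach ($name in 'HMIAdmin', 'HMIOperator') {
    if ($enabled -notcontains $name) { $findings.Add("Account missing or disabled: $name") }
}
if ($enabled -contains 'setup') { $findings.Add("Temporary 'setup' account is still enabled") }

# S-1-5-32-544 is the well-known SID of the local Administrators group.
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { ($_.Name -split '\\')[-1] })
if ($admins -contains 'HMIOperator') { $findings.Add('HMIOperator is a local administrator') }

# 2. Auto-logon must target the operator, never the admin account. A
#    DefaultPassword value under Winlogon is readable by standard users.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.AutoAdminLogon -ne '1' -or $wl.DefaultUserName -notlike '*HMIOperator') {
    $findings.Add("Auto-logon user is '$($wl.DefaultUserName)', expected HMIOperator")
}
if ($wl.PSObject.Properties['DefaultPassword']) {
    $findings.Add('Winlogon\DefaultPassword stores the operator password in clear text')
}

# 3. AppLocker only blocks anything while AppIDSvc runs and the Exe rule
#    collection is enforced rather than audit-only.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running' -or $svc.StartType -ne 'Automatic') {
    $findings.Add("AppIDSvc is $($svc.Status) / $($svc.StartType)")
}
$policy = [xml](Get-AppLockerPolicy -Effective -Xml)
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Exe'
if (-not $exe -or $exe.EnforcementMode -ne 'Enabled') {
    $findings.Add('AppLocker Exe rule collection is not in enforce mode')
}

# 4. Shell Launcher state, read from the WMI class Windows exposes for it.
try {
    $sl = Invoke-CimMethod -Namespace 'root\standardcimv2\embedded' `
        -ClassName WESL_UserSetting -MethodName IsEnabled -ErrorAction Stop
    if (-not $sl.Enabled) { $findings.Add('Shell Launcher is installed but not enabled') }
} catch {
    $findings.Add('Shell Launcher WMI class not found (feature not installed?)')
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } } else { 'All checks passed.' }
```

A DefaultPassword finding does not mean the deployment failed; it means the operator password can be read from the registry, so that account should hold no rights beyond launching the RDP session.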

The script errored out with “LGPO.exe not found”

The project kit is incomplete. Check that C:\HMI\Hmi-baseline\Scripts\Common\LGPO.exe exists.

The script errored out with “LGPO baseline not populated”

Same deal, the kit is incomplete. Check that C:\HMI\Hmi-baseline\LGPO\Baseline\DomainSysvol\ has files inside it.

The script errored out with “Windows edition does not support Shell Launcher”

This shouldn’t happen since OnLogic ships the CL260 with Windows 11 IoT Enterprise LTSC, which does support Shell Launcher. If you do see this error, the OS may have been replaced at some point. Do not try to reinstall Windows yourself; OnLogic’s factory license and activation state need to be preserved.

The script says “Shell Launcher feature just installed. Staging config for post-reboot apply”

This is not an error. It means Shell Launcher needed Windows to reboot before it could be configured. The script staged everything to finish automatically on the next boot. Just let it reboot, then verify per Part 5.

After reboot, the machine lands on a normal desktop, not RDP

Sign in as HMIAdmin and check the log file at C:\HMI\Logs\baseline-*.log. Look for any lines with [Error] in red. Most common causes:

  • AppIDSvc service didn’t start. This is the AppLocker helper service. To fix, open PowerShell as admin and run:

    Start the AppIDSvc service
    Set-Service -Name AppIDSvc -StartupType Automatic
    Start-Service AppIDSvc

    Then reboot.

  • Shell Launcher scheduled task didn’t run. Open Task Scheduler, find the task named HMI-Apply-ShellLauncher, right-click and run it manually. Then reboot.

RDP prompts for username and password instead of logging in silently

The Credential Manager step didn’t apply correctly. Sign in as HMIOperator. Open Command Prompt and run:

List stored credentials
cmdkey /list

You should see an entry for the FactoryTalk server. If you don’t, the credential wasn’t stored. Easiest fix: sign in as HMIAdmin and re-run the setup script with Update-Baseline.ps1 (see next section).

How to re-run the setup if something went wrong

You don’t need to wipe the machine. Sign in as HMIAdmin, open PowerShell as admin, and run:

Re-run the baseline script to fix issues
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
cd C:\HMI\Hmi-baseline\Scripts
.\Update-Baseline.ps1 -PlantCode PLA -Reboot

This re-applies all the policies but skips creating the accounts (they already exist).

“My mouse is trapped inside the RDP window”

That’s on purpose: Remote Desktop captures the mouse when it’s the only thing on screen. To release it, press Ctrl + Alt + Home (the default RDP hotkey for the connection bar), or Ctrl + Alt + Pause. These shortcuts can be used in an emergency, but operators don’t need them.

Do not try to “fix” things by editing files in the C:\HMI\hmi-baseline\ folder or installing random software. The point of this tooling is that every HMI ends up identical. If one machine is different, it becomes a problem to troubleshoot later.

Appendix: What if a machine needs to be wiped and started over?

If an HMI gets into a bad state and you want to start completely clean, do not install Windows from a generic Microsoft install USB. OnLogic ships the CL260 with a specific activated copy of Windows 11 IoT Enterprise LTSC tied to that hardware. If you overwrite it, you lose the activation and the correct OEM drivers.

Instead, OnLogic provides a recovery process for resetting the machine back to its factory state:

  1. Contact OnLogic support (or check the documentation that came with the unit) to get the recovery media or instructions for your specific CL260 serial number.
  2. Follow their process to reset Windows to the factory image.
  3. Once Windows is back to its factory state, start this guide from Part 1.

For day-to-day issues, you rarely need a full wipe. If the baseline script partially applied and things are broken, the Update-Baseline.ps1 script (covered in the troubleshooting section) is almost always enough to straighten things out without wiping.

When using LTSC, the HMI only ever receives monthly security patches. Microsoft does not push the big yearly version upgrades (like 23H2 to 24H2) to LTSC machines, so you won’t get surprise upgrades that break Shell Launcher or AppLocker.

Security patches still install on their normal monthly cycle, which is fine and expected, so you can just let them run.

If an HMI starts misbehaving after a reboot, a recent Windows update is still worth checking. Open Settings → Windows Update → Update history and see what installed recently. If you suspect an update broke something, go back through the steps before uninstalling anything.