Assigned access (Industry 8.1)

March 2, 2015

Review the suggested settings and interactions for using assigned access on your Windows Embedded 8.1 Industry (Industry 8.1) device.

Administrators can use assigned access to restrict a user account to access a single application. You can use assigned access to set up single-function devices, such as restaurant menus or displays at trade shows.

If an account is configured for assigned access, a Windows Store app of your choosing runs in full-screen mode for the chosen standard account. Users of that account cannot switch apps or get out of the app using gestures or the keyboard. Assigned access also disables system notifications that are not critical.

By default, a user can break out of assigned access by quickly pressing the Windows Logo key five times. If needed, you can configure a different key to break out of assigned access by setting BreakoutKeyScanCode as described in WEKF_Settings.

Suggested settings

For the most secure assigned access experience, we recommend that you configure the following settings:

  • Turn off the camera app as described in Camera.
  • Turn off accessibility options in the Ease of Access Center in Control Panel.
  • Hide the Ease of Access button on the Welcome screen as described in Welcome Screen.
  • Block and hide the power button on the Welcome screen as described in Power Button.

Interactions and interoperability

The following sections describe some features that have interoperability issues we recommend that you consider when running assigned access:

  • Accessibility
  • Windows 8 Application Launcher
  • Assigned access Windows PowerShell cmdlets
  • Dialog Filter
  • Embedded Lockdown Manager (ELM)
  • Gesture Filter
  • Keyboard Filter
  • Lockdown Baseline Tool
  • Power Button
  • Shell Launcher
  • Sysprep
  • Toast Notification Filter
  • USB Filter
  • Unified Write Filter (UWF)
  • WEDL_AssignedAccess class
  • Welcome Screen
  • Windows Camera

Accessibility

Assigned access does not change Ease of Access settings.

We recommend that you use Keyboard Filter to block the following key combinations that bring up accessibility features:

Key combination

Blocked behavior

Left Alt+Left Shift+Print Screen

Open High Contrast dialog box.

Left Alt+Left Shift+Num Lock

Open Mouse Keys dialog box.

Windows logo key+U

Open Ease of Access Center.

Windows 8 Application Launcher

In assigned access, a Windows Store app of your choosing runs in full-screen mode for the chosen standard account. When a user is not in assigned access, the Windows 8 Application Launcher settings apply.

Set DisallowRun to block users from opening apps from any links in the Windows Store app that you select for assigned access. For information about how to set DisallowRun, see HOW TO: Restrict Users from Running Specific Windows Programs in Windows 2000

Assigned access Windows PowerShell cmdlets

In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see Assigned access Windows PowerShell reference.

Dialog Filter

Dialog Filter settings apply to all users, including those with assigned access.

Embedded Lockdown Manager (ELM)

Assigned access has no effect on ELM.

Gesture Filter

For assigned access users, only the top and bottom edges, including the app bar, are active. Users cannot drag apps or swipe to switch or close apps, access charms, access the Welcome screen, or get out of the chosen app. Gesture filter settings that are set with GF_Config are be ignored for assigned access users.

Gesture Filter settings apply to other standard accounts.

Keyboard Filter

When in assigned access, the user cannot switch apps or get out of the app by using the keyboard. The following key combinations are blocked for assigned access users:

Key combination

Blocked behavior

Alt+Esc

Cycle through items in the reverse order from which they were opened.

Alt+F4

Close the application.

Alt+Shift+Tab

Switch tasks.

Alt+Spacebar

Open the shortcut menu for the active window.

Alt+Tab

Switch tasks.

BrowserHome

Open the default browser.

BrowserSearch

Open the Search charm.

Ctrl+Alt+Delete

Open the Windows Security screen.

Ctrl+Alt+Esc

Cycle through items in the reverse order from which they were opened.

Ctrl+Esc

Open the Start screen.

Ctrl+F4

Close the window.

Ctrl+Shift+Esc

Open Task Manager.

Ctrl+Tab

Switch windows.

LaunchApp1

Open the app that is assigned to this key.

LaunchApp2

Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator..

LaunchMail

Open the default mail client.

Windows logo key

Switch apps or open the Start screen.

Keyboard Filter settings apply to other standard accounts.

Lockdown Baseline Tool

Assigned access has no impact on this tool.

You can use Lockdown Baseline Tool (LBT) to capture assigned access settings from a reference device and then import into Configuration Manager and then deploy the settings to multiple devices. For information about how to use this tool, see Capture lockdown and branding features.

Power button

We recommend that you remove the power button from the Welcome screen and block the physical power button so that a user cannot turn off the device when it is in assigned access.

To remove the power button from the Welcome screen

  1. Sign in with an administrator account.

  2. At the start screen, type gpedit.msc and press enter to open the Local Group Policy Editor.

  3. In the Local Group Policy Editor, under Computer Configuration, expand Windows Settings > Security Settings > Local Policies, and then tap or click Security Options.

  4. Double-tap or click Shutdown: Allow system to be shut down without having to log on.

  5. In the Shutdown: Allow system to be shut down without … dialog box, select Disabled, and then tap or click OK.

To disable the physical power button

  1. In Control Panel, navigate to Hardware and Sound > Power Options.

  2. Select Choose what the power buttons do.

  3. Under When I press the power button, change On Battery and Plugged in to Do Nothing.

  4. Tap or click Save Changes.

Shell Launcher

Assigned access settings apply even if you use Shell Launcher to replace the default Windows 8.1 shell with a custom shell.

Sysprep

Assigned access settings do not persist after Sysprep. You will need to set them again after deployment.

Toast Notification Filter

In assigned access, system notifications are blocked. When a user is not in assigned access, notification settings apply.

USB Filter

UWF settings apply to all users, including those with assigned access.

Unified Write Filter (UWF)

UWF settings apply to all users, including those with assigned access.

WEDL_AssignedAccess class

Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead.

If you need to use assigned access API, see WEDL_AssignedAccess.

Welcome screen

To remove buttons from the Welcome screen, set the appropriate value for BrandingNeutral in the following registry key:

HKLM\Software\Microsoft\Windows Embedded\EmbeddedLogon

The following table shows the possible values. To disable multiple Welcome screen UI elements, combine these values using bitwise exclusive-or logic.

Action

Registry value

Disable all Welcome screen UI elements

static const DWORD EMBEDDED_DISABLE_LOGON_ANCHOR_ALL = 0x1

Disable the Power button

static const DWORD EMBEDDED_DISABLE_LOGON_ANCHOR_SHUTDOWN = 0x2

Disable the Language button

static const DWORD EMBEDDED_DISABLE_LOGON_ANCHOR_LANGUAGE = 0x4

Disable the Ease of Access button

static const DWORD EMBEDDED_DISABLE_LOGON_ANCHOR_EASEOFACCESS = 0x8

Disable the Switch user button.

static const DWORD EMBEDDED_DISABLE_BACK_BUTTON = 0x10

Disable the Blocked Shutdown Resolver (BSDR) screen so that restarting or shutting down the system causes the OS to immediately force close any open applications that are blocking system shut down. No UI is displayed, and users are not given a chance to cancel the shutdown process

static const DWORD EMBEDDED_DISABLE_BSDR= 0x20

You can remove the Wireless UI option from the Welcome screen by using Group Policy.

To remove Wireless UI from the Welcome screen

  1. From a command prompt, run gpedit.msc to open the Local Group Policy Editor.

  2. In the Local Group Policy Editor, under Computer Configuration, expand Administrative Templates, expand System, and then tap or click Logon.

  3. Double-tap or click Do not display network selection UI.

Windows Camera

When a user breaks out of assigned access or puts the device to sleep they can swipe down on the Welcome screen to start the Camera app. For this reason, we recommend that you manually turn off the Camera app when using assigned access.

To manually turn off the Camera app

  1. Swipe in from the right edge of the screen, and then tap Settings (or if you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Settings).

    Tap or click PC & Devices, and then tap or click Lock screen.

  2. Turn off the Camera app.

See Also

Concepts

Lockdown features
Deploy to a device
Deploy to multiple devices