9/16/2013
Microsoft
September 2013
Helps you use assigned access to set up a single-function device, restricting a user account to access a single Windows Store app:
- Understand how assigned access interacts with other features and settings.
- Configure assigned access.
- Turn off assigned access.
- Get the current configuration for assigned access.
Windows Embedded 8.1 Industry Pro
Windows Embedded 8.1 Industry Enterprise
Administrators can use assigned access to restrict a user account to access a single application. You can use assigned access to set up single-function devices, such as restaurant menus or displays at trade shows. If an account is configured for assigned access, a Windows Store app of your choosing runs in full-screen mode for the chosen standard account. Users of that account cannot switch apps or get out of the app using gestures or the keyboard. Assigned access also disables system notifications that are not critical.
By default, a user can break out of assigned access by quickly pressing the Windows Logo key five times.
For the most secure assigned access experience, we recommend that you configure the following settings:
- Turn off the Camera app as described in Windows Camera.
- Turn off accessibility options in the Ease of Access Center in Control Panel.
- Hide the Ease of Access button on the Welcome screen as described in Welcome screen.
- Block and hide the Power button on the Welcome screen as described in Power button.
The following sections describe features that have interoperability issues that we recommend you consider when running assigned access:
- Accessibility
- Application Launcher
- Assigned access Windows PowerShell cmdlets
- Dialog Filter
- Embedded Lockdown Manager (ELM)
- Gesture Filter
- Keyboard Filter
- Power button
- Shell Launcher
- Sysprep
- Toast Notification Filter
- USB Filter
- Unified Write Filter (UWF)
- WEDL_AssignedAccess class
- Welcome screen
- Windows Camera
Assigned access does not change Ease of Access settings.
We recommend that you use Keyboard Filter to block the following key combinations that bring up accessibility features:
Key combination | Blocked behavior |
---|---|
Left Alt+Left Shift+Print Screen | Open High Contrast dialog box. |
Left Alt+Left Shift+Num Lock | Open Mouse Keys dialog box. |
Windows logo key+U | Open Ease of Access Center. |
In assigned access, a Windows Store app of your choosing runs in full-screen mode for the chosen standard account. When a user is not in assigned access, the Windows 8 Application Launcher settings apply.
Set DisallowRun to block users from opening apps from any links in the Windows Store app that you select for assigned access. For information about how to set DisallowRun, see HOW TO: Restrict Users from Running Specific Windows Programs in Windows 2000.
In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access.
Dialog Filter settings apply to all user accounts, including those with assigned access.
Assigned access has no effect on ELM.
For assigned access accounts, only the top and bottom edges, including the app bar, are active. Users cannot drag apps or swipe to switch or close apps, access charms, access the Welcome screen, or get out of the chosen app. Gesture Filter settings that are set with GF_Config are ignored for assigned access users.
Gesture Filter settings apply to other standard accounts.
When in assigned access, the user cannot switch apps or get out of the app by using the keyboard. The following key combinations are blocked for assigned access accounts:
Key combination | Blocked behavior |
---|---|
Alt+Esc | Cycle through items in the reverse order from which they were opened. |
Alt+F4 | Close the application. |
Alt+Shift+Tab | Switch tasks. |
Alt+Spacebar | Open the shortcut menu for the active window. |
Alt+Tab | Switch tasks. |
BrowserHome | Open the default browser. |
BrowserSearch | Open the Search charm. |
Ctrl+Alt+Delete | Open the Windows Security screen. |
Ctrl+Alt+Esc | Cycle through items in the reverse order from which they were opened. |
Ctrl+Esc | Open the Start screen. |
Ctrl+F4 | Close the window. |
Ctrl+Shift+Esc | Open Task Manager. |
Ctrl+Tab | Switch windows. |
LaunchApp1 | Open the app that is assigned to this key. |
LaunchApp2 | Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator. |
LaunchMail | Open the default mail client. |
Windows logo key | Switch apps or open the Start screen. |
Keyboard Filter settings apply to other standard accounts.
We recommend that you remove the Power button from the Welcome screen and block the physical power button so that a user cannot turn off the device when assigned access is active.
Sign in with the account for assigned access.
At a command prompt, type gpedit.msc to open the Local Group Policy Editor.
In the Local Group Policy Editor, under User Configuration, expand Administrative Templates, and then tap or click Start Menu and Task Bar.
Double-tap or click Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands.
In the Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands dialog box, select Enabled, and then tap or click OK.
In Control Panel, go to Hardware and Sound > Power Options.
Select Choose what the power buttons do.
Under When I press the power button, change On Battery and Plugged in to Do Nothing.
Tap or click Save Changes.
Assigned access settings apply even if you use Shell Launcher to replace the default Windows 8.1 shell with a custom shell.
Assigned access settings do not persist after Sysprep. You will need to set them again after deployment.
In assigned access, system notifications are blocked for the selected user account. Normal notifications apply for all other user accounts.
UWF settings apply to all accounts, including those with assigned access.
UWF settings apply to all accounts, including those with assigned access.
Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead.
If you need to use the assigned access API, see WEDL_AssignedAccess in MSDN.
To remove buttons from the Welcome screen, set the appropriate value for BrandingNeutral in the following registry key:
HKLM\Software\Microsoft\Windows Embedded\EmbeddedLogon
The following table shows the possible values. To disable multiple Welcome screen UI elements, combine these values using bitwise exclusive-or logic.
Action | Registry value |
---|---|
Disable all Welcome screen UI elements | static const DWORD EMBEDDED_DISABLE_LOGON_ANCHOR_ALL = 0x1 |
Disable the Power button | static const DWORD EMBEDDED_DISABLE_LOGON_ANCHOR_SHUTDOWN = 0x2 |
Disable the Language button | static const DWORD EMBEDDED_DISABLE_LOGON_ANCHOR_LANGUAGE = 0x4 |
Disable the Ease of Access button | static const DWORD EMBEDDED_DISABLE_LOGON_ANCHOR_EASEOFACCESS = 0x8 |
Disable the Switch user button | static const DWORD EMBEDDED_DISABLE_BACK_BUTTON = 0x10 |
Disable the Blocked Shutdown Resolver (BSDR) screen so that restarting or shutting down the system causes the OS to immediately force close any open applications that are blocking system shut down. No UI is displayed, and users are not given a chance to cancel the shutdown process | static const DWORD EMBEDDED_DISABLE_BSDR = 0x20 |
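Composing and applying a BrandingNeutral value from the table above, as an added example that is not part of the original page or Microsoft's own code; the function names and the `$LogonAnchor` lookup table are hypothetical. Every value in the table is a distinct bit, so bitwise OR gives the same result as exclusive-or for a set of different flags and stays correct if a flag is named twice.

```powershell
# Added example; function and table names are illustrative, not a Microsoft API.
# Flag values are the ones listed in the table above.
$LogonAnchor = [ordered]@{
    All          = 0x01   # EMBEDDED_DISABLE_LOGON_ANCHOR_ALL
    Shutdown     = 0x02   # EMBEDDED_DISABLE_LOGON_ANCHOR_SHUTDOWN (Power button)
    Language     = 0x04   # EMBEDDED_DISABLE_LOGON_ANCHOR_LANGUAGE
    EaseOfAccess = 0x08   # EMBEDDED_DISABLE_LOGON_ANCHOR_EASEOFACCESS
    SwitchUser   = 0x10   # EMBEDDED_DISABLE_BACK_BUTTON
    Bsdr         = 0x20   # EMBEDDED_DISABLE_BSDR
}
$EmbeddedLogonKey = 'HKLM:\Software\Microsoft\Windows Embedded\EmbeddedLogon'

# Combine the named flags into one DWORD; rejects names that are not in the table.
function Get-BrandingNeutralValue {
    param([Parameter(Mandatory = $true)][string[]]$Disable)
    $value = 0
    foreach ($name in $Disable) {
        if (-not $LogonAnchor.Contains($name)) {
            throw "Unknown Welcome screen element '$name'. Valid names: $($LogonAnchor.Keys -join ', ')"
        }
        $value = $value -bor $LogonAnchor[$name]
    }
    return $value
}

# Decode a DWORD back into flag names, for auditing what a device has set.
function ConvertFrom-BrandingNeutralValue {
    param([Parameter(Mandatory = $true)][int]$Value)
    @($LogonAnchor.Keys | Where-Object { $Value -band $LogonAnchor[$_] })
}

# Write the value (elevated prompt required), then read it back and decode it.
function Set-BrandingNeutral {
    param([Parameter(Mandatory = $true)][string[]]$Disable)
    $value = Get-BrandingNeutralValue -Disable $Disable
    if (-not (Test-Path $EmbeddedLogonKey)) {
        New-Item -Path $EmbeddedLogonKey -Force | Out-Null
    }
    New-ItemProperty -Path $EmbeddedLogonKey -Name BrandingNeutral `
        -PropertyType DWord -Value $value -Force | Out-Null
    $stored = (Get-ItemProperty -Path $EmbeddedLogonKey -Name BrandingNeutral).BrandingNeutral
    [pscustomobject]@{
        Value    = '0x{0:X}' -f $stored
        Disabled = ConvertFrom-BrandingNeutralValue -Value $stored
    }
}

# The two buttons the page recommends hiding for assigned access.
Set-BrandingNeutral -Disable Shutdown, EaseOfAccess
```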
You can remove the Wireless UI option from the Welcome screen by using Group Policy.
At a command prompt, type gpedit.msc to open the Local Group Policy Editor.
In the Local Group Policy Editor, go to Computer Configuration > Administrative Templates > System > Logon.
Double-tap or click Do not display network selection UI.
When a user breaks out of assigned access or puts the device to sleep, they can swipe down on the Welcome screen to start the Camera app. For this reason, we recommend that you manually turn off the Camera app when using assigned access.
Swipe in from the right edge of the screen, and then tap Settings (or if you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Settings).
Tap or click PC & Devices, and then tap or click Lock screen.
Turn off the Camera app.
You can configure assigned access by using Windows PowerShell or the Windows Embedded 8.1 Industry (Industry 8.1) UI.
You can use the Set-AssignedAccess Windows PowerShell cmdlet to configure assigned access. You can identify the user by one of the following:
- User name of the local user account to use for assigned access.
- User security identifier (SID) for the account to use for assigned access. This account cannot be a domain account or an administrative account.
You can identify the Windows Store app by one of the following:
- App name that is the friendly name of the installed Windows Store app to use for assigned access. Wildcard characters are accepted.
  You can use AppName for any app that is returned by Get-AppxPackage. Get-AppxPackage does not return the browser. To use the browser for assigned access, use the AppUserModelId parameter instead of AppName.
- Application User Model ID (AppUserModelID) for the installed Windows Store app to use for assigned access. For information about how to find the AppUserModelID, see Find the Application User Model ID.
Windows PowerShell cmdlets support the following common parameters that are implemented by Windows PowerShell: Verbose, Debug, ErrorAction, ErrorVariable, OutBuffer, OutVariable, WarningAction, and WarningVariable. For more information, see about_CommonParameters on MSDN.
Prerequisites
- You are signed in to an administrator account.
- You have Windows PowerShell and Windows Embedded 8.1 Industry (Industry 8.1) installed on your computer.
For the following Windows PowerShell examples, replace the following placeholder text with the appropriate values:
Placeholder | Description |
---|---|
<app name> | The name of the installed Windows Store app to use for assigned access. You can use a wildcard character for this value. |
<Application User Model ID> | The Application User Model ID (AppUserModelID) for the installed Windows Store app to use for assigned access. |
<security identifier (SID)> | The security identifier (SID) for the account to use for assigned access. This account cannot be a domain account or an administrator account. |
<username> | The local user account name to use for assigned access. This account cannot be a domain account or an administrator account. |
At a Windows PowerShell prompt, type the following:
Set-AssignedAccess -AppUserModelId <Application User Model ID> -UserName <username>
If a user is signed in or the PC has a PS/2 keyboard, restart the computer to apply the changes.
At a Windows PowerShell prompt, type the following, using the app name and user name:
Set-AssignedAccess -AppName <app name> -UserName <username>
If a user is signed in or the PC has a PS/2 keyboard, restart the computer to apply the changes.
At a Windows PowerShell prompt, type the following, using the AppUserModelID and user SID:
Set-AssignedAccess -AppUserModelId <Application User Model ID> -UserSID <security identifier (SID)>
If a user is signed in or the PC has a PS/2 keyboard, restart the computer to apply the changes.
At a Windows PowerShell prompt, type the following, using the desired app name and user SID:
Set-AssignedAccess -AppName <app name> -UserSID <security identifier (SID)>
If a user is signed in or the PC has a PS/2 keyboard, restart the computer to apply the changes.
Remarks
To get a list of all the applications installed for a user account, use the Get-AppxPackage cmdlet as follows: Get-AppxPackage -User username. For more information, type "Get-Help Set-AssignedAccess -detailed". For technical information, type "Get-Help Set-AssignedAccess -full".
To configure the web browser for assigned access, you must use the AppUserModelId parameter with a specific Application User Model ID.
The following example shows how to configure assigned access for Internet Explorer.
Set-AssignedAccess -UserName UserName -AppUserModelId 'DefaultBrowser_NOPUBLISHERID!Microsoft.InternetExplorer.Default'
The following example shows how to configure assigned access for Google Chrome.
Set-AssignedAccess -UserName UserName -AppUserModelId 'DefaultBrowser_NOPUBLISHERID!Chrome'
If a user is signed in or the PC has a PS/2 keyboard, restart the computer to apply the changes.
When signed in with an administrator account, you can configure assigned access by using the Industry 8.1 UI.
Prerequisites
- You are signed in to an administrator account.
- You have Windows 8.1 installed on your computer.
On a reference device, swipe in from the right edge of the screen, tap Settings (or if you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Settings), and then tap or click Change PC Settings.
Tap or click Accounts.
Tap or click Other accounts, and then tap or click Choose an account for assigned access.
On the Assigned access page, perform the following steps:
- Tap or click Choose an account, and then choose the account to use for assigned access.
- Tap or click Choose an app, and then choose the app that you want to start when the selected user signs in.
To start assigned access, restart the device and then sign in using the account that you selected.
To sign out of assigned access, quickly press the left Windows logo key five times.
At the Welcome screen, sign in as an administrator.
Swipe in from the right edge of the screen, tap Settings (or if you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Settings), and then tap or click Change PC Settings.
Tap or click Accounts.
Tap or click Other accounts, and then tap or click Choose an account for assigned access.
Tap or click Choose a user account, and then tap or click Don’t use assigned access.
To apply the change, restart the device.
Industry 8.1 features that work with Windows Store apps use the Application User Model ID (AUMID) to identify the app. The AUMID format is the package family name followed by an exclamation point and the application ID.
You can find the AUMID of Windows Store apps installed on a device by either using Windows PowerShell or querying the registry. Querying the registry can only return information about Windows Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device.
Querying by using Windows PowerShell does not return the AUMIDs for web browsers. You can use the following AUMIDs to specify a web browser:
- Internet Explorer: DefaultBrowser_NOPUBLISHERID!Microsoft.InternetExplorer.Default
- Google Chrome: DefaultBrowser_NOPUBLISHERID!Chrome
At a Windows PowerShell command prompt, type the following commands to list the AUMIDs for all Windows Store apps installed for the current user on your device:

```powershell
$installedapps = get-AppxPackage

$aumidList = @()
foreach ($app in $installedapps)
{
    foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
    {
        $aumidList += $app.packagefamilyname + "!" + $id
    }
}

$aumidList
```

You can add the -user <username> or the -allusers parameters to the get-AppxPackage cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the -user or -allusers parameters.
At a command prompt, type the following command:
reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"
Examples
The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user.

```powershell
function listAumids( $userAccount ) {

    if ($userAccount -eq "allusers")
    {
        # Find installed packages for all accounts. Must be run as an administrator in order to use this option.
        $installedapps = Get-AppxPackage -allusers
    }
    elseif ($userAccount)
    {
        # Find installed packages for the specified account. Must be run as an administrator in order to use this option.
        $installedapps = get-AppxPackage -user $userAccount
    }
    else
    {
        # Find installed packages for the current account.
        $installedapps = get-AppxPackage
    }

    $aumidList = @()
    foreach ($app in $installedapps)
    {
        foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
        {
            $aumidList += $app.packagefamilyname + "!" + $id
        }
    }

    return $aumidList
}
```
The following Windows PowerShell commands demonstrate how you can call the listAumids function after you have created it.

```powershell
# Get a list of AUMIDs for the current account:
listAumids

# Get a list of AUMIDs for an account named "CustomerAccount":
listAumids("CustomerAccount")

# Get a list of AUMIDs for all accounts on the device:
listAumids("allusers")
```
You can use the Clear-AssignedAccess cmdlet to remove the user account from assigned access and return the user to default settings.
For more information, type "Get-Help Clear-AssignedAccess -detailed". For technical information, type "Get-Help Clear-AssignedAccess -full".
At a Windows PowerShell prompt, type the following:
Clear-AssignedAccess
If a user is signed in or the PC has a PS/2 keyboard, restart the computer to apply the changes.
You can use the Get-AssignedAccess cmdlet to retrieve the current configuration for assigned access, including the user name, user SID, app friendly name, and app ID.
For more information, type "Get-Help Get-AssignedAccess -detailed". For technical information, type "Get-Help Get-AssignedAccess -full".
At a Windows PowerShell prompt, type the following:
Get-AssignedAccess
An output similar to the following appears:
User Name: MYPC\UserName
User SID: S-1-5-21-594534509-2542345234-234523453-1004
AppUserModelId: Microsoft.Media.PlayReadyClient_2.3.1678.0_x64__8wekyb3d8bbwe
App Name: Microsoft.Media.PlayReadyClient
If a user is signed in or the PC has a PS/2 keyboard, restart the computer to apply the changes.
Assigned access lets you set up single-function devices, such as for a restaurant menu or a display at a trade show. You select the user and Windows Store app to use, and can easily configure it using Windows PowerShell commands or the UI.