Use assigned access to lock down a Windows Embedded 8.1 Industry device

9/16/2013

Microsoft

September 2013

Summary

This article helps you use assigned access to set up a single-function device by restricting a user account to a single Windows Store app:

  • Understand how assigned access interacts with other features and settings.
  • Configure assigned access.
  • Turn off assigned access.
  • Get the current configuration for assigned access.

Applies To

Windows Embedded 8.1 Industry Pro

Windows Embedded 8.1 Industry Enterprise

Introduction

Administrators can use Assigned access to restrict a user account to access a single application. You can use assigned access to set up single-function devices, such as restaurant menus or displays at trade shows. If an account is configured for assigned access, a Windows Store app of your choosing runs in full-screen mode for the chosen standard account. Users of that account cannot switch apps or get out of the app using gestures or the keyboard. Assigned access also disables system notifications that are not critical.

By default, a user can break out of assigned access by quickly pressing the Windows Logo key five times.

Suggested settings

For the most secure assigned access experience, we recommend that you configure the following settings:

  • Turn off the Camera app as described in Windows Camera.
  • Turn off accessibility options in the Ease of Access Center in Control Panel.
  • Hide the Ease of Access button on the Welcome screen as described in Welcome screen.
  • Block and hide the Power button on the Welcome screen as described in Power button.

Understand how assigned access interacts with other features and settings

The following sections describe some features that have interoperability issues we recommend that you consider when running assigned access:

  • Accessibility
  • Application Launcher
  • Assigned access Windows PowerShell cmdlets
  • Dialog Filter
  • Embedded Lockdown Manager (ELM)
  • Gesture Filter
  • Keyboard Filter
  • Power button
  • Shell Launcher
  • Sysprep
  • Toast Notification Filter
  • USB Filter
  • Unified Write Filter (UWF)
  • WEDL_AssignedAccess class
  • Welcome screen
  • Windows Camera

Accessibility

Assigned access does not change Ease of Access settings.

We recommend that you use Keyboard Filter to block the following key combinations that bring up accessibility features:

Key combination                    Blocked behavior
Left Alt+Left Shift+Print Screen   Open High Contrast dialog box.
Left Alt+Left Shift+Num Lock       Open Mouse Keys dialog box.
Windows logo key+U                 Open Ease of Access Center.

Application Launcher

In assigned access, a Windows Store app of your choosing runs in full-screen mode for the chosen standard account. When a user is not in assigned access, the Windows 8 Application Launcher settings apply.

Set DisallowRun to block users from opening apps from any links in the Windows Store app that you select for assigned access. For information about how to set DisallowRun, see HOW TO: Restrict Users from Running Specific Windows Programs in Windows 2000.

Assigned access Windows PowerShell cmdlets

In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access.

Dialog Filter

Dialog Filter settings apply to all user accounts, including those with assigned access.

Embedded Lockdown Manager (ELM)

Assigned access has no effect on ELM.

Gesture Filter

For assigned access accounts, only the top and bottom edges, including the app bar, are active. Users cannot drag apps or swipe to switch or close apps, access charms, access the Welcome screen, or get out of the chosen app. Gesture Filter settings that are set with GF_Config are ignored for assigned access users.

Gesture Filter settings apply to other standard accounts.

Keyboard Filter

When in assigned access, the user cannot switch apps or get out of the app by using the keyboard. The following key combinations are blocked for assigned access accounts:

Key combination     Blocked behavior
Alt+Esc             Cycle through items in the reverse order from which they were opened.
Alt+F4              Close the application.
Alt+Shift+Tab       Switch tasks.
Alt+Spacebar        Open the shortcut menu for the active window.
Alt+Tab             Switch tasks.
BrowserHome         Open the default browser.
BrowserSearch       Open the Search charm.
Ctrl+Alt+Delete     Open the Windows Security screen.
Ctrl+Alt+Esc        Cycle through items in the reverse order from which they were opened.
Ctrl+Esc            Open the Start screen.
Ctrl+F4             Close the window.
Ctrl+Shift+Esc      Open Task Manager.
Ctrl+Tab            Switch windows.
LaunchApp1          Open the app that is assigned to this key.
LaunchApp2          Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator.
LaunchMail          Open the default mail client.
Windows logo key    Switch apps or open the Start screen.

Keyboard Filter settings apply to other standard accounts.

Power button

We recommend that you remove the Power button from the Welcome screen and block the physical power button so that a user cannot turn off the device when assigned access is active.

To remove the power button from the Welcome screen

  1. Sign in with the account for assigned access.

  2. At a command prompt, type gpedit.msc to open the Local Group Policy Editor.

  3. In the Local Group Policy Editor, under User Configuration, expand Administrative Templates, and then tap or click Start Menu and Task Bar.

  4. Double-tap or click Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands.

  5. In the Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands dialog box, select Enabled, and then tap or click OK.

To disable the physical power button

  1. In Control Panel, go to Hardware and Sound > Power Options.

  2. Select Choose what the power buttons do.

  3. Under When I press the power button, change On Battery and Plugged in to Do Nothing.

  4. Tap or click Save Changes.

Shell Launcher

Assigned access settings apply even if you use Shell Launcher to replace the default Windows 8.1 shell with a custom shell.

Sysprep

Assigned access settings do not persist after Sysprep. You will need to set them again after deployment.

Toast Notification Filter

In assigned access, system notifications are blocked for the selected user account. Normal notifications apply for all other user accounts.

USB Filter

USB Filter settings apply to all accounts, including those with assigned access.

Unified Write Filter (UWF)

UWF settings apply to all accounts, including those with assigned access.

WEDL_AssignedAccess class

Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead.

If you need to use assigned access API, see WEDL_AssignedAccess in MSDN.

Welcome screen

To remove buttons from the Welcome screen, set the appropriate value for BrandingNeutral in the following registry key:

HKLM\Software\Microsoft\Windows Embedded\EmbeddedLogon

The following table shows the possible values. To disable multiple Welcome screen UI elements, combine these values using bitwise exclusive-or logic.

Action                                    Registry value
Disable all Welcome screen UI elements    static const DWORD EMBEDDED_DISABLE_LOGON_ANCHOR_ALL = 0x1
Disable the Power button                  static const DWORD EMBEDDED_DISABLE_LOGON_ANCHOR_SHUTDOWN = 0x2
Disable the Language button               static const DWORD EMBEDDED_DISABLE_LOGON_ANCHOR_LANGUAGE = 0x4
Disable the Ease of Access button         static const DWORD EMBEDDED_DISABLE_LOGON_ANCHOR_EASEOFACCESS = 0x8
Disable the Switch user button            static const DWORD EMBEDDED_DISABLE_BACK_BUTTON = 0x10
Disable the Blocked Shutdown Resolver     static const DWORD EMBEDDED_DISABLE_BSDR = 0x20
(BSDR) screen (see note below)

Note on EMBEDDED_DISABLE_BSDR: disabling the BSDR screen means that restarting or shutting down the system causes the OS to immediately force close any open applications that are blocking system shutdown. No UI is displayed, and users are not given a chance to cancel the shutdown process.
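As an added example (not part of the original article), the following Windows PowerShell commands combine the flag values from the table above to hide the Power, Ease of Access and Switch user buttons, write the result to BrandingNeutral, and decode the stored value back into flag names so you can verify what is actually in the registry. They assume an elevated prompt; the key is created if it does not exist yet.

```powershell
# Flag values exactly as documented in the BrandingNeutral table above.
$flags = @{
    EMBEDDED_DISABLE_LOGON_ANCHOR_ALL          = 0x1
    EMBEDDED_DISABLE_LOGON_ANCHOR_SHUTDOWN     = 0x2
    EMBEDDED_DISABLE_LOGON_ANCHOR_LANGUAGE     = 0x4
    EMBEDDED_DISABLE_LOGON_ANCHOR_EASEOFACCESS = 0x8
    EMBEDDED_DISABLE_BACK_BUTTON               = 0x10
    EMBEDDED_DISABLE_BSDR                      = 0x20
}

# The registry key named in the article, expressed as a PowerShell registry path.
$keyPath = 'HKLM:\Software\Microsoft\Windows Embedded\EmbeddedLogon'

# Combine the elements to hide with bitwise exclusive-or, as the article recommends.
# Every flag is a distinct bit, so -bxor and -bor produce the same value here.
$value = $flags.EMBEDDED_DISABLE_LOGON_ANCHOR_SHUTDOWN `
    -bxor $flags.EMBEDDED_DISABLE_LOGON_ANCHOR_EASEOFACCESS `
    -bxor $flags.EMBEDDED_DISABLE_BACK_BUTTON        # 0x2 + 0x8 + 0x10 = 0x1A

# Create the key if it is missing, then write BrandingNeutral as a REG_DWORD.
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
Set-ItemProperty -Path $keyPath -Name BrandingNeutral -Value $value -Type DWord

# Read the value back and list which Welcome screen elements it disables.
$stored = (Get-ItemProperty -Path $keyPath -Name BrandingNeutral).BrandingNeutral
'BrandingNeutral = 0x{0:X}' -f $stored
foreach ($name in ($flags.Keys | Sort-Object { $flags[$_] })) {
    if ($stored -band $flags[$name]) { "  set: $name" }
}
```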

You can remove the Wireless UI option from the Welcome screen by using Group Policy.

To remove Wireless UI from the Welcome screen

  1. At a command prompt, type gpedit.msc to open the Local Group Policy Editor.

  2. In the Local Group Policy Editor, go to Computer Configuration > Administrative Templates > System > Logon.

  3. Double-tap or click Do not display network selection UI.

Windows Camera

When a user breaks out of assigned access or puts the device to sleep, they can swipe down on the Welcome screen to start the Camera app. For this reason, we recommend that you manually turn off the Camera app when using assigned access.

To manually turn off the Camera app

  1. Swipe in from the right edge of the screen, and then tap Settings (or if you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Settings).

    Tap or click PC & Devices, and then tap or click Lock screen.

  2. Turn off the Camera app.

Configure assigned access

You can configure assigned access by using Windows PowerShell or the Windows Embedded 8.1 Industry (Industry 8.1) UI.

Configure assigned access by using Windows PowerShell

You can use the Set-AssignedAccess Windows PowerShell cmdlet to configure assigned access. You can identify the user by one of the following:

  • User name of the local user account name to use for assigned access.
  • User security identifier (SID) for the account to use for assigned access. This account cannot be a domain account or an administrative account.

You can identify the Windows Store app by one of the following:

  • App name that is the friendly name of the installed Windows Store app to use for assigned access. Wildcard characters are accepted.
    You can use AppName for any app that is returned by Get-AppxPackage. Get-AppxPackage does not return the browser. To use the browser for assigned access, use the AppUserModelId parameter instead of AppName.
  • Application User Model ID (AppUserModelID) for the installed Windows Store app to use for assigned access. For information about how to find the AppUserModelID, see Find the Application User Model ID.

Windows PowerShell cmdlets support the following common parameters that are implemented by Windows PowerShell: Verbose, Debug, ErrorAction, ErrorVariable, OutBuffer, OutVariable, WarningAction, and WarningVariable. For more information, see about_CommonParameters on MSDN.

Prerequisites

  • You are signed in to an administrator account.
  • You have Windows PowerShell and Windows Embedded 8.1 Industry (Industry 8.1) installed on your computer.

For the following Windows PowerShell examples, replace the following placeholder text with the appropriate values:

Placeholder Description

<app name>

The name of the installed Windows Store app to use for assigned access. You can use a wildcard character for this value.

<Application User Model ID>

The Application User Model ID (AppUserModelID) for the installed Windows Store app to use for assigned access.

<security identifier (SID)>

The security identifier (SID) for the account to use for assigned access. This account cannot be a domain account or an administrator account.

<username>

The local user account name to use for assigned access. This account cannot be a domain account or an administrator account.

To configure assigned access by user name and AppUserModelID

  1. At a Windows PowerShell prompt, type the following:

    Set-AssignedAccess -AppUserModelId <Application User Model ID> -UserName <username>
    
  2. If a user is signed in or the PC has a PS/2 keyboard, restart the computer to apply the changes.

To configure assigned access by user name and app name

  1. At a Windows PowerShell prompt, type the following, using the app name and user name:

    Set-AssignedAccess -AppName <app name> -UserName <username>
    
  2. If a user is signed in or the PC has a PS/2 keyboard, restart the computer to apply the changes.

To configure assigned access by user SID and AppUserModelID

  1. At a Windows PowerShell prompt, type the following, using the AppUserModelID and user SID:

    Set-AssignedAccess -AppUserModelId <Application User Model ID> -UserSID <security identifier (SID)>
    
  2. If a user is signed in or the PC has a PS/2 keyboard, restart the computer to apply the changes.

To configure assigned access by app name and user SID

  1. At a Windows PowerShell prompt, type the following, using the desired app name and user SID:

    Set-AssignedAccess -AppName <app name> -UserSID <security identifier (SID)>
    
  2. If a user is signed in or the PC has a PS/2 keyboard, restart the computer to apply the changes.

Remarks

To get a list of all the applications installed for a user account, use the Get-AppxPackage cmdlet as follows: Get-AppxPackage -User <username>. For more information, type "Get-Help Set-AssignedAccess -detailed". For technical information, type "Get-Help Set-AssignedAccess -full".
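As an added example, not code from the article, the following function wraps the Set-AssignedAccess call with the checks the prerequisites above imply: it confirms the account is a local, non-administrator account, resolves the app's AUMID from Get-AppxPackage and Get-AppxPackageManifest (so a wildcard that matches several apps fails loudly instead of one being picked silently), and reads the result back with Get-AssignedAccess. The function name Set-AssignedAccessChecked, the account KioskUser, the app name Microsoft.BingWeather and the property names read from Get-AssignedAccess output are assumptions; run it from an elevated prompt.

```powershell
function Set-AssignedAccessChecked {
    param(
        [Parameter(Mandatory)] [string] $UserName,   # local standard account name
        [Parameter(Mandatory)] [string] $AppName     # friendly app name, wildcards allowed
    )

    # 1. The account must be local and must not be an administrator.
    $acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$UserName'"
    if (-not $acct) { throw "No local account named '$UserName'." }
    $admins = ([ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group").Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
    if ($admins -contains $UserName) {
        throw "'$UserName' is a member of Administrators; assigned access needs a standard account."
    }

    # 2. Resolve the AUMID (package family name + "!" + application id) for that user.
    $aumids = foreach ($pkg in Get-AppxPackage -User $UserName -Name $AppName) {
        foreach ($id in (Get-AppxPackageManifest $pkg).package.applications.application.id) {
            $pkg.PackageFamilyName + '!' + $id
        }
    }
    if (@($aumids).Count -ne 1) {
        throw "Expected exactly one AUMID for '$AppName', found $(@($aumids).Count): $($aumids -join ', ')"
    }

    # 3. Apply by SID and AUMID, then read the configuration back for verification.
    #    The UserSID and AppUserModelId property names are assumed from the documented output.
    Set-AssignedAccess -UserSID $acct.SID -AppUserModelId $aumids
    $cfg = Get-AssignedAccess
    if ($cfg.UserSID -ne $acct.SID -or $cfg.AppUserModelId -ne $aumids) {
        throw 'Get-AssignedAccess does not show the expected user and app.'
    }
    $cfg
}

# Example call with hypothetical account and app names.
Set-AssignedAccessChecked -UserName 'KioskUser' -AppName 'Microsoft.BingWeather'
# As the article notes, restart the device if a user is signed in or a PS/2 keyboard is attached.
```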

Configure browser for assigned access

  1. To configure the web browser for assigned access, you must use the AppUserModelId parameter with the browser's specific Application User Model ID.

    The following example shows how to configure assigned access for Internet Explorer.

    Set-AssignedAccess -UserName <username> -AppUserModelId 'DefaultBrowser_NOPUBLISHERID!Microsoft.InternetExplorer.Default'
    

    The following example shows how to configure assigned access for Google Chrome.

    Set-AssignedAccess -UserName <username> -AppUserModelId 'DefaultBrowser_NOPUBLISHERID!Chrome'
    
  2. If a user is signed in or the PC has a PS/2 keyboard, restart the computer to apply the changes.

Configure assigned access by using the UI

When signed in with an administrator account, you can configure assigned access by using the Industry 8.1 UI.

Prerequisites

  • You are signed in to an administrator account.
  • You have Windows 8.1 installed on your computer.

To configure assigned access

  1. On a reference device, swipe in from the right edge of the screen, tap Settings (or if you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Settings), and then tap or click Change PC Settings.

  2. Tap or click Accounts.

  3. Tap or click Other accounts, and then tap or click Choose an account for assigned access.

  4. On the Assigned access page, perform the following steps:

    • Tap or click Choose an account, and then choose the account to use for assigned access.
    • Tap or click Choose an app, and then choose the app that you want to start when the selected user signs in.
  5. To start assigned access, restart the device and then sign in using the account that you selected.

To turn assigned access off

  1. To sign out of assigned access, quickly press the left Windows logo key five times.

  2. At the Welcome screen, sign in as an administrator.

  3. Swipe in from the right edge of the screen, tap Settings (or if you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Settings), and then tap or click Change PC Settings.

  4. Tap or click Accounts.

  5. Tap or click Other accounts, and then tap or click Choose an account for assigned access.

  6. Tap or click Choose a user account, and then tap or click Don’t use assigned access.

  7. To apply the change, restart the device.

Find the Application User Model ID

Industry 8.1 features that work with Windows Store apps use the Application User Model ID (AUMID) to identify the app. The AUMID format is the package family name followed by an exclamation point and the application ID.

You can find the AUMID of Windows Store apps installed on a device by either using Windows PowerShell or querying the registry. Querying the registry can only return information about Windows Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device.

Querying by using Windows PowerShell does not return the AUMIDs for web browsers. You can use the following AUMIDs to specify a web browser:

  • Internet Explorer: DefaultBrowser_NOPUBLISHERID!Microsoft.InternetExplorer.Default
  • Google Chrome: DefaultBrowser_NOPUBLISHERID!Chrome

To identify the AUMID of an installed app by using Windows PowerShell

  1. At a Windows PowerShell command prompt, type the following commands to list the AUMIDs for all Windows Store apps installed for the current user on your device:

    $installedapps = get-AppxPackage
    
    $aumidList = @()
    foreach ($app in $installedapps)
    {
        foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
        {
            $aumidList += $app.packagefamilyname + "!" + $id
        }
    }
    
    $aumidList
    

    You can add the -User <username> or the -AllUsers parameter to the Get-AppxPackage cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the -User or -AllUsers parameters.

To identify the AUMID of an installed app by using the registry

  1. At a command prompt, type the following command:

    reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"
    

Examples

The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user.

function listAumids( $userAccount ) {

    if ($userAccount -eq "allusers")
    {
        # Find installed packages for all accounts. Must be run as an administrator in order to use this option.
        $installedapps = Get-AppxPackage -AllUsers
    }
    elseif ($userAccount)
    {
        # Find installed packages for the specified account. Must be run as an administrator in order to use this option.
        $installedapps = Get-AppxPackage -User $userAccount
    }
    else
    {
        # Find installed packages for the current account.
        $installedapps = Get-AppxPackage
    }

    # Build each AUMID as package family name + "!" + application id.
    $aumidList = @()
    foreach ($app in $installedapps)
    {
        foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
        {
            $aumidList += $app.PackageFamilyName + "!" + $id
        }
    }

    return $aumidList
}

The following Windows PowerShell commands demonstrate how you can call the listAumids function after you have created it.

# Get a list of AUMIDs for the current account:
listAumids

# Get a list of AUMIDs for an account named "CustomerAccount":
listAumids "CustomerAccount"

# Get a list of AUMIDs for all accounts on the device:
listAumids "allusers"

Clear assigned access

You can use the Clear-AssignedAccess cmdlet to remove the user account from assigned access and return the user to default settings.

For more information, type "Get-Help Clear-AssignedAccess -detailed". For technical information, type "Get-Help Clear-AssignedAccess -full".

To clear assigned access

  1. At a Windows PowerShell prompt, type the following:

    Clear-AssignedAccess 
    
  2. If a user is signed in or the PC has a PS/2 keyboard, restart the computer to apply the changes.

Get current configuration for assigned access

You can use the Get-AssignedAccess cmdlet to retrieve the current configuration for assigned access, including the user name, user SID, app friendly name, and app ID.

For more information, type "Get-Help Get-AssignedAccess -detailed". For technical information, type "Get-Help Get-AssignedAccess -full".

To get the current configuration for assigned access

  1. At a Windows PowerShell prompt, type the following:

    Get-AssignedAccess 
    

    An output similar to the following appears:

    User Name: MYPC\UserName
    User SID: S-1-5-21-594534509-2542345234-234523453-1004
    AppUserModelId: Microsoft.Media.PlayReadyClient_2.3.1678.0_x64__8wekyb3d8bbwe
    App Name: Microsoft.Media.PlayReadyClient

  2. If a user is signed in or the PC has a PS/2 keyboard, restart the computer to apply the changes.

Conclusion

Assigned access lets you set up single-function devices, such as for a restaurant menu or a display at a trade show. You select the user and Windows Store app to use, and can easily configure it using Windows PowerShell commands or the UI.