Hey, here’s Joao again. My inbox has been filled with Windows 8.1 related e-mails, and I decided to talk to you about a much requested feature that finally saw the light of day.
Have you heard of Assigned Access? Maybe you have heard of the scenario it implements: Kiosk mode!
So far your only option to create a Windows Kiosk where your users and customers could interact with a single application without the risk of compromising the system was to use Windows Embedded.
Now, with the enhanced security of having each Modern App (coming from the Store or sideloaded) sandboxed, Microsoft is finally offering an alternative that I’m sure will please many customers. Whether you are a very big customer or a startup, if you feel that Windows Embedded is overkill, maybe Assigned Access is really what you are looking for.
When you set up Assigned Access you can choose any Modern App to run exclusively and in full screen under a local account. The only Modern Apps that cannot be used are those that would allow a user to make changes to the local system and compromise the kiosk (Store, PC Settings, and Internet Explorer). The focus is to easily set up a single-purpose machine that users are not able to tamper with.
Please note that traditional desktop apps don’t provide the same level of security and therefore cannot be used in Assigned Access. You will need Windows Embedded to lock a machine to a desktop application.
With an Assigned Access account the user will not see any notifications, and the Windows hardware button will be suppressed as will be the following shortcuts and gestures:
Secure Authentication Screen (SAS)
Switch Apps/Go to Start Screen
Shortcut menu for active window
Swipe from left (switch app, side-by-side app)
Swipe from right
Swipe from top (close an app)
The only prerequisites are to have a local account and to preinstall the Modern App for that account. For that you will have to log in to that account at least once before you set it up for Assigned Access.
Note: The accounts should be single purpose, so it’s not possible to use a domain account.
In my demo I have created a new local account called Kiosk, but you can choose any name that you like.
You can press "Set up an account for assigned access" to proceed with selecting the account and application you want to use.
It’s as simple as that!
If you want to set this up on multiple machines or simply love Windows PowerShell, this configuration can also be scripted using Set-AssignedAccess.
A typical command would be: Set-AssignedAccess -AppName <appname> -UserName <username>
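A scripted version of the setup, with the prerequisites above checked before the lock is applied. This is an added example, not code from the original post: the account name Kiosk comes from the demo, Contoso.KioskApp is a placeholder, and it assumes the package name reported by Get-AppxPackage is the value -AppName expects.

```powershell
# Added example: pre-flight checks before locking a local account to one Modern App.
# 'Contoso.KioskApp' is a placeholder package name; replace it with your own app.
# Run from an elevated PowerShell session on the kiosk machine itself.
param(
    [ValidatePattern('^[\w .-]+$')]   # keeps the name safe to embed in the WQL filter
    [string]$UserName = 'Kiosk',
    [string]$AppName  = 'Contoso.KioskApp'
)

$ErrorActionPreference = 'Stop'

# 1. The account must be a local account on this machine
#    (Assigned Access accounts are single purpose, not domain accounts).
$filter  = "LocalAccount=True AND Name='$UserName'"
$account = Get-CimInstance -ClassName Win32_UserAccount -Filter $filter
if (-not $account) {
    throw "No local account named '$UserName' on $env:COMPUTERNAME."
}
if ($account.Disabled) {
    throw "Local account '$UserName' is disabled."
}

# 2. The app must already be installed for that account, which means the
#    account has signed in at least once and the app was installed for it.
#    Assumption: the package Name matches what -AppName expects.
$package = Get-AppxPackage -User $account.SID |
    Where-Object { $_.Name -eq $AppName }
if (-not $package) {
    throw "App '$AppName' is not installed for '$UserName'. Sign in once with that account and install the app first."
}

# 3. Apply the restriction, then read the configuration back to confirm it.
Set-AssignedAccess -AppName $AppName -UserName $UserName
Get-AssignedAccess
```

Clear-AssignedAccess removes the restriction again when the machine goes back to normal use.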
If you use a device for multiple purposes (e.g. normal user machine, but used as a kiosk in trade shows), or need to make changes to your kiosk configuration, you will eventually want to sign out of the Assigned Access account. To do that you will have to have a physical keyboard attached to the device and press the Windows Logo key 5 times in a short period of time either on your physical keyboard (the touch keyboard won’t work) or on the Windows hardware button, if your device has one. Remember, the physical Windows button on the device will not work; to sign out of an Assigned Access account you really need a physical keyboard.
As most kiosk machines are now touchscreen or use a specifically designed keyboard, users will not have a keyboard with the Windows button available to them, and admins have this simple solution for signing out and making changes to the Assigned Access machine and its applications.
I can imagine many scenarios for Assigned Access, but I’m really looking forward to your comments on how you are going to use it!
If you haven’t seen the variety of form factors that you can leverage, follow this link: http://www.youtube.com/watch?v=2iab5qC_My0
UPDATE 12-4-13: Due to an incorrect statement regarding Internet Explorer not being available in Assigned Access, and the Windows hardware button not being able to sign out of the Assigned Access account. Thank you, Vadim Sterkin, for testing and reporting back these inconsistencies.
Joao “Loves Comments” Botto
11-25-13 Spanish version of this post: http://blogs.technet.com/b/ask-pfe-latam-plat/archive/2013/11/01/como-configurar-acceso-asignado-en-windows-8-1-modo-quiosco.aspx -MarkMoro
I guess I'm a bit confused?
If the Win Key is disabled by default, how would the administrator go about signing out of the Assigned Access account?
Would they need to attach a USB keyboard?
Press the Windows key 5 times. This is written here:
Very cool implementation of a very much needed functionality !
Greetings from Portugal ;-) ,
Ronnie Vernon, yes you will have to attach a usb keyboard or the dock/keyboard that some devices have
That is all well and good, but as soon as word spreads, people may carry around a keyboard to mess with you, or that desktop in assigned access mode, much like our users did when batches of them learned that you can hold down shift at login to break the autologon cycle.
Any options for an unlock password?
Mike, we currently don't have the option for an unlock password.
To avoid that type of situation you can either use Windows Embedded, or if you still want to keep it simple, lock the USB ports or put the device in a frame. I have seen many companies use frames/cases for devices that they want to use as a kiosk in a public area - it is a beautiful yet inexpensive solution.
Greetings Mauro Rita :)
Joao, are you the guest blogger here? That's awesome!
Check this out:
Ed Price, that is very cool! I had no idea I was on that list!
I have a couple of questions/comments regarding this statement: "The only Modern Apps that cannot be used are those that would allow a user to make changes to the local system and compromise the kiosk (Store, PC Settings, and Internet Explorer)"
1. Browser is the most useful application for the kiosk, yet it's excluded from the feature. While I understand the security reasoning behind this decision, the whole assigned access mode becomes not so attractive, but...
2. Wait, I just assigned modern IE to a user and it can run any executable, albeit not interact with it. Why is that? :)
Some people tell me that they can't assign IE. I've reproduced this both on my tablet (8.1 Pro) and VM (8.1 Ent, totally clean install). Here's the recording from the latter http://sdrv.ms/1aEGElJ
Apologies for the black square instead of the cursor, I forgot to disable one Camtasia option. Otherwise, it's perfectly clear :)
So my question stands: is this a bug or is this by design?
Vadim Sterkin, we currently don't have a kiosk mode of our Modern IE and therefore it would be a security risk to be able to launch it for Assigned Access. Are you saying that you managed to do that on some Windows 8.1 RTM machines?
If you have a specific webpage that you want to have in a kiosk, creating a webapp from it should be quite easy.
We appreciate your feedback
@Joao Sousa Botto
>Are you saying that you managed to do that on some Windows 8.1 RTM machines?
I'm not only saying that, I'm showing this in the video to which I've provided the link in the comment you replied to. I can post it again, not a problem http://sdrv.ms/1aEGElJ :)
Vadim Sterkin, thank you so much for bringing this to my attention! I didn't have the chance to watch the video earlier because I was travelling and the bandwidth at the hotels was terrible.
I wasn't able to reproduce this in my lab environment, but I'm contacting some people that should be able to clarify this situation. I'll post more information here as soon as I have it
Thanks for your reply. Actually, I didn't do anything special to reproduce the issue on two different PCs with different editions of 8.1. So I'm not sure why you can't do it in your lab env.
1. Install 8.1, and use an existing Microsoft account to log in during install.
1.1 Install all updates.
2. Create a standard local account (User), log it in once, then press "Win" 5 times to exit.
3. Go back to the administrative account, log the User off.
4. Set up assigned access (choose IE).
5. Restart, log in with User.
The video starts with step 3. I'll be curious to find out whether MSFT at least confirms this as a bug, even indirectly :)