Windows Embedded 8.1: Assigned Access and Windows Embedded Lockdown

Microsoft

bloggers

discussions

Windows Embedded 8.1: Assigned Access and Windows Embedded Lockdown

  • Comments 0

Posted By Jeff Wettlaufer
Sr. Technical Product Marketing Manager

With the release of Windows 8.1 and Windows Embedded 8.1, a new capability called Assigned Access has been introduced. This post will compare Assigned Access with the existing (and improved for 8.1) embedded lockdown features.

What is Assigned Access?

Assigned Access is a new feature offered in Windows 8.1 RT, Pro and Enterprise, and provides a way to enable a single Windows Store application experience on the device. Administrators can easily lock down a device through the PC settings by choosing a user profile and assigning a modern app to that profile.

When this is selected, the selected user account and app will be launched from boot (once authenticated). Assigned Access uses a pre-defined set of filters to block keyboard gestures, hardware buttons and system toast notifications to prohibit access to other apps or system settings. These cannot be changed, and the capability is restricted to one user and one modern (Windows 8 style) app.

When would I use Assigned Access?

Assigned Access is designed for easy administration for simple scenarios that include a single user and single modern app, and does not require the administrator to have advanced skills. Assigned Access can also be used when customization of Swipe, Gesture and Lockdown are not required. Common scenarios would include using Assigned Access in a school or educational environment for a single learning application.

For a demonstration of Assigned Access and how it’s configured, watch the video below.

What are Embedded lockdown features?

Windows Embedded lockdown features are a collection of lockdown and controls available to a device running Windows Embedded. There are several main categories available for customization; these include filters for Write, Gesture, Keyboard, Dialog, USB and System Notification. In addition, these support administrative capabilities such as Breakout Mode (in which an administrator can leave the app experience to perform administrative tasks) and the automatic launching of modern or classic Win32 apps. Windows Embedded lockdown features are granular, support an unlimited number of combinations and can be assigned to different users on a device allowing different levels of restriction.

Embedded lockdown controls (filters, etc.) are enabled in a few ways. The Embedded Lockdown Manager tool is an MMC console where a vast majority of capabilities are configured. Once set, these can be exported to a PowerShell script and run on that device, or others. In addition, many features can be configured through WMI, Registry, or even remotely scripted (think management tools).

When should I use Windows Embedded lockdown features?

Embedded lockdown features are highly flexible, and support single-user/single-app, single-user/multi- app and multi-user/multi-app scenarios. Windows Embedded supports both modern apps and Win32 shell experiences. Windows Embedded is better suited for larger scale deployments due to the support for remote scripting and management. Customization of Swipe, Gesture and Lockdown beyond the template approach from Assigned Access is another scenario in which Windows Embedded should be chosen. In addition, if organizations want to use the Unified Write Filter, Windows Embedded will be required. Finally, granular customization for management, security and infrastructure-connected scenarios are handled well by a Windows Embedded 8.1 device.

Typical use cases for Windows Embedded devices can vary greatly across different industries. Device scenarios such as multi-user/multi-app and single-user/multi-app can be situations in which controlled experiences are desired. Devices such as kiosks, digital signs and POS devices in retail can require granular lockdown configurations, yet still it’s still desirable to have a flexible, consistent experience. Finally, state preservation through Unified Write Filters enabled by Windows Embedded provides support for broad use, unattended (non employee) access scenarios (Internet stations, kiosks in hotels and airports) where state preservation is not preserved through sessions.

It is important to consider the end-user use case for the device to best determine the right OS version and preferred lockdown method. It’s also important to ensure that all users and app scenarios are considered, as well as the connectivity requirements for the device. Finally, be sure to define the lockdown strategy for your devices early to prevent additional resource challenges down the road.

There is a version of Windows for your scenario, and a flavor of lockdown and control suitable to support your use case and device. Read more about Windows Embedded products and solutions on our website; and visit my other blogs for more about the new technical features of Windows Embedded 8.1.

blog comments powered by Disqus