Hello,

I am attempting to create a Kiosk mode style build for a touchscreen all-in-one PC.

The requirement will be to severely lock the OS down to give minimal access to the OS whilst allowing the user (possibly joe public) access to a pre-defined list of websites.

The 'Assigned Access' looked to be a god-send as it can do this out of the box, but does not allow me to lock down the IE settings. Also with this only being available to local accounts, I cannot enforce IE restrictions with GPO's.

I would have fully intended of locking down the OS in the traditional manner (as I have done in the past with Win7) of GPO's. Unfortunately, there are no GPO options to disable the metro/start screen. Disableing the start menu was easy as pi on Win7 but seemingly impossible for Win8.

I find this very frustrating as I want to go with the new technology but am not able to find an answer to this.

If anyone has any ideas or suggestions for this, please bear in mind that I will not be able to use 3rd party tools for this implementation, just GPO's, reg tweaks etc.

Kind Regards

Barry

Are you using Windows 8.1 Embedded or some other edition?

Windows 8.1 Professional x64

SW_DVD5_Win_Pro_8.1_64BIT_English_MLF_X18-96634.ISO

It looks like the 'Assigned Access' is the way to go, but I would like to lock down the 'Metro' IE so that the user cannot access the address bar, favourites, tabs etc.

I've tried setting the local GPO but it does not seem to take any effect.

Kind Regards

Barry

Hi,

Sorry for my late reply.

Based on my research, we can disable the Metro IE as a work around.

Please  use "Always in Internet Explorer on the desktop" option to disable the Metro IE.

1. Open IE 11 Desktop.

2. Click on the Tools "cog" (top-right) then select Internet options.

3. Click on Programs tab.

4. Tick the box labeled Open Internet Explorer tiles on the desktop.

5. In the dropdown menu above labelled Choose how you open links. select Always in Internet Explorer on the desktop.

6. Click OK.

Meanwhile, you can use GPO to do it:

How to use Group Policy to default Internet Explorer to desktop mode in Windows 8

http://www.grouppolicy.biz/tag/metro/

Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Then, you just need use GPO to manage your desktop IE.

Regards,

Hello,

My question was more to the point of how do I either;

A) Disable the start screen / metro UI - i can lock-down the rest of the desktop etc via GPO.

B) Using the 'Assigned Access' mode - Lock down Metro IE (ie. disable address bar, favourites etc).

Kind Regards
Barry

Hi Barry,

For the issue,  Metro IE is not good choices for assigned access.

If you need to use a Metro IE as your assigned access app, consider the following tips:

1.You can create your own web browser Windows Store app by using the WebView class.

2.You can use Group Policy to block access to the file system (network shares, local drives, and local folders) from Internet Explorers web address bar.

Please refer to the following article:

Best practices for selecting an app for assigned access

http://technet.microsoft.com/zh-cn/library/dn465334.aspx

Regards,

I've had no joy getting the desired level of control within the 'Assigned Access' mode.

I have had better luck using a domain account heavily locked down with GPO's.

A local account would have been better but i see no better way of controlling the lockdown on a local account.

I'm going to chime in  here as I feel as you do, Barry. I too am attempting to create a mobile handheld kiosk that will be be able to access a single page and interact with it. 

Heres the issue: 

Running IE in Desktop mode using the -K switch disables the active OSK monitoring and when a user interacts with a web page they need to have access to the taskbar to bring up the keyboard to enter text into the fields. This is a failed attempt at minimal access to the system. This is corrected by running IE in "Metro" mode. 

However when running in Metro Mode the address bar is accessible, Tabbed browser is not disabled and the user generally has full control over IE again. This is another fail. 

So I'm now caught in a spin, I can get the control I need with -K and local policies/GPO's but I loss the OSK. But I can't use the tablet like that so I enable the Kiosk Mode and use a local user, losing GPO's and control over IE. 

Why didn't Microsoft think of these cases when developing such a wonderful tool. I bet more corporations out there would adopt this device, and Windows 8 if management of the user environment and application base was of primary concern. It appears that it hasn't been. 

If anyone knows how to workaround these issues and deliver a single page locked down Web based handheld please let me know. 

Thank you, 

Chris

I have been battling with Win 8.1 embedded to setup assigned access using Google Chrome. That part is easy enough. But assigned access would only launch Google chrome in normal more (with the address bar showing). What I want to do is launch chrome in Kiosk more (using the --kiosk parameter/switch which is normally accomplished via the command prompt or using a shortcut) but there simply is not way to pass the assigned access feature the parameters needed to put chrome in kiosk more. I've tried many many thing such as using AutoIT to create an exe that would replace the chrome.exe but just launches chrome in kiosk more...but nothing works since the assigned access feature wouldn't allow the assigned exe to open another exe
Can anyone please tell us how we could use chrome as the assigned access app with the right more (kiosk). If that can be done, it would make Win 8.1 a great platform for kiosks everywhere!

• Proposed as answer by TinHat Monday, January 06, 2014 10:22 PM
• Unproposed as answer by TinHat Monday, January 06, 2014 10:22 PM

I have been battling with Win 8.1 embedded to setup assigned access using Google Chrome. That part is easy enough. But assigned access would only launch Google chrome in normal more (with the address bar showing). What I want to do is launch chrome in Kiosk more (using the --kiosk parameter/switch which is normally accomplished via the command prompt or using a shortcut) but there simply is not way to pass the assigned access feature the parameters needed to put chrome in kiosk more. I've tried many many thing such as using AutoIT to create an exe that would replace the chrome.exe but just launches chrome in kiosk more...but nothing works since the assigned access feature wouldn't allow the assigned exe to open another exe
Can anyone please tell us how we could use chrome as the assigned access app with the right more (kiosk). If that can be done, it would make Win 8.1 a great platform for kiosks everywhere!

• Proposed as answer by TinHat Monday, January 06, 2014 10:22 PM
• Unproposed as answer by TinHat Monday, January 06, 2014 10:22 PM

I have been battling with Win 8.1 embedded to setup assigned access using Google Chrome. That part is easy enough. But assigned access would only launch Google chrome in normal more (with the address bar showing). What I want to do is launch chrome in Kiosk more (using the --kiosk parameter/switch which is normally accomplished via the command prompt or using a shortcut) but there simply is not way to pass the assigned access feature the parameters needed to put chrome in kiosk more. I've tried many many thing such as using AutoIT to create an exe that would replace the chrome.exe but just launches chrome in kiosk more...but nothing works since the assigned access feature wouldn't allow the assigned exe to open another exe
Can anyone please tell us how we could use chrome as the assigned access app with the right more (kiosk). If that can be done, it would make Win 8.1 a great platform for kiosks everywhere!

• Proposed as answer by TinHat Monday, January 06, 2014 10:22 PM
• Unproposed as answer by TinHat Monday, January 06, 2014 10:22 PM

Hi, How about setting up and configuring parental controls prior to enabling kiosk mode, would this not work?

My problem is that one app isn't enough. I am looking to set up some devices so that students can write CV's and apply for jobs on the net at the same time. How can you do that with 'only one app' lock-down policy?


Multiple kiosk apps would work but it's daft and cumbersome!

• Edited by TinHat Monday, January 06, 2014 10:36 PM

Hi, How about setting up and configuring parental controls prior to enabling kiosk mode, would this not work?

My problem is that one app isn't enough. I am looking to set up some devices so that students can write CV's and apply for jobs on the net at the same time. How can you do that with 'only one app' lock-down policy?


Multiple kiosk apps would work but it's daft and cumbersome!

• Edited by TinHat Monday, January 06, 2014 10:36 PM

Hi, How about setting up and configuring parental controls prior to enabling kiosk mode, would this not work?

My problem is that one app isn't enough. I am looking to set up some devices so that students can write CV's and apply for jobs on the net at the same time. How can you do that with 'only one app' lock-down policy?


Multiple kiosk apps would work but it's daft and cumbersome!

• Edited by TinHat Monday, January 06, 2014 10:36 PM

Thanks for all of your suggestions and help.

The solution i went for was a domain joined machine, with machine specific GPO's applied.
Upon starting Windows, it auto-logs into a Local account, with user specific lockdown applied using local GPO (non-administrator accounts only).

Then in startup a batch script starts my desired webpage in (desktop version) IE using kiosk mode.

The only other issue I had was stopping the start button (device has a physical button) bringing up the Metro start screen. To 'fix' this, i simply killed explorer as part of my startup batch script.

It may be crude, but it works for my purpose and allows me to stick with 8.1 for this project.

Oh and to note, using this method, I was not able to have the on screen keyboard open when tapping into text fields on web pages - where in comparison this worked on Win7. Luckily, the webpage being used for this project didn't need this functionality, otherwise I would have had to revert to Win7.

Kind Regards
Barry

• Marked as answer by Barry J. Lane Tuesday, January 07, 2014 3:38 PM

Thanks for all of your suggestions and help.

The solution i went for was a domain joined machine, with machine specific GPO's applied.
Upon starting Windows, it auto-logs into a Local account, with user specific lockdown applied using local GPO (non-administrator accounts only).

Then in startup a batch script starts my desired webpage in (desktop version) IE using kiosk mode.

The only other issue I had was stopping the start button (device has a physical button) bringing up the Metro start screen. To 'fix' this, i simply killed explorer as part of my startup batch script.

It may be crude, but it works for my purpose and allows me to stick with 8.1 for this project.

Oh and to note, using this method, I was not able to have the on screen keyboard open when tapping into text fields on web pages - where in comparison this worked on Win7. Luckily, the webpage being used for this project didn't need this functionality, otherwise I would have had to revert to Win7.

Kind Regards
Barry

• Marked as answer by Barry J. Lane Tuesday, January 07, 2014 3:38 PM

Thanks for all of your suggestions and help.

The solution i went for was a domain joined machine, with machine specific GPO's applied.
Upon starting Windows, it auto-logs into a Local account, with user specific lockdown applied using local GPO (non-administrator accounts only).

Then in startup a batch script starts my desired webpage in (desktop version) IE using kiosk mode.

The only other issue I had was stopping the start button (device has a physical button) bringing up the Metro start screen. To 'fix' this, i simply killed explorer as part of my startup batch script.

It may be crude, but it works for my purpose and allows me to stick with 8.1 for this project.

Oh and to note, using this method, I was not able to have the on screen keyboard open when tapping into text fields on web pages - where in comparison this worked on Win7. Luckily, the webpage being used for this project didn't need this functionality, otherwise I would have had to revert to Win7.

Kind Regards
Barry

• Marked as answer by Barry J. Lane Tuesday, January 07, 2014 3:38 PM

Hi Barry, 

As much as you have solved your own issue, I don't feel that this is a complete solution to the issue. Although the solution works for you, it isn't a true kiosk as there is limited functionality (IE OSK not working). 

To me getting the OSK to work within your solution would be the solution I need. I have gone down the path you have taken and it didn't work for me. 

I'm not sure that this can be classified as resolved, you said it yourself, if you needed the OSK, Win 7 would have been your option. Win 8.1 should work as expected. Not be hacked and slashed at to work around limiting functionality. I don't have the ability/time to revert 30 plus tablets to Win 7 and use them like that. 

Thanks, 

Chris

I agree, it is not a fix that I would recommend but for my particular scenario it worked fine.

I did toy with starting the OSK (built in and metro) in my startup script but without a keyboard, users cannot alt+tab to get back to it, so that was a wasted test.

I did the same sort of lockdown in Win7, minus the touchscreen element and it was very easy.
Why Microsoft made it so difficult to do the same sort of thing in 8/8.1 is beyond me.

I think Microsoft need to re-think the built-in kiosk mode as it would work great if we could actually use it how we wanted to use it rather on how they want us to use it.

Kind Regards

Barry

I agree, I also played with launching the OSK application as part of my custom shell script and that failed miserably. I could bring it up, but as you say, without Alt+Tab it was pointless. Plus it took over the screen and you couldn't see the text field anymore. 

where did you put your startup batch file.

In the startup folder for my local user account;

C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

I agree to all of the above problem. I am also facing the same issue. We have a bunch of win 8.1 tablet and needing to lock it down to run a third party application which will work as a kiosk machine. Assigned Access is great but it only allow running Metro apps from windows store. Our third party app was written in house and it is already designed in such a way that user cant get out of it. It runs fine on win7, win7 emebeded, etc.

With Assigned Access, I can't make it work so thats completely useless. I am trying work out how to lock the tablet down by other means. The tablets cannot be in part of domain so it is all local. Using AppLocker, I can lock down most of the applications but that is a tedious task, lock down with local GPO is a pain as well and will ultimately lock out even admin access, from support point of view it is a nightmare. 

I know this is a little late for some of you but I wanted to share my experience:

After creating my local account, before setting up the assigned access I logged into the user and launch desktop IE.  From here I configure all the settings I need (homepage, trusted sites, proxy, etc).  After this, I launch modern IE and set "always show address bar and tabs" (accessed through Charms->Settings).  After this I log out and set the assigned access.

Just about to head into July and am soon going to get into my first kiosk unit. Win 8.1 Pro, an AIO PC. As I read this thread from the beginning, noting the dates of posts, I kept hoping as the conversation progressed that somebody would post saying "ah ha! a new update just came out fixing all this". But of course, nope. Why Microsoft continually releases a new thing (be it an OS feature, or standalone product) that on it's version 1.0 is always inadequate, is difficult to understand.  I think Assigned Access would be great, if Micorosoft would take 5 minutes and read forum posts prior to spending 10's or 100's of hours in product development time.  It's a great start, but it is wholly insufficient for real world use. 

I'll have to set it up as is in Win 8.1 and hope Microsoft gets involved with fixing all the massive shortcomings of Assigned Access before my customers need things to be tighter.  Good luck buying an OEM machine AIO or tablet with Win 7 on it!  So for me, Win 8.1 is the only option. 

Out of curiosity, is there a comprehensive article someplace outlining how to lock down Win 7 as you guys were describing? 

Thanks! 

Just wanted to throw this out there as well.  There's a recently released page that explains the registry entries for Assigned Access that can provide you additional levels of control and configuration.  http://msdn.microsoft.com/en-us/library/dn449303(v=winembedded.82).aspx

I have been battling with Win 8.1 embedded to setup assigned access using Google Chrome. That part is easy enough. But assigned access would only launch Google chrome in normal more (with the address bar showing). What I want to do is launch chrome in Kiosk more (using the --kiosk parameter/switch which is normally accomplished via the command prompt or using a shortcut) but there simply is not way to pass the assigned access feature the parameters needed to put chrome in kiosk more. I've tried many many thing such as using AutoIT to create an exe that would replace the chrome.exe but just launches chrome kiosk more...but nothing works since the assigned access feature wouldn't allow the assigned exe to open another exe
Can anyone please tell us how we could use chrome as the assigned access app with the right more (kiosk). If that can be done, it would make Win 8.1 a great platform for kiosks everywhere!

I find myself in the same situation. I've tried everything, even modified the regedit path for chrome adding the --kiosk option but it did not work. 

Is there any chance to add that --kiosk option with assigned access? It would be terrific.

Thank you

I've studied all of the above and struggled, but it turns out there's an app for what I need: Kiosk Browser in the App Store. It bypasses the need for assigned access and everything else. I just needed the "kiosk" to show one web site -- with a touch screen. With a mouse or keyboard you can exit, but as far as I can tell with just the touch screen it's safe.

-- Update: That "Kiosk Browser" app, from the Windows app store, was too light weight -- little in the way of control or documentation. Looks like KioWare Lite is doing the trick for me -- just don't have the expertise or budget to do it all myself from scratch.

• Edited by Don_Button Tuesday, October 14, 2014 2:58 PM

I've studied all of the above and struggled, but it turns out there's an app for what I need: Kiosk Browser in the App Store. It bypasses the need for assigned access and everything else. I just needed the "kiosk" to show one web site -- with a touch screen. With a mouse or keyboard you can exit, but as far as I can tell with just the touch screen it's safe.

-- Update: That "Kiosk Browser" app, from the Windows app store, was too light weight -- little in the way of control or documentation. Looks like KioWare Lite is doing the trick for me -- just don't have the expertise or budget to do it all myself from scratch.

• Edited by Don_Button Tuesday, October 14, 2014 2:58 PM

Hi Marcus,

what is missing to get on screen keyboard in windows 8.1 kiosk mode(Assigned Access)?

this is only missing for everyone.

Rgds,

V_R_

Hi Marcus,

what is missing to get on screen keyboard in windows 8.1 kiosk mode(Assigned Access)?

this is only missing for everyone.

Rgds,

V_R_

In the same boat... Kiosk Mode on a Surface Pro 3, cannot get the OSK to display using IE.  Attempting to implement using Group Policy.