Building lock down device – Part 1 (Keyboard Filter)

Updated: There are two “bugs” I mentioned earlier in this post, but I was totally wrong about it. Those “bugs” I ran into, was because I configured them wrong and still missing some settings.
Luckily got help from Microsoft, big thanks to Jagadish Murugan and his team, Bob Mac Neill, and Cathy Moya!

Keyboard Filter feature is absolutely powerful feature that I strongly recommend use it for Shared PC/Kiosk PC/Lock down PC.

The story begins with…

It has been awhile not writing any new blog post, time to start a new series post more focus on Windows 10.

Last year when we were in Seattle, we lost our luggage bag, my husband had to use hotel lobby computer to send some emails to airline and deal with insurance company. Later on, I asked him what kind of machine they have? Was it Microsoft Assigned Access Kiosk device? He told me “no, there is a third party app that locks the machine and with timers. The machine will restart when time runs out, and user profile is deleted after that”.

Here I am, spent past few month build a lock down kiosk machine, picking up all the pieces, break through all the problems (include Windows 10 bugs), it finally comes to the end, and I finally have time to start writing blog post again.

This part is “Keyboard Filter”. When we are making a lock down machine, you probably don’t want user use all those cool keyboard shortcuts, you might not want them use Win+L or Ctrl+Alt+Del lock the machine. I have seen others use third party software to do so, or use keyboard remapping. But if you are using Windows 10 Enterprise or Windows 10 Education, you can use device lockdown feature name Keyboard filter

First you need to install Keyboard filter feature, nothing really super special, just install it same way as other Windows feature. Here is PowerShell example, it requires restart after feature is enabled.

#Event log source
$LogSource = "SCConfigMgr"
New-EventLog -LogName Application -Source $LogSource -ErrorAction Ignore

#Enable keyboard filter feature		
try
{
    #Write event log
  Write-EventLog -LogName Application -Source $LogSource -EntryType Info -EventId 1000 -Message "Start enable keyboard filter Feature"

    #Enable keyboard filter feature without restart		
  Enable-WindowsOptionalFeature -Online -FeatureName Client-KeyboardFilter -All -NoRestart -OutVariable result			

    #Detect if restart is needed
  if ($result.RestartNeeded -eq $true)
  {
    $restartneeded = $true
    Write-EventLog -LogName Application -Source $LogSource -EntryType Warning -EventId 1001 -Message "Requried restart"
  }			
}
catch
{
  # Something went wrong, display the error details and write an error to the event log
  Write-EventLog -LogName Application -Source $LogSource -EntryType Warning -EventId 1001 -Message "$_.Exception.Message"
}

#If feature installed and requried restart, then restart		
if ($restartneeded -eq $true)
{
  Restart-Computer -Force
}

Then we can configure what keyboard combinations we would like to block. For example block Win+L and Ctrl+Alt+Del

function Enable-Predefined-Key($Id)
{		
  $predefined = Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
  where {
    $_.Id -eq "$Id"
  };
      
  if ($predefined)
  {
    $predefined.Enabled = 1;
    $predefined.Put() | Out-Null;
    Write-Host Enabled $Id
  }
  else
  {
    Write-Error "$Id is not a valid predefined key"
  }
}
    
        
$CommonParams = @{ "namespace" = "root\standardcimv2\embedded" };
if ($PSBoundParameters.ContainsKey("ComputerName"))
{
  $CommonParams += @{ "ComputerName" = $ComputerName };
} 

#Enable filters
Get-WMIObject -class WEKF_Settings @CommonParams -ErrorAction Stop          
Enable-Predefined-Key "Ctrl+Alt+Del"
Enable-Predefined-Key "Win+L"

You can find more samples from official Microsoft documents: https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/keyboardfilter-powershell-script-samples

What need to be noticed:

Win/Windows Key

When I test this, I was using Enable-Scancode “Win” , and this is wrong configuration even there is no output error, it said it’s configured. But because this configuration was wrong, it also broke other key restriction settings, I thought this is a bug.

Thanks for Jagadish from Microsoft pointed me out to the correct configuration. 😀

Enable-ScanCode expects “Modifier + Scancode”, in the script there is “Win” but no Scancode so it assumes 0. So the key combination that is blocked is Win+0. If you want to block Windows key use: Enable-Predefined-Key “Windows”

Breakout key

After install keyboard filter feature and configure some keys, I noticed if you push Win key 5 times, it will lock the user to logon screen, I must say that I am super disappointed of this behaviors, because I have try configure everything to prevent user lock the machine, it just doesn’t make any sense if I use keyboard filter to block “Win + L” lock user function, but then it actives Win 5 times to enable lock user feature. I really hope this will be fixed in the future Windows build.

Thanks again to Jagadish. Turns out this is not a bug! I was missing configuration AGAIN. Oh *facepalm*. Here s the documentation that I have missed. https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/wekf-settings

When we use Keyboard Filter, once when we active a key restriction/configuration, it also actives a Breakout key. By default, Windows key is the breakout key, in my case I don’t want people push the Windows key 5 times to lock the machine, so I need to configure a different key for “Breakout” to avoid this.

Next part : Building lock down device – Part 2 (Shell Launcher)