Building lock down device – Part 1 (Keyboard Filter)

Updated: There are two “bugs” I mentioned earlier in this post, but I was totally wrong about it. Those “bugs” I ran into, was because I configured them wrong and still missing some settings.
Luckily got help from Microsoft, big thanks to Jagadish Murugan and his team, Bob Mac Neill, and Cathy Moya!

Keyboard Filter feature is absolutely powerful feature that I strongly recommend use it for Shared PC/Kiosk PC/Lock down PC.

The story begins with…

It has been awhile not writing any new blog post, time to start a new series post more focus on Windows 10.

Last year when we were in Seattle, we lost our luggage bag, my husband had to use hotel lobby computer to send some emails to airline and deal with insurance company. Later on, I asked him what kind of machine they have? Was it Microsoft Assigned Access Kiosk device? He told me “no, there is a third party app that locks the machine and with timers. The machine will restart when time runs out, and user profile is deleted after that”.

Here I am, spent past few month build a lock down kiosk machine, picking up all the pieces, break through all the problems (include Windows 10 bugs), it finally comes to the end, and I finally have time to start writing blog post again.

This part is “Keyboard Filter”. When we are making a lock down machine, you probably don’t want user use all those cool keyboard shortcuts, you might not want them use Win+L or Ctrl+Alt+Del lock the machine. I have seen others use third party software to do so, or use keyboard remapping. But if you are using Windows 10 Enterprise or Windows 10 Education, you can use device lockdown feature name Keyboard filter

First you need to install Keyboard filter feature, nothing really super special, just install it same way as other Windows feature. Here is PowerShell example, it requires restart after feature is enabled.

#Event log source
$LogSource = "SCConfigMgr"
New-EventLog -LogName Application -Source $LogSource -ErrorAction Ignore

#Enable keyboard filter feature		
    #Write event log
  Write-EventLog -LogName Application -Source $LogSource -EntryType Info -EventId 1000 -Message "Start enable keyboard filter Feature"

    #Enable keyboard filter feature without restart		
  Enable-WindowsOptionalFeature -Online -FeatureName Client-KeyboardFilter -All -NoRestart -OutVariable result			

    #Detect if restart is needed
  if ($result.RestartNeeded -eq $true)
    $restartneeded = $true
    Write-EventLog -LogName Application -Source $LogSource -EntryType Warning -EventId 1001 -Message "Requried restart"
  # Something went wrong, display the error details and write an error to the event log
  Write-EventLog -LogName Application -Source $LogSource -EntryType Warning -EventId 1001 -Message "$_.Exception.Message"

#If feature installed and requried restart, then restart		
if ($restartneeded -eq $true)
  Restart-Computer -Force

Then we can configure what keyboard combinations we would like to block. For example block Win+L and Ctrl+Alt+Del

function Enable-Predefined-Key($Id)
  $predefined = Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
  where {
    $_.Id -eq "$Id"
  if ($predefined)
    $predefined.Enabled = 1;
    $predefined.Put() | Out-Null;
    Write-Host Enabled $Id
    Write-Error "$Id is not a valid predefined key"
$CommonParams = @{ "namespace" = "root\standardcimv2\embedded" };
if ($PSBoundParameters.ContainsKey("ComputerName"))
  $CommonParams += @{ "ComputerName" = $ComputerName };

#Enable filters
Get-WMIObject -class WEKF_Settings @CommonParams -ErrorAction Stop          
Enable-Predefined-Key "Ctrl+Alt+Del"
Enable-Predefined-Key "Win+L"

You can find more samples from official Microsoft documents:

What need to be noticed:

Win/Windows Key

When I test this, I was using Enable-Scancode “Win” , and this is wrong configuration even there is no output error, it said it’s configured. But because this configuration was wrong, it also broke other key restriction settings, I thought this is a bug.

Thanks for Jagadish from Microsoft pointed me out to the correct configuration. 😀

Enable-ScanCode expects “Modifier + Scancode”, in the script there is “Win” but no Scancode so it assumes 0. So the key combination that is blocked is Win+0. If you want to block Windows key use: Enable-Predefined-Key “Windows”

Breakout key

After install keyboard filter feature and configure some keys, I noticed if you push Win key 5 times, it will lock the user to logon screen, I must say that I am super disappointed of this behaviors, because I have try configure everything to prevent user lock the machine, it just doesn’t make any sense if I use keyboard filter to block “Win + L” lock user function, but then it actives Win 5 times to enable lock user feature. I really hope this will be fixed in the future Windows build.

Thanks again to Jagadish. Turns out this is not a bug! I was missing configuration AGAIN. Oh *facepalm*. Here s the documentation that I have missed.

When we use Keyboard Filter, once when we active a key restriction/configuration, it also actives a Breakout key. By default, Windows key is the breakout key, in my case I don’t want people push the Windows key 5 times to lock the machine, so I need to configure a different key for “Breakout” to avoid this.

Next part : Building lock down device – Part 2 (Shell Launcher)


Sandy Zeng

Sandy is an Enterprise Mobility MVP since 2018. She is an experienced Information Technology Specialist for over 10 years. Skilled in Microsoft Endpoint Manager (ConfigMgr and Intune), Windows 10 and security. Sandy's interests are mostly related to Microsoft Technologies, she has passions learning new skill sets to improve her professional career and also as her hobbies. She uses her expertise to help customers achieve their goals and solve their issues.

Sandy founded the blog and is now a blogger on MSEndPointMgr.


  • Hello,

    This is absolutely incredible. I do have one question I am having trouble finding the answer for. Can I have the Keyboard filtering only apply to a specific domain account logging into the system?

    We will have Admins who need to access the system, and them having access to ctrl+alt+del and such is useful….

  • Hi Sandy,

    thanks for the article.

    Do you have any recommendation how to deploy those scripts via intune and autopilot? The issue is, that a reboot during autopilot device ESP would break the setup process. But without a reboot, the second part of the script does not run and keyboard filters can not be activated.

    Goal is to have the device ready with keyboard filters when the deployment is finished.

    • Sorry for delay reply. There is not good way to do this. In our production, we install those kiosk device via MDT or ConfigMgr, and enable those Windows Feature during Task Sequence, and use Autopilot offline json file for Autopilot. I just couldn’t trust OEM image for kiosk device. I have tried deploy the first script enable those features and change machine name, then use dynamic group collect those devices, then deploy the second script, this works, but takes longer time for deployment.

      • I am testing on Windows 10 Ent 21H2 currently and found the Win+L key does still allow the system to be locked, perhaps Microsoft changed something?

      • Actually ignore that, after a reboot, Win+L also no longer works, so a reboot may be required for Win+L to work.

        I also added Alt+Tab to prevent movement between any windows and it also works.

  • Where you ever able to specify a custom breakout key that was a combination, and not just a single key?