Is your organization ready for Windows 8.1? Part 12, Assigned Access

Since Windows 8, Microsoft is moving its developer ecosystem to write apps for The New Interface, formerly known as Metro. With their immersive, scaled appearances and touch optimization, these apps can be used for a wide variety of experiences.

Alas, the kiosk experience for apps in The New Interface was not one of these experiences in Windows 8, but Microsoft has redeemed itself by implementing an app kiosk mode in Windows 8.1, known as Assigned Access.

This features allows for a login to a Windows 8.1 installation, after which only the assigned app opens.

 

Enabling assigned access for a device

To implement an account with assigned access, you will need to perform these steps:

  • Create a local user account
  • Log in with the user account and, optionally, install the assigned app
  • Log off with the account and log on with an account with administrative privileges.
  • Configure the local user account as an account with assigned access

Below, I’ll walk through setting up an account for assigned access to one of my favorite Apps: PosterPedia.

Step 1, create the account for assigned access

First, let’s create the user account to which we will use as the account with Assigned Access. This account needs to be a local account.

Note:
In contrast to the custom shell group policies, software restriction policies and AppLocker policies, Assigned Access cannot be assigned to domain accounts. Scalability for Assigned Access is in its simplicity, although you can still apply the Group Policies from the Computer Configuration to devices additionally when you feel the app requires it.

Today, I’ll add a local account named PosterPedia. This will invite people to click the account tile when they accidentally find themselves on the logon screen.

You can create user accounts both in The New Interface (Click Settings in the Charms bar, click Change PC settings, select Accounts in the left pane and then select Other accounts from the same pane. Click Add an account in the main pane to gain access to the dialog screen for creating a new user account. On the Desktop you can start lusrmgr.msc and create accounts there in the same way you may have been doing in the last few versions of Windows.

Since this is a local account, I’ll configure it without a password to take away any reservations.

Tip!
Windows 8.1 requires a password and password hint for new accounts. To drop this requirement, start secpol.msc. In the left pane, expand Account policies and then Password policies. Change the settings to your needs. When the device is domain-joined, change this setting with a Group Policy, applies to the Organizational Unit where the kiosk devices reside.

 

Step 2, Log in with the user account

Now, log on with the newly created local user account. Make sure you start at least one app in The New Interface. I recommend starting the Windows Store app.

If you want to assign access to one of the built-in Apps (Alarms, Calculator, Calendar, Finance, Food and Drink, Games, Health and Fitness, Help+Tips, Internet Explorer, Mail, Maps, Music, News, People, Reader, Reading List, Scan, Skype, Sound Recorder, Sports, Travel, Video, or Weather) this is all you need to do.

If you want to assign access to a Windows App, either download the App from the Windows Store or sideload the App.

To be able to download Apps from the Windows Store, a Microsoft account is needed. However, in the bottom left corner of this dialog screen, an option labeled Sign into each app separately instead (not recommended) allows you to log on temporarily:

The option labeled Sign into each app separately instead (not recommended) allows you to log on temporarily without switching to a Microsoft Account (click for original screenshot)

Note:
Using the option to sign into each app separately does not trigger any Multi-Factor Authentication setup for a Microsoft account.

 

Step 3, Log off

When you’ve configured the settings for the local user account (including a Profile picture, etc.) you’d want to configure for assigned access, log off. This will write the profile to disk. Log off can be found as Sign out in both the right-click context menu for the User Tile in the top right corner of Start and as the Sign out option when you press Alt + F4 on the Desktop.

Step 4, Configure assigned access

With the local account for assigned access configured and having accessed at least one app in The New Interface, you’re ready to configure assigned access.

Log on the device with an account with administrative privileges.

Access the Charms bar by clicking in the top right corner of the Desktop and slide down, by swiping in from the right side of the screen or by pressing Win + C. From the Charms Bar, select Settings. In the Settings pane, select Change PC settings.

In the left pane, select Accounts. Then select Other accounts.

Note:
When Other accounts is not visible in the list in the left pane, you are not logged on with an account with administrative privileges.

In the main pane, below the list of local users, select the link Set up an account for assigned access.

Set up an account for assigned access (click for original screenshot)

Click on Choose an account and select an account from the list.

Note:
When the account you want to use is not present, it’s not configured as an account that is local to the device.

With the account selected, click Choose an app. Select the one app you want to assign access from the list.

Note:
When the list is empty, the account has not been used to access an app in The New Interface. Although Windows states an app needs to be installed, this is not, necessarily the case.

When you’ve successfully assigned access, close the Dialog box by pulling it down from its top border or press Alt + F4.

Log off with the account and then log on with the account with assigned access.

 

Changing assigned access settings

Perform these steps, when you want to change the account or app used by assigned access for a device:

Log on the device with an account with administrative privileges.

Access the Charms bar by clicking in the top right corner of the Desktop and slide down, by swiping in from the right side of the screen or by pressing Win + C. From the Charms Bar, select Settings. In the Settings pane, select Change PC settings.

In the left pane, select Accounts. Then select Other accounts.

In the main pane, below the list of local users, select the link Set up an account for assigned access.

To select a different user account, click the name or Tile of the  account with assigned access and select the new account. The App will be cleared. Select Choose an app to configure the app used for assigned access.

To change the app for the account with assigned access, select Choose an app and select the app you want to assign access to.

 

Removing assigned access for a device

Perform these steps, when you no longer want to have assigned access for a device:

Log on the device with an account with administrative privileges.

Access the Charms bar by clicking in the top right corner of the Desktop and slide down, by swiping in from the right side of the screen or by pressing Win + C. From the Charms Bar, select Settings. In the Settings pane, select Change PC settings.

In the left pane, select Accounts. Then select Other accounts.

In the main pane, below the list of local users, select the link Set up an account for assigned access.

Click the name or Tile of the  account with assigned access. In the context menu select Don’t use assigned access.

Other tidbits

Some apps require access to device capabilities or even the files on the device. For these capabilities you can use the same old tricks you’re used to using on kiosk devices with previous versions of Windows. The same goes for logon options like automatic logons with a specific account after startup. All these tricks still apply to Windows 8.1

However, breaking out of kiosk mode is different on Windows 8.1. You no longer have to disable the Ctrl + Alt + Del options, since this is disabled for accounts with assigned access. Instead press the Start button on the device five times to leave kiosk mode and get to the logon screen.

Since Windows 8.1 offers Automatic App Updates, be sure to make a choice there. You can disable Automatic App Updates per user and per device and you may or may not choose to do so, depending on your requirements.

 

Related blogposts

Server Posterpedia: A good way to learn Active Directory

Further reading

Assigned access: FAQ
Windows 8.1 Assigned Access
Windows 8.1 Kiosk Mode Renamed To Assigned Access
How to Enable “Assigned Access” Feature in Windows 8.1
Lockdown, Assigned Access, Point-Of-Service, Point-Of-Sales, POS Setup, Kiosk Mode
Assigned access on windows 8.1 to automatically launch apps on login
How to Set Up an Account for Assigned Access in Windows 8.1 and Windows RT 8.1
How to Easily Put a Windows PC into Kiosk Mode With Assigned Access
Windows 8.1 Renames Kiosk Mode to Assigned Access
How to Create an "Assigned Access" Shortcut in Windows 8.1

Series Navigation

<< Is your organization ready for Windows 8.1? Part 11, Internet Explorer Enhanced Protected ModeIs your organization ready for Windows 8.1? Part 13, Quiet hours >>

One Response to Is your organization ready for Windows 8.1? Part 12, Assigned Access

  1.  

    I guess my office staff is not ready to shift to windows 8 yet. They are still comfortable with the windows 2008 server. Thanks for a great article!

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.