The Device Lockdown Features allow you to lock down your Windows system. This can be useful to protect the system from malicious users or to customize the user experience.
The Device Lockdown Features are described here:
You can use Shell Launcher to configure a custom shell for a specific Windows user. This script creates a new user and sets any application as the custom shell for that user.
You have to define a username and password for the new user. The new user is logged on automatically after the system starts.
```powershell
# Shell Launcher
$ConfigureShellLauncher=$TRUE
$ConfigNewUser=$TRUE #Resets existing user and creates a new one with user rights and configured Autologon
$username = "Operator"
$password = "1" # sample value, replace before deployment
$customShellApp="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --kiosk www.beckhoff.com --edge-kiosk-type=fullscreen"
```
You can define an action that should happen after closing the shell:
Action | Description |
---|---|
0 | Restart the shell |
1 | Restart the IPC |
2 | Shut down the IPC |
3 | Do nothing |
```powershell
# Define actions to take when the shell program exits.
$Shell_Launcher_Exit_Action = 0 # Restart Shell
#$Shell_Launcher_Exit_Action = 1 # Restart Device
#$Shell_Launcher_Exit_Action = 2 # Shutdown Device
#$Shell_Launcher_Exit_Action = 3 # Do Nothing
```
You can define a Breakout Key with the Keyboard Filter to switch to the Welcome Screen. Otherwise, you can implement an exit strategy in your HMI. For example, you can run the following command to log off the current user:
```
C:\Windows\System32\rundll32.exe user32.dll, LockWorkStation
```
Official Microsoft Documentation:
https://learn.microsoft.com/en-us/windows-hardware/customize/enterprise/shell-launcher
You can suppress Windows elements during the boot phase with Unbranded Boot:
Before Unbranded Boot:
After Unbranded Boot:
You can replace the startup logo with a custom BIOS with an adapted boot screen. The UEFI boot mode is required for this.
Official Microsoft Documentation:
https://learn.microsoft.com/en-us/windows-hardware/customize/enterprise/unbranded-boot
Filter undesirable key presses or key combinations with the Keyboard Filter. This helps to block key combinations like Ctrl+Alt+Delete. You can exclude the Administrator from these policies.
In addition, a Breakout Key is configured. This setting specifies the scan code of the key that enables a user to break out of an account that is locked down with Keyboard Filter. A user can press this key five times in a row to switch to the Welcome screen. The scan code of a key can be looked up here:
https://kbdlayout.info/KBDGR/scancodes?arrangement=ISO105
By default, the BreakoutKeyScanCode is set to the scan code for the left Windows logo key (HEX=5B, DEC=91).
```powershell
# Keyboard Filter
$ConfigureKeyboardFilter=$TRUE
$FilteredKeys=@("Ctrl+Alt+Del","Win+L","Win+E","Win+R")
$BreakoutKey="91" #in DEC
$DisableKeyboardFilterForAdministrator=$TRUE
```
Official Microsoft Documentation:
https://learn.microsoft.com/en-us/windows-hardware/customize/enterprise/keyboardfilter
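A read-only check of the Shell Launcher and Keyboard Filter settings described above, as an added example that is not part of the original script. It queries the WMI classes WESL_UserSetting, WEKF_PredefinedKey and WEKF_Settings; the function name `Test-LockdownState` is hypothetical, the expected values are the sample values from this page, and it assumes both features are enabled and the session is elevated.

```powershell
# Added example: read-only audit. Defaults mirror the sample values on this page.
function Test-LockdownState {
    param(
        [string]   $UserName     = 'Operator',
        [string[]] $FilteredKeys = @('Ctrl+Alt+Del', 'Win+L', 'Win+E', 'Win+R'),
        [string]   $BreakoutKey  = '91',   # decimal scan code
        [int]      $ExitAction   = 0       # 0 = restart the shell
    )
    $ns = 'root\standardcimv2\embedded'    # WMI namespace used by both features
    $findings = @()

    try {
        # Keyboard Filter: each configured combination must exist and be enabled.
        $keys = Get-CimInstance -Namespace $ns -ClassName WEKF_PredefinedKey -ErrorAction Stop
        foreach ($id in $FilteredKeys) {
            $key = $keys | Where-Object { $_.Id -eq $id }
            if (-not $key)             { $findings += "Keyboard Filter: unknown key '$id'" }
            elseif (-not $key.Enabled) { $findings += "Keyboard Filter: '$id' is not blocked" }
        }
        # Global settings are Name/Value string pairs.
        $settings = Get-CimInstance -Namespace $ns -ClassName WEKF_Settings -ErrorAction Stop
        $scanCode = ($settings | Where-Object { $_.Name -eq 'BreakoutKeyScanCode' }).Value
        if ($scanCode -ne $BreakoutKey) {
            $findings += "Keyboard Filter: breakout scan code is '$scanCode', expected '$BreakoutKey'"
        }
    } catch {
        $findings += "Keyboard Filter: query failed ($($_.Exception.Message))"
    }

    try {
        # Shell Launcher: must be enabled and hold a custom shell for the user's SID.
        $cim = @{ Namespace = $ns; ClassName = 'WESL_UserSetting'; ErrorAction = 'Stop' }
        if (-not (Invoke-CimMethod @cim -MethodName IsEnabled).Enabled) {
            $findings += 'Shell Launcher: not enabled'
        }
        $sid = ([System.Security.Principal.NTAccount]$UserName).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        $shell = Invoke-CimMethod @cim -MethodName GetCustomShell -Arguments @{ Sid = $sid }
        if ($shell.DefaultAction -ne $ExitAction) {
            $findings += "Shell Launcher: exit action is $($shell.DefaultAction), expected $ExitAction"
        }
    } catch {
        $findings += "Shell Launcher: query failed ($($_.Exception.Message))"
    }
    $findings   # empty output means the state matches the expected values
}

Test-LockdownState
```

Each returned string names one deviation, so the output can be logged or compared after every image update.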
Custom Logon allows you to disable Windows user logon animations:
Auto Logon UI:
Hide Auto Logon UI:
It's also possible to remove the buttons from the Welcome screen.
Welcome screen:
Welcome screen with Branding Neutral:
```powershell
# Custom Logon
$ConfigureCustomLogon=$TRUE
$HideAutoLogonUI=$TRUE
$BrandingNeutral=$TRUE
```
Official Microsoft Documentation:
https://learn.microsoft.com/en-us/windows-hardware/customize/enterprise/custom-logon