Windows 8.1 Assigned access for Domain Users

Note: This article was originally published on an old version of my blog back in November 2014. I have reposted it here as back then a couple of people contacted me seeking further information, as I never got around to adding screenshots. Well, here it is again with them included.

I have recently been developing a Windows 8.1 application to be used in Kiosk Mode or Assigned Access Mode.

As this was to be run on a domain-joined workstation and to auto login with a generic domain account, I looked into whether the app could be run as a Custom User Interface set via Group Policy.

Sadly this wasn't possible as you cannot run a Windows 8.1 app directly as it isn't a win32 application.

I then tried setting a protocol in the application package manifest. This also turned out to be a non-starter, as even though the protocol worked a treat when logged into Windows normally it could be run as a Custom User Interface directly or if launched by using cmd start (which again works if logged in normally to Windows).

It was now time to try and see how Assigned Access works, so I installed the app under a local user account and logged out. Then under my administrator account I set this local account up for assigned access.

While I did this I had Process Monitor running so I could see exactly what was being changed registry- and file-wise for Assigned Access.

It appears that it changes settings for Windows Embedded registry entries and also creates some files under the Windows -> Embedded directory.

fig 1. Process Monitor

These entries relate to the SID of the local account... interesting.

I gathered the SID of the generic domain account we want the application to run as from the ProfileList in the registry and then changed the directory name and the registry entry which had the local user account SID.

fig 2. Directory Name

fig 3. Registry Entry
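
The SID lookup described above can be scripted. The following PowerShell is an added example, not part of the original post: it lists every SID under ProfileList with the account and profile path it maps to, then picks out the one for the generic domain account. The account name `CONTOSO\kiosk` is a hypothetical placeholder.

```powershell
# Added example: map the SIDs under ProfileList to account names.
# 'CONTOSO\kiosk' is a hypothetical placeholder for the generic domain account.
param(
    [string]$Account = 'CONTOSO\kiosk'
)

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Each subkey of ProfileList is named after the SID of a profile on this machine.
$profiles = Get-ChildItem -Path $profileList | ForEach-Object {
    $sidString = $_.PSChildName
    $path = (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath `
                -ErrorAction SilentlyContinue).ProfileImagePath
    try {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidString)
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Not a plain SID (e.g. a ".bak" key), an orphaned profile,
        # or the domain could not be reached to resolve the name.
        $name = '<unresolved>'
    }
    [pscustomobject]@{ SID = $sidString; Account = $name; ProfilePath = $path }
}

$profiles | Format-Table -AutoSize

# Case-insensitive match on DOMAIN\user.
$match = $profiles | Where-Object { $_.Account -ieq $Account }
if ($match) {
    "SID for ${Account}: $($match.SID)"
} else {
    # No profile yet: the account has never logged on to this machine.
    # Resolve the SID directly instead (throws if the account does not exist).
    Write-Warning "$Account has no profile here; resolving the SID directly."
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
```

A domain account only appears under ProfileList after it has logged on to the machine at least once, which is why the script falls back to a direct lookup.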

So, with my fingers crossed I logged into the machine with the generic domain account and hey presto, my Windows 8.1 application launched as an Assigned Access App/Kiosk Mode.

Now, although this worked for me in this instance, I have not tried it on a fresh machine where I haven't done any other tinkering. I think that will be my job for tomorrow, to put this little hack to the test.

I hope this helps some of you out who I have seen posting in forums etc asking how this could be done as Microsoft state that it isn't possible.

Give it a go and let me know how you get on.