Add lockdown and branding features to your image by using Windows SIM (Industry 8.1)

7/8/2014

Learn how to add lockdown and branding features to your Windows Embedded 8.1 Industry (Industry 8.1) image or device by using Windows System Image Manager (Windows SIM).

By default, lockdown and branding features are not included in the image when you first install Windows Embedded 8.1 Industry (Industry 8.1). You can use Windows System Image Manager (Windows SIM) to configure an answer file to add lockdown and branding features to your image during installation or deployment.

Add, enable, and configure lockdown and branding features by using Windows SIM

When you first run Windows SIM, you need to open an Industry 8.1 .wim file and create a catalog before you can create a new answer file. Adding a feature does not necessarily enable it. After you add a feature to the image, you may have to configure its settings in order to enable it. For lockdown and branding features to work correctly, you must first add the Windows Foundation Package to your answer file, then enable ISKU-Embedded-Features, and then add individual lockdown components to the appropriate configuration pass of your image and configure them as desired.

To add lockdown and branding features by using Windows SIM

  1. Run Windows System Image Manager.

  2. On the File menu, click Select Windows Image.

  3. In the Select a Windows Image window, navigate to the location of install.wim on your Industry 8.1 media.

  4. Select install.wim and click Open.

  5. If this is the first time you are opening an Industry 8.1 .wim file, Windows SIM will ask you if you want to create a catalog file. Select Yes to allow Windows SIM to create the catalog.

  6. In the Windows Image pane, expand Packages > Foundation.

  7. Right-click the Microsoft-Windows-Foundation-Package for your architecture and select Add to Answer File.

To enable lockdown and branding features by using Windows SIM

  1. In the Microsoft-Windows-Foundation-Package pane, under Windows Feature Selections, expand ISKU-Embedded-Features.

  2. Select ISKU-Embedded-Features, click the drop-down icon, and select Enabled.

    Warning

    If you do not enable ISKU-Embedded-Features, no Industry 8.1 lockdown features will be added to your image, even if you enable them, and any lockdown settings will not be applied.

  3. Under ISKU-Embedded-Features, select any lockdown features that you want to add to your image, click the drop-down icon, and select Enabled.

To configure lockdown and branding features by using Windows SIM

  1. To configure lockdown feature settings, in the Windows Image pane, expand Components, and then right-click the corresponding component to add its settings to the pass.

    For example, to configure Keyboard Filter settings, right-click Microsoft-Windows-Embedded-KeyboardFilterService, and then select Add Setting to Pass 2 offlineServicing.

  2. In the Answer File pane, expand Components, and then expand the pass that contains the settings component for the lockdown feature.

  3. Select the component. The properties pane will contain a list of modifiable settings for the component.

    Warning

    If you do not change any setting values, then the component settings will not be added to the answer file.

  4. To make further modifications to your image, see Windows SIM How-to Topics on MSDN.
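The following added example (not part of the original documentation) audits a saved answer file for the two pitfalls this page warns about: lockdown components present while ISKU-Embedded-Features is not enabled, and USB Filter settings configured through the answer file despite the known issue described in the package list below. It assumes the standard unattend layout (a `servicing/package/selection` element for feature selections and `settings/component` elements per pass); the sample file and its attribute values are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}
FOUNDATION = "Microsoft-Windows-Foundation-Package"
PARENT_FEATURE = "ISKU-Embedded-Features"
USB_FILTER = "Microsoft-Windows-Embedded-USBFilter"
LOCKDOWN_PREFIX = "Microsoft-Windows-Embedded-"  # shared by every package listed on this page

# Constructed sample answer file; attribute values are placeholders.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <servicing>
    <package action="configure">
      <assemblyIdentity name="Microsoft-Windows-Foundation-Package" processorArchitecture="amd64"/>
      <selection name="ISKU-Embedded-Features" state="false"/>
    </package>
  </servicing>
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-Embedded-KeyboardFilterService" processorArchitecture="amd64"/>
    <component name="Microsoft-Windows-Embedded-USBFilter" processorArchitecture="amd64"/>
  </settings>
</unattend>"""

def audit_answer_file(xml_text):
    """Return findings for the lockdown prerequisites described on this page."""
    root = ET.fromstring(xml_text)
    findings = []
    # Collect lockdown components added to any configuration pass.
    lockdown = [(s.get("pass"), c.get("name"))
                for s in root.findall("u:settings", NS)
                for c in s.findall("u:component", NS)
                if (c.get("name") or "").startswith(LOCKDOWN_PREFIX)]
    # Check whether the parent feature is enabled in the Foundation package.
    enabled = False
    for pkg in root.findall("u:servicing/u:package", NS):
        ident = pkg.find("u:assemblyIdentity", NS)
        if ident is not None and ident.get("name") == FOUNDATION:
            for sel in pkg.findall("u:selection", NS):
                if sel.get("name") == PARENT_FEATURE and sel.get("state") == "true":
                    enabled = True
    if lockdown and not enabled:
        findings.append(f"{PARENT_FEATURE} is not enabled: lockdown settings will not be applied")
    for pass_name, name in lockdown:
        if name == USB_FILTER:
            findings.append(f"{name} set in pass {pass_name}: configure it with the WMI provider instead")
    return findings

if __name__ == "__main__":
    for finding in audit_answer_file(SAMPLE):
        print("FINDING:", finding)
```

Running a check like this in the image build pipeline catches a silently unlocked image before it is deployed to a device.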

Lockdown and branding component packages in Windows SIM

The following are the lockdown and branding packages available in Windows SIM in Industry 8.1.

Custom Logon 

  • Package name
    Microsoft-Windows-Embedded-EmbeddedLogon
  • Description
    You can use Custom Logon to suppress Windows 8.1 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a Custom Logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.

    Custom Logon settings do not modify the credential behavior for Winlogon, so you can use any credential provider that is compatible with Windows 8.1 to provide a custom sign-on experience for your device.

    You must configure Custom Logon settings at design time by adding the settings to the answer file. You cannot change the configuration of Custom Logon during run time.

Dialog Filter 

  • Package name
    Microsoft-Windows-Embedded-DialogFilterService
  • Description
    You can use Dialog Filter to control which dialog boxes and windows are displayed on the screen and to automatically handle dialog boxes by taking a default action, such as to close or show the dialog box. Also, in Industry 8.1, you can configure Dialog Filter to always show dialog boxes from specific processes, regardless of the specified default action.

Gesture Filter 

  • Package name
    Microsoft-Windows-Embedded-GestureFilter
  • Description
    You can use Gesture Filter to disable the edge and corner gestures available in Industry 8.1. Gesture Filter allows you to block edge gestures (left, right, top extended swipe, and each corner) individually.

Keyboard Filter 

  • Package name
    Microsoft-Windows-Embedded-KeyboardFilterService
  • Description
    You can use Keyboard Filter to suppress undesirable key presses or key combinations. Keyboard Filter works with physical keyboards, the Windows On-Screen Keyboard, and touch keyboards. Keyboard Filter also detects dynamic layout changes, such as switching from one language set to another, and continues to suppress keys correctly, even if the location of suppressed keys has changed on the keyboard layout.

Shell Launcher 

  • Package name
    Microsoft-Windows-Embedded-ShellLauncher
  • Description
    You can use Shell Launcher to replace the default Windows 8.1 shell with a custom shell. You can use any application or executable as your custom shell, such as a command window or a custom dedicated application.

Toast Notification Filter 

  • Package name
    Microsoft-Windows-Embedded-ToastFilter
  • Description
    You can use Toast Notification Filter to prevent system toast notifications from displaying in Industry 8.1.

USB Filter 

  • Package name
    Microsoft-Windows-Embedded-USBFilter
  • Description
    You can use USB Filter to allow trusted USB devices to connect to a system. USB Filter intercepts device connect requests and allows an administrator to set which devices are allowed to be active and detectible based on the device product ID, device vendor ID, or device class ID.

    Warning

    Although USB Filter settings are shown in Windows SIM, there is a known issue that causes these settings to be incorrectly implemented in an image. We recommend that you use Control Panel or DISM to turn on USB Filter and to use the USB Filter WMI provider to configure USB Filter.

Unbranded Boot 

  • Package name
    Microsoft-Windows-Embedded-Bootexp
  • Description

Unified Write Filter (UWF) 

  • Package name
    Microsoft-Windows-Embedded-UnifiedWriteFilter
  • Description
    You can use UWF to help protect your physical storage media, including most standard writable storage types that are supported by Windows 8.1, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.

    UWF intercepts all write attempts to a protected volume and redirects those attempts to a virtual overlay.

Windows 8 Application Launcher 

  • Package name
    Microsoft-Windows-Embedded-EmbeddedAppLauncher
  • Description
    You can use Windows 8 Application Launcher to start a Windows Store app immediately after a user signs in to a Windows 8.1 device and to restart the app when the app exits. You can configure Windows 8 Application Launcher to launch different apps for different users. If the Windows Store app is written specifically to work with Windows 8 Application Launcher, you can configure Windows 8 Application Launcher to perform a specified action based on an exit value returned by the app.

See Also

Concepts

Configure and deploy an image
Add lockdown features to your image
Lockdown features
Brand a device