Keyboard Filter Basics (POSReady 7)


Keyboard Filter is a new feature that is being introduced with Windows Embedded POSReady 7. It enables you to configure key combinations that you want to prevent users from entering from a keyboard. Common examples of undesired key combinations include Control+Alt+Delete and Windows+L. These key combinations may cause unwanted behavior and cannot be disabled in Windows. Keyboard Filter is useful for blocking those key combinations.

Keyboard Filter is integrated into the POSReady 7 image and is ready for immediate use after installation. This feature provides a predefined set of commonly blocked key combinations that can be enabled by a system administrator. For more advanced configuration, custom key combinations can be entered. Additionally, this feature uses Group Policy for a familiar and enterprise-ready configuration experience. Keyboard Filter is designed to help you protect your device experience.

This walkthrough covers basic configuration and common scenarios for Keyboard Filter on Windows Embedded POSReady 7. At the end, you will have a POSReady 7 system that blocks both predefined and custom key combinations that you have specified.

  • Prerequisites
  • Configure Predefined Key Combinations
  • Configure Custom Key Combinations
  • Next Steps


To complete this scenario, you will need the following:

  • A reference computer with POSReady 7 installed

A reference computer is a fully assembled computer on which you install a customized installation by using the Windows Embedded POSReady 7 product DVD and an answer file.


Installing a base POSReady 7 image is covered in other product documentation. It will not be covered in this document.

Configure Predefined Key Combinations

When developing Keyboard Filter, many key combinations that are commonly blocked were considered. Some common examples are Control+Alt+Delete and Windows+L, but others such as Alt+F4 are also frequently used.

On Windows Embedded POSReady 7, Keyboard Filter is configured through Group Policy. In this walkthrough, you will configure Keyboard Filter on your reference computer. You can then capture and deploy the reference image. You will use the Local Group Policy Editor for configuration.

In this step, you open the Local Group Policy Editor on your reference computer and navigate to the section where Keyboard Filter settings are configured.

  1. On your reference computer, click Start.

  2. In the search field in the Start menu, type Gpedit.msc.

  3. When Gpedit.msc appears under Programs in the search results, press Enter to launch the Local Group Policy Editor.


    The Local Group Policy Editor can also be opened through Microsoft Management Console (MMC). For more information, see Open the Local Group Policy Editor on Microsoft TechNet.

  4. In the left pane, locate Local Computer Policy. Move to Computer Configuration, Administrative Templates, System, Keyboard Filter.

Configure Predefined Key Combinations

You have opened the Local Group Policy Editor and moved to the Keyboard Filter settings location. You can now choose some of the predefined key combinations that you would like to block. In this example, you will block Control+Alt+Delete, Windows+R, and the Shift key.

  1. First, verify that the key combinations are working.
    1. Press Windows+R.
      You should see the Run dialog appear.
    2. In the Run dialog, press the Shift+A key combination.
      You should see an uppercase A appear.
    3. Finally, press Control+Alt+Delete.
      You should see the secure desktop screen, with options for locking the computer, switching users, and so on.
    4. You can now press Escape to return to your desktop and close the Run dialog.
  2. The predefined key combinations are grouped into categories. Inside the Security Keys folder, you will find the Block Secure Desktop (Ctrl+Alt+Del) setting.
    1. To enable blocking for that combination, double-click the setting.

    2. Choose Enabled in the upper-left corner of the dialog, and then click OK.


      Choosing Enabled will block the combination. You are enabling filtering, not enabling the key combination.

    3. In the left pane, return to the main Keyboard Filter folder.

    4. Choose the Desktop and Shell Keys folder.

    5. Find the Block Run Dialog (Windows+R) setting.

    6. Double-click it, select Enabled, and select OK.

    7. Return to the main Keyboard Filter folder using the left pane.

    8. Choose Modifier Keys.

    9. Double-click the Block Shift Keys setting.

    10. Select Enabled, and then click OK.

    11. Wait at least five seconds from the time that you click Apply or OK.
      Group Policy settings may require additional time to take effect, especially on slower hardware or domain-joined systems.


      An event is logged in the Event Viewer when Keyboard Filter loads new entries and becomes active.

    12. Now try entering the key combinations.
      If everything worked, they should be disabled. Ctrl+Alt+Del should not bring up the desktop. Windows+R should not bring up the Run dialog box. Any key combination with the Shift key should not work; uppercase letters are a good example to try.


      Keyboard filtering is disabled on the secure desktop. Try logging off the system. You can then enter Shift+A for an uppercase A in the password field. Disabling keyboard filtering guarantees that that users and administrators can successfully log on to the computer.

Configure Custom Key Combinations

Although Keyboard Filter provides many predefined key combinations for you to filter, you may also have additional combinations that you may want to block. For those, Keyboard Filter enables you to specify custom key combinations.

In this example, you will block the Windows+Home key combination. That key combination minimizes all windows except the active one. It is not a predefined filter.

  1. Navigate to the Keyboard Filter folder in the Local Group Policy Editor.


    For instructions for this item, see Configuring Predefined Key Combinations.

  2. Double-click the Custom Key Filters setting.

  3. Select Enabled in the upper-left.
    This enables custom key filtering.

  4. In the Options pane, click the Show button.
    This will show a list of custom key combinations to block. If you are using Keyboard Filter for the first time, it will be blank.

  5. Add a custom key combination to the list by typing the following in the blank row: Windows+Home.

  6. When you enter a custom key combination, a new blank row appears for you to enter another combination. If you have any other combinations that you want to try, enter them now.


    For full details about Custom Key Filtering that includes what keys are allowed, what keys cannot be blocked, syntax, and other notes, see the Keyboard Filter Technical Reference topics.

  7. Click OK in the list, and then click OK in the Custom Key Filters setting window.

  8. Wait several seconds.
    Group Policy settings can sometimes take several seconds to take effect, especially on slower hardware or domain-joined systems.


    An event is logged in Event Viewer when Keyboard Filter loads new entries and becomes active.

  9. Now try pressing the Windows+Home key combination.
    You should see no effect.

Next Steps

This document has provided an overview of Keyboard Filter functionality. There are additional features that you can use as part of your Windows Embedded POSReady 7 systems:

  • Domain Deployment through Group Policy
    Because Keyboard Filter uses Group Policy functionality, you can deploy your key filters by using Group Policy to manage key filter configuration for groups of computers and users. For more information, see the Group Policy Planning and Deployment Guide on Microsoft TechNet.
  • Disabling Filtering for Administrators
    You can disable Keyboard Filter for users who have administrative credentials and may need unimpeded access to the POSReady 7 system. There is a setting to enable this in the Keyboard Filter settings folder.


Filtering will be disabled depending on which user is logged in. Elevated processes run by users who do not have administrative credentials will still be filtered.

See Also

Other Resources

Keyboard Filter Technical Reference