Anavem
EnglishFrancais
Anavem
Languagefr
How to Lock Down Windows Devices with Keyboard Filter Key Suppression

How to Lock Down Windows Devices with Keyboard Filter Key Suppression

Configure Windows Keyboard Filter to block specific key combinations on shared devices and kiosks. Deploy through PowerShell and Microsoft Intune for enterprise security.

May 5, 2026 15 min
mediumwindows-security 8 steps 15 min

Why Use Windows Keyboard Filter for Device Lockdown?

Windows Keyboard Filter provides enterprise-grade control over keyboard input on shared devices, kiosks, and locked-down systems. This built-in Windows feature allows administrators to suppress specific key combinations that could compromise system security or disrupt user workflows in controlled environments.

The feature works at the driver level, intercepting keyboard input before it reaches applications or the Windows shell. This makes it particularly effective for preventing users from accessing system functions like Task Manager (Ctrl+Shift+Esc), the security attention sequence (Ctrl+Alt+Del), or application switching (Alt+Tab) on public terminals and kiosk devices.

What Makes Keyboard Filter Essential for Enterprise Security?

Unlike software-based solutions that can be bypassed, Keyboard Filter operates as a kernel-mode driver that integrates directly with Windows' keyboard input stack. This low-level integration ensures that blocked key combinations are suppressed regardless of which application has focus or what user account is active.

The feature supports both physical keyboards and on-screen touch keyboards, making it ideal for modern touch-enabled kiosks and tablets. Combined with other Windows lockdown features like Assigned Access and Shell Launcher, Keyboard Filter creates a comprehensive security barrier for public-facing devices.

How Does Intune Deployment Simplify Management?

Microsoft Intune integration allows administrators to deploy keyboard filter configurations at scale without manual intervention on each device. Through configuration profiles and provisioning packages, you can standardize key suppression policies across hundreds of devices while maintaining centralized control and monitoring capabilities.

Implementation Guide

Full Procedure

01

Enable Keyboard Filter Feature

Start by enabling the Keyboard Filter Windows feature. This is the foundation that allows you to suppress key combinations.

Open PowerShell as Administrator and run:

Enable-WindowsOptionalFeature -Online -FeatureName KeyboardFilter -All -NoRestart

Alternatively, you can enable it through the GUI:

  1. Search for "Turn Windows features on or off" in the Start menu
  2. Expand "Device Lockdown"
  3. Check "Keyboard Filter"
  4. Click OK

Verification: Check the feature status:

Get-WindowsOptionalFeature -Online -FeatureName KeyboardFilter

The output should show State: Enabled.

Warning: A restart is required after enabling this feature. Plan accordingly for production systems.
02

Restart the System

The Keyboard Filter driver requires a system restart to load properly. This step is mandatory and cannot be skipped.

Restart-Computer -Force

After the restart, verify the keyboard filter driver is loaded by checking the registry:

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0000" -Name "UpperFilters"

Verification: The UpperFilters value should include both kbdfllt and kbdclass. The kbdfllt entry is the Keyboard Filter driver.

Pro tip: If kbdfllt is missing from UpperFilters, manually add it using Registry Editor or PowerShell to ensure the filter loads correctly.
03

Configure Registry Settings for Key Suppression

Now configure which key combinations to block by creating registry entries. Navigate to the Keyboard Filter registry location:

# Create the main registry path if it doesn't exist
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter" -Force

# Block Ctrl+Alt+Del
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\v1" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\v1" -Name "Name" -Value "Ctrl+Alt+Del"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\v1" -Name "Flags" -Value 1 -Type DWord

# Block Alt+Tab
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\v2" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\v2" -Name "Name" -Value "Alt+Tab"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\v2" -Name "Flags" -Value 1 -Type DWord

# Block Windows+L (Lock screen)
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\v3" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\v3" -Name "Name" -Value "Win+L"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\v3" -Name "Flags" -Value 1 -Type DWord

Common key combinations to block for kiosk environments:

  • Ctrl+Alt+Del - Security attention sequence
  • Alt+Tab - Application switching
  • Win+L - Lock screen
  • Win+R - Run dialog
  • Ctrl+Shift+Esc - Task Manager

Verification: Check your registry entries:

Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter"
04

Test Key Combination Blocking

After configuring the registry, restart the Keyboard Filter service to apply changes without a full system reboot:

Restart-Service -Name "Keyboard Filter" -Force

Test the blocked key combinations by attempting to use them:

  1. Try pressing Ctrl+Alt+Del - it should be ignored
  2. Try pressing Alt+Tab - no application switching should occur
  3. Try pressing Win+L - the screen should not lock

For programmatic testing, you can check Windows Event Logs:

# Check for keyboard filter events
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Kernel-General'} -MaxEvents 10 | Where-Object {$_.Message -like "*keyboard*"}

Verification: Blocked key combinations should produce no response. If they still work, verify the service is running:

Get-Service -Name "Keyboard Filter"
Warning: Always test on a non-production device first. Blocking Ctrl+Alt+Del can prevent normal Windows security functions.
05

Create Windows Configuration Designer Package

For deploying to multiple devices, create a provisioning package using Windows Configuration Designer. First, install it from the Microsoft Store if not already available.

Launch Windows Configuration Designer and create a new project:

  1. Select "Advanced provisioning"
  2. Name your project (e.g., "KioskKeyboardFilter")
  3. Navigate to Runtime settings > SMISettings > KeyboardFilter

Configure the following settings:

<!-- Key settings to configure -->
AllowWindowsLogon = False
BlockNonAdminKeys = True
EnableKeyboardFilter = True

For custom key combinations, export your registry settings and import them:

# Export your keyboard filter registry
reg export "HKLM\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter" C:\temp\keyboardfilter.reg

Import this .reg file into the Windows Configuration Designer under Runtime settings > RegistrySettings.

Build the provisioning package:

  1. Click "Export" > "Provisioning package"
  2. Choose security settings (recommend password protection)
  3. Build the .ppkg file

Verification: The .ppkg file should be created successfully. Test it on a virtual machine before production deployment.

Pro tip: Use descriptive names for your provisioning packages and include version numbers for easier management in enterprise environments.
06

Deploy via Microsoft Intune

For enterprise deployment, use Microsoft Intune to push keyboard filter configurations to managed devices. Access the Microsoft Intune admin center and create a new configuration profile.

Navigate to Devices > Configuration profiles > Create profile:

  1. Platform: Windows 10 and later
  2. Profile type: Settings catalog
  3. Name: "Kiosk Keyboard Filter Policy"

Add keyboard filter settings:

{
  "KeyboardFilter": {
    "AllowAdminKeys": false,
    "BlockedKeys": [
      "Ctrl+Alt+Del",
      "Alt+Tab",
      "Win+L",
      "Win+R",
      "Ctrl+Shift+Esc"
    ]
  }
}

Assign the policy to your target groups:

  1. Click "Assignments"
  2. Select "Add groups"
  3. Choose your kiosk or shared device groups
  4. Set deployment schedule if needed

Monitor deployment status:

# On target devices, check Intune sync status
dsregcmd /status

# Force immediate sync
Get-ScheduledTask | Where-Object {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTask

Verification: Check the Intune admin center for deployment status. On target devices, verify the registry entries were created automatically.

07

Configure Advanced Filtering Options

Fine-tune your keyboard filter with advanced options for specific use cases. Configure additional registry settings for enhanced control:

# Allow specific admin bypass keys
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\Settings" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\Settings" -Name "AllowAdminKeys" -Value 0 -Type DWord

# Block function keys (F1-F12)
for ($i=1; $i -le 12; $i++) {
    $keyPath = "HKLM:\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\v$($i+10)"
    New-Item -Path $keyPath -Force
    Set-ItemProperty -Path $keyPath -Name "Name" -Value "F$i"
    Set-ItemProperty -Path $keyPath -Name "Flags" -Value 1 -Type DWord
}

# Block Windows key combinations
$winKeys = @("Win+D", "Win+E", "Win+I", "Win+M", "Win+P", "Win+S", "Win+X")
$counter = 20
foreach ($key in $winKeys) {
    $keyPath = "HKLM:\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\v$counter"
    New-Item -Path $keyPath -Force
    Set-ItemProperty -Path $keyPath -Name "Name" -Value $key
    Set-ItemProperty -Path $keyPath -Name "Flags" -Value 1 -Type DWord
    $counter++
}

Configure special handling for on-screen keyboard and touch inputs:

# Ensure on-screen keyboard is also filtered (supported since Windows 10 1809)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\Settings" -Name "FilterOnScreenKeyboard" -Value 1 -Type DWord

Verification: Test all configured key combinations, including function keys and Windows key shortcuts. Verify on-screen keyboard behavior matches physical keyboard filtering.

Pro tip: Create a test script that attempts all blocked key combinations and logs results for systematic verification across multiple devices.
08

Troubleshoot Common Issues

Address common problems that occur with Keyboard Filter deployments. Start by checking the service status and driver loading:

# Check if Keyboard Filter service is running
Get-Service -Name "Keyboard Filter" | Format-List

# Verify driver is loaded in the keyboard stack
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0000" -Name "UpperFilters"

Common issues and solutions:

IssueSymptomsSolution
Driver not loadingKeys not blocked after restartManually add 'kbdfllt' to UpperFilters registry
Remote Desktop bypassFilter ignored in RDP sessionsNot supported - use Assigned Access instead
Language switchingKeys work after changing input languageFeature auto-detects; restart if persistent
Admin bypass not workingAdmins cannot use blocked keysSet AllowAdminKeys=1 in registry

Force reload the keyboard filter driver:

# Stop and restart the keyboard filter service
Stop-Service -Name "Keyboard Filter" -Force
Start-Service -Name "Keyboard Filter"

# Alternative: Restart the entire keyboard subsystem
pnputil /restart-device "HID\VID_*"

Check Windows Event Logs for detailed error information:

# Look for keyboard filter related errors
Get-WinEvent -FilterHashtable @{LogName='System'; Level=2,3} | Where-Object {$_.ProviderName -like "*keyboard*" -or $_.Message -like "*filter*"}

Verification: After troubleshooting, test all previously blocked key combinations to ensure they're working as expected.

Warning: If you need to disable Keyboard Filter completely, run Disable-WindowsOptionalFeature -Online -FeatureName KeyboardFilter and restart the system.

Frequently Asked Questions

Does Windows Keyboard Filter work with Remote Desktop sessions?+
No, Windows Keyboard Filter does not work in Remote Desktop Protocol (RDP) sessions. The filter operates at the local keyboard driver level and cannot intercept key combinations sent through remote connections. For remote access scenarios, use Assigned Access mode or configure RDP client restrictions instead.
Can Keyboard Filter block key combinations on touch screen keyboards?+
Yes, Windows Keyboard Filter supports on-screen keyboards and touch input devices since Windows 10 version 1809. The filter works with the built-in Windows on-screen keyboard (TabTip.exe) and most third-party virtual keyboards. You need to enable the FilterOnScreenKeyboard registry setting to ensure consistent behavior across input methods.
What happens if I accidentally block all keyboard input with Keyboard Filter?+
If you misconfigure Keyboard Filter and block essential keys, you can recover by booting into Safe Mode where the filter driver doesn't load. From Safe Mode, use Registry Editor to modify or delete the problematic entries under HKLM\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter. Alternatively, disable the entire feature using DISM commands from Safe Mode.
How do I allow administrators to bypass blocked key combinations?+
Set the AllowAdminKeys registry value to 1 in HKLM\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\Settings. This allows users with administrator privileges to use blocked key combinations while still restricting standard users. You can also configure specific bypass keys for administrative functions while blocking others for regular users.
Can Keyboard Filter configurations be deployed through Group Policy?+
Windows Keyboard Filter doesn't have native Group Policy templates, but you can deploy configurations using Group Policy Preferences for registry settings or Administrative Templates for Windows Configuration Designer packages. Microsoft Intune provides the most comprehensive deployment method with built-in support for Keyboard Filter settings through the Settings Catalog.
Tags
#windows-security#kiosk-mode#intune

Further Intelligence

Deepen your knowledge with related resources

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It
tutorial
Windows

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It

Deep Dive
How to Upgrade to Windows Server 2025 Using Windows Update Without Data Loss
tutorial
Windows

How to Upgrade to Windows Server 2025 Using Windows Update Without Data Loss

Deep Dive
How to Remove Applications Using Microsoft Intune Admin Center
tutorial
Cloud Computing

How to Remove Applications Using Microsoft Intune Admin Center

Deep Dive

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account