Windows IoT Enterprise Guide

This document provides an overview of Windows IoT Enterprise, including its hardware requirements, quickstarts, kiosk mode features, advanced lockdown features, branding features, device management, IoT device features, commercialization options, and additional resources. It outlines the minimum requirements for processors, memory, storage, displays and graphics, and networking for devices running Windows IoT Enterprise. It also discusses Microsoft-enabled system on chips and options for using off-the-shelf boards, system on modules, or custom boards.

Uploaded by

Wong JiaKeen

Contents

Getting Started with Windows IoT Enterprise


Hardware Guidance
Requirements
SoCs and Custom Boards
Quickstarts
Start prototyping
Kiosk mode
Overview
Assigned access single-app kiosk
Assigned access multi-app kiosk
Shell Launcher
Browser Support
Screen Swipe Policy
Advanced Lockdown Features
Application Control
Device Safeguards
Keyboard Filter
Unified Write Filter
Hibernate Once/Resume Many (HORM)
Branding Features
Custom Logon
Microsoft Store Access
Page Visibility
Layout Control
Unbranded Boot and Errors
Manage Update Experience
Device Management
Overview
OS Updates
App Updates
Reset and Recovery
IoT Device Features
Network Service Controls
Bus Providers
Device Drivers
Embedded Mode
On-Screen Keyboard
Accessibility
Privacy
Security
Commercialization
Licensing & Usage
Manufacturing Guide
Soft Real-Time
Overview
Device Configuration
Application Development
Azure IoT Edge for Linux on Windows (EFLOW)
Downloads
Features by Release
Frequently Asked Questions
Contact Us
Getting Started with Windows IoT Enterprise
11/16/2021 • 3 minutes to read

This article will give you an overview of the product and guide you through how to get started with Windows
IoT Enterprise.

What is Windows IoT Enterprise?


Windows IoT Enterprise is a full version of Windows Enterprise that delivers enterprise manageability and
security to IoT solutions. Windows IoT Enterprise shares all the benefits of the worldwide Windows ecosystem. It
is a binary equivalent to Windows Enterprise, so you can use the same familiar development and management
tools as client PCs and laptops. However, when it comes to licensing and distribution, the desktop version and
IoT versions differ. Today there are two releases of Windows IoT Enterprise: Windows 10 IoT Enterprise and
Windows 11 IoT Enterprise.

NOTE
Windows 10 IoT Enterprise offers both LTSC and SAC options, and OEMs can choose the one they need for their devices.
At this time Windows 11 IoT Enterprise is only available as an annual release. For more information on how to reach out
to a Windows IoT Distributor or how to purchase a license, review Licensing & Usage.

Why Do Customers Choose Windows IoT Enterprise?


There are three main reasons why customers choose to develop with Windows IoT Enterprise:
1. Productive - Leverage existing knowledge to build and manage Windows IoT Enterprise devices with
powerful tools and technologies to quickly unlock data and drive digital transformation.
2. Trusted - Windows IoT Enterprise helps you build IoT solutions that you can trust, keeping your devices,
data, and identities secure and giving you peace of mind.
3. Smart - Windows IoT Enterprise helps you connect your devices to each other, your network, and the cloud,
so you can use data to drive real business insight and create new business opportunities.

TIP
If you are building any kind of OEM-style appliance, such as a point-of-sale or retail device, industrial automation
equipment, digital signage, medical equipment or any appliance with a screen, Windows IoT Enterprise is the solution for
you.
See how our customers are using Windows IoT Enterprise to accomplish their business goals.

Documentation Overview
This documentation set will cover the technical breakdown of what's included when you choose to use Windows
IoT Enterprise.
Hardware Guidance
This section provides insight into the hardware needed to run Windows IoT Enterprise as your device's OS.
Articles include:
Hardware Requirements
Selecting SoCs and Custom Boards
Quickstarts
This section provides quick tutorials on how to get started with Windows IoT Enterprise.
Articles include:
How to Start Prototyping
Kiosk Mode
This section walks users through the features and functionalities of Kiosk Mode and how to enable those
features on Windows IoT Enterprise.
Articles include:
Kiosk Mode Overview
Assigned access single-app kiosk mode
Assigned access multi-app kiosk mode
Configure Shell Launcher
Browser Support
Manage the Edge Swipe Policy
Advanced Lockdown Features
This section highlights how to create a lock-down environment with Windows IoT Enterprise OS features.
Articles include:
Application Control
Put in Place Device Safeguards
Use a Keyboard Filter
Explore the Unified Write Filter
Enable Hibernate Once, Resume Many (HORM)
Branding Features
This section reviews how to create a custom user-experience that highlights your brand. Articles include:
Enable Custom Logon
Manage Microsoft Store Access
Control Page Visibility
Configure Layout Control
Enable Unbranded Boot
Manage Update Screen UI and Notifications
Device Management
Learn more about the device management solutions you can take advantage of with Windows IoT Enterprise.
Articles include:
Device Management Overview
Manage OS Updates
Manage App Updates
Reset & Recovery
IoT Device Features
This section gives an overview of many of the built-in functionalities of Windows IoT Enterprise devices.
Articles include:
Windows IoT Security
Enable Embedded Mode
Configure Device Drivers
Bus Providers
Manage Network Service Controls
Enable On-Screen Keyboard
Privacy Features
Accessibility Features
Commercialization
Learn how to commercialize your Windows IoT Enterprise devices.
Articles include:
Explore Licensing Options (LTSC, SAC)
Windows IoT Enterprise Manufacturing Guide
Soft Real-Time
Learn how to use Soft Real-Time capabilities with your Windows IoT Enterprise devices.
Overview
Device Configuration
Application Development
Additional Resources
These resources provide additional information and support to our customers and partners.
Articles include:
Azure IoT Edge for Linux on Windows
Downloads
Features by Release
Frequently Asked Questions
Contact Us
Minimum Hardware Requirements for Windows IoT Enterprise
11/16/2021 • 2 minutes to read

This specification defines the minimum hardware requirements for Windows IoT Enterprise. Microsoft will build
and test the Windows IoT Enterprise OS against the requirements described in this specification.

Overview
This specification defines the minimum hardware requirements necessary to:
Boot and run Windows IoT Enterprise.
Update and service Windows IoT Enterprise.
The goal of this specification is to enable OEMs, ODMs, SoC vendors, and other component vendors to make
early design decisions for devices and computers that will run Windows IoT Enterprise.
This specification does not provide compatibility and certification requirements for devices and computers that
run Windows IoT Enterprise or implementation guidance for exceptional user experiences.

NOTE
Beginning with Windows 10, version 2004, all new Windows 10 systems will be required to use 64-bit builds and
Microsoft will no longer release 32-bit builds for OEM distribution. This does not impact 32-bit customer systems that are
manufactured with earlier versions of Windows 10; Microsoft remains committed to providing feature and security
updates on these devices, including continued 32-bit media availability in non-OEM channels to support various upgrade
installation scenarios.

Processor
Devices that run Windows IoT Enterprise must meet these processor requirements. Check out the processor
matrix to review the latest processor generations and models that are supported. Previous generations of
processors and models (indicated by "Up through"), remain supported in addition to the listed processors and
models.

TIP
Information on support is available at Microsoft Support Policy and Microsoft Lifecycle FAQ.
For specific hardware support, please refer to your Original Equipment Manufacturer (OEM) provider.

Windows 11 IoT Enterprise Processor Lists


Intel
Qualcomm
AMD

Memory
Devices that run Windows IoT Enterprise must meet the following RAM requirements.
Storage
Storage device size
Devices that run Windows IoT Enterprise must include a storage device that meets the following size
requirements.
Storage Controller Requirements

Display and graphics


Resolution, bit depth, and size
Display size requirements do not apply to Windows IoT Enterprise.
Graphics
Devices that run Windows IoT Enterprise and require hardware-accelerated graphics must include a GPU that
supports DirectX 9 or later.
Networking
It is recommended that devices that run Windows IoT Enterprise include at least one network connectivity
option, such as Wi-Fi or an Ethernet adapter.

Trusted Platform Module (TPM)


NOTE
While a TPM is highly encouraged for Windows 10 IoT Enterprise, it is not required. Whether a Windows 10 IoT
Enterprise device uses a TPM is determined by the usage and security requirements of each device.

TPM Requirements
Trusted Platform Module Technology Overview
TPM Recommendations

Additional Resources
Shared Minimum Hardware Requirements for Windows OS
Minimum Hardware Requirements
Windows Processor Requirements
Hardware Component Guidelines
SoCs and Custom Boards
11/16/2021 • 2 minutes to read

Microsoft-enabled SoCs
Microsoft works alongside Intel, Qualcomm, and AMD to verify support for Windows IoT Enterprise on several
vendors' system on a chip (SoCs). These SoCs are used in hundreds of different devices that you can use to
prototype and commercialize your idea. The SoC you choose to adopt will depend on considerations such as
performance requirements, power profile, cost, physical connectivity options, long-term support, and operating
conditions.
You'll also need to decide whether you want to use an off-the-shelf board or device, build a custom device using
a system on a module (SoM) plus a custom carrier board, or build a complete custom board. Cost and the
degree of customization are the key factors in this decision, with both generally increasing as you customize
further.

Boards
If an off-the-shelf device is in a form factor that includes the connectivity options that work for your scenarios,
that will often be the most cost- and time-effective choice.
For most people, developing a complete custom board would make sense when the product is expected to be
sold in volumes greater than hundreds, or even thousands, of millions of units. For smaller volumes, using a
SoM and designing a custom carrier board, instead of designing a completely new board, can significantly
reduce your cost and time-to-market, as well as streamlining software development and integration.
Each of the platforms has unique features that need attention during implementation. Please review the
following SoC providers' websites for more details.
Intel
AMD
Qualcomm
VIA Technologies

Additional Resources
Windows IoT Enterprise Manufacturing Guide
Windows Processor Requirements
Start Prototyping
11/16/2021 • 2 minutes to read

This guide will walk you through how to start prototyping with Windows IoT Enterprise.

Step 1: Select Hardware


To begin your prototyping journey, you can select a SoC board or leverage your existing hardware to run
Windows IoT Enterprise, as long as it meets the following requirements.
The following boards have proven to be a great starting point for a Windows IoT Enterprise solution. Feel
free to choose a specific version based upon your budgetary constraints and technical requirements.
Latte Panda
Intel NUC
AAEON Up Squared
Up Board
If you are a SoM provider or an ODM and would like to be added to the list above, directly edit this page and
submit a pull request or send an email to [email protected]

Step 2: Evaluate Edition


To get started, you can try the Windows 10 Enterprise 90 day Evaluation. To select which edition of Windows IoT
Enterprise you would like to work with, review Features by Release.

Step 3: Deploy an Image


If your board comes with instructions on how to deploy Windows IoT Enterprise, follow those instructions.
Otherwise, you can follow the labs provided in the Windows IoT Enterprise Manufacturing Guide.

Step 4: Load an Application


You can choose to port over any of your existing Windows applications or feel free to reference any of our UWP
app samples in GitHub.

Step 5: Licensing & Distribution


If you are interested in pursuing your prototype past the 90-day evaluation period, reach out to a Windows IoT
distributor. Microsoft offers many Windows IoT and Embedded SKUs, and authorized distributors of Windows
IoT products can help you pick the right SKU for your hardware and your budget, drawing on their development
experience and knowledge to help you build secure and connected Windows IoT solutions. If you would like to
work with one of our distributors, select a distributor in your region and contact the distributor directly for
more details.

Additional Resources
Windows IoT Enterprise Manufacturing Guide
Windows Processor Requirements
Kiosk mode
11/16/2021 • 3 minutes to read

Windows IoT Enterprise allows you to build fixed purpose devices such as ATM machines, point-of-sale
terminals, medical devices, digital signs, or kiosks. Kiosk mode helps you create a dedicated and locked down
user experience on these fixed purpose devices. Windows IoT Enterprise offers a set of different locked-down
experiences for public or specialized use: assigned access single-app kiosks, assigned access multi-app kiosks, or
shell launcher.
Kiosk configurations are based upon either assigned access or shell launcher. There are several kiosk
configuration methods that you can choose from, depending on your answers to the following questions.

NOTE
A benefit of using an assigned access kiosk mode is these policies are automatically applied to the device to optimize the
lock-down experience.

Which type of app will your kiosk run?


Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For digital
signage, select a digital sign player as your kiosk app. Check out the Guidelines for Kiosk Apps.

Which type of kiosk do you need?


If you want your kiosk to run a single app for anyone to see or use, consider an assigned-access single-app
kiosk that runs either a Universal Windows Platform (UWP) app or a Windows desktop application.
For a kiosk that people can sign in to with their accounts or that runs more than one app, consider an assigned
access multi-app kiosk.

Which type of user account will be the kiosk account?


The kiosk account can be a local standard user account, a domain account, or an Azure Active Directory (Azure
AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and
authenticate on the device, you should use an assigned access multi-app kiosk configuration. The assigned
access single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in
to the kiosk app if you select an app that has a sign-in method.

Kiosk capabilities for Windows 10 IoT Enterprise


Mode / Features / Description / Customer usage

Assigned access, single-app kiosk (UWP): Auto launches a UWP app in full screen and prevents access to other system functions, while monitoring the lifecycle of the kiosk app. Only supports one single-app kiosk profile under one account per device. Customer usage: digital signs and single-function devices.

Assigned access, single-app kiosk (Microsoft Edge): Auto launches Microsoft Edge and prevents access to other system functions, while monitoring the lifecycle of the browser. Only supports one single-app kiosk profile under one account per device. Customer usage: public browsing kiosks and digital signs.

Assigned access, multi-app kiosk: Always auto launches a restricted Start menu in full screen with the list of allowed app tiles. Supports configuring different multi-app kiosk profiles for different users/user groups per device. Customer usage: Firstline Worker shared devices.

Shell launcher: Auto launches an app that the customer specifies and monitors the lifecycle of this app. The app can be used as a 'shell' if desired. No default lockdown policies, such as hotkey blocking, are enforced in Shell Launcher. Customer usage: fixed purpose devices with a custom shell experience.

NOTE
Assigned access multi-app kiosk will not be available in the initial release of Windows 11 IoT Enterprise. See What's new in
Windows 11 IoT Enterprise for more information.

How to configure your device for kiosk mode?


Please visit the following documentation to set up a kiosk according to your scenario:
Configure kiosks and digital signs
Prepare a device for kiosk configuration
Set up digital signs on Windows 10
Set up a single-app kiosk
Set up a multi-app kiosk
Configure Microsoft Edge kiosk mode

Additional Resources
Find the Application User Model ID of an installed app
Validate your kiosk configuration
Guidelines for choosing an app for assigned access (kiosk mode)
Policies enforced on kiosk devices
Assigned access XML reference
Use AppLocker to create a Windows 10 kiosk
Use Shell Launcher to create a Windows 10 kiosk
Use MDM Bridge WMI Provider to create a Windows 10 kiosk
Troubleshoot kiosk mode issues
Plan your kiosk mode transition to Microsoft Edge
Assigned access single-app kiosk
11/16/2021 • 2 minutes to read

A single-app kiosk uses the assigned access feature to run a single app above the lock screen. When the kiosk
account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device
outside of the kiosk app.

NOTE
Assigned access single-app kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in
on the physical device that is set up as a kiosk.

Benefits of using a single-app kiosk


A single-app kiosk is ideal for public use. Using shell launcher, you can configure a kiosk device that runs a
Windows desktop application as the user interface. The application that you specify replaces the default shell
(explorer.exe) that usually runs when a user logs on. This type of single-app kiosk runs above the lock screen,
and users will have access to only this app and nothing else on the system. This experience is often used for
public-facing kiosk machines. Check out Set up a kiosk on Windows 10 Pro, Enterprise, or Education for more
information.

Configuring your single-app kiosks


You have several options for configuring your single-app kiosk.
Locally, in Settings
PowerShell
The Kiosk Wizard in Windows Configuration Designer
Microsoft Intune or other MDM providers

TIP
You can also configure a kiosk account and app for single-app kiosk within XML in a provisioning package by using a
kiosk profile. Be sure to check the configuration recommendations before you set up your kiosk.
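The PowerShell option listed above, as an added example that is not part of the original documentation: it creates a local standard kiosk account, looks up the Application User Model ID (AUMID) of an installed UWP app, applies the single-app assigned access configuration and reads it back for verification. The account name "KioskUser" and the app name "Weather" are placeholders; Set-AssignedAccess, Get-AssignedAccess and Get-StartApps are the in-box cmdlets.

```powershell
# Added example (not from the Microsoft documentation): configure a
# single-app assigned access kiosk from PowerShell.
# Assumptions: "KioskUser" and "Weather" are placeholders; the kiosk
# account must be a local standard (non-administrator) user and the app
# must already be installed for that device.
#Requires -RunAsAdministrator

$kioskUser = 'KioskUser'   # placeholder account name
$appName   = 'Weather'     # placeholder: display name as shown in Start

function Get-KioskAppId {
    param([Parameter(Mandatory)][string]$Name)
    # Get-StartApps lists installed apps together with their AUMIDs
    $app = Get-StartApps | Where-Object { $_.Name -eq $Name } | Select-Object -First 1
    if (-not $app) { throw "No installed app named '$Name' was found" }
    return $app.AppID
}

function New-KioskAccount {
    param([Parameter(Mandatory)][string]$UserName)
    # Local standard user; it is deliberately NOT added to Administrators.
    # No password so the device can auto sign in to the kiosk account.
    if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $UserName -NoPassword -Description 'Assigned access kiosk account' | Out-Null
    }
}

function Set-SingleAppKiosk {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$AppName
    )
    New-KioskAccount -UserName $UserName
    $aumid = Get-KioskAppId -Name $AppName
    # Binds the app to the account; the app launches above the lock
    # screen the next time this account signs in.
    Set-AssignedAccess -UserName $UserName -AppUserModelId $aumid
    # Read the configuration back so the result can be checked
    Get-AssignedAccess
}

Set-SingleAppKiosk -UserName $kioskUser -AppName $appName
```

Clear-AssignedAccess removes the configuration again when you need to return the device to a normal desktop.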

Additional Resources
Set up a single-app kiosk
Guidelines for choosing an app for assigned access
Kiosk apps for assigned access: Best practices
Configure kiosks and digital signs
Prepare a device for kiosk configuration
More kiosk methods and reference information
Assigned access multi-app kiosk
11/16/2021 • 2 minutes to read

An assigned access multi-app kiosk runs one or more apps from the desktop. People using the kiosk see a
customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a
locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared
by multiple people. Here's a guide on how to set up a multi-app kiosk.

NOTE
Assigned access multi-app kiosk will not be available in the initial release of Windows 11 IoT Enterprise. See What's new in
Windows 11 IoT Enterprise for more information.

Benefits of using a multi-app kiosk


The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience
for individuals by putting in front of them only the things they need to use, and removing from their view the
things they don’t need to access.
A multi-app kiosk is appropriate for devices that are shared by multiple people. Each user can authenticate with
the device and receive a customized lockdown experience based on the configuration.

Configuring your multi-app kiosk


Configure a kiosk in Microsoft Intune
Configure a kiosk using a provisioning package

NOTE
When you configure a multi-app kiosk, specific policies are enforced that will affect all non-administrator users on the
device.

Additional Resources
New features and improvements
Set up a multi-app kiosk
Kiosk apps for assigned access: Best practices
Guidelines for choosing an app for assigned access
Configure kiosks and digital signs
Prepare a device for kiosk configuration
More kiosk methods and reference information
Shell Launcher
11/16/2021 • 2 minutes to read

Using Shell Launcher, you can configure a kiosk device to run a Windows Desktop or Universal Windows
Application as the user interface. The application that you specify replaces the default shell (explorer.exe) that
usually runs when a user logs on. This type of single-app kiosk does not run above the lock screen.
In addition to Shell Launcher, you can use other methods of controlling access to desktop applications and
system components, such as Group Policy, AppLocker, and Mobile Device Management.

NOTE
In Shell Launcher v1, available in Windows 10, you can only specify a Windows desktop application as the replacement
shell. In Shell Launcher v2, available in Windows 10, version 1809 and above, you can also specify a UWP app as the
replacement shell.
To use Shell Launcher v2 in version 1809, you need to install the KB4551853 update.

Differences between Shell Launcher v1 and Shell Launcher v2


Shell Launcher v1 replaces explorer.exe, the default shell, with eshell.exe, which can launch a Windows
desktop application.
Shell Launcher v2 replaces explorer.exe with customshellhost.exe. This new executable file can launch a
Windows desktop application or a UWP app.
In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers additional
enhancements:
You can use a custom Windows desktop application that can then launch UWP apps, such as Settings and
Touch Keyboard.
From a custom UWP shell, you can launch secondary views and run on multiple monitors.
The custom shell app runs in full screen, and can run other apps in full screen on user’s demand. For sample
XML configurations for the different app combinations, see Samples for Shell Launcher v2.

Turn on Shell Launcher


Shell Launcher is an optional component and is not turned on by default in Windows 10. It must be turned on
prior to configuring. You can turn on and configure Shell Launcher in a customized Windows 10 image (.wim) if
Microsoft Windows has not been installed. If Windows has already been installed and you are applying a
provisioning package to configure Shell Launcher, you must first turn on Shell Launcher in order for a
provisioning package to successfully apply.
There are multiple ways to enable Shell Launcher:
Control Panel
WESL_UserSetting
DISM
Windows Configuration Designer
Learn the methods to configure Shell Launcher.
Shell Launcher Capabilities
Explore the various capabilities of Shell Launcher:
Launch different shells for different user accounts
Perform an action when the shell exits
Set your custom shell
Understand Shell Launcher user rights

Additional Resources
Use Shell Launcher to create a Windows 10 Kiosk
Launch different shells for different user accounts
Perform an action when the shell exits
Shell Launcher user rights
Browser Support
11/16/2021 • 2 minutes to read

Today, you can use two browsers, Internet Explorer 11 and Microsoft Edge to create an assigned access single-
app or multi-app kiosk experience.

Microsoft Edge Kiosk Mode


Available for LTSC starting in Windows 10 IoT Enterprise 2021 LTSC

Microsoft Edge kiosk mode offers two lockdown experiences of the browser so organizations can create,
manage, and provide the best experience for their customers. The following lockdown experiences are available:
Digital/Interactive Signage experience - Displays a specific site in full-screen mode.
Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge.
Both experiences are running a Microsoft Edge InPrivate session, which protects user data.

Internet Explorer 11
Internet Explorer 11 will be considered a legacy browser, in subsequent releases.
In anticipation of that, you can use Internet Explorer (IE) mode on Microsoft Edge. IE mode allows you to run
legacy web apps as well as modern web apps in a single browser.

NOTE
For in-support Windows 10 IoT Enterprise Semi-Annual Channel (SAC) releases, Internet Explorer 11 will reach end of
support on June 15, 2022.
Internet Explorer 11 follows the Long-Term Servicing Channel (LTSC) lifecycle for LTSC SKUs.

Supported Versions

OS Release / IE11 App / Edge Browser - Legacy / New Edge Browser

Windows 10 IoT Enterprise LTSC 2019 (RS5): IE11 supported until OS EOL. Legacy Edge: no browser security updates after March 9, 2021 (removed where applicable); in-box engine supported until OS EOL. New Edge: Edge and WebView2 Runtime not in-box (requires app migration from EdgeHTML).

Windows 10 IoT Enterprise, Version 21H2, SAC: IE11 end of support June 15, 2022. Legacy Edge: removed and replaced with the new Edge browser in the May 2021 Update. New Edge: included in-box or installed with the May 2021 Update.

Windows 10 IoT Enterprise LTSC 2021: IE11 supported until OS EOL. Legacy Edge: not included. New Edge: Microsoft Edge included in-box and follows the Modern Lifecycle Policy.

Windows 11 IoT Enterprise: IE11 not applicable. Legacy Edge: not applicable. New Edge: Microsoft Edge included in-box and follows the Modern Lifecycle Policy.

Additional Resources
Configure Microsoft Edge kiosk mode
Plan your kiosk mode transition
Screen Swipe Policy
11/16/2021 • 2 minutes to read

If your Windows IoT device has a touchscreen, users have the option to swipe from the edge of a screen to
invoke a system user interface. Depending on the direction of the swipe, the action center, tablet mode or
taskbar can appear.

How to Enable/Disable Screen Swipe via Group Policy


One of the ways you can go about managing the screen edge swipe functionality in Windows IoT Enterprise is
by using the Group Policy Editor.
The following steps outline how to enable/disable the policy:
1. Launch the Local Group Policy Editor for the Device
2. On the navigation pane, select Computer Configuration > Administrative Templates > Windows
Components > Edge UI
3. Select Edit Policy Setting
4. Choose if you would like to enable or disable this policy.
5. For this change of policy to go into effect, restart the device.

NOTE
By disabling this policy setting, users will not be able to invoke any system UI by swiping in from any screen edge.
If you enable or do not configure this policy setting, users will be able to invoke system UI by swiping in from the screen
edges.

Verify Lockdown Policy


The easiest way to verify that the policy is in effect is to restart the explorer process or to reboot after the policy is
applied. Try to swipe from the right edge of the screen and evaluate the behavior. The desired result is for Action
Center not to be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the
screen to rearrange windows; that functionality will also be disabled.
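The same edge-swipe policy applied and verified from PowerShell, as an added example that is not part of the original documentation (useful for a kiosk image where nobody opens the Group Policy Editor). It assumes the registry location below is the backing store of the "Allow edge swipe" policy under Computer Configuration > Administrative Templates > Windows Components > Edge UI, the same setting the LockDown/AllowEdgeSwipe CSP controls; confirm the mapping on your build with gpresult before relying on it.

```powershell
# Added example (not from the Microsoft documentation): set the Edge UI
# "Allow edge swipe" policy and report the effective value.
# Assumption: this registry key is the policy's backing store (the same
# setting the LockDown/AllowEdgeSwipe CSP controls); verify with
# "gpresult /h report.html" on the target build.
#Requires -RunAsAdministrator

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EdgeUI'
$valueName = 'AllowEdgeSwipe'

function Set-EdgeSwipePolicy {
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State)

    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # 0 = users cannot invoke any system UI by swiping from a screen edge
    # 1 = swipe works as if the policy were not configured
    $data = if ($State -eq 'Disabled') { 0 } else { 1 }
    New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord -Value $data -Force | Out-Null
}

function Get-EdgeSwipePolicy {
    # Returns NotConfigured / Disabled / Enabled from the registry value
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$valueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

# Lock the kiosk down, then print what a reviewer checks after the
# restart that step 5 of the procedure calls for.
Set-EdgeSwipePolicy -State Disabled
"AllowEdgeSwipe policy is now: $(Get-EdgeSwipePolicy)"
```

As in the manual procedure, the change only takes effect after explorer is restarted or the device is rebooted; the swipe test in the verification section remains the final check.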

Additional Resources
LockDown/AllowEdgeSwipe
Application Control
11/16/2021 • 2 minutes to read

Application control is a crucial scenario that enables an organization to create a lockdown experience. Windows
IoT Enterprise includes two technologies, Windows Defender Application Control (WDAC) and AppLocker, which
can be used for application control to meet your organization's specific scenarios and requirements.

NOTE
When it comes to choosing between WDAC or AppLocker it is generally recommended that customers who are able to
implement application control using WDAC rather than AppLocker, do so. WDAC is undergoing continual improvements
and will be getting added support from Microsoft management platforms. Although AppLocker will continue to receive
security fixes, it will not undergo new feature improvements.

Windows Defender Application Control (WDAC)


WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are
allowed to run on their Windows devices. WDAC is designed as a security feature under the servicing criteria
defined by the Microsoft Security Response Center (MSRC). To learn more about whether WDAC can work for your
organization, check out the following documentation.

AppLocker
AppLocker advances the app control features and functionality of Software Restriction Policies. AppLocker
contains new capabilities and extensions that allow you to create rules to allow or deny apps from running
based on unique identities of files and to specify which users or groups can run those apps. Since AppLocker
rules specify which apps are allowed to run on the device, you can leverage AppLocker to create a Windows IoT
kiosk that runs multiple apps. AppLocker is ideal for organizations that currently use Group Policy to manage
their PCs. To learn more about whether AppLocker can work for your organization, check out the following
documentation.

Additional Resources
WDAC and AppLocker feature availability
Device Safeguards
11/16/2021 • 3 minutes to read

Windows IoT Enterprise gives you, as the administrator of your devices, the power to set policies that
protect your IoT devices. Whether the threat is device tampering, malware infection, data loss, or unauthorized
peripherals gaining access to your device, Windows IoT Enterprise lets you create a customized experience that
safeguards against it.
In a Windows IoT device restrictions profile, most configurable settings are deployed at the device level using
device groups.
The following guide reviews the various policies that can be configured to create a safe and secure device usage
experience.

Device Installation - Group Policy


If your organization manages devices through group policy, we recommend you follow this Step-By-Step Guide.

Control removable media using Microsoft Defender for Endpoint


Microsoft recommends a layered approach to securing removable media, and Microsoft Defender for Endpoint
provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from
compromising your devices:
1. Discover plug and play connected events for peripherals in Microsoft Defender for Endpoint advanced
hunting. Identify or investigate suspicious usage activity.
2. Configure to allow or block only certain removable devices and prevent threats.
a. Allow or block removable devices based on granular configuration to deny write access to
removable disks and approve or deny devices by using USB device IDs.
b. Prevent threats introduced by removable storage devices by enabling:
- Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
- The Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run
from USB.
- Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA
Protection for Thunderbolt and blocking DMA until a user signs in.
3. Create customized alerts and response actions to monitor usage of removable devices based on these
plug and play events or any other Microsoft Defender for Endpoint events with custom detection rules.
4. Respond to threats from peripherals in real-time based on properties reported by each peripheral.

NOTE
These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data
from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10
devices you can configure BitLocker and Windows Information Protection, which will encrypt company data even if it is
stored on a personal device, or use the Storage/RemovableDiskDenyWriteAccess CSP to deny write access to removable
disks. Additionally, you can classify and protect files on Windows devices (including their mounted USB devices) by using
Microsoft Defender for Endpoint and Azure Information Protection.
Device Installation Settings - MDM
If your organization manages devices through mobile device management, we recommend you review the
following device installation policies:
Allow Installation Of Matching Device IDs
Allow Installation Of Matching Device Instance IDs
Allow Installation Of Matching Device Setup Classes
Prevent Device Metadata From Network
Prevent Installation Of Devices Not Described By Other Policy Settings
Prevent Installation Of Matching Device IDs
Prevent Installation Of Matching Device Instance IDs
Prevent Installation Of Matching Device Setup Classes

Look up device ID
You can use Device Manager to look up a device ID.
1. Open Device Manager.
2. Click View and select Devices by connection .
3. From the tree, right-click the device and select Properties .
4. In the dialog box for the selected device, click the Details tab.
5. Click the Property drop-down list and select Hardware Ids .
6. Right-click the top ID value and select Copy .
For information about Device ID formats, see Standard USB Identifiers.
For information on vendor IDs, see USB members.
The following is an example for looking up a device vendor ID or product ID (which is part of the device ID)
using PowerShell:

PowerShell
# Disk drives with their PnP IDs; USB-attached disks appear as USBSTOR\DISK&VEN_...&PROD_...
Get-CimInstance -ClassName Win32_DiskDrive | Select-Object -Property Model, InterfaceType, PNPDeviceID
# The numeric VID_xxxx&PID_yyyy pair is on the parent USB device, not on the disk object
Get-PnpDevice -PresentOnly | Where-Object InstanceId -like 'USB\VID_*' | Select-Object -Property FriendlyName, InstanceId
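The device installation policies listed above (Allow Installation Of Matching Device IDs, Prevent Installation Of Devices Not Described By Other Policy Settings, Prevent Device Metadata From Network) all land in the same registry locations whether they arrive by Group Policy or by the DeviceInstallation CSP. The following script is an added example, not code from this guide or from Microsoft: it turns the hardware IDs you copied from Device Manager into an allow-list and denies everything else. The two hardware IDs are placeholders, and the function and variable names are the author's own.

```powershell
# Added example: enforce a USB hardware-ID allow-list through the registry values that the
# Device Installation Group Policy settings write. Run elevated. Allow rules take precedence
# over "Prevent installation of devices not described by other policy settings", so every
# keyboard, mouse or storage device the kiosk depends on must be on the list or it is blocked too.
$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$Metadata     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata'

# Placeholder IDs for illustration; replace with the top "Hardware Ids" value from Device Manager
$AllowedHardwareIds = @(
    'USB\VID_XXXX&PID_YYYY',   # approved badge reader (placeholder)
    'USB\VID_XXXX&PID_ZZZZ'    # approved receipt printer (placeholder)
)

function Set-DeviceInstallAllowList {
    param([Parameter(Mandatory)][string[]]$HardwareIds)

    New-Item -Path "$Restrictions\AllowDeviceIDs" -Force | Out-Null

    # "Allow installation of devices that match any of these device IDs"
    Set-ItemProperty -Path $Restrictions -Name AllowDeviceIDs -Type DWord -Value 1

    # Replace any previous list: the IDs are stored as string values named 1, 2, 3, ...
    (Get-Item "$Restrictions\AllowDeviceIDs").Property |
        ForEach-Object { Remove-ItemProperty -Path "$Restrictions\AllowDeviceIDs" -Name $_ }
    $i = 1
    foreach ($id in $HardwareIds) {
        Set-ItemProperty -Path "$Restrictions\AllowDeviceIDs" -Name ([string]$i) -Type String -Value $id
        $i++
    }

    # "Prevent installation of devices not described by other policy settings":
    # this is the value that turns the list above into an allow-list.
    Set-ItemProperty -Path $Restrictions -Name DenyUnspecified -Type DWord -Value 1

    # "Prevent device metadata retrieval from the Internet": stops the device from calling out
    # to Microsoft for icons/metadata every time something is plugged in.
    New-Item -Path $Metadata -Force | Out-Null
    Set-ItemProperty -Path $Metadata -Name PreventDeviceMetadataFromNetwork -Type DWord -Value 1
}

function Get-DeviceInstallAllowList {
    # Returns the IDs currently on the allow-list, for auditing the device's policy state
    $key = Get-Item "$Restrictions\AllowDeviceIDs" -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    $key.Property | ForEach-Object { Get-ItemPropertyValue -Path "$Restrictions\AllowDeviceIDs" -Name $_ }
}

Set-DeviceInstallAllowList -HardwareIds $AllowedHardwareIds
Get-DeviceInstallAllowList
```

Test on a reference device before deployment: the deny-unspecified setting applies to new device arrivals immediately, so a list that omits the kiosk's own input devices can lock you out of the console.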

Additional Resources
Policy CSP - DeviceInstallation
Defender/AllowFullScanRemovableDriveScanning
Perform a custom scan of a removable device
Device Control Power BI Template for custom reporting
Windows Information Protection
Keyboard Filter

If your device is being used for a dedicated purpose, it may make sense to ensure that key combinations like
'Ctrl+Alt+Delete' do not alter the operation of the device by locking the screen or using Task Manager to close a
running application. Windows IoT Enterprise provides a feature called Keyboard Filter that allows you to
suppress undesirable key presses or key combinations.

Keyboard Filter Features


Keyboard Filter has the following features:
It supports hardware keyboards, the standard Windows on-screen keyboard, and the touch keyboard
(TabTip.exe).
It also suppresses key combinations even when they come from multiple keyboards. For example, if a user
presses the Ctrl key and the Alt key on a hardware keyboard, while at the same time pressing Delete on a
software keyboard, Keyboard Filter can still detect and suppress the Ctrl+Alt+Delete functionality.
Supports numeric keypads and keys designed to access media player and browser functionality.
Can configure a key to break out of a locked-down user session and return to the Welcome screen.
Automatically handles dynamic layout changes.
Can be enabled or disabled for administrator accounts.
Can force disabling of Ease of Access functionality.
Can block physical hardware keys.
Supports x86 and x64 architectures.

Turn on Keyboard Filter


There are multiple ways to turn on Keyboard Filter:
Control Panel
Unattend
Windows Configuration Designer
DISM

NOTE
Turning Keyboard Filter on or off requires that you restart your device. Keyboard Filter is automatically enabled after the
restart.
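The Keyboard Filter WMI provider (namespace root\standard\cimv2\embedded) is the way to configure the feature once it is installed: WEKF_PredefinedKey instances exist for every combination in the Predefined Key Combinations list, WEKF_CustomKey takes anything else, and WEKF_Settings holds the breakout key and the administrator/accessibility switches. The script below is an added example, not a sample from this guide or from Microsoft. The list of combinations to block, the custom combination and the Scroll Lock breakout scan code (70) are assumptions for a kiosk; the Id strings must match the predefined list exactly.

```powershell
# Added example: configure Keyboard Filter through its WMI provider. Run elevated. The feature
# install needs a restart before the WEKF_* classes exist, so the script stops after installing.
$ns = 'root\standard\cimv2\embedded'

function Install-KeyboardFilterFeature {
    # Returns $true when a restart is still needed before the provider is usable
    $f = Get-WindowsOptionalFeature -Online -FeatureName Client-KeyboardFilter
    if ($f.State -eq 'Enabled') { return $false }
    $r = Enable-WindowsOptionalFeature -Online -FeatureName Client-KeyboardFilter -All -NoRestart
    return [bool]$r.RestartNeeded
}

function Block-PredefinedKey {
    param([Parameter(Mandatory)][string[]]$Id)
    # Predefined combinations already exist as instances; blocking one is flipping Enabled on it
    $all = Get-CimInstance -Namespace $ns -ClassName WEKF_PredefinedKey
    foreach ($wanted in $Id) {
        $k = $all | Where-Object Id -eq $wanted
        if ($k) { $k | Set-CimInstance -Property @{ Enabled = $true } }
        else    { Write-Warning "'$wanted' is not a predefined combination; use Block-CustomKey" }
    }
}

function Block-CustomKey {
    param([Parameter(Mandatory)][string]$Id)
    # Combinations outside the predefined list are created with the static Add method
    $existing = Get-CimInstance -Namespace $ns -ClassName WEKF_CustomKey | Where-Object Id -eq $Id
    if (-not $existing) {
        Invoke-CimMethod -Namespace $ns -ClassName WEKF_CustomKey -MethodName Add -Arguments @{ Id = $Id } | Out-Null
    }
}

function Set-KeyboardFilterSetting {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Value)
    # WEKF_Settings is a name/value bag: BreakoutKeyScanCode,
    # DisableKeyboardFilterForAdministrators, ForceOffAccessibility
    Get-CimInstance -Namespace $ns -ClassName WEKF_Settings | Where-Object Name -eq $Name |
        Set-CimInstance -Property @{ Value = $Value }
}

function Get-BlockedKeys {
    # Everything currently suppressed, predefined and custom, for auditing the device
    $pre = Get-CimInstance -Namespace $ns -ClassName WEKF_PredefinedKey | Where-Object Enabled
    $cus = Get-CimInstance -Namespace $ns -ClassName WEKF_CustomKey    | Where-Object Enabled
    @($pre.Id) + @($cus.Id) | Where-Object { $_ }
}

if (Install-KeyboardFilterFeature) {
    Write-Warning 'Keyboard Filter installed; restart the device and run this script again.'
    return
}

# Combinations that let a user escape from, or kill, a kiosk app
Block-PredefinedKey -Id 'Ctrl+Alt+Delete', 'Ctrl+Shift+Esc', 'Win+L', 'Win+E', 'Alt+F4', 'Alt+Tab'

# A combination not in the predefined list (assumed example)
Block-CustomKey -Id 'Ctrl+Shift+T'

# Breakout key for the locked-down session, as a decimal scan code; 70 is Scroll Lock (assumed choice)
Set-KeyboardFilterSetting -Name BreakoutKeyScanCode -Value '70'
# Let administrators keep a working keyboard, and stop Ease of Access from bypassing the filter
Set-KeyboardFilterSetting -Name DisableKeyboardFilterForAdministrators -Value 'true'
Set-KeyboardFilterSetting -Name ForceOffAccessibility -Value 'true'

Get-BlockedKeys
```

Keep the breakout key and the administrator exemption in mind when threat modeling the kiosk: both are deliberate holes in the filter, so the breakout key should be one a passer-by would not stumble on, and the administrator account should have a strong credential and no auto-logon.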

Additional Resources
Keyboard Filter
Predefined Key Combinations
Keyboard Filter WMI provider reference
Windows PowerShell script samples for Keyboard Filter
Unified Write Filter

The Unified Write Filter (UWF) is a Windows IoT Enterprise feature that helps to protect your drives by
intercepting and redirecting any writes to the drive (app installations, settings changes, saved data) to a virtual
overlay. The virtual overlay is a temporary location that is usually cleared during a reboot or when a guest user
logs off.
The Unified Write Filter is useful in the following scenarios:
Isolating writes to extend the life of storage media
Optimizing Application load timing on boot – it can be faster to resume from a HORM file on every boot
rather than reloading the system on each boot
Resetting systems like Thin Clients, which are used in shared workspaces (e.g. schools, libraries, hotels, etc.)
with frequent guests to ensure each guest receives a clean experience

Install the Unified Write Filter


The Unified Write Filter (UWF) is an optional Windows feature. So in order to use UWF, you'll first need to install
the feature.
Turn on UWF on a running PC
Install UWF on a customized Windows Image
Install the UWF feature by using Windows Configuration Designer
Install the UWF feature by using Windows Management Instrumentation (WMI)
Next, you'll enable (and optionally configure) the feature.
The first time you enable UWF on your device, UWF makes the following changes to your system to improve the
performance of UWF:
Paging files are disabled.
System restore is disabled.
SuperFetch is disabled.
File indexing service is turned off.
Fast boot is disabled.
Defragmentation service is turned off.
BCD setting bootstatuspolicy is set to ignoreallfailures .
After UWF is enabled, you can select a drive to protect and start using UWF.

TIP
You can install UWF for running PCs and devices, prepare it for customized Windows images, or manage it remotely using
CSP or WMI.

New Capabilities - 21H2


With Windows 10 IoT Enterprise, version 21H2, a new set of capabilities have been introduced to the Unified
Write Filter.
1. UWF swapfile created on any volume
Allows booting from devices susceptible to wear from writes (e.g. SSDs)
Redirects the disk overlay to other media
2. Read-Only Mode (ROM)
Allows the device to run without writing to the physical media at all
Official successor to the WES7 Enhanced Write Filter
3. Full volume commit in ROM mode
Ability to commit the entire state of UWF-protected volumes to the physical disk at once.

Additional Resources
Enable UWF
Unified Write Filter
Unified Write Filter WMI Provider Reference
UWF Command-line tool
Service UWF-protected devices
Hibernate Once/Resume Many (HORM)

A device with HORM enabled can quickly be turned off or shut down, and then restarted into the preconfigured
state, even in the event of a sudden power loss.

Configure HORM
You can use the Hibernate Once/Resume Many (HORM) feature with Unified Write Filter (UWF) to start your
device in a preconfigured state. When HORM is enabled, your system always resumes and restarts from the last
saved hibernation file (hiberfil.sys).

UWF configuration
UWF must be enabled before you can enable or disable HORM. UWF must be configured in the following ways
to protect the hibernation file from becoming invalid:
All fixed volumes that are mounted on the system must be protected by UWF.
Your system must not have any file, folder, or registry exclusions configured for UWF.
The UWF overlay must be configured to use RAM mode. HORM does not support disk-backed overlays.
UWF does not filter hibernation files from being written to disk. If you want to protect the preconfigured state of
your device, lock down any functionality that can modify the hibernation file. For example, disable hibernation,
hybrid sleep, and fast startup on your device for standard user accounts so that the saved hibernation file is not
overwritten when entering a sleep, hibernate, or shutdown state.
To disable hybrid sleep and fast startup on your device, follow these steps.
To configure the UWF with HORM, check out this guide.
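The UWF installation steps above and the HORM prerequisites in this section can be driven from one script. The following is an added example written for this page, not Microsoft's sample code: it installs the feature, configures a RAM overlay and protects every fixed volume with uwfmgr, and then refuses to enable HORM unless the three conditions in the text (all fixed volumes protected, no file or registry exclusions, RAM overlay) hold in the next-session configuration read from the UWF WMI classes. The overlay size, the three-restart flow and the function names are assumptions.

```powershell
# Added example: stage UWF on a running device and gate HORM behind its prerequisites.
# Run elevated. uwfmgr.exe and the UWF_* WMI classes exist only after the feature is installed
# and the device has restarted, so the phases are meant to be run across restarts.
$ns = 'root\standard\cimv2\embedded'

function Install-UwfFeature {
    # Phase 1. Returns $true if a restart is needed before uwfmgr/WMI are available.
    $f = Get-WindowsOptionalFeature -Online -FeatureName Client-UnifiedWriteFilter
    if ($f.State -eq 'Enabled') { return $false }
    $r = Enable-WindowsOptionalFeature -Online -FeatureName Client-UnifiedWriteFilter -All -NoRestart
    return [bool]$r.RestartNeeded
}

function Get-FixedDriveLetters {
    # Fixed volumes in the "C:" form that UWF_Volume.DriveLetter uses
    Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and "$($_.DriveLetter)" -match '^[A-Za-z]$' } |
        ForEach-Object { "$($_.DriveLetter):" }
}

function Set-UwfBaseline {
    param([int]$OverlayMaxMB = 1024)   # assumed cap; size it to the device's RAM
    # Phase 2 (after the first restart). All of these are next-session settings.
    uwfmgr.exe overlay set-type RAM        | Out-Null   # HORM does not support disk-backed overlays
    uwfmgr.exe overlay set-size $OverlayMaxMB | Out-Null
    foreach ($d in Get-FixedDriveLetters) { uwfmgr.exe volume protect $d | Out-Null }
    uwfmgr.exe filter enable | Out-Null
    uwfmgr.exe get-config
}

function Test-HormPrerequisites {
    # Phase 3 check against the next-session configuration: RAM overlay, every fixed volume
    # protected, and no file or registry exclusions.
    $overlay = Get-CimInstance -Namespace $ns -ClassName UWF_OverlayConfig | Where-Object CurrentSession -eq $false
    $volumes = Get-CimInstance -Namespace $ns -ClassName UWF_Volume        | Where-Object CurrentSession -eq $false
    $files   = @(Get-CimInstance -Namespace $ns -ClassName UWF_ExcludedFile)
    $keys    = @(Get-CimInstance -Namespace $ns -ClassName UWF_ExcludedRegistryKey)

    $problems = @()
    if ($overlay.Type -ne 0) { $problems += 'overlay is disk-backed; HORM needs RAM (Type 0)' }
    foreach ($d in Get-FixedDriveLetters) {
        $v = $volumes | Where-Object DriveLetter -eq $d
        if (-not $v -or -not $v.Protected) { $problems += "fixed volume $d is not protected" }
    }
    if ($files.Count) { $problems += "$($files.Count) file exclusion(s) present" }
    if ($keys.Count)  { $problems += "$($keys.Count) registry exclusion(s) present" }
    if ($problems) { Write-Warning ('HORM prerequisites not met: ' + ($problems -join '; ')) }
    return ($problems.Count -eq 0)
}

function Protect-HibernationFile {
    # HORM resumes from hiberfil.sys, so hibernation stays on while the paths that would
    # rewrite the file (fast startup, hybrid sleep) are turned off, as the text recommends.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' `
        -Name HiberbootEnabled -Type DWord -Value 0
    powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0 | Out-Null
    powercfg.exe /setdcvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0 | Out-Null
    powercfg.exe /setactive SCHEME_CURRENT | Out-Null
}

function Enable-Horm {
    # Phase 3 (after the restart that made UWF live). Returns $false without touching anything
    # if the configuration would leave the hibernation file unprotected.
    if (-not (Test-HormPrerequisites)) { return $false }
    Protect-HibernationFile
    uwfmgr.exe filter enable-horm | Out-Null
    # Bring the device into the state every boot should resume into, then: shutdown.exe /h
    return $true
}

if (Install-UwfFeature) {
    Write-Warning 'UWF installed: restart, run Set-UwfBaseline, restart again, then run Enable-Horm.'
}
```

The guard in Test-HormPrerequisites is the part worth keeping even if the rest is replaced by a provisioning package: an exclusion added later for a log directory silently breaks the HORM guarantee, and this check catches it before the next hibernation capture.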
Custom Logon

Custom Logon features allow you to take control of the welcome and shutdown screens for your device.

Feature Benefits
By using Custom Logon, you can suppress all elements of the Welcome screen UI and provide a custom logon
UI for your users. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end
applications while the OS waits for applications to close before a shutdown.
Custom Logon settings do not modify the credential behavior of Winlogon , so you can use any credential
provider that is compatible with Windows to provide a custom sign-in experience for your device.

Enable Custom Logon


Custom Logon is an optional component and is not turned on by default in Windows. It must be turned on prior
to configuring. You can turn on and configure Custom Logon in a customized Windows image (.wim) if
Microsoft Windows has not been installed. If Windows has already been installed and you are applying a
provisioning package to configure Custom Logon, you must first turn on Custom Logon in order for a
provisioning package to be successfully applied.
The Custom Logon feature is available in the Control Panel.
You can set Custom Logon by following these steps:
1. In the Windows search bar, type Turn Windows features on or off .
2. In the Windows Features window, expand the Device Lockdown node, and select the checkbox for Custom
Logon.
Turn on and configure Custom Logon using DISM
Configure Custom Logon settings using Unattend

Complementary Features
You may want to use or change some of the following features in conjunction with Custom Logon to further
customize the user experience.
Power button
We recommend that you remove the power button from the Welcome screen and block the physical power
button so that a user cannot turn off the device when using assigned access or shell launcher.
Go to Power Options > Choose what the power button does , change the setting to Do nothing , and then
Save changes .
Remove Wireless UI from the Welcome screen
You can also remove the Wireless UI option from the Welcome screen by using Group Policy.
To remove Wireless UI from the Welcome screen:
1. From a command prompt, run gpedit.msc to open the Local Group Policy Editor.
2. In the Local Group Policy Editor, under Computer Configuration > Administrative Templates > System
> Logon .
3. Double-tap or click Do not display network selection UI .
Welcome Screen
You also have the option to remove other buttons from the Welcome screen to create your own customized
experience.
This includes:
Language button
Ease of Access button
Switch user button
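Each of the Welcome screen elements above corresponds to a bit in the BrandingNeutral value under the Custom Logon registry key, and the power button and wireless UI settings have registry or powercfg equivalents. The following is an added example, not code from this guide or from Microsoft, that installs the Custom Logon feature and applies those settings from one place. The bit values follow the Custom Logon documentation this page links to; which elements you remove, and the function names, are the author's choices.

```powershell
# Added example: turn on Custom Logon and harden the Welcome screen. Run elevated; the feature
# install needs a restart before the EmbeddedLogon settings take effect.
$Logon  = 'HKLM:\SOFTWARE\Microsoft\Windows Embedded\EmbeddedLogon'
$System = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

# BrandingNeutral is a bit mask; each bit removes one Welcome screen element
$BrandingNeutral = @{
    AllWelcomeUI            = 1    # suppress every Welcome screen UI element
    PowerButton             = 2
    LanguageButton          = 4
    EaseOfAccessButton      = 8
    SwitchUserButton        = 16
    BlockedShutdownResolver = 32   # no BSDR screen; apps are ended at shutdown instead
}

function Enable-CustomLogonFeature {
    $f = Get-WindowsOptionalFeature -Online -FeatureName Client-EmbeddedLogon
    if ($f.State -eq 'Enabled') { return $false }
    return [bool](Enable-WindowsOptionalFeature -Online -FeatureName Client-EmbeddedLogon -All -NoRestart).RestartNeeded
}

function Set-CustomLogon {
    param([string[]]$Remove = @('PowerButton', 'LanguageButton', 'EaseOfAccessButton',
                                'SwitchUserButton', 'BlockedShutdownResolver'))
    $mask = 0
    foreach ($name in $Remove) {
        if (-not $BrandingNeutral.ContainsKey($name)) { throw "Unknown element '$name'" }
        $mask = $mask -bor $BrandingNeutral[$name]
    }
    New-Item -Path $Logon -Force | Out-Null
    Set-ItemProperty -Path $Logon -Name BrandingNeutral   -Type DWord -Value $mask
    Set-ItemProperty -Path $Logon -Name HideAutoLogonUI   -Type DWord -Value 1   # no "Welcome" text during auto-logon
    Set-ItemProperty -Path $Logon -Name AnimationDisabled -Type DWord -Value 1   # no first-logon animation
    Set-ItemProperty -Path $Logon -Name NoLockScreen      -Type DWord -Value 1
    Set-ItemProperty -Path $Logon -Name UIVerbosityLevel  -Type DWord -Value 1   # suppress status messages
    return $mask
}

function Disable-PowerButtonAndNetworkUi {
    # "Choose what the power button does" = Do nothing, on AC and on battery
    powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0 | Out-Null
    powercfg.exe /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0 | Out-Null
    powercfg.exe /setactive SCHEME_CURRENT | Out-Null
    # Group Policy "Do not display network selection UI" (System > Logon)
    New-Item -Path $System -Force | Out-Null
    Set-ItemProperty -Path $System -Name DontDisplayNetworkSelectionUI -Type DWord -Value 1
}

function Get-CustomLogonState {
    # Decode the mask back into element names, for auditing a device
    $v = Get-ItemProperty -Path $Logon -ErrorAction SilentlyContinue
    if (-not $v) { return 'Custom Logon not configured' }
    $removed = $BrandingNeutral.GetEnumerator() |
        Where-Object { $v.BrandingNeutral -band $_.Value } | ForEach-Object Key
    [pscustomobject]@{ BrandingNeutral = $v.BrandingNeutral; Removed = ($removed -join ', ') }
}

if (Enable-CustomLogonFeature) { Write-Warning 'Custom Logon installed; restart before the settings apply.' }
Set-CustomLogon | Out-Null      # default set: 2+4+8+16+32 = 62
Disable-PowerButtonAndNetworkUi
Get-CustomLogonState
```

Removing the Switch user and Ease of Access buttons closes two common paths out of an assigned-access session; the power button change only covers the soft button, so the physical button still needs the powercfg step (or a case that hides it) if the device must not be turned off by users.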

Additional Resources
Custom Logon
Complementary features to Custom Logon
Troubleshooting Custom Logon
Microsoft Store Access

You have the option to decide how much access you would like your users to have when it comes to opening the
Microsoft Store on Windows IoT Enterprise. Access to the Microsoft Store can be blocked or modified to achieve a
desired customer experience or to meet an organization's policy. You can use AppLocker or Group Policy to
configure access to Microsoft Store.

NOTE
The Long-Term-Servicing Channel (LTSC) has the store service for updating preinstalled apps, but does not include the
Store UI for browsing apps. The Semi-Annual Channel (SAC) has both the store service and UI.

Block Microsoft Store using AppLocker


AppLocker provides policy-based access control management for applications. You can block access to Microsoft
Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Microsoft Store app
as the packaged app that you want to block from client computers.

Block Microsoft Store using Group Policy


You can also use Group Policy to manage access to Microsoft Store.

Block Microsoft Store using configuration service provider


If you have Windows IoT Enterprise devices in your organization that are managed using a mobile device
management (MDM) system, such as Microsoft Intune, you can block access to Microsoft Store app using the
following configuration service providers (CSPs):
Policy CSP
AppLocker CSP
For more information, see Configure an MDM provider.

Show private store only using Group Policy


If you're using Microsoft Store for Business and you want employees to only see apps you're managing in your
private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available,
but employees can't view or purchase apps. Employees can view and install apps that the admin has added to
your organization's private store.
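The AppLocker, Group Policy and private-store options above can all be applied from PowerShell. The following is an added example, not code from this guide or from Microsoft: it builds an AppLocker packaged-app policy with a Deny rule for the Store next to the allow-all rule that an Appx collection needs, merges it into the local policy, and exposes the two Group Policy registry values ("Turn off the Store application" and "Only display the private store") as a single function. The publisher string is read from the installed package and falls back to the Microsoft signer name when the Store package is absent, as on LTSC; file locations and function names are assumptions.

```powershell
# Added example: block or restrict the Microsoft Store app. Run elevated.
$PolicyPath = "$env:TEMP\BlockStore.AppLocker.xml"   # assumed location

function New-BlockStorePolicyXml {
    $pkg = Get-AppxPackage -Name Microsoft.WindowsStore -ErrorAction SilentlyContinue | Select-Object -First 1
    $publisher = if ($pkg) { $pkg.Publisher }
                 else { 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US' }
    # An Appx rule collection with any rule in it blocks every packaged app that is not
    # explicitly allowed, so the Deny rule must sit next to an allow-all rule.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow all signed packaged apps" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny Microsoft Store" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$publisher" ProductName="Microsoft.WindowsStore" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

function Install-BlockStorePolicy {
    New-BlockStorePolicyXml | Set-Content -Path $PolicyPath -Encoding UTF8
    # AppLocker rules are only enforced while the Application Identity service runs
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    # -Merge leaves the device's existing Exe/Script/MSI collections untouched
    Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
    # Show the decision the policy reaches for the Store package itself
    $pkg = Get-AppxPackage -Name Microsoft.WindowsStore -ErrorAction SilentlyContinue
    if ($pkg) { $pkg | Get-AppLockerFileInformation | Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone }
}

function Set-StorePolicy {
    param([Parameter(Mandatory)][ValidateSet('Block', 'PrivateStoreOnly', 'Allow')][string]$Mode)
    # Group Policy values: "Turn off the Store application" and
    # "Only display the private store within the Microsoft Store"
    $Store = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
    New-Item -Path $Store -Force | Out-Null
    Set-ItemProperty -Path $Store -Name RemoveWindowsStore      -Type DWord -Value ([int]($Mode -eq 'Block'))
    Set-ItemProperty -Path $Store -Name RequirePrivateStoreOnly -Type DWord -Value ([int]($Mode -eq 'PrivateStoreOnly'))
}

Install-BlockStorePolicy
Set-StorePolicy -Mode Block
```

Use both layers where you can: the Group Policy value removes the Store from the user's reach, while the AppLocker rule still denies the package if the value is later reverted or the app is launched by another route.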

Additional Resources
Configure access to Microsoft Store
Distribute apps using your private store
Manage access to private store
Settings Page Policy: Page Visibility

Page Visibility is a feature that allows you to further customize the visibility of pages in the System Settings app.

Configure the Page Visibility Policy


Added in Windows 10, version 1703, the page visibility policy can prevent specific pages in the System Settings
app from being visible or accessible, or to do so for all pages except those specified.
The mode is specified by the policy string beginning with either showonly: or hide: .
Pages are identified by a shortened version of their already published URIs, which is the URI minus the
"ms-settings:" prefix. Multiple page identifiers are separated by semicolons.
For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will
be just "bluetooth".
Enable Page Visibility Policy
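The policy string described above is stored as the SettingsPageVisibility value under the Explorer policy key that the Settings/PageVisibilityList CSP maps to. The following is an added example, not code from this guide: it builds the string from a list of ms-settings: URIs using the prefix-stripping rule in the text, validates the mode, and writes the value. The three pages chosen are an assumption for a kiosk that should expose only Wi-Fi, display and about.

```powershell
# Added example: write the Page Visibility policy from a list of ms-settings: URIs. Run elevated.
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function ConvertTo-PageVisibilityPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('showonly', 'hide')][string]$Mode,
        [Parameter(Mandatory)][string[]]$Pages   # "ms-settings:bluetooth" or just "bluetooth"
    )
    # Page identifiers are the URIs without the ms-settings: prefix, joined with semicolons
    $ids = $Pages | ForEach-Object { ($_ -replace '^ms-settings:', '').Trim() } |
        Where-Object { $_ } | Select-Object -Unique
    if (-not $ids) { throw 'At least one page identifier is required' }
    return "${Mode}:" + ($ids -join ';')
}

function Set-PageVisibilityPolicy {
    param([Parameter(Mandatory)][string]$Policy)
    New-Item -Path $ExplorerPolicy -Force | Out-Null
    Set-ItemProperty -Path $ExplorerPolicy -Name SettingsPageVisibility -Type String -Value $Policy
}

# showonly is the safer mode for a fixed-purpose device: a page you forget stays hidden,
# whereas hide: leaves any Settings page added by a later feature update reachable.
$policy = ConvertTo-PageVisibilityPolicy -Mode showonly -Pages 'ms-settings:network-wifi', 'display', 'ms-settings:about'
Set-PageVisibilityPolicy -Policy $policy
$policy   # showonly:network-wifi;display;about
```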

Additional Resources
Page Visibility List
Policy CSP - Settings
Policy CSP
ms-settings: URI scheme reference
Layout Control

In Windows IoT Enterprise, organizations can deploy a customized Start and Taskbar configuration to their
devices. We know how important it is for your devices to maintain your brand and customized user-experience.

Configure Start Layout


A standard, customized Start layout can be useful on devices that are common to multiple users and devices
that are locked down for specialized purposes.
The easiest method for creating a customized Start layout to apply to other Windows devices is to set up the
Start screen on a test computer and then export the layout.
After you export the layout, decide whether you want to apply a full Start layout or a partial Start layout.
When a full Start layout is applied, the users cannot pin, unpin, or uninstall apps from Start. Users can view and
open all apps in the All Apps view, but they cannot pin any apps to Start.
When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can
move those groups, and can also create and customize their own groups.
You can deploy the resulting .xml file to devices using one of the following methods:
Group Policy
Windows Configuration Designer provisioning package
Mobile device management (MDM)
Secondary Tiles
Secondary tiles allow users to pin specific content and deep links from your app onto their Start menu,
providing easy future access to the content within your app.
By adding secondary tiles to your app, you help the user re-engage quickly and efficiently with your app,
encouraging them to return more often, thanks to the easy access that secondary tiles provide.

Configure Windows 10 taskbar


Configuring the taskbar layout allows an organization to pin useful apps and to remove apps that are pinned by
default to provide a specified user experience.
The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout.
You can also specify different taskbar configurations based on device locale and region. There is no limit on the
number of apps that you can pin. You specify apps using the Application User Model ID (AUMID) or Desktop
Application Link Path (the local path to the application).
If you specify an app to be pinned that is not provisioned for the user on the computer, the pinned icon won't
appear on the taskbar.
The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, to the right
of any existing apps pinned by the user.
To configure the taskbar:
1. Create the XML file.
If you are also customizing the Start layout, use Export-StartLayout to create the XML, and then add the
<CustomTaskbarLayoutCollection> section from the following sample to the file.
If you are only configuring the taskbar, use the following sample to create a layout modification XML file.
2. Edit and save the XML file. You can use AUMID or Desktop Application Link Path to identify the apps to pin to
the taskbar.
Add xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout" to the first line of the file, before
the closing >.
Use <taskbar:UWA> and AUMID to pin Universal Windows Platform apps.
Use <taskbar:DesktopApp> and Desktop Application Link Path to pin desktop applications.
3. Apply the layout modification XML file to devices using Group Policy or a provisioning package created in
Windows Imaging and Configuration Designer (Windows ICD).

IMPORTANT
If you use a provisioning package or Import-StartLayout to configure the taskbar, your configuration will be reapplied each
time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's
change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to
make changes that will persist, apply your configuration by using Group Policy.
If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be
applied and cannot be changed by users. If you use Group Policy and your configuration includes taskbar and a full Start
layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a
partial Start layout, users can make changes to the taskbar and to tile groups not defined in the partial Start layout.

Tips for finding AUMID and Desktop Application Link Path


In the layout modification XML file, you will need to add entries for applications in the XML markup. In order to
pin an application, you need either its AUMID or Desktop Application Link Path.
The easiest way to find this data for an application is to:
1. Pin the application to the Start menu on a reference or testing PC.
2. Open Windows PowerShell and run the Export-StartLayout cmdlet.
3. Open the generated XML file.
4. Look for an entry corresponding to the app you pinned.
5. Look for a property labeled AppUserModelID or DesktopApplicationLinkPath .
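The taskbar procedure above and the AUMID lookup tips can be combined into one script. The following is an added example, not code from this guide or from Microsoft: it looks AUMIDs up with Get-StartApps rather than by pinning and exporting, warns about apps that are not provisioned (which the text says will silently not appear), generates a taskbar-only LayoutModification.xml with the taskbar namespace in place, and points the Start Layout Group Policy values at the file. The pinned apps and file location are assumptions.

```powershell
# Added example: build and apply a taskbar layout. Run elevated.
$LayoutPath = 'C:\ProgramData\Contoso\LayoutModification.xml'   # assumed location

function Find-Aumid {
    param([Parameter(Mandatory)][string]$Name)
    # Get-StartApps lists every app visible in Start together with its AUMID (AppID)
    Get-StartApps | Where-Object Name -like "*$Name*" | Select-Object Name, AppID
}

function Test-AumidProvisioned {
    param([Parameter(Mandatory)][string[]]$Aumids)
    # Returns the AUMIDs that are not provisioned on this device; pins for them would not appear
    $known = (Get-StartApps).AppID
    $Aumids | Where-Object { $known -notcontains $_ }
}

function New-TaskbarLayoutXml {
    param([string[]]$Aumids = @(), [string[]]$LinkPaths = @(), [switch]$ReplaceDefaults)
    # PinListPlacement="Replace" drops the default pins; "Append" keeps them to the left of yours
    $placement = if ($ReplaceDefaults) { 'Replace' } else { 'Append' }
    $pins = @()
    foreach ($a in $Aumids)    { $pins += "        <taskbar:UWA AppUserModelID=`"$a`" />" }
    foreach ($p in $LinkPaths) { $pins += "        <taskbar:DesktopApp DesktopApplicationLinkPath=`"$p`" />" }
@"
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
    xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
    Version="1">
  <CustomTaskbarLayoutCollection PinListPlacement="$placement">
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
$($pins -join "`n")
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
  </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
"@
}

function Install-TaskbarLayout {
    param([Parameter(Mandatory)][string]$Xml)
    New-Item -Path (Split-Path $LayoutPath) -ItemType Directory -Force | Out-Null
    Set-Content -Path $LayoutPath -Value $Xml -Encoding UTF8
    # Group Policy "Start Layout" values. Applied this way, a user's own pin changes persist,
    # which the IMPORTANT note above contrasts with provisioning-package deployment.
    $Explorer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
    New-Item -Path $Explorer -Force | Out-Null
    Set-ItemProperty -Path $Explorer -Name StartLayoutFile   -Type String -Value $LayoutPath
    Set-ItemProperty -Path $Explorer -Name LockedStartLayout -Type DWord  -Value 1
}

# Assumed pins; confirm the AUMID on your image with: Find-Aumid -Name Edge
$aumids  = @('Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge')
$missing = Test-AumidProvisioned -Aumids $aumids
if ($missing) { Write-Warning "Not provisioned, will not be pinned: $($missing -join ', ')" }
$xml = New-TaskbarLayoutXml -Aumids $aumids -ReplaceDefaults `
    -LinkPaths '%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk'
Install-TaskbarLayout -Xml $xml
```

For a locked-down device, prefer Replace over Append: default pins such as Microsoft Store or a file browser are exactly the launchers you usually want off a kiosk taskbar.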

Additional Resources
Customize the Start screen on your test computer
Export the Start layout
Configure a partial Start layout
Remove default apps
Remove default apps and add your own
Configure taskbar by country or region
Layout Modification Template schema definition
Secondary tile guidance
Pin secondary tiles
Add image for secondary Microsoft Edge tiles
Unbranded Boot and Errors

Unbranded Boot enables you to suppress Windows elements that appear when Windows starts or resumes and
can suppress the crash screen when Windows encounters an error that it cannot recover from.

Turn on Unbranded Boot settings


Unbranded Boot is an optional component and is not enabled by default in Windows IoT Enterprise. It must be
enabled prior to configuring. You can turn on Unbranded Boot by using Control Panel.

NOTE
If Windows has already been installed you cannot apply a provisioning package to configure Unbranded Boot; instead you
must use BCDEdit to configure Unbranded Boot if Windows is installed.
BCDEdit is the primary tool for editing the startup configuration and is on your development computer in the
%WINDIR%\System32 folder. You have administrator rights for it. BCDEdit is included in a typical Windows Preinstallation
Environment (Windows PE) 4.0. You can download it from the BCDEdit Commands for Boot Environment in the Microsoft
Download Center if needed.

Configure Unbranded Boot


There are multiple ways to configure Unbranded Boot. Use the method that is appropriate for your organization.
BCDEdit
Unattend
Deployment Image Servicing and Management (DISM)
Microsoft-Windows-Embedded-BootExp

Suppress Crash Screens


Microsoft offers Windows 10 IoT Enterprise customers methods to manage crash screens.
Errors During Boot Phase
The noerrordisplay switch suppresses all error display during the boot phase.
For example, if noerrordisplay is on and the boot manager hits a WinLoad error or a bad-disk error, the
system will sit at a black screen and require a manual reset.
Review Configure Unbranded Boot settings at runtime using BCDEdit to enable the noerrordisplay setting.


Exception Error
To ensure that there is no crash screen if Windows encounters an error it cannot recover from, enable the
DisplayDisabled setting using Unattend.
You can also configure the Unattend settings in the Microsoft-Windows-Embedded-BootExp component to add
Unbranded Boot features to your image during the design or imaging phase. You can manually create an
Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to
your answer file. For more information about the Unbranded Boot settings and XML examples, see the settings
in Microsoft-Windows-Embedded-BootExp.
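The runtime path described in this section (BCDEdit for the boot UX and boot-phase errors, DisplayDisabled for the crash screen) can be scripted and, more importantly, read back before an image is captured. The following is an added example, not code from this guide or from Microsoft. The BCD identifiers used ({globalsettings} for the boot UX switch, {bootmgr} for noerrordisplay) and the CrashControl\DisplayDisabled registry value follow the Unbranded Boot documentation this page links to but are not quoted on this page, so confirm them with bcdedit /enum on your build; the function names are the author's.

```powershell
# Added example: configure Unbranded Boot at runtime and verify the result. Run elevated.

function Enable-UnbrandedBootFeature {
    $f = Get-WindowsOptionalFeature -Online -FeatureName Client-EmbeddedBootExp
    if ($f.State -eq 'Enabled') { return $false }
    return [bool](Enable-WindowsOptionalFeature -Online -FeatureName Client-EmbeddedBootExp -All -NoRestart).RestartNeeded
}

function Set-UnbrandedBoot {
    param([switch]$SuppressBootErrors, [switch]$SuppressCrashScreen)
    # Hide the logo, status text and spinner while Windows starts or resumes
    bcdedit.exe /set '{globalsettings}' bootuxdisabled on | Out-Null
    if ($SuppressBootErrors) {
        # Boot-phase errors (WinLoad, bad disk) then become a black screen that needs a manual
        # reset, so only enable this where an out-of-band recovery path exists.
        bcdedit.exe /set '{bootmgr}' noerrordisplay on | Out-Null
    }
    if ($SuppressCrashScreen) {
        # Same effect as the DisplayDisabled Unattend setting: no bug-check screen on a fatal error
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' `
            -Name DisplayDisabled -Type DWord -Value 1
    }
}

function Get-UnbrandedBootState {
    # Parse "bcdedit /enum <id>" into name/value pairs and report the settings managed above
    function Read-Bcd([string]$Id) {
        $h = @{}
        foreach ($line in (bcdedit.exe /enum $Id)) {
            if ($line -match '^(\S+)\s+(\S.*)$') { $h[$matches[1]] = $matches[2].Trim() }
        }
        return $h
    }
    $g = Read-Bcd '{globalsettings}'
    $b = Read-Bcd '{bootmgr}'
    $c = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        bootuxdisabled  = $g['bootuxdisabled']     # expect "Yes" once applied
        noerrordisplay  = $b['noerrordisplay']     # absent unless -SuppressBootErrors was used
        DisplayDisabled = $c.DisplayDisabled       # 1 when the crash screen is suppressed
    }
}

if (Enable-UnbrandedBootFeature) { Write-Warning 'Unbranded Boot installed; restart before configuring.' }
# Leave boot-error suppression off unless the device can be recovered remotely
Set-UnbrandedBoot -SuppressCrashScreen
Get-UnbrandedBootState
```

Suppressing the crash screen removes the only on-device evidence that a bug check happened, so pair it with crash dump collection (the same CrashControl key) or remote telemetry; otherwise a repeatedly crashing device looks identical to one that is merely slow to boot.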

Additional Resources
Replace the startup logo
Configure Components and Settings in an Answer File.
Manage Update Experience

In Windows IoT Enterprise, we know that having your device ready for use at all times is very important. We have
many features to help you maximize control and customization over your devices' update screen UI and
notifications to ensure that you can plan ahead and control when updates occur. Below are some
common recommended configuration settings. Consider whether each individual configuration setting applies
to your device scenario.

Genericized Update Message Strings


Starting in the Windows fall 2021 releases, update message strings have been rewritten to remove references to
terms such as 'Windows', 'computer', and 'PC', to keep the experience focused on your fixed-purpose device.
See the table below for examples.

Original string                    New string
Don't turn off your computer       Please keep your device on
Getting Windows ready              Getting things ready
Setting up Windows                 Updates are underway
Getting ready to retry             Retrying a few things
We couldn't complete the updates   Something didn't go as planned

Update Screen Accent Color


You can additionally customize the update experience on your devices by changing the background color of the
update screen from the traditional blue to whichever color best matches your branding of your organization.
To update the accent color:
1. Open the Settings app and navigate to Personalization.
2. In the menu on the left side, navigate to Colors.
3. Scroll to the bottom of the page and select a color from the list or use the custom color picker.

NOTE
This setting also affects the color of accents within the UI of the OS.

Control UI notifications from the Windows Update client


A device can be configured to hide the UI experience for Windows Update while letting the service itself
run in the background and update the system. The Windows Update client still honors the policies set for
configuring Automatic Updates; this policy controls only the UI portion of that experience.
1. Open the Group Policy Editor (gpedit.msc) and navigate to Computer Configuration\Administrative
Templates\Windows Components\Windows Update\Display options for update notifications
2. Set the policy to Enabled .
3. Specify the update notifications display options to 1 or 2.

TIP
Set the value to 1 to hide all notifications except restart warnings, or to 2 to hide all notifications, including restart
warnings.

Additional Resources
Windows Updates in Windows IoT Enterprise
Manage device restarts after updates
Manage additional Windows Update settings
Deploy feature updates during maintenance windows
Deploy feature updates for user-initiated installations
Device Management Overview

Managing a device is now easier than ever on Windows 10 IoT Enterprise. There are multiple options that your
organization can choose from in order to best manage your devices, such as Microsoft Intune, Endpoint
Manager, and third-party OMA-DM based management tools. OEMs can also select Azure Device Agent, which
leaves it up to their customers to select the device management solution that fits them best.

Mobile Device Management


Windows 10 provides an enterprise management solution to help IT pros manage company security policies
and business applications, while avoiding compromise of the users’ privacy on their personal devices. A built-in
management component can communicate with the management server. Learn What's new in mobile device
enrollment and management to further understand the capabilities that are being offered.
Microsoft Intune
Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile
application management (MAM). You control how your organization’s devices are used and can configure
specific policies to control applications. Intune is part of Microsoft's Enterprise Mobility + Security (EMS) suite.
Intune integrates with Azure Active Directory (Azure AD) to control who has access, and what they can access. It
also integrates with Azure Information Protection for data protection. Here's a guide on how to enroll your
devices in Microsoft Intune.

Microsoft Endpoint Manager (Formerly SCCM)


Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Microsoft brings
together Configuration Manager and Intune, without a complex migration, and with simplified licensing.
Continue to leverage your existing Configuration Manager investments, while taking advantage of the power of
the Microsoft cloud at your own pace.

NOTE
Starting in version 1910, Configuration Manager current branch is now part of Microsoft Endpoint Manager. Version
1906 and earlier are still branded System Center Configuration Manager (SCCM). The Microsoft Endpoint Manager brand
will appear in the product and documentation over the coming months.

Azure IoT Device Agent


The Azure IoT Device Agent is supported on Windows 10 IoT Enterprise and enables remote device
management capabilities.
Azure IoT Device Agent provides a ready-to-build open source solution that:
Manages the device identity provisioning with IoT Hub.
Manages the cloud connection and its renewal.
Provides a plug-in model for platform components, which allows easy onboarding to various Azure services.
(This model includes discovery, initialization, error reporting, and state aggregation.)
Comes with a set of ready-to-ship plug-ins for very commonly used platform components.
Update Management
Device Update Center and Windows Server Update Services are update controls and mechanisms that are not
full device management solutions, but are included in the list for completeness.
Device Update Center
Device Update Center (DUC) is available for IoT Core today. DUC is an update control that is staged before device
management in the control chain. DUC is a great solution if you are looking to push app updates or control OS
updates for a SKU of devices collectively (vs. individual devices as addressed above by Device Management).
This means that you can still use device management if you choose DUC for upstream control. This service is
often used with Azure Device Agent by appliance device builders.
We are working on bringing Device Update Center to Windows IoT Enterprise in the coming months; it is
currently in Private Preview.
To learn more about DUC, please review this animated YouTube video on Microsoft Device Update Center
Primer.
Windows Server Update Services (WSUS)
Windows Server Update Services (WSUS) enables organizations to deploy the latest Microsoft product updates
to their Windows IoT devices. You can use WSUS to fully manage the distribution of updates that are released
through Microsoft Update to devices on your network.
A WSUS server provides features that you can use to manage and distribute updates through a management
console. A WSUS server can also be the update source for other WSUS servers within the organization. The
WSUS server that acts as an update source is called an upstream server. In a WSUS implementation, at least one
WSUS server on your network must be able to connect to Microsoft Update to get available update information.
Deploy WSUS
Update Management with WSUS
OS Updates

Connected devices face new security threats continually, and updates are an essential tool to address them.
The Microsoft Security Response Center (MSRC) is part of the defender community and on the front line of
security response evolution. MSRC's mission is to protect customers from being harmed by security
vulnerabilities in Microsoft's products and services. By building your solution with Windows IoT Enterprise, you
have Microsoft Security Response Center's commitment towards security. Please review their Security Update
Guide to ensure your devices are up to date and secured.
Windows Update Advantage:
Keeps device up to date with critical security software updates
Utilize the Microsoft proven and scalable infrastructure
Updates can be easily managed and controlled by device owners
Windows IoT Enterprise gives you the power to manage and control updates as per device and organization
requirements.

Control Windows Updates


One of the most common requests from device partners is centered around controlling automatic updates on
Windows IoT Enterprise devices. The nature of IoT devices is such that unexpected disruptions, through
something like an unplanned update, can create a bad device experience.
Questions that you should ask when considering how to control Windows updates:
Is the device scenario such that any disruption of the workflow is unacceptable?
How are updates validated prior to deployment?
What is the update user experience on the device itself?
If you have a device where disruption of the user experience isn't acceptable, you should consider limiting
updates to only certain hours, disabling automatic updates, or deploying updates either manually or through a
controlled third-party device-management solution.

Limit reboots from updates


You can use the Active Hours Group Policy, MDM, or registry setting to limit updates to only certain hours.
1. Open the Group Policy Editor (gpedit.msc) and navigate to Computer Configuration\Administrative
Templates\Windows Components\Windows Update and open the Turn off auto-restart for
updates during active hours policy setting. Enable the policy so you can set the start and end times for
active hours.
2. Set the Start and End time to the Active Hours window. For example, set Active Hours to start at 4:00 AM and
end at 2:00 AM. This allows the system to reboot from updates between the hours of 2:00 AM and 4:00 AM.

Disable Automatic Windows Updates


Security and stability are at the core of a successful IoT project, and Windows Update provides updates to
ensure Windows IoT Enterprise has the latest applicable security and stability updates. You might, however, have
a device scenario where updating Windows has to be handled completely manually. For this type of scenario, we
recommend disabling automatic updating through Windows Update. In previous versions of Windows, device
partners could stop and disable the Windows Update service, but this is no longer the supported method for
disabling automatic updates. Windows has a number of policies that allow you to configure Windows Update
in several ways.
To completely disable automatic updating of Windows with Windows Update:
1. Open the Group Policy Editor (gpedit.msc) and navigate to Computer Configuration\Administrative
Templates\Windows Components\Windows Update\Configure Automatic Updates.
2. Explicitly set the policy to Disabled. When this setting is set to Disabled, any available updates from
Windows Update must be downloaded and installed manually, which you can do in the Settings app under
Update & security > Windows Update.

Disable access to the Windows Update user experience


In some scenarios, configuring Automatic Updates isn't enough to preserve a desired device experience. For
example, an end-user may still have access to the Windows Update settings, which would allow manual updates
via Windows Update. You can configure Group policy to prohibit access to Windows Update through settings.
To prohibit access to Windows Update:
1. Open the Group Policy Editor (gpedit.msc) and navigate to Computer Configuration\Administrative
Templates\Windows Components\Windows Update\Remove access to use all Windows Update
features.
2. Set this policy to Enabled to remove the "Check for updates" option for users. Note: Any background update
scans, downloads, and installations will continue to work as configured. This policy only prevents the user
from accessing the manual check through Settings. Use the steps in the previous section to also disable
scans, downloads, and installations.

IMPORTANT
Be sure to have a well-designed servicing strategy for your device. Disabling Windows Update capabilities leaves the
device in a vulnerable state if your device isn't getting updates in another way.

Completely Turn Off Windows Updates


You can configure Windows Update in several ways. As a general rule, IoT devices require special attention to
the servicing and management strategy to be used on the devices. If your servicing strategy is to disable all
Windows Update features, you have two possible approaches: you can turn off updates via Group Policy or
through the registry.

NOTE
Setting this policy also stops the device from getting updates from other machines on the local network. To confirm this
behavior, you can also turn off Delivery Optimization, which is the subsystem for getting updates from other devices on your
local network.

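The policies described in the sections above (active hours, disabling automatic updates, hiding the Windows Update UI, and turning off Delivery Optimization peering) all map to values under the Windows Update policy registry keys. The following is an added PowerShell example, not part of the original documentation: it writes those documented policy values and reads them back so a servicing strategy can be verified on the device. The sample kiosk schedule at the end is constructed; run it from an elevated session.

```powershell
# Added example (not from the Windows IoT Enterprise docs). Registry paths and value
# names are the documented locations the Group Policy settings write to.
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"
$DoPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Policy keys do not exist until a policy has been set, so create them on demand.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

function Set-ActiveHoursWindow {
    # Equivalent of "Turn off auto-restart for updates during active hours".
    # Hours are 0-23. Windows caps the window at ActiveHoursMaxRange (18 hours by
    # default), so a longer window will not be honoured as written.
    param([ValidateRange(0, 23)][int]$StartHour, [ValidateRange(0, 23)][int]$EndHour)
    Set-PolicyDword $WuPolicy 'SetActiveHours'   1
    Set-PolicyDword $WuPolicy 'ActiveHoursStart' $StartHour
    Set-PolicyDword $WuPolicy 'ActiveHoursEnd'   $EndHour
}

function Disable-AutomaticUpdates {
    # Equivalent of "Configure Automatic Updates" = Disabled. Only appropriate when
    # another servicing path (manual or device management) is in place.
    Set-PolicyDword $AuPolicy 'NoAutoUpdate' 1
}

function Disable-WindowsUpdateUI {
    # Equivalent of "Remove access to use all Windows Update features": hides
    # "Check for updates" from users but does NOT stop background scans by itself.
    Set-PolicyDword $WuPolicy 'SetDisableUXWUAccess' 1
}

function Disable-DeliveryOptimizationPeering {
    # DODownloadMode 0 = HTTP only; no peer-to-peer update sharing on the LAN.
    Set-PolicyDword $DoPolicy 'DODownloadMode' 0
}

function Get-WindowsUpdatePolicyState {
    # Reads back every value the functions above set, so the servicing strategy can be
    # verified on a device and compared against a baseline by a fleet-audit script.
    $read = {
        param($Path, $Name)
        if (Test-Path $Path) {
            (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        }
    }
    [pscustomobject]@{
        ActiveHoursEnforced      = (& $read $WuPolicy 'SetActiveHours') -eq 1
        ActiveHoursStart         = & $read $WuPolicy 'ActiveHoursStart'
        ActiveHoursEnd           = & $read $WuPolicy 'ActiveHoursEnd'
        AutomaticUpdatesOff      = (& $read $AuPolicy 'NoAutoUpdate') -eq 1
        UpdateSettingsUIHidden   = (& $read $WuPolicy 'SetDisableUXWUAccess') -eq 1
        DeliveryOptimizationMode = & $read $DoPolicy 'DODownloadMode'
        # Policy, not a stopped service, is the supported way to control updates; a
        # stopped wuauserv with no policy set points at the deprecated approach.
        UpdateServiceStatus      = (Get-Service -Name wuauserv).Status
    }
}

# Constructed sample: a kiosk that may only restart between 22:00 and 06:00 and whose
# users must not trigger manual update checks. Automatic updates stay enabled.
Set-ActiveHoursWindow -StartHour 6 -EndHour 22
Disable-WindowsUpdateUI
Get-WindowsUpdatePolicyState | Format-List
```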
Additional Resources
Update Notifications
Device Management
Application Updates
11/16/2021 • 2 minutes to read

OEMs and enterprise customers can deliver app updates to Windows IoT Enterprise devices in the following
ways:
Using Microsoft Store: The app is published and updated from the Microsoft Store.
Using Azure IoT Device Management: The app is published to Azure Storage and updated through the
Azure DM channel (new for Windows 10, version 1709).
Using OMA-DM: The app is updated using an OMA-DM compliant device management channel such as
Intune.
Using Device Update Center: The app is published to Windows Update and updated like any other OEM
package (driver package). This feature is coming soon for Windows IoT Enterprise; it is currently in private
preview. See Device Management for more information.

NOTE
The first version of the app is always pre-packaged in the device during image time. The
ApplicationManagement/AllowAllTrustedApps setting should be set for enabling installation of trusted apps.

Using the Microsoft Store


The Microsoft Store provides a unique and secure means to update the IoT Enterprise apps, independent of the
OS/OEM component updates.
This option is interesting for OEMs who have:
High update frequency: App update frequency higher than the driver updates, and app updates are
independent of drivers.
Third-party ISV developers: Third-party ISV developed app, managed with a different release schedule.
In this option, the apps that are pre-packaged need to be Microsoft Store compliant apps (store signed).
Managing Store app updates
The following settings on the device side control the updates from Windows Store.
ApplicationManagement/AllowStore: Enable/disable store.
ApplicationManagement/AllowAppStoreAutoUpdate: Enable auto update of all store apps.
Self-updates
Apps can be designed to control their own updates (either automatically or with user interaction with the
appx). Windows makes available APIs that give a developer the ability to query available updates, download
available updates, and install available updates.
See Download and install package updates for your app for more information on building this capability. In this
case, AllowAppStoreAutoUpdate should be disabled.

Using Azure IoT Device Management


Azure IoT Device Management (AzureDM) is a highly scalable management solution available on Windows IoT
Enterprise. See Application Management for the details of installing and updating applications via AzureDM.
Using OMA-DM
The OMA-DM interface is supported in Windows IoT Enterprise and any OMA-DM compliant management
solution can be used to install and update applications. Read the documentation for
EnterpriseModernAppManagement CSP for usage instructions.

Comparisons of various options


Item                    | Using Microsoft Store                          | Using AzureDM              | Using OMA-DM
Appx Signing            | Store Signed                                   | Store signed or OEM Signed | Store signed or OEM Signed
Distribution/Visibility | Store private (not available in store catalog) | Private                    | Private
Infrastructure          | Microsoft Store                                | Azure IoT / Storage        | OEM Infrastructure


Device Reset and Recovery
11/16/2021 • 4 minutes to read

This article will give you an overview on Device Reset and Device Recovery features.

Device Reset
Device reset is a process to restore the device to its initial conditions (with all user data removed). This is useful
when you want to wipe out the user data/enterprise provisioning data and bring the device back to its pristine
state.
Device reset includes the following key operations:
Formats the data partition (all data stored there is lost)
OEM custom packages should not store files/data in the data partition if they want to use device reset.
Restores all registry settings to the initial values specified in the packaging
Removes extraneous files in the Main OS partition, excluding the files specified in the packaging
Restores Microsoft Store apps to the version packaged in the image (via PPKG)
Store app updates performed via the Microsoft Store will be reverted
All changes to BCD settings performed at run-time will remain intact
All OS/OEM updates applied to the device will remain intact

NOTE
The Recovery process will also roll back the updates and put the device back to the factory condition.

Factory Reset

Factory reset restores the state of the device back to its first-boot state plus any update packages. The reset will
not return the device to the original factory state. To return the device to the original factory state, you must flash it
with the original factory image. All the provisioning applied to the device by the enterprise will be lost and will
need to be re-applied if needed.
Reset using Mobile Device Management

Device reset can be triggered using the RemoteWipe CSP.


Reset using Azure Device Management

Device reset can also be triggered through Azure Device Management using the Remote Wipe API.

NOTE
The reset through this API performs additional functionality such as resetting the TPM.

Device Recovery
Device recovery is a process to recover devices that have become inoperable due to an incorrect or bad storage state. This is done by
booting into a known safe OS or recovery OS and re-flashing the storage media.
The three key elements of recovery are:
1. Safe OS: This OS can be configured to launch on boot without UI, and in this state it can run a flashing app
to apply a recovery image from a predefined location.
2. Recovery SW: SW image used to re-flash the devices.
3. Recovery design choice: Based on the location of the Safe OS and the recovery software, various design
choices are available; see the various options below.

NOTE
This process does not recover from hardware failures of storage (e.g. catastrophic media failure).

Recovery using bootable USB


In this method, we boot the device from USB (with a bootable safe OS and the FFU) and flash the device with the
FFU present on the USB drive.
WinPE: Create USB bootable drive provides information on creating a bootable USB drive.
Deploy Windows using Full Flash Update (FFU) provides information on storing FFU files on USB.
Hardware Requirements:
Requires the device to have a USB port
May require a hardware key (or key combination) to trigger this
BSP Changes:
Requires changes to respond to the HW trigger (key/key combinations) to boot from USB
An alternative design choice is to always prioritize booting from USB, so there is no explicit need to
trigger this. However, this also means that any time a bootable USB is detected the device will enter this state.
Recovery using built-in safe OS
In this method, the device contains a safe OS in a separate partition. Based on the location of the recovery SW,
there are a few options. They are detailed below.
Recovery SW from USB device / SD card

In this option, the Recovery SW is picked up from the attached USB device/ SD card.
Hardware Requirements:
Requires either SD card interface or USB port (mass storage)
May require hardware key (or key combination) to trigger
BSP Changes:
Requires changes to respond to HW trigger (key/key combinations) to boot into the safe OS in separate
partition
Drivers for USB device / SD card interfaces may need to be added to Safe OS
Device layout changes to store safe OS (size can be smaller to accommodate only the safe OS)
Flashing tool to update only the main OS and Data partitions and skip updating the safe OS partition. This is
essential to preserve the safe OS to be able to retry recovery if there is a power loss during a recovery
process.
Recovery SW from recovery partition

This option is like the earlier option, the only difference being that the Recovery SW is stored in the recovery partition itself.
The device layout for this approach may differ in the size of the recovery partition (larger to accommodate the
Recovery SW and potentially a backup Recovery SW).
TIP
A Recovery SW present in the device will become outdated over time, and the OS version after the recovery may fall off
the update train. One way to mitigate this issue is to refresh the Recovery SW image on the device using the BSP update
path on a yearly cadence.

Recovery SW from cloud

In this option, the Recovery SW is downloaded from a predefined cloud service/web location. The cloud service
needs to be set up so that it can securely offer the Recovery SW to the device. To realize this option, the safe OS
must support network connectivity, so Wi-Fi drivers need to be added to the safe OS, and in addition to that, the
Wi-Fi profile in the main OS should also be made available to the safe OS to connect to the network.

Additional Resources:
Windows 10 Recovery Options
Network Service Controls
11/16/2021 • 2 minutes to read

NOTE
Microsoft is increasing transparency by categorizing the data we collect as required or optional. For more information, see
Changes to Windows diagnostic data.

Learn how to manage various network service control options in Windows IoT Enterprise. If you want to
minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of
settings for consideration.
This list displays the network connections to Microsoft services by default and shows you how to configure
these settings to control the data that is sent to Microsoft.

TIP
Microsoft strongly recommends that customers not turn off all network connections unless absolutely necessary, as
crucial security patches and updates may be missed, leaving devices vulnerable. Instead, it is recommended that customers
manage their network service controls and pick and choose which connections (if any) to disable.

Additional Resources
Manage Settings for Windows IoT Enterprise
Configure Windows diagnostic data in your organization
TPMPolicy CSP
Bus Providers
11/16/2021 • 2 minutes to read

Windows has in-box UWP APIs that provide direct access to GPIO, SPI, or I2C busses. This gives very easy access
to this hardware from a high-level API. However, there are many times when a device maker wants to use an off-
SoC controller to access a bus. It can be as simple as a cheap chip that adds 16 GPIO pins, or as rich as a full
MCU that not only adds GPIO, SPI, and I2C pins, but also supports PWM and ADC. With the "Bus Provider"
model, we give developers the ability to access these off-SoC busses using the in-box APIs, using a user-mode
provider that bridges the gap.
Someone building a provider implements a set of interfaces into a UWP class library and then any developer
who wants to talk to that hardware simply includes the component and tells the in-box APIs about it. If you look
at the sample code from the remote provider you can see how easy it is to configure the provider, and once set
as the default provider for that app, the rest of the code in the client app is identical to the code required to
access an on-SoC bus.

// Configure the remote (off-SoC) provider with the USB VID/PID and baud rate of the bridge device,
// then register it as the default provider so the in-box APIs route through it.
Providers.Provider.Configuration =
    new Providers.ConnectionConfiguration("VID_2341", "PID_0043", 57600);
Windows.Devices.LowLevelDevicesController.DefaultProvider = new Providers.Provider();

// From here on, the client code is identical to the on-SoC case.
gpioController = await GpioController.GetDefaultAsync();
i2cController = await I2cController.GetDefaultAsync();
adcController = await AdcController.GetDefaultAsync();
pwmController = await PwmController.GetDefaultAsync();

GpioPin pin = gpioController.OpenPin(LED_PIN, GpioSharingMode.Exclusive);

Available Providers
We currently have a number of providers available on the Bus Providers GitHub repo. In addition to the code for
the provider, each provider has a sample VS solution that demonstrates how a client would use that provider.
ADC
Ads1x15
Mcp3008
PWM
PCA9685
Simulated with Gpio
In addition to the providers that give you access to real hardware, we have built a Simulated Provider that
acts as if it were an infinitely capable provider and is designed to let you write and debug your applications
without having to first deploy them to a working device. For a richer experience, you can customize it to
simulate your actual hardware. For example: updating the I2c provider to return the result "75" when you
send it the command for a temperature reading on a device with the designated secondary address.

Additional Resources
Additional bus tools, sample code, and building and testing on I2C, SPI, GPIO, MinComm/UART can be found
here.
Please reference Windows Runtime (WinRT) APIs, and here's how to leverage the APIs from Win32 applications.
Review Windows Bus Providers
Device Drivers
11/16/2021 • 2 minutes to read

Device drivers are essential for any IoT device. This section outlines how to write device drivers, how driver
signing works in Windows IoT Enterprise (this is different from traditional client signing), and how to add device
drivers to images.

How to Write Device Drivers


Windows contains built-in drivers for many device types. If there is a built-in driver for your device type, you do
not need to write your own driver. Your device can use the built-in driver. However, if you need to write a device
driver for your device, please leverage the programming reference for the Windows Driver Kit (WDK).

Device Signing
With Windows IoT Enterprise, you have two options on how to get your driver signed off by Microsoft. The first
is the traditional client signing process and the second is attestation signing.
Traditional Client Signing
For typical traditional client signing, if you are unfamiliar with the device and driver installation process, we
recommend that you start by reviewing Roadmap for Device and Driver Installation. You may also want to read
Overview of Device and Driver Installation for a high-level overview of this process and its components.
Attestation Signing
Follow this article to learn how attestation signing works for a kernel driver for public release.

NOTE
When a driver receives attestation signing, it is not Windows Certified. An attestation signature from Microsoft indicates
that the driver can be trusted by Windows, but because the driver has not been tested in HLK Studio, there are no
assurances made around compatibility, functionality, etc.

How to Add Device Drivers to Images


With Windows IoT Enterprise, you can add device drivers to a Windows image before, during, or after you
deploy the image. When planning how to add drivers to your Windows deployment, it's important to
understand how driver folders are added to the image, how driver ranking affects deployment, and the digital
signature requirements for drivers. To understand more about how to add drivers, check out the following
article, Device Drivers.
Embedded mode
11/16/2021 • 2 minutes to read

Embedded Mode is a Win32 service. In Windows it only starts if the user, an application, or another service
starts it. When the Embedded Mode service is started, it runs as LocalSystem in a shared process of
svchost.exe along with other services. Embedded Mode is supported on Windows IoT Enterprise.
Embedded Mode enables:
Background Applications
Use of the lowLevelDevice capability
Use of systemManagement capability

Enable Embedded Mode


To enable embedded mode, you will need to create a provisioning package in Imaging and Configuration
Designer (ICD) that sets AllowEmbeddedMode=1. To install ICD, you need to download and install the Windows
ADK for Windows 10.
Download the Windows ADK for Windows 10
Learn about what's new in the Windows ADK for Windows 10
1. When installing the ADK, select Imaging and Configuration Designer (ICD).
2. After installation is complete, run Windows Imaging and Configuration Designer (WICD).
3. Click Advanced provisioning. Name the project AllowEmbeddedMode and click Next.
4. Choose common to All Windows editions, then click Next.
5. Click Finish.
6. In the search box type EmbeddedMode and then click on AllowEmbeddedMode.
7. In the center pane set the value of AllowEmbeddedMode to Yes.
8. Click Export > Provisioning Package.
9. Click Next.
10. Click Next.
11. Click Next.
12. Click Build.
13. To install the embedded mode .PPKG on Windows IoT Enterprise, double-click on the .PPKG.
14. Click Yes, add it.
Click Yes on the LUA dialog if it appears, and then click Yes, add it on the dialog shown below.
Background Applications
Background Applications are created using the Background Application (IoT) template in Visual Studio.
Background applications run without stopping and without resource limits. Also, if the background application
stops for some reason and embedded mode is enabled the background application will be restarted by the
system.
While the system will automatically restart background applications, system lockdown features must be enabled
to prevent users from stopping or interfering with the operation of Background Applications.

lowLevel device Capability and lowLevelDevice capability


The lowLevel device Capability gives access to low-level hardware interfaces like GPIO, SPI, and I2C.
Blinky Sample(GPIO)
Accelerometer Sample
The lowLevelDevices Capability allows apps to access custom devices when a number of additional
requirements are met. This capability should not be confused with the lowLevel device capability, which allows
access to GPIO, I2C, SPI, and PWM devices.
Refer to App capability declarations for details.

systemManagement Capability
When you enable the systemManagement capability for your application, this is the set of APIs that gets
unlocked:
Windows.System.ProcessLauncher
Windows.System.TimeZoneSettings
Windows.System.ShutdownManager
Windows.Globalization.Language.TrySetInputMethodLanguageTag

Debugging Background Applications


If you are debugging on a device and you see either of the following error messages you need to ensure
AllowEmbeddedMode is enabled on the device and that the Embedded Mode service is running:
There are no more endpoints available from the endpoint mapper.
This program is blocked by group policy. For more information, contact your system administrator.
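Both conditions the debugging section names (AllowEmbeddedMode applied and the Embedded Mode service running) can be checked from a script before a Background Application is deployed. The following is an added PowerShell example, not part of the original documentation; it assumes the service is registered under the name embeddedmode and that the .PPKG path is the one your own ICD project produced (the path shown is a placeholder).

```powershell
# Added example (not from the Windows IoT Enterprise docs). Assumption: the Embedded
# Mode service's short name is 'embeddedmode'; adjust if Get-Service reports otherwise.
function Test-EmbeddedModeReady {
    # Returns an object a build or test script can assert on before deploying a
    # Background Application; both RPC/endpoint-mapper and group-policy errors from
    # the debugging section correspond to Ready being $false.
    $svc = Get-Service -Name 'embeddedmode' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceInstalled = $null -ne $svc
        ServiceStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
        ServiceStartType = if ($svc) { $svc.StartType.ToString() } else { 'NotFound' }
        Ready            = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    }
}

function Install-EmbeddedModePackage {
    # Applies the AllowEmbeddedMode .ppkg from an elevated session. -QuietInstall
    # suppresses the "Yes, add it" consent prompt from the steps above, so use it only
    # for packages your own deployment pipeline produced.
    param([Parameter(Mandatory)][string]$PackagePath)
    if (-not (Test-Path $PackagePath)) { throw "Provisioning package not found: $PackagePath" }
    Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall -ForceInstall
}

$state = Test-EmbeddedModeReady
if (-not $state.Ready) {
    Write-Warning "Embedded Mode is not active (service: $($state.ServiceStatus))."
    # Remediation, with a placeholder package path:
    # Install-EmbeddedModePackage -PackagePath 'C:\Deploy\AllowEmbeddedMode.ppkg'
    # Start-Service -Name 'embeddedmode'
}
$state
```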
On-screen keyboard
11/16/2021 • 7 minutes to read

Windows IoT Enterprise provides developers with many on-screen keyboard features to enhance the user
experience.

Key features
The keyboard implementation provides the following benefits to your headed device development:
Enable On-Screen Keyboard
The entire set of Windows keyboard language layouts
Support for input scopes (e.g., Email Address, Numeric PIN, Search Field, etc.)
Input Method Editor (IME)
Non-obscured text input fields
Dictation mode
A selection of user interface preferences

Enable On-Screen Keyboard


Windows has a built-in Ease of Access tool called the On-Screen Keyboard that can be used instead of a physical
keyboard. You don’t need a touchscreen to use the On-Screen Keyboard. It displays a visual keyboard with all
the standard keys, so you can use your mouse or another pointing device to select keys, or use a physical single
key or group of keys to cycle through the keys on the screen.
To open the On-Screen Keyboard
Go to Start, then select Settings > Ease of Access > Keyboard, and turn on the toggle under Use the On-Screen
Keyboard. A keyboard that can be used to move around the screen and enter text will appear on the
screen. The keyboard will remain on the screen until you close it.

NOTE
To open the On-Screen Keyboard from the sign-in screen, select the Ease of Access button in the lower-right corner of
the sign-in screen, and then select On-Screen Keyboard .

To change how info is entered into the On-Screen Keyboard


With the On-Screen Keyboard open, select the Options key, and choose the options you want:
Use click sound. Use this option if you want to hear a sound when you press a key.
Show keys to make it easier to move around the screen. Use this option if you want the keys to
light up as you type.
Turn on numeric keypad. Use this option to expand the On-Screen Keyboard to show a numeric
keypad.
Click on keys. Use this mode if you prefer to click or tap the on-screen keys to enter text.
Hover over keys. Use this mode if you use a mouse or joystick to point to a key. The characters you
point to are entered automatically when you point to them for a specified time.
Scan through keys. Use this mode if you want the On-Screen Keyboard to continually scan the
keyboard. Scan mode highlights areas where you can type keyboard characters by pressing a keyboard
shortcut, using a switch input device, or using a device that simulates a mouse click.
Use Text Prediction. Use this option if you want the On-Screen Keyboard to suggest words for you as
you type so you don't need to type each complete word.

NOTE
Text Prediction is available in English, French, Italian, German, and Spanish. If you want to use one of these languages
and it isn't installed, install the language files for that language.
If you're using either hovering mode or scanning mode and accidentally minimize the On-Screen Keyboard, you can
restore it by pointing to it in the taskbar (for hovering mode) or by pressing the scan key (for scanning mode).
If you minimize the On-Screen Keyboard and switch to tablet mode, use the Task view button to get back to the
On-Screen Keyboard.

Feature packages
For prototyping (development) images, the on-screen keyboard feature is already included, but you will need to
enable it from Device Settings in the Windows Device Portal.
For commercialization, the following optional feature packages will add the on-screen keyboard to your image:
IOT_SHELL_ONSCREEN_KEYBOARD
IOT_SHELL_ONSCREEN_KEYBOARD_FOLLOWFOCUS

Windows keyboard language layouts


With this release, the supported language layouts have expanded to include the full set of those available in the
desktop Windows edition. To allow your users to select between different language layouts, you would typically
include selection UI in your application's Settings area. The following API is provided to enable your application
to set the language that the on-screen keyboard will use:
Windows.Globalization.Language.TrySetInputMethodLanguageTag
An example of this API can be seen in the IoTCoreDefaultApp sample application, in the LanguageManager.cs file.

Support for input scopes


In previous releases, only the EmailSmtpAddress input scope was available. In this release, the full set of input
scopes is available. The following topic explains input scopes and how to use them in your applications:
Use input scope to change the touch keyboard

Input Method Editor (IME)


This release provides an Input Method Editor, which is required for any language that has more graphemes than
there are keys on the keyboard, such as Chinese, Japanese, and Korean.

Non-obscured text input fields


In previous releases, the touch keyboard might obscure the focused text field so that the user was unable to see
what they were typing. This release fixes this problem by automatically scrolling the text field into view so that
it's no longer obscured by the touch keyboard.
Dictation mode
When the input language is set to the OS language, which is the default, the voice recognition input feature is
available. To show the dictation button in the keyboard, refer to the following section on User Interface
configuration.

User Interface configuration


The on-screen keyboard provides several configurable options for its user interface. These are configured via the
registry. During development, you can use PowerShell or Secure Shell (SSH). For creating an OEM image, the
preferred mechanism for setting registry values is the OEMInput.xml file discussed here:
Runtime customizations

NOTE
Most of the registry settings documented here will take effect while the on-screen keyboard is visible. This allows you
during development to easily try different combinations of settings values, immediately seeing the resulting changes in
real time. If a setting does not take effect immediately, you will need to reboot the device in order to see the changes to
the keyboard UI.

Keyboard Height
By default, the touch keyboard will use the lower 45% of the screen's height. This may appear too large or too small
on your device, depending on its size and resolution. You can adjust the height up to a maximum of two-thirds of
the height of the screen. Any value not in range will be clamped into range. Because this is specified as a floating
point value, it allows for pixel-level precision.
Apply the following formula to calculate the percentage:
percentage = (100 * <desired_pixel_height>) / <screen_height>

As an example, to change the height to 56.783%, you would set the following registry value:

set OskRootKey=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\IoTShellExtension\OSK


reg.exe ADD "%OskRootKey%" /v MaxHeightPercentage /t REG_SZ /d "56.783" /f

or from PowerShell:

set OskRootKey "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\IoTShellExtension\OSK"


cd $OskRootKey
Set-ItemProperty -Path . -Name MaxHeightPercentage -Type String -Value 56.783

NOTE
The registry value type must be a String (REG_SZ), so that fractional values can be represented with a decimal point.
Using DWord (REG_DWORD) will not work, even for whole-number percentages.

Additional preferences
The remaining preferences are String values in the Preferences subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\IoTShellExtension\OSK\Preferences

Registry Value             | Default Value      | Description
AudioFeedback_Disabled     | "0"                | "0" enables the key click audio feedback; "1" disables it.
Dictation_Disabled         | "1"                | "0" shows the dictation (voice recognition) button; "1" hides it. (see note below)
KeyboardModeEnabled_full   | "0"                | "0" disables the full keyboard mode; "1" enables it.
KeyboardModeEnabled_narrow | "1"                | "0" disables the narrow keyboard mode; "1" enables it.
KeyboardModeEnabled_wide   | "1"                | "0" disables the wide keyboard mode; "1" enables it.
ModeOrder                  | "wide;narrow;full" | The order (from left to right) in which the modes are listed in the mode drop-down menu, if enabled.
SettingsMenuKey_Collapsed  | "0"                | Hides the mode drop-down menu. Set this to "1" if only one mode is enabled.
Paste_Disabled             | "0"                | "0" shows the Paste button; "1" hides it. Change takes effect after reboot.
CloseButton_Disabled       | "0"                | "0" shows the Close button; "1" hides the Close button. Change takes effect after reboot.
EmojiKeyEnabled            | "0"                | "0" hides the Emoji key; "1" shows it, allowing the user to enter Emoji characters.

NOTE
Dictation mode requires a speech package to be installed for the selected input language, as well as an audio input device.
If a matching speech package is not installed, the dictation button will not be shown.
All images include the en-US speech language. Other speech packages are installed as optional features. For more
information about IoT features, see IoT Core Feature List and IoT Core manufacturing guide.

As an example, to enable only wide keyboard mode, in PowerShell you could do the following:

set OskRootKey "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\IoTShellExtension\OSK"


cd $OskRootKey
mkdir Preferences
cd Preferences
Set-ItemProperty . -Name KeyboardModeEnabled_full -Value "0" # Optional, since the default is "0"
Set-ItemProperty . -Name KeyboardModeEnabled_narrow -Value "0"
Set-ItemProperty . -Name KeyboardModeEnabled_wide -Value "1" # Optional, since the default is "1"
Set-ItemProperty . -Name SettingsMenuKey_Collapsed -Value "1"
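Putting the height formula and the Preferences table together, the following is an added PowerShell example, not part of the original documentation: it derives MaxHeightPercentage from a pixel height, enforces the two-thirds limit and the REG_SZ type requirement described above, accepts only the documented preference names and values, and reads the effective configuration back. The key paths and value names are the documented ones; the functions and the 1080 px sample display are constructed.

```powershell
# Added example (not from the Windows IoT Enterprise docs). Key paths and value names
# are those documented above; the helper functions are ours.
$OskRootKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\IoTShellExtension\OSK'
$OskPrefKey = "$OskRootKey\Preferences"

# Preference names and the values they accept, taken from the Preferences table.
$KnownPrefs = @{
    AudioFeedback_Disabled     = @('0', '1')
    Dictation_Disabled         = @('0', '1')
    KeyboardModeEnabled_full   = @('0', '1')
    KeyboardModeEnabled_narrow = @('0', '1')
    KeyboardModeEnabled_wide   = @('0', '1')
    SettingsMenuKey_Collapsed  = @('0', '1')
    Paste_Disabled             = @('0', '1')
    CloseButton_Disabled       = @('0', '1')
    EmojiKeyEnabled            = @('0', '1')
    ModeOrder                  = $null   # free-form: semicolon-separated order of wide, narrow, full
}

function Get-OskHeightPercentage {
    # percentage = (100 * desired_pixel_height) / screen_height, clamped to the
    # two-thirds maximum the keyboard enforces, rounded to three decimals.
    param([int]$DesiredPixelHeight, [int]$ScreenHeight)
    if ($ScreenHeight -le 0 -or $DesiredPixelHeight -le 0) { throw 'Heights must be positive pixel counts' }
    $pct = (100.0 * $DesiredPixelHeight) / $ScreenHeight
    $max = 200.0 / 3.0
    if ($pct -gt $max) {
        Write-Warning "$pct% exceeds two-thirds of the screen height; clamping to $max%"
        $pct = $max
    }
    [math]::Round($pct, 3)
}

function Set-OskMaxHeight {
    param([int]$DesiredPixelHeight, [int]$ScreenHeight)
    $pct = Get-OskHeightPercentage $DesiredPixelHeight $ScreenHeight
    if (-not (Test-Path $OskRootKey)) { New-Item -Path $OskRootKey -Force | Out-Null }
    # Must be REG_SZ with a '.' decimal point regardless of the device locale; a DWORD is ignored.
    $text = $pct.ToString([System.Globalization.CultureInfo]::InvariantCulture)
    Set-ItemProperty -Path $OskRootKey -Name MaxHeightPercentage -Type String -Value $text
    $text
}

function Set-OskPreference {
    param([string]$Name, [string]$Value)
    if (-not $KnownPrefs.ContainsKey($Name)) { throw "Unknown OSK preference: $Name" }
    $allowed = $KnownPrefs[$Name]
    if ($allowed -and ($allowed -notcontains $Value)) {
        throw "$Name accepts only $($allowed -join ' or ')"
    }
    if (-not (Test-Path $OskPrefKey)) { New-Item -Path $OskPrefKey -Force | Out-Null }
    Set-ItemProperty -Path $OskPrefKey -Name $Name -Type String -Value $Value
}

function Get-OskConfig {
    # Reads back the effective configuration; a missing value means the default applies.
    $root = if (Test-Path $OskRootKey) { Get-ItemProperty -Path $OskRootKey } else { $null }
    $pref = if (Test-Path $OskPrefKey) { Get-ItemProperty -Path $OskPrefKey } else { $null }
    [pscustomobject]@{
        MaxHeightPercentage = $root.MaxHeightPercentage
        Preferences         = $KnownPrefs.Keys | Sort-Object | ForEach-Object {
            [pscustomobject]@{ Name = $_; Value = $pref.$_ }
        }
    }
}

# Constructed sample: a 1080 px tall display, keyboard 420 px high, wide mode only
# (so the mode drop-down is collapsed, as the table recommends).
Set-OskMaxHeight -DesiredPixelHeight 420 -ScreenHeight 1080
Set-OskPreference KeyboardModeEnabled_narrow '0'
Set-OskPreference KeyboardModeEnabled_full   '0'
Set-OskPreference SettingsMenuKey_Collapsed  '1'
Get-OskConfig
```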
Additional Resources
Use the On-Screen Keyboard to type
On-screen keyboard for headed devices
An Overview of Accessibility for Windows IoT Enterprise
11/16/2021 • 4 minutes to read

Introduction
Accessibility enables people of all abilities to intuitively and efficiently leverage all the functionality that your
applications or devices offer, regardless of how a person interacts with your application or device.
It is essential that accessibility is considered during the design phase of the product, as this will avoid many
potential accessibility-related bugs. For example, during the design phase, consideration around the colors used
and the size of text (and how those might be customized by the user) can help a great many customers. For
devices with a keyboard, the design phase should also consider how the keyboard can be used to reach all the
functionality in the product, and how to reach the most frequently used functionality with the fewest
keystrokes.
For the developer, the good news from an implementation perspective is that Windows as a platform already
does a lot of work to provide some level of accessibility by default. For example, standard controls are
programmatically accessible by default through the UI Automation (UIA) API. If you choose not to use a standard
control and instead build custom UI, the work required to make the UI accessible can be much more time-
consuming than simply building apps using the standard controls provided by the platform.

Accessibility Testing
Below are tools we recommend using while building your application. While these tools will help when it comes
to auditing your own designs, please note that you will still need to account for features such as high contrast
and text requirements.
AccScope
The AccScope tool enables developers and testers to evaluate the accessibility of their app during the app's
development and design, potentially in earlier prototype phases, rather than in the late testing phases of an
app's development cycle. It's intended for testing Narrator accessibility scenarios with your app.
Inspect
Inspect enables you to select any UI element and view its accessibility data. You can view Microsoft UI
Automation properties and control patterns and test the navigational structure of the automation elements in
the UI Automation tree. Use Inspect as you develop the UI to verify how accessibility attributes are exposed in UI
Automation. In some cases, the attributes come from the UI Automation support that is already implemented for
default XAML controls. In other cases the attributes come from specific values that you have set in your XAML
markup, as AutomationProperties attached properties.
Want to learn more about accessibility testing? Read the Accessibility testing article for the full list.

Accessibility in UWP apps


The UWP team at Microsoft has put together a comprehensive guide on accessibility for UWP app design and
development. For your convenience, we've included the list below, but you can also learn more by reading our
overview on accessibility.
In addition, an introduction to the UI Automation API and some tools available to help you learn about the
programmatic representation of your UI, is available below.

ARTICLE: DESCRIPTION

Designing inclusive software: Learn about evolving inclusive design with UWP apps for Windows 10. Design and build inclusive software with accessibility in mind.

Developing inclusive Windows apps: This article is a roadmap for developing accessible UWP apps.

Accessibility checklist: Provides a checklist to help you ensure that your UWP app is accessible.

Expose basic accessibility information: Basic accessibility info is often categorized into name, role, and value. This topic describes code to help your app expose the basic information that assistive technologies need.

Keyboard accessibility: If your app does not provide good keyboard access, users who are blind or have mobility issues can have difficulty using your app or may not be able to use it at all.

High-contrast themes: Describes the steps needed to ensure your UWP app is usable when a high-contrast theme is active.

Accessible text requirements: This topic describes best practices for accessibility of text in an app, by assuring that colors and backgrounds satisfy the necessary contrast ratio. This topic also discusses the Microsoft UI Automation roles that text elements in a UWP app can have, and best practices for text in graphics.

Accessibility practices to avoid: Lists the practices to avoid if you want to create an accessible UWP app.

Custom automation peers: Describes the concept of automation peers for Microsoft UI Automation, and how you can provide automation support for your own custom UI class.

Accessibility Features
Windows IoT Enterprise includes accessibility features that can be integrated to further support users with vision,
hearing, physical, and cognitive needs, along with assistive technology. This additional support makes it easier to
customize devices and gives users with different abilities options to improve their experience with Windows.

General Recommendations
Be aware of Ease of Access settings – Understand how these devices are being used. Help people in your
organization learn how they can customize Windows IoT Enterprise.
Do not block settings – Avoid using Group Policy or MDM settings that override Ease of Access settings.
Encourage choice – Allow for device customization based upon needs. That might mean installing an add-
on for a browser, or a non-Microsoft assistive technology.

Additional Resources
Accessibility Information for IT Professionals
Windows Accessibility
Privacy
11/16/2021 • 2 minutes to read • Edit Online

Windows IoT Enterprise provides users with many privacy options and features.

Privacy Features
With Windows IoT Enterprise, we provide you with even more control over your data and information. Please
review Windows 10 & Privacy Compliance: A Guide for IT and Compliance Professionals for more features.

Manage your Data


Under privacy settings, you can now delete the diagnostic data your device has sent to Microsoft. You can also
view this diagnostic data using the Diagnostic Data Viewer application.

End-User Privacy Policy Standard


In some cases, you may configure default settings and features on your customer's system on behalf of the end-
user.
However, if you turn on these settings and features by default or if diagnostics are above the basic setting, you
must:
Notify the end-user that these features have been enabled, and provide the end-user with the link to
Microsoft's Privacy Statement web page.
Secure consent from the relevant end user to enable such features by default (as required by applicable law).
Provide end-users the ability to change the Diagnostics setting back to the basic setting.
If you enable Microsoft Accounts and you have access to end-user data, and the end user deletes the Microsoft
Account, you must enable simultaneous deletion of all the end-user's Microsoft Account data on the device.

Additional Resources
Windows Privacy
Microsoft's Privacy Statement if you have any questions or concerns.
Security
11/16/2021 • 5 minutes to read • Edit Online

Windows IoT Enterprise comes with a host of security offerings that you can leverage to best fit your Windows
IoT Enterprise solution.

Microsoft Security Response Center


The world is more connected today than it has ever been. Technology is wound deep into our lives and has
become part of our routine. With great advances, we have also seen a greater dynamic playing out between
threat actors and the defenders. The Microsoft Security Response Center (MSRC) is part of the defender
community and on the front line of security response evolution. For over twenty years MSRC has been working
to improve security for our customers, learning from both successes and failures. Time has only reasserted
MSRC's commitment to better protect customers and the broader ecosystem.
MSRC's mission is to protect customers from being harmed by security vulnerabilities in Microsoft's products
and services. By building your solution with Windows IoT Enterprise, you have Microsoft Security Response
Center's commitment towards security. Please review their Security Update Guide to ensure your devices are
up-to-date and secured.

Comprehensive Security Features


Windows IoT Enterprise brings Enterprise security to your IoT devices.
Windows IoT Enterprise is built on a five-point comprehensive security platform:
1. Device protection
2. Threat Resistance
3. Data Protection in Motion
4. Cloud Security
5. Response

1. Device Protection
Windows Security provides the following built-in security options to help protect your device from malicious
software attacks. Like they say, a strong defense is a strong offense.
Trusted Platform Module (TPM)

Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A
TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes
multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper
with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
Generate, store, and limit the use of cryptographic keys.
Use TPM technology for platform device authentication by using the TPM's unique RSA key, which is burned
into the TPM itself.
Help ensure platform integrity by taking and storing security measurements.
Windows Device Health Attestation

Modern malware is getting more and more sophisticated. Some of them, specifically bootkits, are capable of
starting before Windows. Device Health Attestation can be used to detect and remediate in the unlikely event
that a device is infected. The device's firmware logs the boot process, and Windows can send it to a trusted
Health Attestation Server that can objectively assess the device's health.
Secure Boot

Secure boot is a security standard developed by members of the PC industry to help make sure that a device
boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts,
the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known
as Option ROMs), and the operating system. If the signatures are valid, the PC boots, and the firmware gives
control to the operating system.
The OEM can use instructions from the firmware manufacturer to create Secure boot keys and to store them in
the PC firmware. When you add UEFI drivers, you'll also need to make sure these are signed and included in the
Secure Boot database.
For information on how the secure boot process works, including Trusted Boot and Measured Boot, see Secure
the Windows boot process.
BitLocker

Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long
history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the
Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided
encryption for full drives and portable drives. Windows consistently improves data protection by improving
existing options and by providing new strategies. To learn more, see BitLocker Overview and Requirements FAQ.

2. Threat Resistance
We provide a set of security tools for Windows to protect against a wide range of threats: execution of
unauthorized code and scripts, network attacks, and malware. Effectively identifying, assessing, and remediating
endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat
and vulnerability management serves as an infrastructure for reducing organizational exposure, hardening
endpoint surface area, and increasing organizational resilience.
Windows Defender Firewall

Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules
that determine which network traffic is permitted to enter the device from the network and which network
traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol
security (IPsec), which you can use to require authentication from any device that is attempting to communicate
with your device. When authentication is required, devices that cannot be authenticated as a trusted device
cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted
to prevent it from being read by network packet analyzers that could be attached to the network by a malicious
user.
Deployment Guide
Best Practices
Windows Defender

Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection,
automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects
advanced attacks and data breaches, automates security incidents, and improves security posture.

3. Data Protection in Motion


Data Protection covers control of data at rest, in transit, and via authorized access mechanisms. This
includes discovering, classifying, protecting, and monitoring sensitive data assets using access control, encryption, and
logging.
X.509 / TLS-Based Handshake and Encryption

Transport Layer Security (TLS), like Secure Sockets Layer (SSL), is an encryption protocol intended to keep data
secure when being transferred over a network. These articles describe steps required to ensure that
Configuration Manager secure communication uses the TLS 1.2 protocol.

4. Cloud Security
Microsoft Azure includes tools to safeguard data according to your company's security and compliance needs.
To learn more, visit Azure Security.

5. Response
Microsoft has all the tooling to provide immediate support and assistance.
Device Management

Microsoft provides a whole suite of device management solutions to keep your devices safe and monitor activity
at all times. Managing a device is now easier than ever on Windows IoT Enterprise. There are multiple options
that your organization can choose from in order to best manage your devices, such as Microsoft Intune,
Endpoint Manager and third-party OMA-DM based management tools. OEMs can also select Azure Device
Agent, which leaves it up to their customers to select the device management solution that fits them best.
Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP
Device Recovery

In case something goes wrong with your device, Windows IoT Enterprise supports two device recovery
options:
Option #1: Isolate the device using device management tools or network settings
Option #2: Reimage the device back to factory settings.
Windows IoT Device Health Attestation enables the operator to assess if a device is booted to a trusted and
compliant state, and takes appropriate remedial actions if necessary.

Additional resources
Azure Security Center
Azure Security Benchmark
Licensing & Usage
11/16/2021 • 4 minutes to read • Edit Online

In order to start your journey with Windows IoT Enterprise, you'll need to get a license.
You can retrieve a license by contacting a Windows IoT Distributor or use the Windows Enterprise 90 day
Evaluation.

Distributors
Microsoft offers many Windows IoT and Embedded SKUs. Authorized distributors of Windows IoT products can
help you pick the right SKU for your hardware and your budget by leveraging their development experiences,
and knowledge, to help you build secure and connected Windows IoT solutions. If you would like to work with
one of our distributors, please select a distributor in your region and contact the distributor directly for more
details.
Fixed purpose devices
Windows is well known as the operating system for laptops and desktops that have been used by consumers
and businesses worldwide for decades. Windows also powers many ATM machines, point-of-sale terminals,
industrial automation systems, thin clients, medical devices, digital signage, kiosks, and other fixed purpose
devices. Windows IoT Enterprise allows you to build these fixed purpose devices with specific allowances and
restrictions in the license agreement.

TIP
See your licensing agreement for complete guidance on all Windows IoT Enterprise usage scenarios. If you are an end-
user customer, your OEM should have provided you with the terms in an agreement. If you are an OEM, you can direct
questions to your distributor regarding your specific licensing agreement.

A fixed purpose device differs from a general-purpose device in the following ways:
The device is locked down to a single application or fixed set of applications through the Assigned Access or
Shell Launcher features.
The device experience is often immediate when the customer powers on. This is achieved by configuring the
device image to skip the normal Windows out-of-box experiences.
Keyboards, USB ports, and device policies can be locked down to constrain the device to be used only in its
fixed purpose.
The IoT Device OEM licenses the device to the user with the software attached to the device as a complete
product and passes through specific Windows terms in their own IoT OEM agreements.
The OEM provides the customer support for their complete product, including the functions performed by
the operating system.
NOTE
There are currently two release channels for Windows 10 IoT Enterprise:
The Semi-Annual Channel receives feature updates twice per year and provides support for 18-30 months.
The Long Term Servicing Channel, which is designed to be used only for specialized devices (which typically don't run
Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to
three years and provides support for 10 years.
There is currently one annual release channel for Windows 11 IoT Enterprise - please see Windows 11 servicing and
Windows for IoT Product Lifecycle for more information.

Semi-Annual Channel (SAC)


In the Semi-Annual servicing channel, feature updates are available as soon as Microsoft releases them. This
servicing model is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as
developers who need to work with the latest features immediately. Once the latest release has gone through
pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment.
Please review Semi-Annual Servicing Channel for more information.

Long-term Servicing Channel (LTSC)


Specialized systems, such as PCs that control medical equipment, point-of-sale systems, and ATMs, often require
a longer servicing option because of their purpose. These devices typically perform a single important task and
don’t need feature updates as frequently as other devices in the organization. For these fixed-purpose devices,
we recommend the long-term servicing channel, since it’s more important that these devices be kept as stable
and secure as possible than that they be up to date with UI changes. The LTSC servicing model prevents
Windows 10 IoT Enterprise LTSC devices from receiving the usual feature updates and provides only quality
updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately
available to Windows 10 IoT Enterprise LTSC clients, but customers can choose to defer them by using a
servicing tool.
Please review Long-term Servicing Channel for more information.
LTSC Model
Microsoft makes available a new Windows 10 IoT Enterprise LTSC release approximately every three years. Each
Windows 10 IoT Enterprise LTSC release is its own SKU and contains all the new capabilities and support
updates included in the Windows 10 IoT Enterprise features updates since the previous LTSC release. To access
these feature updates, a new Windows 10 IoT Enterprise LTSC SKU license must be purchased. For example, to
get access to the new security, deployment, and management updates and features released since the launch of
Windows 10 IoT Enterprise 2016 LTSC, a license for Windows 10 IoT Enterprise 2019 LTSC must be purchased,
and an update applied to the device. Please note that due to the long life of the LTSC releases and the benefit of
remaining on a specific release for 10 years, an upgrade fee will be charged for customers moving from one
LTSC release to another.
Please review the Fixed Lifecycle Policy for more information.
Windows for IoT Releases
Please visit the Windows for IoT product lifecycle for more information on each product's latest releases and
servicing information.

Activation Guide
After you purchase your license and receive your keys for Windows IoT Enterprise, please make sure you get
yourself a copy of the Activation Guide. You can retrieve this document either by reaching out to your distributor
or by accessing it through your Device Partner Center account.

Additional Resources
Windows IoT Enterprise Manufacturing Guide
Windows Servicing
Servicing Channels
Windows 10 IoT Enterprise Manufacturing Guide
11/16/2021 • 2 minutes to read • Edit Online

We offer a Manufacturing Guide to help you walk through how to build, set-up, and commercialize your
Windows 10 IoT Enterprise devices.

Labs
In addition to our documentation set, we have a series of labs that you can follow, which cover how to build,
customize, and deploy a Windows 10 IoT Enterprise image.
Lab 0: Tooling
Lab 1a: Create a basic image
Lab 1b: Customize a reference device in Audit mode
Lab 2: Configure device lockdown features
Lab 3: Configure policy settings on IoT Enterprise devices
Lab 4: Sysprep, capture, and deploy
Lab 5: Configure Shell Launcher or assigned access

GitHub Repository
We also have guidance for a more automated solution.
If you want to try script-based image customization and deployment, please visit our GitHub repository.

Additional Resources
Reduce the size of a Windows Image
Soft Real-Time on Windows IoT Enterprise
11/16/2021 • 2 minutes to read • Edit Online

Windows 10 soft real-time is a new feature with Windows 10 IoT Enterprise, version 21H2 that allows device
makers to introduce soft real-time capabilities on their devices.
This real-time behavior is introduced through 4 key settings:
1. CPU isolation: migrates the system-level disturbances off the isolated CPUs, reducing potential jitter
for the user's real-time application.
2. Custom ISR/DPC pinning on isolated CPUs: All hardware interrupts are routed to the system and
non-real-time cores, but by writing a custom ISR/DPC driver you can route your device-specific interrupts
to the real-time cores.
3. Priority inheritance for mutexes: This setting ensures the highest priority thread is executed, even in
complex multi-threaded scenarios.
4. Up to 16 RT thread priority levels: This allows the programmer to divvy up resources among real-
time tasks to ensure the most important ones get executed first.

What is a Real-Time Operating System?


When running a program, a normal operating system gives deterministic results but allows for a
nondeterministic time to complete a task. In a real-time operating system both the results of program execution
and the time taken to get those results are (at least partially) deterministic.
Hard Real-Time vs. Soft Real-Time
A hard real-time operating system is one where the time taken is deterministic to an exact moment. These
operating systems are deployed in use cases where failure to get results on time represents a total system
failure. Examples include microcontrollers within a car engine or airplane, printers, laser cutters, etc. Azure Real-
Time OS is an example of such an OS.
A soft real-time operating system is one where there is a small window of time for program completion rather
than a precise moment due to a bit of jitter from the operating system. Soft real-time systems, though less
precise, can be run on multiple cores and impose fewer restrictions on applications. This is the type of real-time
performance that you can expect from Windows 10 IoT Enterprise after using this guide.
When do I need Real-Time Performance?
Real-time performance is not necessarily faster performance. It is just predictable performance. If you want
better overall system performance – soft real-time might not be your best route to achieving it. However, if you
have a real-world constraint (such as a calculation that must be performed before a robot’s environment
changes or a motor that must be activated before a conveyor belt moves along) then soft real-time might be
what you need.
Soft real-time devices are more often used within a broader control loop to trigger behaviors from a state
machine. Smaller hard real-time control loops sit within the broader loop and operate on independent
microcontrollers until the soft real-time machine provides an input to change their behavior. Many command-
and-control loops have strenuous cycle time demands and need to use a hard real-time device in the loop for
direct control.
Next: How to set up a Device for Real-Time Performance
How to set up a Device for Real-Time Performance
11/16/2021 • 4 minutes to read • Edit Online

This guide will walk you through how to set up your device for Real-Time Performance.

NOTE
The only way to use this feature is with an application and device custom-built for a specific purpose. The mapping of
processor core assignments in the application threads must match the physical device cores and their configuration for
real-time versus standard workloads.

1. Disable idle states with powercfg.exe

2. Reference the Security guidelines for system services to disable the following services:
a. SysMain (Superfetch)
b. DPS (Diagnostic Policy Service)
c. Audiosrv (Windows Audio)
3. Disable Windows Update using this guidance.

NOTE
This will open up your device to vulnerabilities as security patches will not go through. That said, it is necessary as the
Windows Update agent does not respect CPU core isolation. We recommend having a plan to ensure device security and
install updates during times when the device can be taken down for maintenance.

TIP
A good example of managing updates during downtime can be found in the UWF documentation: Service UWF-protected
devices If you are using UWF and Soft Real-time then this process should take care of the OS update need for both
features at the same time.

4. Set the WindowsIoT CSP for real-time performance.


5. Configure RSS to migrate ISRs/DPCs to CPU0

NOTE
This is hardware dependent and can only be done if the NIC supports RSS.

6. Optional: Disable threaded DPCs for debugging


7. Optional: Deploy a custom DPC pinning driver for certain hardware interrupts by following this
guidance.

Performing this Configuration from the Command Line


Note that this will configure the device while it remains powered on. To ensure that the device maintains soft-RT
performance, you should configure the machine to run these commands as a script every time the machine
powers on using this guidance.
1. Run these three commands in a cmd prompt. This disables CPU idle states, where a CPU with no instructions
to run will go into a power-saving state. This is undesirable in real-time scenarios as idle CPUs have a delay
in starting to execute new instructions:

powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_PROCESSOR IdleDisable 1


powercfg.exe /setactive SCHEME_CURRENT

2. Run these three commands in a cmd prompt to disable DPS:

sc query dps
sc stop dps
sc config dps start=disabled

3. Run these three commands in a cmd prompt to disable Audiosrv:

sc query Audiosrv
sc stop Audiosrv
sc config Audiosrv start=disabled

4. Run these three commands in a cmd prompt to disable SysMain:

sc query SysMain
sc stop SysMain
sc config SysMain start=disabled

5. Run these three commands in a cmd prompt to disable Windows Update:

sc query wuauserv
sc stop wuauserv
sc config wuauserv start=disabled

6. Run this command to disable threaded DPCs:

reg add "HKLM\System\CurrentControlSet\Control\Session Manager\kernel" /v ThreadDpcEnable /t REG_DWORD /f /d 0

Ensuring the Device Stays Set up for Real-Time


Before deploying a real-time device to a production environment, there is additional setup needed to ensure the
device can receive updates and maintain real-time performance:
Set up a script that can reenable Windows Update, install updates, and turn off Windows Update once
again
Set up checks to ensure that on-device services remain disabled
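As an added example (not part of the original guide), the following PowerShell implements the two items above: a check that the services, registry value and powercfg setting from the steps in this section are still in their soft real-time state, and a maintenance-window function that re-enables Windows Update only for the duration of an update step. The scheduled task that runs it at boot and the update-install step itself are assumptions, as is English-language powercfg output.

```powershell
# Added example, not from the original guide. Verifies the soft real-time
# configuration from the steps above and provides a controlled update window.
# Assumptions: run from an elevated session by a boot-time scheduled task;
# powercfg prints English output (the regex below depends on that).

$RtServices = 'SysMain', 'DPS', 'Audiosrv', 'wuauserv'
$DpcKey     = 'HKLM:\System\CurrentControlSet\Control\Session Manager\kernel'

function Test-SoftRtConfiguration {
    # Returns a list of findings; an empty list means the device still matches the guide.
    $findings = @()

    foreach ($name in $RtServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }   # service not present on this image
        if ($svc.StartType -ne 'Disabled') {
            $findings += "$name start type is $($svc.StartType), expected Disabled"
        }
        if ($svc.Status -ne 'Stopped') {
            $findings += "$name is $($svc.Status), expected Stopped"
        }
    }

    # Threaded DPCs: the guide sets ThreadDpcEnable to 0.
    $dpc = Get-ItemProperty -Path $DpcKey -Name ThreadDpcEnable -ErrorAction SilentlyContinue
    if ($null -eq $dpc -or $dpc.ThreadDpcEnable -ne 0) {
        $findings += 'ThreadDpcEnable is not 0'
    }

    # CPU idle states: the guide sets IdleDisable to 1 on the active scheme.
    $out  = powercfg.exe /query SCHEME_CURRENT SUB_PROCESSOR IdleDisable
    $line = $out | Select-String -Pattern 'Current AC Power Setting Index:\s*0x([0-9a-fA-F]+)' |
            Select-Object -First 1
    if (-not $line -or [Convert]::ToInt32($line.Matches[0].Groups[1].Value, 16) -ne 1) {
        $findings += 'IdleDisable is not 1 for the active power scheme'
    }

    return $findings
}

function Invoke-SoftRtUpdateWindow {
    # Re-enables Windows Update only while $InstallStep runs, then restores the
    # disabled state so the update agent cannot break core isolation later.
    # $InstallStep is a placeholder for whatever scan/install your update tooling uses.
    param([Parameter(Mandatory)][scriptblock]$InstallStep)

    Set-Service -Name wuauserv -StartupType Manual
    Start-Service -Name wuauserv
    try {
        & $InstallStep
    }
    finally {
        Stop-Service -Name wuauserv -Force
        Set-Service -Name wuauserv -StartupType Disabled
    }
}

# Boot-time check: surface drift so it can be logged or alerted on.
$drift = Test-SoftRtConfiguration
if ($drift.Count -gt 0) {
    Write-Warning ("Soft real-time configuration drift:`n" + ($drift -join "`n"))
}
```

Run the maintenance window only when the device can be taken down, for example `Invoke-SoftRtUpdateWindow -InstallStep { <your update-install command> }`, and re-run `Test-SoftRtConfiguration` afterwards before returning the device to service.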

What is the WindowsIoT CSP?


The WindowsIoT CSP is used to configure Windows IoT devices. Currently the only functionality available in this
CSP is to configure a device for Soft Real-Time performance. Note that this is not the only work that needs to be
done in order to use soft real-time with a device. You must also perform the other 6 steps above. Using this CSP
to set soft real-time cores without also performing this additional configuration work will result in system
malfunction and will require reimaging to recover.
The hierarchy of this CSP is as follows:

WindowsIoT
    SoftRealTimeProperties
        SetRTCores

A value greater than 0 and less than the total number of cores on the device must be provided to the SetRTCores
parameter. Feel free to set this CSP using whatever tool your organization uses to configure its devices, or use
the steps below to use the MDM Bridge.
Use MDM Bridge WMI Provider to Configure the WindowsIoT CSP
This CSP will configure the system for real-time performance. You will need to provide the number of CPU cores
to allocate to real-time tasks, with the rest being allocated for running system or standard user tasks. A
numerical value must be provided in the SetRTCores node. This is the number of CPU Cores dedicated to real-
time workloads. Valid numeric values must be at least 1 and less than the number of physical cores in the CPU.
Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to
accomplish this. Here's an example to set the RealTime configuration with 3 real-time cores:
1. Download the psexec tool.
2. In Command Prompt, run:

3. In the command prompt launched by psexec.exe, enter powershell.exe to open PowerShell.


4. Execute the following script:

$nameSpaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_WindowsIoT_SoftRealTimeProperties01"
# Read the CSP node through the MDM Bridge WMI provider (this is why the shell must run as SYSTEM via psexec)
$obj = Get-CimInstance -Namespace $nameSpaceName -ClassName $className
$obj.SetRTCores = 3
# Write the modified instance back; this is what applies the real-time core reservation
Set-CimInstance -CimInstance $obj

TIP
You can use the same script for whatever number of real-time cores you need to have, just replacing the 3 in the second-
to-last line with the appropriate number. This will reserve cores starting with core 0 and going upwards. So reserving 3
cores on a 4 core CPU will reserve cores 0, 1, and 2 and leave core 3 for system and non-real-time tasks.
Next: Develop a Soft Real-Time Application
Developing a Soft Real-Time Application
11/16/2021 • 2 minutes to read • Edit Online

Once a device is configured for real-time performance, an application can be set to run in real-time using
standard Win32 APIs. The only factors that will give a thread or process real-time performance are the
thread/process priority rank and the CPU core affinity.
To get real-time performance on a particular thread or process, its priority should be in the range of real-time
performance and its affinity should be set to run on the real-time cores.

Configure a Process for Real-Time


Use the SetPriorityClass Function to:
1. Set the process’ ProcessPriorityClass attribute to PROCESS_PRIORITY_CLASS_REALTIME .
2. Set the process’ ProcessBasePriority attribute to LOW_REALTIME_PRIORITY .
Use the SetProcessAffinityMask Function to set the process to run exclusively on the cores which are reserved
for the real-time application.

Configure a Thread for Real-Time


1. Use the NtSetInformationThread function to set the thread's ThreadBasePriority to a value between 16 and
31.
2. Use the SetThreadAffinityMask function to set the thread to run exclusively on the cores which are reserved
for the real-time application.
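As an added example (not from the original guide), here is the process-level part of this configuration done from PowerShell through the .NET Process class, whose PriorityClass and ProcessorAffinity setters wrap the SetPriorityClass and SetProcessAffinityMask calls named above. It assumes the device was configured with SetRTCores equal to the RtCores value passed in, so the reserved cores are 0 through RtCores-1 as the TIP above describes; thread-level priority and affinity still need the Win32 functions listed.

```powershell
# Added example, not from the original guide. Uses the .NET Process class, whose
# PriorityClass / ProcessorAffinity setters call the Win32 SetPriorityClass and
# SetProcessAffinityMask functions named above. Assumption: the device's CSP
# SetRTCores value equals $RtCores, so cores 0..RtCores-1 are the reserved ones.

function Get-RtAffinityMask {
    # Reserved cores start at core 0 and go upwards, so the mask is the low RtCores bits.
    param(
        [Parameter(Mandatory)][int]$RtCores,
        [int]$TotalCores = [Environment]::ProcessorCount
    )
    # Same validity rule as the CSP: at least 1 and less than the core count.
    if ($RtCores -lt 1 -or $RtCores -ge $TotalCores) {
        throw "RtCores must be at least 1 and less than the core count ($TotalCores)"
    }
    return [int64](([int64]1 -shl $RtCores) - 1)   # e.g. 3 cores -> 0b111 = 7
}

function Set-ProcessRealTime {
    # Pins the target process to the reserved cores and raises it to the real-time class.
    # Needs an elevated session; without the required privilege Windows may apply
    # the High class instead of RealTime, which the returned object will show.
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [Parameter(Mandatory)][int]$RtCores
    )
    $proc = Get-Process -Id $ProcessId
    $proc.ProcessorAffinity = [IntPtr](Get-RtAffinityMask -RtCores $RtCores)   # SetProcessAffinityMask
    $proc.PriorityClass = [System.Diagnostics.ProcessPriorityClass]::RealTime  # SetPriorityClass
    # Re-read so the caller sees what the OS actually applied.
    return (Get-Process -Id $ProcessId | Select-Object Id, PriorityClass, ProcessorAffinity)
}

# Usage (placeholder PID): Set-ProcessRealTime -ProcessId <PID of your real-time app> -RtCores 3
```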
Azure IoT Edge for Linux on Windows (EFLOW)
11/16/2021 • 2 minutes to read • Edit Online

Azure IoT Edge for Linux on Windows allows you to run containerized Linux workloads alongside Windows
applications in Windows IoT deployments. Businesses that rely on Windows IoT to power their edge devices can
now take advantage of the cloud-native analytics solutions being built in Linux.
IoT Edge for Linux on Windows works by running a Linux virtual machine on a Windows device. The Linux
virtual machine comes pre-installed with the IoT Edge runtime. Any IoT Edge modules deployed to the device
run inside the virtual machine. Meanwhile, Windows applications running on the Windows host device can
communicate with the modules running in the Linux virtual machine.

Bi-directional communication between Windows processes and the Linux virtual machine means that Windows
processes can provide user interfaces or hardware proxies for workloads running in the Linux containers.
Get started today.

Benefits
You might choose to build a device that includes Azure IoT Edge for Linux on Windows (EFLOW) as it comes with
many benefits.
EFLOW enables customers for the first time to run production Linux-based cloud-native workloads on Windows
IoT. Customers retain their existing Windows IoT assets plus benefit from the power of Windows IoT for
applications that require an interactive UX and high-performance hardware interaction. There is no longer a
need to choose between Windows or Linux; customers can now leverage the best of both platforms.
EFLOW provides the ability to deploy Linux IoT Edge modules onto a Windows IoT device. This opens a world of
capabilities for commercial IoT as well as AI/ML with the availability of pre-built modules from the Azure
Marketplace such as Live Video Analytics, SQL Edge, and OPC Publisher as a few examples.
As a developer, you may also choose to implement your own custom modules using the Linux distribution of
your choice to address specific business requirements. Running Linux modules on Windows IoT becomes a
seamless part of your solution.
In addition, Windows applications can easily interact with Linux modules running on the same physical device. A
Windows process that provides UI or accesses cameras, sensors, or other hardware can seamlessly
communicate with business logic or ML inferencing provided by a Linux module.

Additional Resources
EFLOW Documentation
IoT Show: Run Linux based IoT Edge modules on Windows IoT
Get started today.
Downloads
11/16/2021 • 2 minutes to read

If you would like to download Windows IoT Enterprise, please review the options below.
To select which edition of Windows IoT Enterprise you would like to work with, review Features by Release.

90-Day Evaluation
You can download a free 90-day evaluation copy of Windows Enterprise, a binary equivalent of Windows IoT
Enterprise.

Visual Studio Subscriptions

You can download Windows IoT Enterprise using your Visual Studio Subscription.

Windows IoT Distributor

You can reach out to a Windows IoT Distributor. Distributors can apply their Windows IoT development
experience and knowledge to help you build secure and connected Windows IoT solutions. Please select a
distributor in your region and contact the distributor directly for more details.

Partner Center
If you are a Windows IoT Partner, check Partner Center for up-to-date information regarding access to the latest
bits.

Additional Resources:
Start Prototyping
Windows Developer Tools and SDK resources
Windows IoT Enterprise Manufacturing Guide
Features by Release
11/16/2021 • 3 minutes to read

Each Windows 10 IoT Enterprise release offers our latest features, including specific updates made to address
customer requests. One of the most obvious benefits of migrating to Windows 10 IoT Enterprise is the
continuous value add you’re always getting. As you can see, with each release, Windows just gets better and
better.

NOTE
We are highlighting some of the more prominent new features that have come out in each release of Windows 10 IoT
Enterprise. This doesn't include every new feature, nor does it include the continuous improvements and
enhancements we make to the existing features in the product with each release.

Release 21H2 - October 2021


Genericized Update Message Strings
Update Screen Accent Color
Soft Real-Time Support
Read Only Media mode (UWF)
Allowing Swapfile, Disk Overlay (UWF)
Full Volume Commit in Read-Only Media (UWF)
GPU Compute Support
WPA H2E Standards Support

Release 21H1 - April 2021


Windows Hello Multi-Camera
Performance Updates for WDAG
Performance Improvements for WMI GPSVC

Release 20H2 - October 2020


Windows Shell Updates
New Windows Sandbox Policies
New Chromium-based Microsoft Edge Browser

Release 2004 - April 2020


Assigned access global lockdown profile support
MSIX installation options
Specialized displays
Task Manager improvements
Settings page multi-select and list management
Bluetooth pairing improvements
Network camera support
Application Guard for Edge and Office
WSL v2
East Asian IMEs
Cloud recovery
Windows Setup improvements
Delivery Optimization PowerShell commands
Accessibility enhancements

Release 1909 - September 2019


BitLocker key-rolling
CPU rotation
Improved Inking
Narrator improvements
Streamlined notifications
TLS 1.3
Servicing improvements for H2 builds
Microsoft Connected Cache (preview)
Windows Virtual Desktop (GA)
Desktop Analytics (GA)

NOTE
With the 1903 release, we have created a new edition for Windows 10 IoT Enterprise. In the future, it can unlock IoT
scenarios with a tailored feature set. As of the 1903 & 1909 releases, the sole difference between the Desktop and IoT
versions is that reserved storage for updates and temporary files isn’t set aside during installation; this allows for the use
of smaller storage devices with an identical feature set. Also, with the new keys, the edition will now show up as Windows
10 IoT Enterprise.

Release 1903 - March 2019


Unique product ID for Windows 10 IoT Enterprise
Qualcomm Snapdragon 850 support
Windows Virtual Desktop (preview)
Assigned access file explore restriction
Microsoft Defender Advanced Threat Protection enhancements
Attack Surface Reduction enhancements
Next Generation Protection enhancements
Tamper Proofing Capabilities
Windows Sandbox
Application Guard enhancements
Sign-on with password-less Microsoft accounts
Accessibility Improvements
Windows Shell enhancements
Windows Timeline
Device Management Policies
Intune Security Baselines
Enhanced Enrollment Status Page
Setup Diag
Automatic Restart Sign On (ARSO)
Improved Delivery Optimization (DO)

Release 1809 - September 2018


Shell Launcher v2
Microsoft Edge kiosk mode
Azure IoT Edge
Azure IoT Hub Device Management
Windows Artificial Intelligence (AI) platform
UWF freespace passthrough
Camera based barcode scanning
IoT Enterprise Manufacturing and deployment guide
ROS on Windows support
Microsoft Defender ATP new attack surface reduction controls
Web Authentication in Microsoft Edge
Windows Hello with FIDO 2.0
30 months of support for September releases
10 years of lifecycle support with LTSC release 2019
S Mode Block Switch
Desktop Analytics (preview)—Intelligent Pilot Selection and ConfigMgr Integration
Microsoft Edge experience improvements
Accessibility enhancements

Release 1803 - March 2018


Kiosk error reporting via MDM
Assigned access multi-monitor support
Nano Server Container
Windows Analytics – Spectre & Meltdown, Delivery Optimization, Application Reliability Logon Health
WDATP Automated Remediation
Conditional Access based on WDATP device risk
Threat Analytics
Emergency Outbreak Updates
Advanced hunting
Cloud Credential Guard
Diagnostic data viewer
Shared Windows Devices

Release 1709 - September 2017


Assigned access multi-app kiosk mode
Windows Defender Exploit Guard, System Guard, Application Guard, Application Control
Mobile Device Management
Windows Analytics Update Compliance
Windows Analytics Device Health
Co-management
Fluent Design

Release 1703 - March 2017

Windows Configuration Designer
Windows Defender ATP
Windows Defender Security Center
Express update delivery
Hyper-V
Windows Insider Program for Business
Miracast on existing wireless network or LAN
Desktop Bridge
Line display POS API

Release 1607 - July 2016


Hibernate Once/Resume Many (HORM)
Windows Hello for Business
Windows Analytics Upgrade Readiness
App-V, UE-V
Hybrid Azure Active Directory Join
Windows Ink

Base
Mobile Device Management
AAD Join
Windows Store for Business
Windows Update for Business
Keyboard filter
Custom logon
Unbranded boot
Assigned access single app kiosk mode support
Shell launcher
Unified write filter
Start layout customization
Windows Defender Antivirus
Windows Hello
Microsoft Edge
Device Guard
Credential Guard
AppLocker
BitLocker
SmartScreen
Device provisioning
Windows as a service
In-place upgrades
Continuum
Cortana
Windows 10 core
Additional Resources
Windows 10 release information
What's new in Windows 10
Windows 10 update history
Frequently Asked Questions (FAQ)
11/16/2021 • 2 minutes to read

This document outlines the Frequently Asked Questions by our customers and partners.
If you require additional assistance, please Contact Us.

What Windows for IoT Products are available today?


There are presently three Windows for IoT operating systems available: Windows IoT Enterprise, Windows 10
IoT Core, and Windows Server IoT 2022.

What's the difference between Windows 10 IoT Enterprise and Windows 11 IoT Enterprise?

Windows 11 IoT Enterprise is the next evolution of Windows for IoT, and is built on the same foundation as
Windows 10 IoT Enterprise. See the Fall 2021 Windows IoT Enterprise Release Guide for a full comparison.

What is the difference between Windows IoT Enterprise and Windows 10 IoT Core?

Windows IoT Enterprise is binary-equivalent to standard Windows Enterprise. We have incorporated all IoT
features into both versions, but the IoT edition includes a few minor configuration differences at activation and
has dramatically different pricing and licensing terms. Windows 10 IoT Core is the smallest version of the
Windows 10 editions that leverages the Windows 10 common core architecture. These editions enable building
low-cost devices with fewer resources. Development for Windows 10 IoT Core leverages the Universal Windows
Platform.
See Windows IoT Overview for more information.

How do I know if I am running Windows 10 IoT Enterprise?

Prior to version 1903, Windows 10 IoT Enterprise was sold as Windows 10 Enterprise with special keys.
From version 1903 onward, Windows 10 IoT Enterprise is sold as a separate edition, and you can confirm that
you are running Windows 10 IoT Enterprise under System Information.
How do people typically manage their IoT Solutions?
Listed below are the four most commonly used management methods for IoT solutions. Review our Device
Management Documentation for more information.
Contact Us
11/16/2021 • 2 minutes to read

If you have questions, concerns or require support for Windows IoT Enterprise, please reach out to your
distributor or the appropriate groups below.

Microsoft Customer Service and Support


Contact Microsoft Support
Support for Business

Ecosystem Partner Services Offering


If you would like to purchase system integration support from Microsoft, please contact
[email protected].

MVP Program
Consultants and MVPs are available for assistance.
Search for MVP Near You

Developer Community
Channel9
Windows Blogs
Stack Overflow
Microsoft Developer Blogs
Microsoft Developer Network (MSDN)
Microsoft Windows for IoT Tech Community
Microsoft IoT Developers YouTube Channel
