Windows IoT Enterprise Guide
This article will give you an overview of the product and guide you through how to get started with Windows
IoT Enterprise.
NOTE
Windows 10 IoT Enterprise offers both LTSC and SAC options, and OEMs can choose the one they need for their devices.
At this time Windows 11 IoT Enterprise is only available as an annual release. For more information on how to reach out
to a Windows IoT Distributor or how to purchase a license, review Licensing & Usage.
TIP
If you are building any kind of OEM-style appliance, such as a point-of-sale or retail device, industrial automation
equipment, digital signage, medical equipment or any appliance with a screen, Windows IoT Enterprise is the solution for
you.
See how our customers are using Windows IoT Enterprise to accomplish their business goals.
Documentation Overview
This documentation set will cover the technical breakdown of what's included when you choose to use Windows
IoT Enterprise.
Hardware Guidance
This section provides insight into the hardware needed to run Windows IoT Enterprise as your device's OS.
Articles include:
Hardware Requirements
Selecting SoCs and Custom Boards
Quickstarts
This section provides quick tutorials on how to get started with Windows IoT Enterprise.
Articles include:
How to Start Prototyping
Kiosk Mode
This section walks users through the features and functionalities of Kiosk Mode and how to enable those
features on Windows IoT Enterprise.
Articles include:
Kiosk Mode Overview
Assigned access single-app kiosk mode
Assigned access multi-app kiosk mode
Configure Shell Launcher
Browser Support
Manage the Edge Swipe Policy
Advanced Lockdown Features
This section highlights how to create a lock-down environment with Windows IoT Enterprise OS features.
Articles include:
Application Control
Put in Place Device Safeguards
Use a Keyboard Filter
Explore the Unified Write Filter
Enable Hibernate Once, Resume Many (HORM)
Branding Features
This section reviews how to create a custom user-experience that highlights your brand. Articles include:
Enable Custom Logon
Manage Microsoft Store Access
Control Page Visibility
Configure Layout Control
Enable Unbranded Boot
Manage Update Screen UI and Notifications
Device Management
Learn more about the device management solutions you can take advantage of with Windows IoT Enterprise.
Articles include:
Device Management Overview
Manage OS Updates
Manage App Updates
Reset & Recovery
IoT Device Features
This section gives an overview of many of the built-in functionalities of Windows IoT Enterprise devices.
Articles include:
Windows IoT Security
Enable Embedded Mode
Configure Device Drivers
Bus Providers
Manage Network Service Controls
Enable On-Screen Keyboard
Privacy Features
Accessibility Features
Commercialization
Learn how to commercialize your Windows IoT Enterprise devices.
Articles include:
Explore Licensing Options (LTSC, SAC)
Windows IoT Enterprise Manufacturing Guide
Soft Real-Time
Learn how to use Soft Real-Time capabilities with your Windows IoT Enterprise devices.
Overview
Device Configuration
Application Development
Additional Resources
These resources provide additional information and support to our customers and partners.
Articles include:
Azure IoT Edge for Linux on Windows
Downloads
Features by Release
Frequently Asked Questions
Contact Us
Minimum Hardware Requirements for Windows IoT
Enterprise
11/16/2021 • 2 minutes to read • Edit Online
This specification defines the minimum hardware requirements for Windows IoT Enterprise. Microsoft will build
and test the Windows IoT Enterprise OS against the requirements described in this specification.
Overview
This specification defines the minimum hardware requirements necessary to:
Boot and run Windows IoT Enterprise.
Update and service Windows IoT Enterprise.
The goal of this specification is to enable OEMs, ODMs, SoC vendors, and other component vendors to make
early design decisions for devices and computers that will run Windows IoT Enterprise.
This specification does not provide compatibility and certification requirements for devices and computers that
run Windows IoT Enterprise or implementation guidance for exceptional user experiences.
NOTE
Beginning with Windows 10, version 2004, all new Windows 10 systems will be required to use 64-bit builds and
Microsoft will no longer release 32-bit builds for OEM distribution. This does not impact 32-bit customer systems that are
manufactured with earlier versions of Windows 10; Microsoft remains committed to providing feature and security
updates on these devices, including continued 32-bit media availability in non-OEM channels to support various upgrade
installation scenarios.
Processor
Devices that run Windows IoT Enterprise must meet these processor requirements. Check out the processor
matrix to review the latest processor generations and models that are supported. Previous generations of
processors and models (indicated by "Up through"), remain supported in addition to the listed processors and
models.
TIP
Information on support is available at Microsoft Support Policy and Microsoft Lifecycle FAQ.
For specific hardware support, please refer to your Original Equipment Manufacturer (OEM) provider.
Memory
Devices that run Windows IoT Enterprise must meet the following RAM requirements.
Storage
Storage device size
Devices that run Windows IoT Enterprise must include a storage device that meets the following size
requirements.
Storage Controller Requirements
TPM Requirements
Trusted Platform Module Technology Overview
TPM Recommendations
Additional Resources
Shared Minimum Hardware Requirements for Windows OS
Minimum Hardware Requirements
Windows Processor Requirements
Hardware Component Guidelines
SoCs and Custom Boards
Microsoft-enabled SoCs
Microsoft works alongside Intel, Qualcomm, and AMD to verify support for Windows IoT Enterprise on several
vendors' system on a chip (SoCs). These SoCs are used in hundreds of different devices that you can use to
prototype and commercialize your idea. The SoC you choose to adopt will depend on considerations such as
performance requirements, power profile, cost, physical connectivity options, long-term support, and operating
conditions.
You'll also need to decide whether you want to use an off-the-shelf board or device, build a custom device using
a system on a module (SoM) plus a custom carrier board, or build a complete custom board. Cost and the
degree of customization are the key factors in this decision, with both generally increasing as you customize
further.
Boards
If an off-the-shelf device is in a form factor that includes the connectivity options that work for your scenarios,
that will often be the most cost- and time-effective choice.
For most people, developing a complete custom board only makes sense when the product is expected to be
sold in volumes of hundreds of thousands, or even millions, of units. For smaller volumes, using a
SoM and designing a custom carrier board, instead of designing a completely new board, can significantly
reduce your cost and time-to-market, as well as streamlining software development and integration.
Each of the platforms has unique features that need attention during implementation, please review the
following SoC provider's websites for more details.
Intel
AMD
Qualcomm
VIA Technologies
Additional Resources
Windows IoT Enterprise Manufacturing Guide
Windows Processor Requirements
Start Prototyping
This guide will walk you through how to start prototyping with Windows IoT Enterprise.
Additional Resources
Windows IoT Enterprise Manufacturing Guide
Windows Processor Requirements
Kiosk mode
Windows IoT Enterprise allows you to build fixed purpose devices such as ATM machines, point-of-sale
terminals, medical devices, digital signs, or kiosks. Kiosk mode helps you create a dedicated and locked down
user experience on these fixed purpose devices. Windows IoT Enterprise offers a set of different locked-down
experiences for public or specialized use: assigned access single-app kiosks, assigned access multi-app kiosks, or
shell launcher.
Kiosk configurations are based upon either assigned access or shell launcher. There are several kiosk
configuration methods that you can choose from, depending on your answers to the following questions.
NOTE
A benefit of using an assigned access kiosk mode is these policies are automatically applied to the device to optimize the
lock-down experience.
Configuration: Assigned access
Kiosk type: Single-app kiosk (UWP)
Description: Auto launches a UWP app in full screen and prevents access to other system functions, while monitoring the lifecycle of the kiosk app. Only supports one single-app kiosk profile under one account per device.
Example use cases: Digital signs and single-function devices

Configuration: Assigned access
Kiosk type: Single-app kiosk (Microsoft Edge)
Description: Auto launches Microsoft Edge and prevents access to other system functions, while monitoring the lifecycle of the browser. Only supports one single-app kiosk profile under one account per device.
Example use cases: Public browsing kiosks and digital signs

Configuration: Assigned access
Kiosk type: Multi-app kiosk
Description: Always auto launches a restricted Start menu in full screen with the list of allowed app tiles. Supports configuring different multi-app kiosk profiles for different users/user groups per device.
Example use cases: Firstline Worker shared devices

Configuration: Shell launcher
Kiosk type: Shell launcher
Description: Auto launches an app that the customer specifies and monitors the lifecycle of this app. The app can be used as a 'shell' if desired. No default lockdown policies, such as hotkey blocking, are enforced by Shell Launcher.
Example use cases: Fixed purpose devices with a custom shell experience
NOTE
Assigned access multi-app kiosk will not be available in the initial release of Windows 11 IoT Enterprise. See What's new in
Windows 11 IoT Enterprise for more information.
Additional Resources
Find the Application User Model ID of an installed app
Validate your kiosk configuration
Guidelines for choosing an app for assigned access (kiosk mode)
Policies enforced on kiosk devices
Assigned access XML reference
Use AppLocker to create a Windows 10 kiosk
Use Shell Launcher to create a Windows 10 kiosk
Use MDM Bridge WMI Provider to create a Windows 10 kiosk
Troubleshoot kiosk mode issues
Plan your kiosk mode transition to Microsoft Edge
Assigned access single-app kiosk
A single-app kiosk uses the assigned access feature to run a single app above the lock screen. When the kiosk
account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device
outside of the kiosk app.
NOTE
Assigned access single-app kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in
on the physical device that is set up as a kiosk.
TIP
You can also configure a kiosk account and app for single-app kiosk within XML in a provisioning package by using a
kiosk profile. Be sure to check the configuration recommendations before you set up your kiosk.
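The steps above, carried out with the built-in assigned access cmdlets, as an added example that is not part of the original article. It creates a standard local account, resolves the Application User Model ID (AUMID) the cmdlet needs, binds the app, and verifies the result. The account name "KioskUser" and the "Weather" app are placeholders; run it from an elevated Windows PowerShell prompt on the kiosk device.

```powershell
# Added example (not from the Windows IoT docs): configure a single-app kiosk with Set-AssignedAccess.
# Assumptions: "KioskUser" and the "Weather" app are placeholders for your own account and kiosk app.

$kioskUser = 'KioskUser'

# A standard (non-administrator) local account; assigned access must never target an admin.
if (-not (Get-LocalUser -Name $kioskUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $kioskUser"
    New-LocalUser -Name $kioskUser -Password $pw -PasswordNeverExpires | Out-Null
}

# Assigned access identifies the app by AUMID, not by display name.
# Get-StartApps lists the AUMIDs of apps that appear on Start for the current user.
$app = Get-StartApps | Where-Object Name -eq 'Weather' | Select-Object -First 1
if (-not $app) { throw 'Kiosk app not found for the current user; install or provision it first.' }
$aumid = $app.AppID

# Bind the app to the account. It launches above the lock screen when KioskUser signs in.
Set-AssignedAccess -AppUserModelId $aumid -UserName $kioskUser

# Verify what the device stored before handing it over.
$cfg = Get-AssignedAccess
if ($cfg.UserName -ne $kioskUser -or $cfg.AppUserModelId -ne $aumid) {
    throw 'Assigned access was not applied as requested.'
}
$cfg

# To remove the kiosk configuration later:
#   Clear-AssignedAccess
```

The app must actually be available to the kiosk account, not just to the administrator who runs the script: provision it for all users (for example with Add-AppxProvisionedPackage) or sign in once as the kiosk user before testing. Sign in on the physical device to test, since the NOTE above rules out remote desktop for this mode.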
Additional Resources
Set up a single-app kiosk
Guidelines for choosing an app for assigned access
Kiosk apps for assigned access: Best practices
Configure kiosks and digital signs
Prepare a device for kiosk configuration
More kiosk methods and reference information
Assigned access multi-app kiosk
An assigned access multi-app kiosk runs one or more apps from the desktop. People using the kiosk see a
customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a
locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared
by multiple people. Here's a guide on how to set up a multi-app kiosk.
NOTE
Assigned access multi-app kiosk will not be available in the initial release of Windows 11 IoT Enterprise. See What's new in
Windows 11 IoT Enterprise for more information.
NOTE
When you configure a multi-app kiosk, specific policies are enforced that will affect all non-administrator users on the
device.
Additional Resources
New features and improvements
Set up a multi-app kiosk
Kiosk apps for assigned access: Best practices
Guidelines for choosing an app for assigned access
Configure kiosks and digital signs
Prepare a device for kiosk configuration
More kiosk methods and reference information
Shell Launcher
Using Shell Launcher, you can configure a kiosk device to run a Windows Desktop or Universal Windows
Application as the user interface. The application that you specify replaces the default shell (explorer.exe) that
usually runs when a user logs on. This type of single-app kiosk does not run above the lock screen.
Other methods of controlling access to desktop applications and system components, such as Group Policy,
AppLocker, and Mobile Device Management, can be used in addition to Shell Launcher.
NOTE
In Shell Launcher v1, available in Windows 10, you can only specify a Windows desktop application as the replacement
shell. In Shell Launcher v2, available in Windows 10, version 1809 and above, you can also specify a UWP app as the
replacement shell.
To use Shell Launcher v2 in version 1809, you need to install the KB4551853 update.
Additional Resources
Use Shell Launcher to create a Windows 10 Kiosk
Launch different shells for different user accounts
Perform an action when the shell exits
Shell Launcher user rights
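A Shell Launcher configuration done through its WESL_UserSetting WMI class, as an added example that is not part of the original article. It enables the feature, makes a custom application the default shell, keeps Explorer for administrators so the device stays manageable, and maps the kiosk app's exit codes to actions. The account "KioskUser" and the path C:\Kiosk\KioskApp.exe are placeholders; run it elevated.

```powershell
# Added example (not from the Windows IoT docs): configure Shell Launcher through WESL_UserSetting.
# Assumptions: "KioskUser" exists; C:\Kiosk\KioskApp.exe is a placeholder for your shell application.

# 1. Turn on the optional feature (no-op if it is already installed).
Enable-WindowsOptionalFeature -Online -FeatureName 'Client-EmbeddedShellLauncher' -NoRestart | Out-Null

$computer = 'localhost'
$ns       = 'root\standard\cimv2\embedded'
$wesl     = [wmiclass]"\\$computer\${ns}:WESL_UserSetting"

# Shell Launcher keys its settings on SIDs, so resolve the account name first.
$kioskSid  = (New-Object System.Security.Principal.NTAccount('KioskUser')).Translate(
                 [System.Security.Principal.SecurityIdentifier]).Value
$adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)

# Actions taken when the shell exits: 0 restart shell, 1 restart device, 2 shut down device, 3 do nothing.
$RESTART_SHELL  = 0
$RESTART_DEVICE = 1

# Default shell for any account without a custom entry: the kiosk app, restarted if it exits.
$wesl.SetDefaultShell('C:\Kiosk\KioskApp.exe', $RESTART_SHELL) | Out-Null

# Administrators keep the normal desktop.
$wesl.SetCustomShell($adminsSid, 'explorer.exe') | Out-Null

# Kiosk user: exit code 0 restarts the app, exit code 1 (our "unrecoverable" code) restarts the device.
# The two arrays are parallel: return code -> action. Anything unlisted uses the last argument.
$wesl.SetCustomShell($kioskSid, 'C:\Kiosk\KioskApp.exe', @(0, 1), @($RESTART_SHELL, $RESTART_DEVICE), $RESTART_SHELL) | Out-Null

# 2. Enable Shell Launcher; it takes effect at the next sign-in.
$wesl.SetEnabled($true) | Out-Null

# 3. Verify the stored state.
"Shell Launcher enabled: $($wesl.IsEnabled().Enabled)"
Get-WmiObject -Namespace $ns -Class WESL_UserSetting | Select-Object Sid, Shell, DefaultAction
```

Replacing the shell removes the desktop, not the keyboard: as the kiosk mode table notes, Shell Launcher enforces no hotkey blocking, so combine it with Keyboard Filter (and AppLocker or WDAC) if Ctrl+Alt+Delete, Win+R and similar must not reach the user.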
Browser Support
Today, you can use two browsers, Internet Explorer 11 and Microsoft Edge to create an assigned access single-
app or multi-app kiosk experience.
Microsoft Edge kiosk mode offers two lockdown experiences of the browser so organizations can create,
manage, and provide the best experience for their customers. The following lockdown experiences are available:
Digital/Interactive Signage experience - Displays a specific site in full-screen mode.
Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge.
Both experiences are running a Microsoft Edge InPrivate session, which protects user data.
Internet Explorer 11
Internet Explorer 11 will be considered a legacy browser in subsequent releases.
In anticipation of that, you can use Internet Explorer (IE) mode in Microsoft Edge. IE mode allows you to run
legacy web apps as well as modern web apps in a single browser.
NOTE
For in-support Windows 10 IoT Enterprise Semi-Annual Channel (SAC) releases, Internet Explorer 11 will reach end of
support on June 15, 2022.
Internet Explorer 11 follows the Long-Term Servicing Channel (LTSC) lifecycle for LTSC SKUs.
Supported Versions

Windows 10 IoT Enterprise LTSC 2019 (RS5)
  Internet Explorer 11: Supported until OS EOL
  Microsoft Edge Legacy (EdgeHTML): No browser security updates after March 9, 2021 (removed where applicable). In-box engine supported until OS EOL.
  Microsoft Edge (Chromium) and WebView2: Edge and the WebView2 Runtime are not in-box (requires app migration from EdgeHTML)

Windows 10 IoT Enterprise, version 21H2, SAC
  Internet Explorer 11: End of support June 15, 2022
  Microsoft Edge Legacy (EdgeHTML): Removed and replaced with the new Microsoft Edge in the May 2021 Update
  Microsoft Edge (Chromium) and WebView2: Included in-box or installed with the May 2021 Update

Windows 10 IoT Enterprise LTSC 2021
  Internet Explorer 11: Supported until OS EOL
  Microsoft Edge Legacy (EdgeHTML): Not included
  Microsoft Edge (Chromium) and WebView2: Microsoft Edge included in-box and follows the Modern Lifecycle Policy
Additional Resources
Configure Microsoft Edge kiosk mode
Plan your kiosk mode transition
Screen Swipe Policy
If your Windows IoT device has a touchscreen, users have the option to swipe from the edge of a screen to
invoke a system user interface. Depending on the direction of the swipe, the action center, tablet mode or
taskbar can appear.
NOTE
If you disable this policy setting, users cannot invoke any system UI by swiping in from any screen edge.
If you enable or do not configure this policy setting, users can invoke system UI by swiping in from the screen
edges.
Additional Resources
LockDown/AllowEdgeSwipe
Application Control
Application control is a crucial scenario that enables an organization to create a lockdown experience. Windows
IoT Enterprise includes two technologies, Windows Defender Application Control (WDAC) and AppLocker, which
can be used for application control to meet your organization's specific scenarios and requirements.
NOTE
When it comes to choosing between WDAC or AppLocker it is generally recommended that customers who are able to
implement application control using WDAC rather than AppLocker, do so. WDAC is undergoing continual improvements
and will be getting added support from Microsoft management platforms. Although AppLocker will continue to receive
security fixes, it will not undergo new feature improvements.
AppLocker
AppLocker advances the app control features and functionality of Software Restriction Policies. AppLocker
contains new capabilities and extensions that allow you to create rules to allow or deny apps from running
based on unique identities of files and to specify which users or groups can run those apps. Since AppLocker
rules specify which apps are allowed to run on the device, you can leverage AppLocker to create a Windows IoT
kiosk that runs multiple apps. AppLocker is ideal for organizations that currently use Group Policy to manage
their PCs. To learn more about whether AppLocker can work for your organization, check out the following
documentation.
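An AppLocker policy for a kiosk that runs several apps, built and tested from PowerShell, as an added example that is not part of the original article. Standard users (the kiosk account) may run only the kiosk application, identified by publisher with a hash fallback for unsigned files, plus the Windows folder; administrators may run anything. The policy starts in AuditOnly so that would-be blocks are logged and can be reviewed before enforcement is switched on. The kiosk directory C:\Kiosk and the account "KioskUser" are placeholders; run it elevated.

```powershell
# Added example (not from the Windows IoT docs): AppLocker Exe rules for a multi-app kiosk, audit first.
# Assumptions: the kiosk app lives under C:\Kiosk and is not Microsoft-signed; "KioskUser" is a standard account.

$kioskDir  = 'C:\Kiosk'
$policyXml = "$env:TEMP\kiosk-applocker.xml"

# Baseline written by hand: everything for Administrators, the Windows folder for Everyone.
# Without these two rules, enforcing Exe rules locks out administrators and the OS itself.
[xml]$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-Guid)" Name="Administrators: all files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Everyone: Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Publisher rules (hash fallback for unsigned binaries) generated from the kiosk app on disk, for Everyone.
$appRules = Get-AppLockerFileInformation -Directory $kioskDir -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User 'Everyone' -Optimize -Xml
[xml]$appPolicy = $appRules
foreach ($rule in $appPolicy.AppLockerPolicy.RuleCollection.ChildNodes) {
    $policy.AppLockerPolicy.RuleCollection.AppendChild($policy.ImportNode($rule, $true)) | Out-Null
}
$policy.Save($policyXml)

# AppLocker enforces nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Apply locally; -Merge leaves rule collections the file does not mention untouched.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge

# Decision check for the kiosk user: cmd.exe is Allowed (Windows folder), but the same
# binary copied outside %WINDIR% is Denied, because no path or publisher rule covers it there.
Copy-Item "$env:WINDIR\System32\cmd.exe" "$env:TEMP\cmd-copy.exe" -Force
Test-AppLockerPolicy -XmlPolicy $policyXml -User 'KioskUser' `
    -Path "$env:WINDIR\System32\cmd.exe", "$env:TEMP\cmd-copy.exe" |
    Select-Object FilePath, PolicyDecision, MatchingRule

# What audit mode would have blocked so far (event 8003 = allowed, but would be denied when enforced).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Once the 8003 events show only expected entries, change EnforcementMode to Enabled and re-apply. The Exe collection alone leaves scripts, DLLs, installers and packaged apps uncontrolled; add those collections the same way, and note that a path rule such as %WINDIR%\* also admits anything a standard user can write beneath it, which is the usual reason to prefer publisher rules or WDAC.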
Additional Resources
WDAC and AppLocker feature availability
Device Safeguards
Windows IoT Enterprise gives you the power as the administrator of your devices to set certain policies to
protect your IoT devices. Whether that be against device tampering, malware infections, data loss, or preventing
peripherals from gaining access to your device, Windows IoT Enterprise gives you the power to create a
customized experience that safeguards against these threats.
In a Windows IoT device restrictions profile, most configurable settings are deployed at the device level using
device groups.
The following guide reviews the various policies that can be configured to create a safe and secure device usage
experience.
NOTE
These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data
from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10
devices you can configure BitLocker and Windows Information Protection, which will encrypt company data even if it is
stored on a personal device, or use the Storage/RemovableDiskDenyWriteAccess CSP to deny write access to removable
disks. Additionally, you can classify and protect files on Windows devices (including their mounted USB devices) by using
Microsoft Defender for Endpoint and Azure Information Protection.
Device Installation Settings - MDM
If your organization manages devices through mobile device management, we recommend you review the
following device installation policies:
Allow Installation Of Matching Device IDs
Allow Installation Of Matching Device Instance IDs
Allow Installation Of Matching Device Setup Classes
Prevent Device Metadata From Network
Prevent Installation Of Devices Not Described By Other Policy Settings
Prevent Installation Of Matching Device IDs
Prevent Installation Of Matching Device Instance IDs
Prevent Installation Of Matching Device Setup Classes
Look up device ID
You can use Device Manager to look up a device ID.
1. Open Device Manager.
2. Click View and select Devices by connection.
3. From the tree, right-click the device and select Properties.
4. In the dialog box for the selected device, click the Details tab.
5. Click the Property drop-down list and select Hardware Ids.
6. Right-click the top ID value and select Copy.
For information about Device ID formats, see Standard USB Identifiers.
For information on vendor IDs, see USB members.
The following is an example of looking up a device's vendor ID and product ID (which are part of the Plug and
Play device ID, for example USB\VID_xxxx&PID_xxxx) using PowerShell:
PowerShell
# List disk drives with the PnP device ID that carries the vendor and product IDs
Get-CimInstance -ClassName Win32_DiskDrive |
    Select-Object -Property Model, InterfaceType, PNPDeviceID
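The device installation policies listed above, applied end to end, as an added example that is not part of the original article. It enumerates the hardware IDs of every USB device currently attached (the same values Device Manager shows under Hardware Ids), writes them into the allow-list that the Group Policy "Allow installation of devices that match any of these device IDs" uses, and then turns on "Prevent installation of devices not described by other policy settings". The registry location is the one the Administrative Template writes; MDM-managed devices should set the equivalent DeviceInstallation Policy CSP nodes instead. Run it elevated on a lab device first.

```powershell
# Added example (not from the Windows IoT docs): build a USB hardware-ID allow-list, then deny everything else.
# Assumption: devices are managed by local/Group Policy; on MDM-managed devices use the Policy CSP nodes.

# Every present USB device, hubs and composite parents included: child devices cannot install
# unless their parent hub is allowed too.
$usbDevices = Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like 'USB\*' }

$allowList = foreach ($dev in $usbDevices) {
    # DEVPKEY_Device_HardwareIds is the list shown in Device Manager > Details > Hardware Ids.
    $hwIds = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
    [pscustomobject]@{
        FriendlyName = $dev.FriendlyName
        Class        = $dev.Class
        # The first entry is the most specific (VID, PID and revision); it is the one to allow.
        HardwareId   = $hwIds | Select-Object -First 1
    }
}
$allowList = $allowList | Where-Object HardwareId | Sort-Object HardwareId -Unique
$allowList | Format-Table -AutoSize

# Policy location used by "Allow installation of devices that match any of these device IDs"
# and "Prevent installation of devices not described by other policy settings".
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
New-Item -Path "$base\AllowDeviceIDs" -Force | Out-Null

$i = 1
foreach ($entry in $allowList) {
    # Values are numbered string values whose data is the hardware ID.
    New-ItemProperty -Path "$base\AllowDeviceIDs" -Name "$i" -Value $entry.HardwareId -PropertyType String -Force | Out-Null
    $i++
}
New-ItemProperty -Path $base -Name 'AllowDeviceIDs'  -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $base -Name 'DenyUnspecified' -Value 1 -PropertyType DWord -Force | Out-Null

# Show what was written; gpupdate /force (or a restart) makes the policy effective.
Get-ItemProperty -Path "$base\AllowDeviceIDs"
Get-ItemProperty -Path $base | Select-Object AllowDeviceIDs, DenyUnspecified
```

Two caveats worth stating plainly. The prevent policy applies to new installations, so devices that were already installed keep working until they are removed, which is why the allow-list is captured before the policy is turned on. And a hardware ID is not an identity: any USB device can present an allowed VID/PID, so this stops accidental or opportunistic plug-ins, not a deliberate attacker with a programmable device. Treat it as one layer next to the removable-storage controls and Defender settings listed under Additional Resources.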
Additional Resources
Policy CSP - DeviceInstallation
Defender/AllowFullScanRemovableDriveScanning
Perform a custom scan of a removable device
Device Control Power BI Template for custom reporting
Windows Information Protection
Keyboard Filter
If your device is being used for a dedicated purpose, it may make sense to ensure that key combinations like
'Ctrl+Alt+Delete' do not alter the operation of the device by locking the screen or using Task Manager to close a
running application. Windows IoT Enterprise provides a feature called Keyboard Filter that allows you to
suppress undesirable key presses or key combinations.
NOTE
Turning Keyboard Filter on or off requires that you restart your device. Keyboard Filter is active only after the
restart.
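A Keyboard Filter configuration through its WEKF_* WMI classes, as an added example that is not part of the original article. It enables the feature, blocks the predefined combinations that let a user leave or kill the foreground app, adds custom combinations that are not in the predefined list, and sets the breakout key. Which keys to block is a choice for the device, not a rule; run it elevated and restart afterwards.

```powershell
# Added example (not from the Windows IoT docs): block escape-hatch key combinations with Keyboard Filter.
# Assumptions: the key list and breakout key below are choices for this device, not defaults.

Enable-WindowsOptionalFeature -Online -FeatureName 'Client-KeyboardFilter' -NoRestart | Out-Null

$ns = 'root\standard\cimv2\embedded'

function Block-PredefinedKey {
    param([string]$Id)
    # Predefined combinations already exist as WEKF_PredefinedKey instances; flip Enabled and save.
    $key = Get-WmiObject -Namespace $ns -Class WEKF_PredefinedKey | Where-Object Id -eq $Id
    if (-not $key) { Write-Warning "No predefined key named $Id"; return }
    $key.Enabled = 1
    $key.Put() | Out-Null
}

function Block-CustomKey {
    param([string]$Id)
    # Custom combinations are created as new WEKF_CustomKey instances (enabled on creation).
    if (-not (Get-WmiObject -Namespace $ns -Class WEKF_CustomKey | Where-Object Id -eq $Id)) {
        Set-WmiInstance -Namespace $ns -Class WEKF_CustomKey -Arguments @{ Id = $Id } | Out-Null
    }
}

# Ways out of a full-screen app: secure attention sequence, lock, task switching, close, Run, Task Manager.
'Ctrl+Alt+Delete', 'Win+L', 'Alt+Tab', 'Alt+F4', 'Win+R', 'Ctrl+Shift+Esc', 'Win+E', 'Win+I' |
    ForEach-Object { Block-PredefinedKey $_ }

# Application-specific combinations that are not predefined (closing a browser tab, toggling full screen).
'Ctrl+W', 'F11' | ForEach-Object { Block-CustomKey $_ }

# Breakout key: the scan code an administrator uses to get out of a locked-down session.
# 91 is the left Windows key (the default); choose a key the kiosk keyboard does not expose.
$breakout = Get-WmiObject -Namespace $ns -Class WEKF_Settings | Where-Object Name -eq 'BreakoutKeyScanCode'
$breakout.Value = '91'
$breakout.Put() | Out-Null

# What is now blocked (active after the restart).
Get-WmiObject -Namespace $ns -Class WEKF_PredefinedKey | Where-Object Enabled -eq $true | Select-Object Id
Get-WmiObject -Namespace $ns -Class WEKF_CustomKey | Select-Object Id, Enabled
```

By default the filter does not apply to administrators (the WEKF_Settings entry DisableKeyboardFilterForAdministrators), which keeps the device serviceable but also means the kiosk account must be a standard user for the blocks to mean anything. Filtering keys does not stop the application itself from opening a file dialog or a help link that leads back to the desktop; that is what Application Control and assigned access are for.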
Additional Resources
Keyboard Filter
Predefined Key Combinations
Keyboard Filter WMI provider reference
Windows PowerShell script samples for Keyboard Filter
Unified Write Filter
The Unified Write Filter (UWF) is a Windows IoT Enterprise feature that helps to protect your drives by
intercepting and redirecting any writes to the drive (app installations, settings changes, saved data) to a virtual
overlay. The virtual overlay is a temporary location that is usually cleared during a reboot or when a guest user
logs off.
The Unified Write Filter is useful in the following scenarios:
Isolating writes to extend the life of storage media
Optimizing Application load timing on boot – it can be faster to resume from a HORM file on every boot
rather than reloading the system on each boot
Resetting systems like Thin Clients, which are used in shared workspaces (e.g. schools, libraries, hotels, etc.)
with frequent guests to ensure each guest receives a clean experience
TIP
You can install UWF for running PCs and devices, prepare it for customized Windows images, or manage it remotely using
CSP or WMI.
Additional Resources
Enable UWF
Unified Write Filter
Unified Write Filter WMI Provider Reference
UWF Command-line tool
Service UWF-protected devices
Hibernate Once/Resume Many (HORM)
A device with HORM enabled can quickly be turned off or shut down, and then restarted into the preconfigured
state, even in the event of a sudden power loss.
Configure HORM
You can use the Hibernate Once/Resume Many (HORM) feature with Unified Write Filter (UWF) to start your
device in a preconfigured state. When HORM is enabled, your system always resumes and restarts from the last
saved hibernation file (hiberfil.sys).
UWF configuration
UWF must be enabled before you can enable or disable HORM. UWF must be configured in the following ways
to protect the hibernation file from becoming invalid:
All fixed volumes that are mounted on the system must be protected by UWF.
Your system must not have any file, folder, or registry exclusions configured for UWF.
The UWF overlay must be configured to use RAM mode. HORM does not support disk-backed overlays.
UWF does not filter hibernation files from being written to disk. If you want to protect the preconfigured state of
your device, lock down any functionality that can modify the hibernation file. For example, disable hibernation,
hybrid sleep, and fast startup on your device for standard user accounts so that the saved hibernation file is not
overwritten when entering a sleep, hibernate, or shutdown state.
To disable hybrid sleep and fast startup on your device, follow these steps.
To configure the UWF with HORM, check out this guide.
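The UWF and HORM configuration described in the two sections above, driven by uwfmgr.exe, as an added example that is not part of the original article. It protects every fixed volume with a RAM-backed overlay, removes the power transitions that would overwrite the hibernation file, and, after the restart that activates the filter, enables HORM and captures the golden state. The single fixed volume C: and the overlay size are assumptions; run it elevated and in the two phases marked.

```powershell
# Added example (not from the Windows IoT docs): UWF with a RAM overlay, then HORM.
# Assumptions: C: is the only fixed volume; 2 GB of overlay is enough between reboots.

Enable-WindowsOptionalFeature -Online -FeatureName 'Client-UnifiedWriteFilter' -NoRestart | Out-Null

# ----- Phase 1: configure UWF (takes effect after a restart) -----
uwfmgr.exe filter enable
uwfmgr.exe overlay set-type RAM        # HORM does not support disk-backed overlays
uwfmgr.exe overlay set-size 2048       # MB; when the overlay fills, the device must reboot
uwfmgr.exe volume protect C:           # every fixed volume must be protected for HORM

# HORM forbids exclusions; confirm none are left from earlier experiments (remove any that are).
uwfmgr.exe file get-exclusions
uwfmgr.exe registry get-exclusions

# UWF does not filter hiberfil.sys, so stop normal power transitions from regenerating it:
# keep hibernation on (HORM needs the file) but turn off hybrid sleep and fast startup.
powercfg.exe /hibernate on
powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0
powercfg.exe /setdcvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0
powercfg.exe /setactive SCHEME_CURRENT
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' `
    -Name HiberbootEnabled -Value 0 -Type DWord

# Restart-Computer      # uncomment; the filter becomes active on the next boot

# ----- Phase 2 (after the restart, filter active): verify, enable HORM, capture the state -----
uwfmgr.exe get-config                  # expect: filter ON, overlay type RAM, C: protected, no exclusions
uwfmgr.exe filter enable-horm
# Start the kiosk app and bring the device into exactly the state every boot should return to,
# then hibernate. This write of hiberfil.sys is the image all later boots resume from.
shutdown.exe /h
```

Servicing a device in this state is deliberate work: updates written while the filter is on vanish at the next reboot, so disable HORM, then use the UWF servicing mode (or disable the filter) before patching, and recapture the hibernation file afterwards. Also keep in mind what UWF is not: during a session every write still lands in the overlay, so malware or a tampered configuration runs until the next reboot; UWF restores state, it does not prevent compromise.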
Custom Logon
Custom Logon features allow you to take control of the welcome and shutdown screens for your device.
Feature Benefits
By using Custom Logon, you can suppress all elements of the Welcome screen UI and provide a custom logon
UI for your users. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end
applications while the OS waits for applications to close before a shutdown.
Custom Logon settings do not modify the credential behavior of Winlogon, so you can use any credential
provider that is compatible with Windows to provide a custom sign-in experience for your device.
Complementary Features
You may want to use or change some of the following features in conjunction with Custom Logon to further
customize the user experience.
Power button
We recommend that you remove the power button from the Welcome screen and block the physical power
button so that a user cannot turn off the device when using assigned access or shell launcher.
Go to Power Options > Choose what the power button does, change the setting to Do nothing, and then click
Save changes.
Remove Wireless UI from the Welcome screen
You can also remove the Wireless UI option from the Welcome screen by using Group Policy.
To remove Wireless UI from the Welcome screen:
1. From a command prompt, run gpedit.msc to open the Local Group Policy Editor.
2. In the Local Group Policy Editor, go to Computer Configuration > Administrative Templates > System
> Logon.
3. Double-tap or click Do not display network selection UI and set it to Enabled.
Welcome Screen
You also have the option to remove other buttons from the Welcome screen to create your own customized
experience.
This includes:
Language button
Ease of Access button
Switch user button
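The Custom Logon settings from this section applied from PowerShell, as an added example that is not part of the original article. It enables the Embedded Logon feature, removes every Welcome screen button and the Blocked Shutdown Resolver while keeping the credential prompt, sets the physical power button to do nothing, and writes the "Do not display network selection UI" policy. The registry locations are the ones the feature and the Group Policy read; the flag combination is a choice for the device. Run it elevated.

```powershell
# Added example (not from the Windows IoT docs): Custom Logon plus the complementary settings above.
# Assumption: the flag combination below fits the device; adjust it from the table in the comments.

Enable-WindowsOptionalFeature -Online -FeatureName 'Client-EmbeddedLogon' -NoRestart | Out-Null

# BrandingNeutral bit flags:
#   1  disable all Welcome screen UI elements
#   2  disable the power button
#   4  disable the language button
#   8  disable the Ease of Access button
#  16  disable the Switch user button
#  32  disable the Blocked Shutdown Resolver (BSDR) screen
$flags = 2 + 4 + 8 + 16 + 32        # keep the credential UI; remove every button and the BSDR

$logonKey = 'HKLM:\SOFTWARE\Microsoft\Windows Embedded\EmbeddedLogon'
New-Item -Path $logonKey -Force | Out-Null
Set-ItemProperty -Path $logonKey -Name BrandingNeutral         -Value $flags -Type DWord
Set-ItemProperty -Path $logonKey -Name HideAutoLogonUI         -Value 1      -Type DWord  # no "Welcome" UI on autologon
Set-ItemProperty -Path $logonKey -Name HideFirstLogonAnimation -Value 1      -Type DWord
Set-ItemProperty -Path $logonKey -Name AnimationDisabled       -Value 1      -Type DWord
Set-ItemProperty -Path $logonKey -Name NoLockScreen            -Value 1      -Type DWord

# Physical power button: Do nothing on AC and battery, as recommended for assigned access / Shell Launcher.
powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0
powercfg.exe /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0
powercfg.exe /setactive SCHEME_CURRENT

# Group Policy "Do not display network selection UI" (Computer Configuration > Administrative
# Templates > System > Logon), written to its policy key.
$sysPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
New-Item -Path $sysPolicy -Force | Out-Null
Set-ItemProperty -Path $sysPolicy -Name DontDisplayNetworkSelectionUI -Value 1 -Type DWord

# Verify what was written; changes show at the next sign-out or restart.
Get-ItemProperty -Path $logonKey | Select-Object BrandingNeutral, HideAutoLogonUI, NoLockScreen
Get-ItemProperty -Path $sysPolicy -Name DontDisplayNetworkSelectionUI
```

Flag 32 matters on unattended devices: with the BSDR suppressed, an application that blocks shutdown is ended rather than leaving the device waiting on a screen nobody will see. Keep a way in for maintenance, for example a breakout key in Keyboard Filter or a known administrator account, because once the Switch user and Ease of Access buttons are gone the Welcome screen offers no alternative path.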
Additional Resources
Custom Logon
Complementary features to Custom Logon
Troubleshooting Custom Logon
Microsoft Store Access
You have the option to decide how much access you would like your users to have when it comes to opening the
Microsoft Store on Windows IoT Enterprise. Access to the Microsoft Store can be blocked or modified to achieve a
desired customer experience or to meet an organization's policy. You can use AppLocker or Group Policy to
configure access to the Microsoft Store.
NOTE
The Long-Term-Servicing Channel (LTSC) has the store service for updating preinstalled apps, but does not include the
Store UI for browsing apps. The Semi-Annual Channel (SAC) has both the store service and UI.
Additional Resources
Configure access to Microsoft Store
Distribute apps using your private store
Manage access to private store
Settings Page Policy: Page Visibility
Page Visibility is a feature that allows you to further customize the visibility of pages in the System Settings app.
Additional Resources
Page Visibility List
Policy CSP - Settings
Policy CSP
ms-settings: URI scheme reference
Layout Control
In Windows IoT Enterprise, organizations can deploy a customized Start and Taskbar configuration to their
devices. We know how important it is for your devices to maintain your brand and customized user-experience.
IMPORTANT
If you use a provisioning package or import-startlayout to configure the taskbar, your configuration will be reapplied each
time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's
change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to
make changes that will persist, apply your configuration by using Group Policy.
If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be
applied and cannot be changed by users. If you use Group Policy and your configuration includes taskbar and a full Start
layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a
partial Start layout, users can make changes to the taskbar and to tile groups not defined in the partial Start layout.
Additional Resources
Customize the Start screen on your test computer
Export the Start layout
Configure a partial Start layout
Remove default apps
Remove default apps and add your own
Configure taskbar by country or region
Layout Modification Template schema definition
Secondary tile guidance
Pin secondary tiles
Add image for secondary Microsoft Edge tiles
Unbranded Boot and Errors
Unbranded Boot enables you to suppress Windows elements that appear when Windows starts or resumes and
can suppress the crash screen when Windows encounters an error that it cannot recover from.
NOTE
If Windows has already been installed you cannot apply a provisioning package to configure Unbranded Boot; instead you
must use BCDEdit to configure Unbranded Boot.
BCDEdit is the primary tool for editing the startup configuration and is on your development computer in the
%WINDIR%\System32 folder. You need administrator rights to use it. BCDEdit is included in a typical Windows Preinstallation
Environment (Windows PE) 4.0. You can download it from the BCDEdit Commands for Boot Environment in the Microsoft
Download Center if needed.
Exception Error
To ensure that there is no crash screen if Windows encounters an error it cannot recover from, enable the
DisplayDisabled setting using Unattend.
You can also configure the Unattend settings in the Microsoft-Windows-Embedded-BootExp component to add
Unbranded Boot features to your image during the design or imaging phase. You can manually create an
Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to
your answer file. For more information about the Unbranded Boot settings and XML examples, see the settings
in Microsoft-Windows-Embedded-BootExp.
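The BCDEdit route for an already installed image, as an added example that is not part of the original article. It enables the boot-experience feature, writes the Unbranded Boot values to {globalsettings} so every boot entry inherits them, hides the boot manager menu, and reads the store back to confirm. It assumes a single-OS device; run it elevated, and note that the DisplayDisabled setting for the crash screen is only available through Unattend, as the section says, not through BCDEdit.

```powershell
# Added example (not from the Windows IoT docs): Unbranded Boot on an installed image via BCDEdit.
# Assumption: one boot entry; the braces must be quoted so PowerShell passes them through literally.

Enable-WindowsOptionalFeature -Online -FeatureName 'Client-EmbeddedBootExp' -NoRestart | Out-Null

# Suppress the Windows logo, spinner and status text during boot and resume.
bcdedit.exe /set '{globalsettings}' bootuxdisabled on

# Never show the boot manager menu on a single-OS device.
bcdedit.exe /set '{bootmgr}' displaybootmenu no

# Read the store back; the first listing should contain "bootuxdisabled Yes".
bcdedit.exe /enum '{globalsettings}'
bcdedit.exe /enum '{bootmgr}'

# Roll back during development:
#   bcdedit.exe /deletevalue '{globalsettings}' bootuxdisabled
#   bcdedit.exe /set '{bootmgr}' displaybootmenu yes
```

Suppressing the boot UI also suppresses the visual cues a technician relies on, so keep the rollback commands handy and confirm BitLocker and recovery prompts still behave as expected on the target hardware before shipping the image.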
Additional Resources
Replace the startup logo
Configure Components and Settings in an Answer File.
Manage Update Experience
In Windows IoT Enterprise, we know that having your device ready for use at all times is very important. We have
many features to help you maximize control and customization over your devices' update screen UI and
notifications, so that you can plan ahead and control when updates occur. Below are some
common recommended configuration settings. Consider whether each individual configuration setting applies
to your device scenario.
NOTE
This setting also affects the color of accents within the UI of the OS.
TIP
Set the value to 1 to hide all notifications except restart warnings, or to 2 to hide all notifications, including restart
warnings.
Additional Resources
Windows Updates in Windows IoT Enterprise
Manage device restarts after updates
Manage additional Windows Update settings
Deploy feature updates during maintenance windows
Deploy feature updates for user-initiated installations
Device Management Overview
Managing a device is now easier than ever on Windows 10 IoT Enterprise. There are multiple options that your
organization can choose from in order to best manage your devices, such as Microsoft Intune, Endpoint
Manager, and third-party OMA-DM based management tools. OEMs can also select Azure Device Agent, which
leaves it up to their customers to select the device management solution that fits them best.
NOTE
Starting in version 1910, Configuration Manager current branch is now part of Microsoft Endpoint Manager. Version
1906 and earlier are still branded System Center Configuration Manager (SCCM). The Microsoft Endpoint Manager brand
will appear in the product and documentation over the coming months.
Connected devices face a continual stream of new security threats; updates are an essential tool for addressing them.
The Microsoft Security Response Center (MSRC) is part of the defender community and on the front line of
security response evolution. MSRC's mission is to protect customers from being harmed by security
vulnerabilities in Microsoft's products and services. By building your solution with Windows IoT Enterprise, you
have the Microsoft Security Response Center's commitment to security. Please review their Security Update
Guide to ensure your devices are up to date and secured.
Windows Update advantages:
Keeps the device up to date with critical security software updates
Utilizes Microsoft's proven and scalable infrastructure
Updates can be easily managed and controlled by device owners
Windows IoT Enterprise gives you the power to manage and control updates as per device and organization
requirements.
IMPORTANT
Be sure to have a well-designed servicing strategy for your device. Disabling Windows Update capabilities leaves the
device in a vulnerable state if your device isn't getting updates in another way.
NOTE
Setting this policy also stops the device from getting updates from other machines on the local network. To be sure of this
behavior, you can also turn off Delivery Optimization, which is the subsystem for getting updates from other machines on
your local network.
Additional Resources
Update Notifications
Device Management
Application Updates
OEMs and enterprise customers can deliver app updates to Windows IoT Enterprise devices in the following
ways:
Using Microsoft Store : The app is published and updated from the Microsoft Store
Using Azure IoT Device Management : The app is published to Azure Storage and updated through the
Azure DM channel New for Windows 10, version 1709
Using OMA-DM : The app is updated using an OMA-DM compliant device management channel such as
Intune.
Using Device Update Center : The app is published to Windows Update and updated like any other OEM
package (driver package). This feature is coming soon for Windows IoT Enterprise; it is currently in private
preview. See Device Management for more information.
NOTE
The first version of the app is always pre-packaged in the device at image-creation time. The
ApplicationManagement/AllowAllTrustedApps setting should be set to enable installation of trusted apps.
Appx Signing Store Signed Store signed or OEM Signed Store signed or OEM Signed
This article will give you an overview of the Device Reset and Device Recovery features.
Device Reset
Device reset is a process to restore the device to its initial conditions (with all user data removed). This is useful
when you want to wipe out the user data/enterprise provisioning data and bring the device back to its pristine
state.
Device reset includes the following key operations:
Formats the data partition (all data stored there is lost)
OEM custom packages should not store files/data in the data partition if they want to use device reset.
Restores all registry settings to the initial values specified in the packaging
Removes extraneous files in the Main OS partition excluding the files specified in the packaging
Restores Microsoft Store Apps to the version packaged in the Image (via PPKG)
Store app updates performed via the Microsoft Store will be reverted
All changes to BCD settings performed at run-time will remain intact
All OS/OEM updates applied to the device will remain intact
NOTE
The Recovery process will also roll back the updates and put the device back to the factory condition.
Factory Reset
Factory reset restores the state of the device back to its first-boot state plus any update packages. The reset will
not return device to the original factory state. To return the device to the original factory state, you must flash it
with the original factory image. All the provisioning applied to the device by the enterprise will be lost and will
need to be re-applied if needed.
Reset using Mobile Device Management
Device reset can also be triggered using the Azure Device Management using Remote Wipe API.
NOTE
The reset through this API performs additional functionality such as resetting the TPM.
Device Recovery
Device recovery is a process to recover devices that are inoperable due to an incorrect or bad storage state. This is done by
booting into a known safe OS or recovery OS and re-flashing the storage media.
The three key elements of recovery are:
1. Safe OS : This OS can be configured to launch on boot without UI. In this state it can run a flashing app
to apply a recovery image from a predefined location.
2. Recovery SW : SW image used to re-flash the devices
3. Recovery design choice : Based on the location of the Safe OS and the recovery software, various design
choices are available; see the various options below.
NOTE
This process does not recover from hardware failures of storage (e.g. catastrophic media failure).
In this option, the Recovery SW is picked up from the attached USB device / SD card.
Hardware Requirements:
Requires either SD card interface or USB port (mass storage)
May require hardware key (or key combination) to trigger
BSP Changes:
Requires changes to respond to HW trigger (key/key combinations) to boot into the safe OS in separate
partition
Drivers for USB device / SD card interfaces may need to be added to Safe OS
Device layout changes to store safe OS (size can be smaller to accommodate only the safe OS)
Flashing tool to update only the main OS and Data partitions and skip updating the safe OS partition. This is
essential to preserve the safe OS to be able to retry recovery if there is a power loss during a recovery
process.
Recovery SW from recovery partition
This option is like the earlier option, the only difference being that the Recovery SW is stored in the recovery partition itself.
The device layout for this approach may differ in the size of the recovery partition (larger, to accommodate the
Recovery SW and potentially a backup Recovery SW).
TIP
A Recovery SW present on the device will become outdated over time, and the OS version after the recovery may fall off
the update train. One way to mitigate this issue is to refresh the Recovery SW image on the device using the BSP update
path on a yearly cadence.
Recovery SW from cloud
In this option, the Recovery SW is downloaded from a predefined cloud service/web location. The cloud service
needs to be set up so that it can securely offer the Recovery SW to the device. To realize this option, the safe OS
must support network connectivity, so Wi-Fi drivers need to be added to the safe OS; in addition, the
Wi-Fi profile in the main OS should also be made available to the safe OS so it can connect to the network.
Additional Resources:
Windows 10 Recovery Options
Network Service Controls
NOTE
Microsoft is increasing transparency by categorizing the data we collect as required or optional. For more information, see
Changes to Windows diagnostic data.
Learn how to manage various network service control options in Windows IoT Enterprise. If you want to
minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of
settings for consideration.
This list displays the network connections to Microsoft services by default and shows you how to configure
these settings to control the data that is sent to Microsoft.
TIP
Microsoft strongly recommends that customers do not turn off all network connections unless absolutely necessary, as
crucial security patches and updates may be missed, leaving devices vulnerable. Instead, it is recommended that customers
manage their network service controls and pick and choose which connections (if any) to disable.
Additional Resources
Manage Settings for Windows IoT Enterprise
Configure Windows diagnostic data in your organization
TPMPolicy CSP
Bus Providers
Windows has in-box UWP APIs that provide direct access to GPIO, SPI, or I2C busses. This gives very easy access
to this hardware from a high-level API. However, there are many times when a device maker wants to use an off-
SoC controller to access a bus. It can be as simple as a cheap chip that adds 16 GPIO pins, or as rich as a full
MCU that not only adds GPIO, SPI, and I2C pins, but also supports PWM and ADC. With the "Bus Provider"
model, we give developers the ability to access these off-SoC busses using the in-box APIs, using a user-mode
provider that bridges the gap.
Someone building a provider implements a set of interfaces into a UWP class library and then any developer
who wants to talk to that hardware simply includes the component and tells the in-box APIs about it. If you look
at the sample code from the remote provider you can see how easy it is to configure the provider, and once set
as the default provider for that app, the rest of the code in the client app is identical to the code required to
access an on-SoC bus.
// Describe the off-SoC hardware the provider should talk to (USB VID/PID and baud rate)
Providers.Provider.Configuration =
    new Providers.ConnectionConfiguration("VID_2341", "PID_0043", 57600);
// Register it as the app's default provider; the in-box GPIO/I2C/SPI APIs now route through it
Windows.Devices.LowLevelDevicesController.DefaultProvider = new Providers.Provider();
Available Providers
We currently have a number of providers available on the Bus Providers GitHub repo. In addition to the code for
the provider, each provider has a sample VS solution that demonstrates how a client would use that provider.
ADC
Ads1x15
Mcp3008
PWM
PCA9685
Simulated with Gpio
In addition to the providers that give you access to real hardware, we have built a Simulated Provider that will
act as if it was an infinitely capable provider and is designed to let you write and debug your applications
without having to first deploy them to a working device. For a richer experience, you can customize it to
simulate your actual hardware. For example: updating the I2C provider to return the result "75" when you
send it the command for a temperature reading on a device with the designated secondary address.
Additional Resources
Additional bus tools, sample code, and guidance on building and testing on I2C, SPI, GPIO, and MinComm/UART can be found
here.
Please reference Windows Runtime (WinRT) APIs and here's how to leverage the APIs from Win32 applications.
Review Windows Bus Providers
Device Drivers
Device drivers are essential for any IoT device. This section outlines how to write device drivers, how driver
signing works in Windows IoT Enterprise (this is different from traditional client signing), and how to add device
drivers to images.
Device Signing
With Windows IoT Enterprise, you have two options for getting your driver signed by Microsoft. The first
is the traditional client signing process and the second is attestation signing.
Traditional Client Signing
For typical traditional client signing, if you are unfamiliar with the device and driver installation process, we
recommend that you start by reviewing Roadmap for Device and Driver Installation. You may also want to read
Overview of Device and Driver Installation for a high-level overview of this process and its components.
Attestation Signing
Follow this article to learn how attestation signing works for a kernel driver for public release.
NOTE
When a driver receives attestation signing, it is not Windows Certified. An attestation signature from Microsoft indicates
that the driver can be trusted by Windows, but because the driver has not been tested in HLK Studio, there are no
assurances made around compatibility, functionality, etc.
Embedded Mode is a Win32 service. In Windows it only starts if the user, an application, or another service
starts it. When the Embedded Mode service is started, it runs as LocalSystem in a shared svchost.exe process
along with other services. Embedded Mode is supported on Windows IoT Enterprise.
Embedded Mode enables:
Background Applications
Use of the lowLevelDevice capability
Use of systemManagement capability
3. Click Advanced provisioning . Name the project AllowEmbeddedMode and click Next .
4. Choose common to All Windows editions then Next .
5. Click Finish .
9. Click Next .
13. To install the embedded mode .PPKG on Windows IoT Enterprise double-click on the .PPKG.
14. Click Yes, add it .
Click Yes on the LUA dialog if it appears, and then click Yes, add it on the dialog shown below.
Background Applications
Background Applications are created using the Background Application (IoT) template in Visual Studio.
Background applications run without stopping and without resource limits. Also, if the background application
stops for some reason and embedded mode is enabled the background application will be restarted by the
system.
While the system will automatically restart background applications, system lockdown features must be enabled
to prevent users from stopping or interfering with the operation of Background Applications.
systemManagement Capability
When you enable the systemManagement capability for your application, this is the set of APIs that gets
unlocked:
Windows.System.ProcessLauncher
Windows.System.TimeZoneSettings
Windows.System.ShutdownManager
Windows.Globalization.Language.TrySetInputMethodLanguageTag
Windows IoT Enterprise provides developers with many on-screen keyboard features to enhance the user
experience.
Key features
The keyboard implementation provides the following benefits to your headed device development:
Enable On-Screen Keyboard
The entire set of Windows keyboard language layouts
Support for input scopes (e.g., Email Address, Numeric PIN, Search Field, etc.)
Input Method Editor (IME)
Non-obscured text input fields
Dictation mode
A selection of user interface preferences
NOTE
To open the On-Screen Keyboard from the sign-in screen, select the Ease of Access button in the lower-right corner of
the sign-in screen, and then select On-Screen Keyboard .
NOTE
Text Prediction is available in English, French, Italian, German, and Spanish. If you want to use one of these languages
and it isn't installed, install the language files for that language.
If you're using either hovering mode or scanning mode and accidentally minimize the On-Screen Keyboard, you can
restore it by pointing to it in the taskbar (for hovering mode) or by pressing the scan key (for scanning mode).
If you minimize the On-Screen Keyboard and switch to tablet mode, use the Task view button to get back to the On-
Screen Keyboard.
Feature packages
For prototyping (development) images, the on-screen keyboard feature is already included, but you will need to
enable it from Device Settings in the Windows Device Portal.
For commercialization, the following optional feature packages will add the on-screen keyboard to your image:
IOT_SHELL_ONSCREEN_KEYBOARD
IOT_SHELL_ONSCREEN_KEYBOARD_FOLLOWFOCUS
NOTE
Most of the registry settings documented here will take effect while the on-screen keyboard is visible. This allows you
during development to easily try different combinations of settings values, immediately seeing the resulting changes in
real time. If a setting does not take effect immediately, you will need to reboot the device in order to see the changes to
the keyboard UI.
Keyboard Height
By default, the touch keyboard will use the lower 45% of the screen's height. This may appear too large or small
on your device, depending on its size and resolution. You can adjust the height up to a maximum of two-thirds
the height of the screen. Any value not in range will be clamped into range. Because this is specified as a floating
point value, it allows for pixel-level precision.
Apply the following formula to calculate the percentage:
percentage = (100 * <desired_pixel_height>) / <screen_height>
As an example, to change the height to 56.783%, you would set the following registry value:
or from PowerShell:
NOTE
The registry value type must be a String ( REG_SZ ), so that fractional values can be represented with a decimal point.
Using DWord ( REG_DWORD ) will not work, even for whole-number percentages.
Additional preferences
The remaining preferences are String values in the Preferences subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\IoTShellExtension\OSK\Preferences
REGISTRY VALUE | DEFAULT VALUE | DESCRIPTION
EmojiKeyEnabled | "0" | "0" hides the Emoji key; "1" shows it, allowing the user to enter Emoji characters.
NOTE
Dictation mode requires a speech package to be installed for the selected input language, as well as an audio input device.
If a matching speech package is not installed, the dictation button will not be shown.
All images include the en-US speech language. Other speech packages are installed as optional features. For more
information about IoT Features, see IoT Core Feature List and IoT Core manufacturing guide.
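The height formula and the String-typed Preferences values above, worked through in PowerShell. This is an added example, not code from the Windows IoT documentation; the Preferences subkey path is the one documented above, but the registry value name for the keyboard height is not given on this page and is a placeholder here.

```powershell
# Added example (not from the Windows IoT docs): compute the on-screen keyboard height
# percentage with the documented formula, clamp it to the two-thirds maximum, and store
# it as a REG_SZ string so the decimal point survives (a REG_DWORD is ignored).

$OskKey        = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\IoTShellExtension\OSK'
$PreferenceKey = "$OskKey\Preferences"                 # subkey documented on this page
$HeightValue   = 'PLACEHOLDER_HEIGHT_VALUE_NAME'       # assumption: substitute the real value name

function Get-OskHeightPercentage {
    param(
        [Parameter(Mandatory)][int]$DesiredPixelHeight,
        [Parameter(Mandatory)][int]$ScreenHeight
    )
    if ($ScreenHeight -le 0 -or $DesiredPixelHeight -le 0) { throw 'Heights must be positive' }
    # percentage = (100 * desired_pixel_height) / screen_height   (formula from the page)
    $pct = (100 * $DesiredPixelHeight) / $ScreenHeight
    # The keyboard clamps out-of-range values; clamp here too so the stored value is honest.
    $max = 200 / 3                                     # two-thirds of the screen height
    if ($pct -gt $max) { $pct = $max }
    # Invariant-culture formatting guarantees a '.' decimal point regardless of locale.
    return $pct.ToString('0.###', [System.Globalization.CultureInfo]::InvariantCulture)
}

function Set-OskStringValue {
    param([string]$Key, [string]$Name, [string]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # -PropertyType String creates REG_SZ; -Force overwrites a value of the wrong type.
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType String -Force | Out-Null
    # Read back and verify the stored kind really is String, not DWord.
    $item = Get-Item -Path $Key
    if ($item.GetValueKind($Name) -ne 'String') { throw "$Name was not stored as REG_SZ" }
    return $item.GetValue($Name)
}

# Constructed input: a 1080-pixel-tall screen and a keyboard 613 pixels tall -> "56.759"
$height = Get-OskHeightPercentage -DesiredPixelHeight 613 -ScreenHeight 1080
Set-OskStringValue -Key $OskKey -Name $HeightValue -Value $height
# Documented Preferences value: "1" shows the Emoji key, "0" hides it
Set-OskStringValue -Key $PreferenceKey -Name 'EmojiKeyEnabled' -Value '1'
```

Run from an elevated PowerShell session; if the keyboard is visible the change should be reflected immediately, otherwise reboot as the note above describes.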
As an example, to enable only wide keyboard mode, in PowerShell you could do the following:
Introduction
Accessibility enables people of all abilities to intuitively and efficiently leverage all the functionalities that your
applications or devices offer, regardless of how a person interacts with your application or device.
It is essential that accessibility is considered during the design phase of the product as this will avoid many
potential accessibility-related bugs. For example, during the design phase, consideration around the colors used
and the size of text (and how those might be customized by the user) can help a great many customers. And for
devices with a keyboard, during the design phase, consideration around how the keyboard can be used to
leverage all the functionality in the product, and also how to access the most frequently accessed functionality
with the fewest number of keystrokes.
For the developer, from an implementation perspective the good news is that Windows as a platform already
does a lot of work to provide some level of accessibility by default. For example, standard controls are
programmatically accessible by default through the UI Automation (UIA) API. If you choose not to use a standard
control and instead build custom UI, the work required to make the UI accessible can be much more time-
consuming than simply building apps using the standard controls provided by the platform.
Accessibility Testing
Below are tools we recommend using while building your application. While these tools will help when it comes
to auditing your own designs, please note that you will still need to account for features such as high contrast
and text requirements.
AccScope
The AccScope tool enables developers and testers to evaluate the accessibility of their app during the app's
development and design, potentially in earlier prototype phases, rather than in the late testing phases of an
app's development cycle. It's intended for testing Narrator accessibility scenarios with your app.
Inspect
Inspect enables you to select any UI element and view its accessibility data. You can view Microsoft UI
Automation properties and control patterns and test the navigational structure of the automation elements in
the UI Automation tree. Use Inspect as you develop the UI to verify how accessibility attributes are exposed in UI
Automation. In some cases, the attributes come from the UI Automation support that is already implemented for
default XAML controls. In other cases the attributes come from specific values that you have set in your XAML
markup, as AutomationProperties attached properties.
Want to learn more about accessibility testing? Read the Accessibility testing article for the full list.
ARTICLE | DESCRIPTION
Designing inclusive software | Learn about evolving inclusive design with UWP apps for Windows 10. Design and build inclusive software with accessibility in mind.
Developing inclusive Windows apps | This article is a roadmap for developing accessible UWP apps.
Accessibility checklist | Provides a checklist to help you ensure that your UWP app is accessible.
Expose basic accessibility information | Basic accessibility info is often categorized into name, role, and value. This topic describes code to help your app expose the basic information that assistive technologies need.
Keyboard accessibility | If your app does not provide good keyboard access, users who are blind or have mobility issues can have difficulty using your app or may not be able to use it at all.
High-contrast themes | Describes the steps needed to ensure your UWP app is usable when a high-contrast theme is active.
Accessible text requirements | This topic describes best practices for accessibility of text in an app, by assuring that colors and backgrounds satisfy the necessary contrast ratio. This topic also discusses the Microsoft UI Automation roles that text elements in a UWP app can have, and best practices for text in graphics.
Accessibility practices to avoid | Lists the practices to avoid if you want to create an accessible UWP app.
Custom automation peers | Describes the concept of automation peers for Microsoft UI Automation, and how you can provide automation support for your own custom UI class.
Accessibility Features
Windows IoT Enterprise includes accessibility features that can be integrated to further support where vision,
hearing, physical, cognition, along with assistive technology is needed. This additional support makes it easier to
customize devices and gives users with different abilities options to improve their experience with Windows.
General Recommendations
Be aware of Ease of Access settings – Understand how these devices are being used. Help people in your
organization learn how they can customize Windows IoT Enterprise.
Do not block settings – Avoid using Group Policy or MDM settings that override Ease of Access settings.
Encourage choice – Allow for device customization based upon needs. That might mean installing an add-
on for a browser, or a non-Microsoft assistive technology.
Additional Resources
Accessibility Information for IT Professionals
Windows Accessibility
Privacy
Windows IoT Enterprise provides users with many privacy options and features.
Privacy Features
With Windows IoT Enterprise, we provide you with even more control on your data and information. Please
review, Windows 10 & Privacy Compliance: A Guide for IT and Compliance Professionals for more features.
Additional Resources
Windows Privacy
See Microsoft's Privacy Statement if you have any questions or concerns.
Security
Windows IoT Enterprise comes with a host of security offerings that you can leverage to best fit your Windows
IoT Enterprise solution.
1. Device Protection
Windows Security provides the following built-in security options to help protect your device from malicious
software attacks. As the saying goes, a strong defense is a strong offense.
Trusted Platform Module (TPM)
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A
TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes
multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper
with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
Generate, store, and limit the use of cryptographic keys.
Use TPM technology for platform device authentication by using the TPM's unique RSA key, which is burned
into the chip itself.
Help ensure platform integrity by taking and storing security measurements.
Windows Device Health Attestation
Modern malware is getting more and more sophisticated. Some of them, specifically bootkits, are capable of
starting before Windows. Device Health Attestation can be used to detect and remediate in the unlikely event
where a device is infected. The device's firmware logs the boot process, and Windows can send it to a trusted
Health Attestation Server that can objectively assess the device's health.
Secure Boot
Secure boot is a security standard developed by members of the PC industry to help make sure that a device
boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts,
the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known
as Option ROMs), and the operating system. If the signatures are valid, the PC boots, and the firmware gives
control to the operating system.
The OEM can use instructions from the firmware manufacturer to create Secure boot keys and to store them in
the PC firmware. When you add UEFI drivers, you'll also need to make sure these are signed and included in the
Secure Boot database.
For information on how the secure boot process works, including Trusted Boot and Measured Boot, see Secure
the Windows boot process.
BitLocker
Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long
history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the
Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided
encryption for full drives and portable drives. Windows consistently improves data protection by improving
existing options and by providing new strategies. To learn more, see BitLocker Overview and Requirements FAQ
2. Threat Resistance
We provide a set of security tools for Windows to protect against a wide range of threats, including execution of
unauthorized code and scripts, network attacks, and malware. Effectively identifying, assessing, and remediating
endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat
and vulnerability management serves as an infrastructure for reducing organizational exposure, hardening
endpoint surface area, and increasing organizational resilience.
Windows Defender Firewall
Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules
that determine which network traffic is permitted to enter the device from the network and which network
traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol
security (IPsec), which you can use to require authentication from any device that is attempting to communicate
with your device. When authentication is required, devices that cannot be authenticated as a trusted device
cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted
to prevent it from being read by network packet analyzers that could be attached to the network by a malicious
user.
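A read-only posture check for the Device Protection features above (TPM, Secure Boot, BitLocker) and the Windows Defender Firewall profiles. This is an added example, not code from the Windows IoT documentation; it relies only on the in-box TrustedPlatformModule, SecureBoot, BitLocker and NetSecurity cmdlets and assumes an elevated PowerShell session on the device under test.

```powershell
# Added example (not from the Windows IoT docs): report whether the device protection
# controls described above are in their expected state. Nothing is changed on the device.

function Get-DeviceProtectionPosture {
    $findings = [System.Collections.Generic.List[object]]::new()

    # TPM: must be present, provisioned (ready) and enabled to back keys and measurements.
    $tpm = Get-Tpm
    $findings.Add([pscustomobject]@{
        Control = 'TPM'
        Pass    = [bool]($tpm.TpmPresent -and $tpm.TpmReady -and $tpm.TpmEnabled)
        Detail  = "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady) Enabled=$($tpm.TpmEnabled)"
    })

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI firmware,
    # which is itself a failing result for this control.
    try   { $sb = Confirm-SecureBootUEFI; $sbDetail = "SecureBoot=$sb" }
    catch { $sb = $false; $sbDetail = "not UEFI or query failed: $($_.Exception.Message)" }
    $findings.Add([pscustomobject]@{ Control = 'Secure Boot'; Pass = [bool]$sb; Detail = $sbDetail })

    # BitLocker: every volume should be fully encrypted with protection turned on.
    foreach ($vol in Get-BitLockerVolume) {
        $findings.Add([pscustomobject]@{
            Control = "BitLocker $($vol.MountPoint)"
            Pass    = ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
            Detail  = "Protection=$($vol.ProtectionStatus) Status=$($vol.VolumeStatus) Method=$($vol.EncryptionMethod)"
        })
    }

    # Firewall: all three profiles enabled and not defaulting to allow inbound traffic.
    foreach ($p in Get-NetFirewallProfile) {
        $findings.Add([pscustomobject]@{
            Control = "Firewall $($p.Name)"
            Pass    = ($p.Enabled -eq 'True' -and $p.DefaultInboundAction -ne 'Allow')
            Detail  = "Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)"
        })
    }
    return $findings
}

$posture = Get-DeviceProtectionPosture
$posture | Format-Table -AutoSize
if ($posture | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more device protection controls are not in the expected state.'
}
```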
Deployment Guide
Best Practices
Windows Defender
Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection,
automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects
advanced attacks and data breaches, automates security incidents, and improves security posture.
Transport Layer Security (TLS), like Secure Sockets Layer (SSL), is an encryption protocol intended to keep data
secure when being transferred over a network. These articles describe steps required to ensure that
Configuration Manager secure communication uses the TLS 1.2 protocol.
4. Cloud Security
Microsoft Azure includes tools to safeguard data according to your company's security and compliance needs.
To learn more, visit Azure Security
5. Response
Microsoft has all the tooling to provide immediate support and assistance.
Device Management
Microsoft provides a whole suite of device management solutions to keep your devices safe and monitor activity
at all times. Managing a device is now easier than ever on Windows IoT Enterprise. There are multiple options
that your organization can choose from in order to best manage your devices, such as Microsoft Intune,
Endpoint Manager and third-party OMA-DM based management tools. OEMs can also select Azure Device
Agent, which leaves it up to their customers to select the device management solution that fits them best.
Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP
Device Recovery
In case something goes wrong with your device, Windows IoT Enterprise supports two device recovery
options:
Option #1: Isolate the device using device management tools or network settings
Option #2: Reimage the device back to factory settings.
Windows IoT Device Health Attestation enables the operator to assess if a device is booted to a trusted and
compliant state, and takes appropriate remedial actions if necessary.
Additional resources
Azure Security Center
Azure Security Benchmark
Licensing & Usage
In order to start your journey with Windows IoT Enterprise, you'll need to get a license.
You can obtain a license by contacting a Windows IoT Distributor or by using the Windows Enterprise 90-day
Evaluation.
Distributors
Microsoft offers many Windows IoT and Embedded SKUs. Authorized distributors of Windows IoT products can
help you pick the right SKU for your hardware and your budget by leveraging their development experiences,
and knowledge, to help you build secure and connected Windows IoT solutions. If you would like to work with
one of our distributors, please select a distributor in your region and contact the distributor directly for more
details.
Fixed purpose devices
Windows is well known as the operating system for laptops and desktops that have been used by consumers
and businesses worldwide for decades. Windows also powers many ATM machines, point-of-sale terminals,
industrial automation systems, thin clients, medical devices, digital signage, kiosks, and other fixed purpose
devices. Windows IoT Enterprise allows you to build these fixed purpose devices with specific allowances and
restrictions in the license agreement.
TIP
See your licensing agreement for complete guidance on all Windows IoT Enterprise usage scenarios. If you are an end-
user customer, your OEM should have provided you with the terms in an agreement. If you are an OEM, you can direct
questions to your distributor regarding your specific licensing agreement.
A fixed purpose device differs from a general-purpose device in the following ways:
The device is locked down to a single application or fixed set of applications through the Assigned Access or
Shell Launcher features.
The device experience is often immediate when the customer powers on. This is achieved by configuring the
device image to skip the normal Windows out-of-box experience.
Keyboards, USB ports, and device policies can be locked down to constrain the device to be used only in its
fixed purpose.
The IoT Device OEM licenses the device to the user with the software attached to the device as a complete
product and passes through specific Windows terms in their own IoT OEM agreements.
The OEM provides the customer support for their complete product, including the functions performed by
the operating system.
NOTE
There are currently two release channels for Windows 10 IoT Enterprise:
The Semi-Annual Channel receives feature updates twice per year and provides support for 18-30 months.
The Long Term Servicing Channel, which is designed to be used only for specialized devices (which typically don't run
Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to
three years and provides support for 10 years.
There is currently one annual release channel for Windows 11 IoT Enterprise - please see Windows 11 servicing and
Windows for IoT Product Lifecycle for more information.
Activation Guide
After you purchase your license and receive your keys for Windows IoT Enterprise, make sure you obtain a copy of
the Activation Guide. You can retrieve this document either by contacting your distributor or by accessing it
through your Device Partner Center account.
Additional Resources
Windows IoT Enterprise Manufacturing Guide
Windows Servicing
Servicing Channels
Windows 10 IoT Enterprise Manufacturing Guide
11/16/2021 • 2 minutes to read • Edit Online
We offer a Manufacturing Guide to help you walk through how to build, set-up, and commercialize your
Windows 10 IoT Enterprise devices.
Labs
In addition to our documentation set, we have a series of labs that you can follow, which cover how to build,
customize, and deploy a Windows 10 IoT Enterprise image.
Lab 0: Tooling
Lab 1a: Create a basic image
Lab 1b: Customize a reference device in Audit mode
Lab 2: Configure device lockdown features
Lab 3: Configure policy settings on IoT Enterprise devices
Lab 4: Sysprep, capture, and deploy
Lab 5: Configure Shell Launcher or assigned access
GitHub Repository
We also have guidance for a more automated solution.
If you want to try script-based image customization and deployment, please visit our GitHub repository.
Additional Resources
Reduce the size of a Windows Image
Soft Real-Time on Windows IoT Enterprise
11/16/2021
Windows 10 soft real-time is a new feature in Windows 10 IoT Enterprise, version 21H2, that allows device
makers to introduce soft real-time capabilities on their devices.
This real-time behavior is introduced through four key settings:
1. CPU isolation: migrates system-level disturbances off the isolated CPUs, reducing potential jitter
in the user's real-time application.
2. Custom ISR/DPC pinning on isolated CPUs: all hardware interrupts are routed to the system and
non-real-time cores, but by writing a custom ISR/DPC driver you can route your device-specific interrupts
to the real-time cores.
3. Priority inheritance for mutexes: ensures the highest-priority thread is executed, even in
complex multi-threaded scenarios.
4. Up to 16 real-time thread priority levels: allows the programmer to divide resources among real-time
tasks so that the most important ones are executed first.
This guide walks you through how to set up your device for real-time performance.
NOTE
The only way to use this feature is with an application and device custom-built for a specific purpose. The mapping of
processor core assignments in the application threads must match the physical device cores and their configuration for
real-time versus standard workloads.
2. Reference the Security guidelines for system services to disable the following services:
a. SysMain (Superfetch)
b. DPS (Diagnostic Policy Service)
c. Audiosrv (Windows Audio)
3. Disable Windows Update using this guidance.
NOTE
This leaves your device exposed to vulnerabilities, because security patches will no longer be installed. It is
nevertheless necessary, because the Windows Update agent does not respect CPU core isolation. We recommend having a
plan to maintain device security and to install updates during scheduled downtime, when the device can be taken
offline for maintenance.
TIP
A good example of managing updates during downtime can be found in the UWF documentation: Service UWF-protected
devices. If you are using UWF and soft real-time together, that process takes care of the OS update need for both
features at the same time.
NOTE
This is hardware dependent and can only be done if the NIC supports RSS.
rem Run from an elevated Command Prompt. sc.exe requires a space after "start=" or the config command fails.
sc query dps
sc stop dps
sc config dps start= disabled
sc query Audiosrv
sc stop Audiosrv
sc config Audiosrv start= disabled
sc query SysMain
sc stop SysMain
sc config SysMain start= disabled
sc query wuauserv
sc stop wuauserv
sc config wuauserv start= disabled
WindowsIoT
----SoftRealTimeProperties
--------SetRTCores
A value greater than 0 and less than the total number of cores on the device must be provided to the SetRTCores
node. You can set this CSP with whatever tool your organization uses to configure its devices, or use the steps
below with the MDM Bridge WMI Provider.
Use MDM Bridge WMI Provider to Configure the WindowsIoT CSP
This CSP will configure the system for real-time performance. You will need to provide the number of CPU cores
to allocate to real-time tasks, with the rest being allocated for running system or standard user tasks. A
numerical value must be provided in the SetRTCores node. This is the number of CPU Cores dedicated to real-
time workloads. Valid numeric values must be at least 1 and less than the number of physical cores in the CPU.
Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to
accomplish this. Here's an example to set the RealTime configuration with 3 real-time cores:
1. Download the psexec tool.
2. From an elevated Command Prompt, run psexec.exe -i -s powershell.exe to open a PowerShell session as SYSTEM
(the MDM Bridge WMI Provider is only accessible from the SYSTEM account), then run:
$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_WindowsIoT_SoftRealTimeProperties01"
$obj = Get-CimInstance -Namespace $nameSpaceName -ClassName $className
$obj.SetRTCores = 3   # number of CPU cores reserved for real-time workloads
Set-CimInstance -CimInstance $obj
TIP
You can use the same script for whatever number of real-time cores you need, just replacing the 3 in the second-
to-last line with the appropriate number. This reserves cores starting with core 0 and going upwards, so reserving 3
cores on a 4-core CPU reserves cores 0, 1, and 2 and leaves core 3 for system and non-real-time tasks.
Next: Develop a Soft Real-Time Application
Developing a Soft Real-Time Application
11/16/2021
Once a device is configured for real-time performance, an application can be set to run in real-time using
standard Win32 APIs. The only factors that will give a thread or process real-time performance are the
thread/process priority rank and the CPU core affinity.
To get real-time performance on a particular thread or process, its priority should be in the range of real-time
performance and its affinity should be set to run on the real-time cores.
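As an added example (not code from the Microsoft documentation), the Win32 calls that put a thread into the real-time priority band and pin it to the reserved cores. The core numbering (cores 0..N-1 are the real-time cores) and the 16-level band follow the SetRTCores description above; the function names rt_affinity_mask, is_realtime_base_priority and enter_realtime are my own. The Win32 portion is only compiled on Windows, so the mask logic can be built and checked anywhere.

```c
#include <stdbool.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Affinity mask for the real-time cores. SetRTCores reserves cores from
 * core 0 upwards, so N real-time cores are cores 0..N-1. Returns 0 when N is
 * outside the CSP's valid range (at least 1, fewer than the physical cores). */
uint64_t rt_affinity_mask(unsigned rt_cores, unsigned total_cores)
{
    if (rt_cores < 1 || rt_cores >= total_cores || total_cores > 64)
        return 0;
    return (1ULL << rt_cores) - 1;
}

/* Under REALTIME_PRIORITY_CLASS thread base priorities occupy levels 16..31,
 * which are the 16 real-time priority levels the feature provides. */
bool is_realtime_base_priority(int base_priority)
{
    return base_priority >= 16 && base_priority <= 31;
}

#ifdef _WIN32
/* Raise the calling thread into the real-time band and pin it to the
 * real-time cores; rt_cores must equal the device's SetRTCores value.
 * Returns true only if every step actually took effect. */
bool enter_realtime(unsigned rt_cores, unsigned total_cores)
{
    DWORD_PTR mask = (DWORD_PTR)rt_affinity_mask(rt_cores, total_cores);
    if (mask == 0)
        return false;
    if (!SetPriorityClass(GetCurrentProcess(), REALTIME_PRIORITY_CLASS))
        return false;
    /* Without SeIncreaseBasePriorityPrivilege Windows silently downgrades the
     * request to HIGH_PRIORITY_CLASS, so confirm the class actually applied. */
    if (GetPriorityClass(GetCurrentProcess()) != REALTIME_PRIORITY_CLASS)
        return false;
    /* TIME_CRITICAL within the real-time class is base priority 31. */
    if (!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL))
        return false;
    return SetThreadAffinityMask(GetCurrentThread(), mask) != 0;
}
#endif
```

On a device configured with 3 real-time cores out of 4, the real-time thread calls enter_realtime(3, 4) before starting its time-critical loop; rt_affinity_mask(3, 4) yields 0x7, leaving core 3 for the system and non-real-time work.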
Azure IoT Edge for Linux on Windows allows you to run containerized Linux workloads alongside Windows
applications in Windows IoT deployments. Businesses that rely on Windows IoT to power their edge devices can
now take advantage of the cloud-native analytics solutions being built in Linux.
IoT Edge for Linux on Windows works by running a Linux virtual machine on a Windows device. The Linux
virtual machine comes pre-installed with the IoT Edge runtime. Any IoT Edge modules deployed to the device
run inside the virtual machine. Meanwhile, Windows applications running on the Windows host device can
communicate with the modules running in the Linux virtual machine.
Bi-directional communication between Windows processes and the Linux virtual machine means that Windows
processes can provide user interfaces or hardware proxies for workloads running in the Linux containers.
Get started today.
Benefits
You might choose to build a device that includes Azure IoT Edge for Linux on Windows (EFLOW) as it comes with
many benefits.
EFLOW enables customers for the first time to run production Linux-based cloud-native workloads on Windows
IoT. Customers retain their existing Windows IoT assets plus benefit from the power of Windows IoT for
applications that require an interactive UX and high-performance hardware interaction. There is no longer a
need to choose between Windows or Linux; customers can now leverage the best of both platforms.
EFLOW provides the ability to deploy Linux IoT Edge modules onto a Windows IoT device. This opens a world of
capabilities for commercial IoT as well as AI/ML with the availability of pre-built modules from the Azure
Marketplace such as Live Video Analytics, SQL Edge, and OPC Publisher as a few examples.
As a developer, you may also choose to implement your own custom modules using the Linux distribution of
your choice to address specific business requirements. Running Linux modules on Windows IoT becomes a
seamless part of your solution.
In addition, Windows applications can easily interact with Linux modules running on the same physical device. A
Windows process that provides UI or accesses cameras, sensors, or other hardware can seamlessly
communicate with business logic or ML inferencing provided by a Linux module.
Additional Resources
EFLOW Documentation
IoT Show: Run Linux based IoT Edge modules on Windows IoT
Get started today.
Downloads
11/16/2021
If you would like to download Windows IoT Enterprise, please review the options below.
To select which edition of Windows IoT Enterprise you would like to work with, review Features by Release.
90 Day Evaluation
You can download a free 90-day evaluation copy of Windows Enterprise, a binary equivalent of Windows IoT
Enterprise.
Partner Center
If you are a Windows IoT Partner, check Partner Center for up-to-date information regarding access to the latest
bits.
Additional Resources:
Start Prototyping
Windows Developer Tools and SDK resources
Windows IoT Enterprise Manufacturing Guide
Features by Release
11/16/2021
Each Windows 10 IoT Enterprise release offers our latest features, including specific updates made to address
customer requests. One of the most obvious benefits of migrating to Windows 10 IoT Enterprise is the
continuous value add you’re always getting. As you can see, with each release, Windows just gets better and
better.
NOTE
We are highlighting some of the more prominent new features that have come out in each release of Windows 10 IoT
Enterprise. This doesn't include every new feature, nor does it include the continuous improvements and
enhancements we make to the existing features in the product with each release.
NOTE
With the 1903 release, we have created a new edition for Windows 10 IoT Enterprise. In the future, it can unlock IoT
scenarios with a tailored feature set. As of the 1903 & 1909 releases, the sole difference between the Desktop and IoT
versions is that reserved storage for updates and temporary files isn’t set aside during installation; this allows for the use
of smaller storage devices with an identical feature set. Also, with the new keys, the edition will now show up as Windows
10 IoT Enterprise.
Base
Mobile Device Management
AAD Join
Windows Store for Business
Windows Update for Business
Keyboard filter
Custom logon
Unbranded boot
Assigned access single app kiosk mode support
Shell launcher
Unified write filter
Start layout customization
Windows Defender Antivirus
Windows Hello
Microsoft Edge
Device Guard
Credential Guard
AppLocker
BitLocker
SmartScreen
Device provisioning
Windows as a service
In-place upgrades
Continuum
Cortana
Windows 10 core
Additional Resources
Windows 10 release information
What's new in Windows 10
Windows 10 update history
Frequently Asked Questions (FAQ)
11/16/2021
This document outlines the questions most frequently asked by our customers and partners.
If you require additional assistance, please Contact Us.
If you have questions, concerns or require support for Windows IoT Enterprise, please reach out to your
distributor or the appropriate groups below.
MVP Program
Consultants and MVPs are available for assistance.
Search for MVP Near You
Developer Community
Channel9
Windows Blogs
Stack Overflow
Microsoft Developer Blogs
Microsoft Developer Network (MSDN)
Microsoft Windows for IoT Tech Community
Microsoft IoT Developers YouTube Channel