Windows IoT device lockdown is probably one of the most misunderstood topics. The two questions I am asked most often by OEMs (original equipment manufacturers) getting started with Windows IoT operating systems are:

  1. “How do we secure our IoT devices?” – Asked by OEMs that require their device to be very secure and do not want the end user to know that Windows is the underlying operating system. They want to lock the device down so the end user can do nothing but what the device was intended to do.
  2. “How secure does Microsoft require Windows IoT to be configured?” – Asked by companies that shy away from Windows IoT because they believe that Windows IoT requires a complete lockdown with no flexibility.

In truth, the license terms are flexible simply because so many industry verticals and millions of devices require different levels of lockdown. Let’s start with the terms stated in the Windows 10 IoT license.

What do the Windows 10 IoT License Terms State?

Licensing terms for Windows IoT reference the ‘Guidelines for Designing Embedded Systems with Windows 10 IoT Enterprise’ white paper. This white paper is available on the Device Partner Center or DPC (formerly MyOEM). It provides guidelines on securing or locking down your IoT device and clarifies the relevant license terms for implementing the restrictions. We can assist in providing you access to this document if you have trouble locating it on DPC.

  1. End User Interface and Embedded Applications
    1. Company may use the shell included in the deliverables as the end user interface to support Windows 10 compatible Embedded Applications
    2. Company must comply with the ‘Guidelines for Designing Embedded Systems with Windows 10 IoT Enterprise’ white paper posted on MyOEM, which may be updated from time to time
    3. To take advantage of the Windows 10 shell or user interface, Company may add one or more Embedded Applications that end users can access and execute via the user interface

There are many terms for locking down the device, such as Kiosk Mode, Assigned Access, Shell Launcher, AppLocker, and others. Many options and methods are available to match your device’s security requirements.

Let’s start with Kiosk Mode and follow that with Assigned Access.

What is Windows Kiosk Mode?

Windows IoT Enterprise allows you to build fixed-purpose devices such as ATMs, point-of-sale terminals, medical devices, digital signs, or kiosks. Kiosk Mode helps you create a dedicated, locked-down user experience on these fixed-purpose devices. Windows IoT Enterprise offers a set of different locked-down experiences for public or specialized use.

The image below explains the different experiences. 


Get started with Kiosk Mode here 

What is Assigned Access?

Assigned Access in Windows IoT Enterprise editions is a feature that allows admins to manage the end-user experience by denying some functionality. It helps to eliminate the risk of compromising the system: you configure a user account and add the apps that the user is allowed to access within that account. The assigned access account cannot reach system features other than the designated applications, which secures the device because the rest of the system is essentially locked down.

Assigned access offers two kiosk experiences by locking the devices to either a single app or multiple apps based on whether the devices are used for public or fixed-purpose use.

For public access terminals where you want a high degree of control over the device, consider running Windows Single App Kiosk Mode. The kiosk app runs full screen above the lock screen in a restricted user account, and users can’t switch out of the application. Before setting up Kiosk Mode, it is recommended that you pre-configure the following settings to improve kiosk security and provide a safer kiosk experience:

  • Disable the power button
  • Disable camera
  • Disallow removable media
  • Hide the power button and ease of access features from the sign-in screen
  • Use keyboard filters to block the key combinations that enable accessibility functions
  • Use a virtual machine to test the kiosk configuration before applying it to the actual machine
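The following PowerShell is an added example, not code from the Arrow post or from Microsoft, that sets up the single-app kiosk described above on a Windows 10 IoT Enterprise device: it creates a restricted local account, resolves the app's Application User Model ID instead of hard-coding it, binds the account to that one app with the built-in Set-AssignedAccess cmdlet, and applies three items from the checklist (camera, removable media, power button on the sign-in screen) through the registry values their Group Policy settings write. The account name KioskUser and the app name Calculator are placeholders, and the example assumes the app is already installed and registered for the kiosk account.

```powershell
# Run from an elevated PowerShell session on Windows 10 IoT Enterprise.
# Account name and app name are placeholders; adjust them for your device.
$KioskUser = 'KioskUser'
$AppName   = 'Calculator'   # display name as listed by Get-StartApps

# 1. Create a standard (non-admin) local account the kiosk will run under.
#    Assigned Access signs this account in automatically; it never gets a desktop.
$pw = Read-Host -AsSecureString -Prompt "Password for $KioskUser"
if (-not (Get-LocalUser -Name $KioskUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $KioskUser -Password $pw -PasswordNeverExpires -AccountNeverExpires | Out-Null
}
# Make sure the kiosk account is not accidentally an administrator.
Remove-LocalGroupMember -Group 'Administrators' -Member $KioskUser -ErrorAction SilentlyContinue

# 2. Resolve the app's Application User Model ID (AUMID) from the Start app list.
$app = Get-StartApps | Where-Object { $_.Name -eq $AppName } | Select-Object -First 1
if (-not $app) { throw "App '$AppName' not found; run Get-StartApps to list installed apps." }

# 3. Bind the account to that single app (full screen, above the lock screen).
Set-AssignedAccess -UserName $KioskUser -AppUserModelId $app.AppID

# 4. Pre-configuration hardening from the checklist, using the policy registry
#    values the corresponding Group Policy settings write. The helper creates the
#    key if it is missing and sets a DWORD value.
function Set-PolicyDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}
# Disable the camera (policy "Allow Use of Camera" = Disabled).
Set-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Camera' 'AllowCamera' 0
# Disallow removable media (policy "All Removable Storage classes: Deny all access").
Set-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All' 1
# Hide the power button on the sign-in screen (policy "Shutdown: Allow system to be
# shut down without having to log on" = Disabled).
Set-PolicyDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'shutdownwithoutlogon' 0

# 5. Verify what Assigned Access recorded before rebooting into the kiosk account.
Get-AssignedAccess
```

Clear-AssignedAccess removes the binding again if you need to take the device out of kiosk mode during testing, which is easiest to do on the virtual machine the checklist recommends.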

Advanced Lockdown Features

If your device or appliance needs additional security or you want to lock it down further, you can consider these other features.

  • AppLocker: AppLocker extends the application control features of Software Restriction Policies. It adds capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps. Since AppLocker rules identify which apps may run on the device, you can leverage AppLocker to create a Windows IoT kiosk that runs multiple apps.
  • Keyboard Filter: If your device is for a dedicated purpose, it may make sense to ensure that key combinations like ‘Ctrl+Alt+Delete’ do not alter the operation of the device by locking the screen or using Task Manager to close a running application. Windows IoT Enterprise provides a Keyboard Filter feature that allows you to suppress undesirable key presses or key combinations.
  • Unified Write Filter: The Unified Write Filter (UWF) is a Windows IoT Enterprise feature that helps to protect your drives by intercepting and redirecting any writes to the drive (app installations, settings changes, saved data) to a virtual overlay. The virtual overlay is a temporary location usually cleared during a reboot or when a guest user logs off.
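As an added example (not code from the post or from Microsoft), the PowerShell below turns on the two lockdown features just described on Windows 10 IoT Enterprise: it blocks the key combinations the Keyboard Filter bullet calls out through the filter's WMI classes, keeps a maintenance path open for administrators, and then protects the system volume with UWF while excluding the locations the kiosk app must persist. The paths C:\KioskData and HKLM\SOFTWARE\KioskApp are placeholders, and the optional features must be installed and the device restarted before the WMI classes exist, so the script is split into two stages.

```powershell
# Stage 1 (elevated): install both optional features, then restart the device.
Enable-WindowsOptionalFeature -Online -FeatureName 'Client-KeyboardFilter'     -NoRestart | Out-Null
Enable-WindowsOptionalFeature -Online -FeatureName 'Client-UnifiedWriteFilter' -NoRestart | Out-Null
# Restart-Computer   # uncomment for a real run; Stage 2 needs the features loaded

# Stage 2 (elevated, after the restart).
# --- Keyboard Filter: suppress combinations that would let a user leave the app ---
$ns = 'root\standard\cimv2\embedded'
function Block-Key([string]$Id) {
    # Well-known combinations live in WEKF_PredefinedKey; flip Enabled to block them.
    $key = Get-WmiObject -Namespace $ns -Class WEKF_PredefinedKey | Where-Object { $_.Id -eq $Id }
    if ($key) {
        $key.Enabled = 1
        $key.Put() | Out-Null
    } else {
        # Anything else is added as a custom key using the same "Mod+Key" notation.
        Set-WmiInstance -Namespace $ns -Class WEKF_CustomKey -Arguments @{ Id = $Id } | Out-Null
    }
}
# Lock screen / Task Manager (from the post) plus the usual ways out of a kiosk app.
'Ctrl+Alt+Delete', 'Ctrl+Shift+Esc', 'Win+L', 'Alt+Tab', 'Alt+F4', 'Win+R', 'Ctrl+Esc' |
    ForEach-Object { Block-Key $_ }

# Keep a maintenance path: exempt administrators and set an explicit breakout key
# (scan code 0x5B is the left Windows key) so a technician can still reach a desktop.
$settings = Get-WmiObject -Namespace $ns -Class WEKF_Settings
$settings.DisableKeyboardFilterForAdministrators = $true
$settings.BreakoutKeyScanCode = 0x5B
$settings.Put() | Out-Null

# --- Unified Write Filter: redirect all writes to C: into a discardable overlay ---
uwfmgr.exe filter enable
uwfmgr.exe volume protect C:
uwfmgr.exe overlay set-size 2048            # overlay cap in MB; writes beyond it fail
# Carve out the places the kiosk app must keep across reboots (placeholders).
uwfmgr.exe file add-exclusion C:\KioskData
uwfmgr.exe registry add-exclusion "HKLM\SOFTWARE\KioskApp"
# Review the resulting configuration; protection starts after the next restart.
uwfmgr.exe get-config
```

Because UWF discards everything outside the exclusions at reboot, run `uwfmgr.exe filter disable` (and restart) before servicing the device, or Windows updates and setting changes will silently vanish.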

In Summary

For OEMs that need to secure their Windows IoT devices, many features and options allow you to customize your IoT device to the level required to fit your industry. For additional information, contact our experts at windowsiot@arrow.com or fill out the contact form. We will reply to you in less than 24 hours.


Ken Marlin

Supplier Manager

Based in Phoenix, Arizona, Ken is a Microsoft Business Development Manager at Arrow Electronics. Ken is a 3-time Microsoft MVP on Windows IoT products and has over 35 years of experience in supporting all Microsoft products and channels. Known in the industry as the Windows Champ, Ken has a YouTube channel that provides valuable information on getting started with Windows IoT products and “How To” informational videos. His specialty is helping customers with complex licensing on Windows Server, SQL Server and Windows 10 IoT Enterprise.

Arrow Intelligent Solutions Blog
