
I. Introduction

Universal Windows Platform (UWP)

- Converged APIs – all Windows 10 editions


- Scale and get higher ROI
- re-use existing development skills
- supports Python

- OneCore.lib

Embedded Mode

- extends policy management and the enabling of headless mode to all Windows 10 editions
- enabled by default on Windows 10 IoT Core
- extending API sets
- enabled in Windows 10 IoT Core by default, mobile by a license file, Windows 10 core by a registry setting

Cloud enabled app processing

- Bing Cloud Speech (speech interpretation, search, dictation)


- Project Oxford (image and speech processing via web request) → Face Detection, Face Verification, Feature Analysis, Vision Thumbnails, Optical Character Verification
- LUIS-Beta (Language Understanding Intelligent Services) – places, times, temperatures, common requests

Retail peripherals supported

- barcode scanner, mag-stripe reader, receipt printer, cash drawer


- adapted from UnifiedPOS standard
- payment terminals (3rd party)
- Unified POS

Image Configuration Designer

- customize device experience

Windows 10 IoT editions

- 3 editions:

- Windows 10 IoT Enterprise (x64/x86)
- Windows 10 IoT Mobile Enterprise (just ARM)
- Windows 10 IoT Core (x86/ARM) – two editions, Royalty Free/Pro

II. Windows 10 IoT Enterprise

- full version of Windows 10 with lockdown capabilities, powering a wide range of industry devices across retail, manufacturing, health, government and other industries

- 32 bit (1GB/16GB storage) / 64 bit (2GB/)

When to use?

Do you need desktop functionality/desktop apps? (Win32, .NET, Windows Presentation Foundation)

Is the device an ATM, thin-client, POS device, medical or industrial device?

Does it require full capabilities like LoB (line-of-business use) lockdown?

- does not contain Edge but contains IE11, Cortana, but basic apps are included, Outlook, Clock etc

Windows 10 Enterprise Activation

- Windows Product Key is injected or installed into each device during manufacturing

- Has never been connected to the Internet → Deferred Activation


- image is fully functional
- no access to MSFT, third party services
- no disruptive activation notifications or watermarks
- works as long as the device never connects to the internet
- does not show a watermark

- it could get this watermark if the device connects to the internet


- if you want to refresh but not lose the license count, you can ensure it will never connect to the internet, or back up the activation state, then refresh the OS, then insert the activation state back

Internet Activation

- normal process, AVS server, an activation failure will be shown, invalid activation marker (UX), 3 hours after the machine is online, until reboot and again after 3 hours, no automatic reboot as in evaluation mode, no forced activation, no loss of features

3 states to activation:

1. Connect to the Internet


2. Activate
3. Windows is not Activated with watermark 3 hours

III. Windows IoT Mobile Enterprise

- just ARM
- mobile POS, Industry Hand-Held Terminal (HHT)
- Chassis flexibility
- Screen size limit: 8 inches

Some additional features only available in Mobile Enterprise:

1. Controlled Update
2. Unlimited self signed LoB apps running on the device (signature)
3. Enables Embedded Mode

- can use volume licenses and inject the license file to convert the device to IoT Enterprise and get Embedded mode

- OEMs can preload a license file into an image and then IoT features are enabled from startup, custom UI layout

- any Windows Mobile 10 device can be stepped up to IoT →

- end users → by injecting a license file onto the device


- enterprise customers → can obtain from the Business Support Portal (BSP)
- OEMs preload the license file, automatically enabled from startup

Activation

UWP Apps

- customized experience based on roles (Nurse, Manager)

- Continuum second screen docking

IV. Windows 10 IoT Core

- no shell, UI customizable for your brand


- single application, boot straight to application
- works on arm/x86
- only supports universal apps, no Win32/.NET!
- devices with lower system requirements
- no windows certification requirements
- available royalty-free SKU

Windows 10 IoT Core PRO

- only for OEMs


- you can step up to control updates
- by injecting a license file, either at image creation or through device management
- WSUS for enterprise updates, OEM at image creation time
- THERE IS NO ACTIVATION

Embedded mode (UWP)

- Access to system settings


- API access to busses (GPIO, custom hardware)
- Background services for long running tasks

- API Porting tool


- Leverage Universal Windows Driver

- with display (headed), without displays (headless), controlled by configuration read at boot time
- custom OEM shell for UI

V. Windows 10 IoT Management and Servicing

- OMA/DM
- MDM
- CSP
- MDM in Windows 10 – Enrollment,

- Field Medic

- Current Branch for Business

- Windows 10 IoT Editions on CB (Current Branch):
• Windows 10 IoT Core Free (Royalty Free)

- Windows 10 IoT Editions on CBB (Current Branch for Business):
• Windows 10 IoT Mobile Enterprise
• Windows 10 IoT PRO

- Windows 10 IoT Editions for LTSB:
• Windows 10 IoT Enterprise

WSUS (Windows Server Update Services) vs WUfB (Windows Update for Business) – on LTSB

- with or without Software Assurance (SA)

- in-place upgrades; still needs SA to get updates, without SA it won't be updated

Controlling update behavior

- through policy and maintenance windows


- can connect directly to WU (Windows Update)
- Enterprises can control using WSUS and MDM

Edition specific

Enterprise

- My OEM (WSUS, Intune, System Center, 3rd party MDM) and Windows Updates
- New Devices (SOC)
- 10 year life cycle
- security updates
- no frequent feature updates
- LTS roll-up every 2-3 years

- move from one LTSB to another using in-place upgrade, can skip an LTSB
- manage update via WSUS
- you can move from LTSB to CBB

VI. Securing Windows IoT Devices

• Next Generation Credentials (Two factor and SSO)
◦ Windows 10 IoT Enterprise ONLY
◦ two factor, phish proof
• Bitlocker (device encryption, secure key storage)
◦ full disk encryption
◦ automatically provisioned
◦ cold boot attacks
◦ available on ALL Windows 10 IoT editions
• Lockdown (security layers, predictable device experiences)
◦ predictable device experience
◦ Unified Write Filter (read-only device)
▪ just on Enterprise and Core
▪ sector based protection, registry exclusion, file and folder exclusion
◦ USB Filter
▪ just Enterprise and Core
▪ can be deployed using group policy or image designer
◦ AppLocker
▪ Enterprise and Mobile Enterprise
▪ persist over application updates, RBAC
◦ Assigned Access
▪ Mobile and Enterprise
▪ device acts like a kiosk
▪ an account with a universal windows app for a profile
◦ Shell Launcher
▪ just on enterprise
▪ launch classic windows apps as a custom shell
▪ multiple shells on a single device for multiple users
◦ Granular UX control
▪ task menu, autologon, configured using GPO or ICD
◦ Windows Firewall
▪ Image Configuration Designer, netsh advfirewall
◦ Secure Remote Device Connection
• Device Guard (only run trusted apps)
◦ only trusted apps will run
◦ works with Universal and Win32 apps
◦ on Windows 10 IoT Enterprise only
◦ lockdown at the hardware level
◦ Virtual Secure Mode
◦ apps need to be signed either by Microsoft or 3rd party
◦ secure web service can sign catalog or binaries
• TPM and Malware Protection (Secure Boot, Measured Boot, Authenticity protection)
◦ protect from Malware (Secure Boot, Measured Boot)
◦ on all devices

VII. Connectivity

- AllJoyn integrated in all
- Access to sensor hardware
- Seamless connectivity to Microsoft Azure
- Always on VPN is supported only for Universal Apps and Enterprise

Provisioning

- Windows Assessment and Deployment Kit (ADK)


- Image Configuration Designer (ICD)

Features on demand v2
