Introduction
This document describes the steps needed to deploy a Microsoft* Windows* 10 IoT Gateway and explains how to set up security features, software access points, and other management and development tools. It is intended for OEMs, ODMs, SIs, and other users who wish to set up a Windows 10 IoT Gateway. Because Microsoft has already documented many of the processes needed, this guide introduces users to topics and provides a link to the relevant Microsoft document, rather than re-creating the same material.
This Getting Started Guide also introduces users to the Windows Configuration Software for the Intel® IoT Gateway, which includes the Intel® IoT Gateway Module for Microsoft Windows PowerShell.
The target Windows 10 editions are Windows 10 IoT Enterprise and Windows 10 IoT Core.
You Must Provide
- Gateway: This is the computer hardware included in the gateway kit. Windows 10 IoT is set up on the gateway.
- Development Computer: This is the Windows 10 computer used to prepare the installation media for the gateway and to remotely control the gateway via Microsoft Windows PowerShell.
- A Local Area Network containing the Gateway and Development Computer (for example, via a router): This enables remote PowerShell from the development computer to the gateway.
- Internet Access: This enables access to Microsoft information and tools to download for the development computer.
Required Experience Level
This guide assumes the reader has experience with the following:
- Installing computer hardware
- Installing and configuring Windows software
- Executing Windows commands and creating and executing scripts
- Using a Windows PowerShell locally and remotely
Document Terminology and Conventions
- Terminology
- Gateway: Hardware included in your gateway kit.
- Development Computer: Windows 10 computer that you provide to prepare the installation media of the gateway, to remotely control the gateway via Microsoft Windows PowerShell, and to develop applications for the gateway.
- Deployment: The process to prepare for a gateway operating system and to install it on the gateway.
- Legacy Manufacturing Process: This is the main deployment process used before Windows 10 by computer manufacturers. It is still applicable for Windows 10, but Windows 10 has new tools/processes available.
- Reference Gateway: A gateway where the operating system is installed and is set up as desired, and the applications required are also installed. One can save the software (including operating system, drivers, and applications) of this reference gateway into a file, and then use that file to duplicate the same installation on other gateways.
- .ffu file: The Full Flash Update (.ffu) file is used by Microsoft to save the operating system and other software installed on a computer. See Deploy Windows using Full Flash Update (FFU) for more details.
- .wim file: The Windows Imaging (.wim) file is used by Microsoft to save the operating system and other software installed on a computer. See Windows Imaging File Format (WIM) for more details.
- Customization assets: These are the extra drivers, software applications, and updates that one wants to install on the gateway, but are not included in the default operating system release.
- TPM: Trusted Platform Module.
- UEFI: Unified Extensible Firmware Interface is a replacement for the older BIOS firmware interface and the Extensible Firmware Interface (EFI) 1.10 specifications.
- Conventions
Windows 10 IoT (Enterprise or Core) Deployment
Microsoft describes the deployment scenarios and various tools for deployment at Deploy Windows 10. This document focuses on the new Windows 10 process using the Windows Imaging and Configuration Designer (Windows ICD). We describe the legacy manufacturing process (the main deployment process used before Windows 10 by computer manufacturers) in the Appendix.
Gateway Preparation
Before installing the Windows IoT (Enterprise or Core) operating system, make sure that the gateway hardware and firmware [for example, UEFI BIOS or Trusted Platform Module (TPM)] meet the requirements listed in the Intel® IoT Gateway Specification, which is available on the Intel Business Link by searching for document number 544820. Some extra reminders:
- To install Windows on a real UEFI environment, check the Manufacturing Requirements section at Secure Boot Overview to disable the compatibility support module (CSM) in the gateway UEFI settings.
- Currently, for Windows IoT Core, only 32-bit UEFI BIOS is supported.
- Different gateway hardware may have different UEFI BIOS settings. Consult with the gateway manufacturer for the UEFI BIOS settings. For example, for Windows IoT Core on a MinnowBoard Max* device, follow Set Up MBM to set up the correct BIOS settings.
Deployment Tools
- Windows 10 Assessment and Deployment Kit (ADK). The ADK includes the tools needed to generate installation image files, to prepare the installation environment, and to prepare installation media.
- Windows 10 IoT Core ISO file (including imaging tool). This includes the .ffu files for the gateway devices currently supported by Microsoft and an imaging tool to write the .ffu files to removable media for installation.
Installation Process with a Bootable Windows Installation Media
If either of the following bootable Windows 10 installation media is available, simply boot from that media and follow the installation prompts.
- Windows 10 DVD purchased from Microsoft.
- Bootable removable media with Windows 10 ISO file (downloaded from Microsoft and burned into the removable media).
For Windows 10 IoT Core, if the .ffu file for the gateway device is available, follow the instructions under "Install Windows 10 IoT Core" in the next section.
Image Creation Process Using Windows Imaging and Configuration Designer (ICD)
The Windows ICD creates and deploys a Windows image. Check Windows Imaging and Configuration Designer for an introduction to Windows ICD.
Install Windows 10 IoT Enterprise
Follow Build and deploy an image for Windows 10 for desktop editions (Home, Pro, and Enterprise) to use Windows ICD to create a new Windows 10 IoT Enterprise image.
The method above assumes that the base Windows Imaging (.wim) file is available. There are several ways to get .wim files:
- Open a Windows installation/setup DVD, and find install.wim in the sources folder.
- Mount a Windows installation ISO file, and find install.wim in the sources folder.
- Obtain a reference gateway's .wim file. Follow Deployment Using Legacy Manufacturing Process for more details.
Install Windows 10 IoT Core
- Follow Build and deploy a Windows 10 IoT Core image to use Windows ICD to create a new Windows 10 IoT Core image. This document assumes that you already have the board support package (BSP).
  To create a BSP, one needs to be in the Microsoft Ecosystem Engineering Access Program (EEAP). This is not for the general public. For instructions to create a BSP, refer to the Windows 10 IoT Core BSP Creation document in the BSP folder included in Windows Configuration Software for the Intel® IoT Gateway. You can download it at the Intel Download Center https://downloadcenter.intel.com/ by searching for Windows Configuration Software for the Intel(R) IoT Gateway.
- After completing Step 1, a Full Flash Update (.ffu) file is generated. (Check Install Windows 10 IoT Core in Appendix A to find other ways to obtain the .ffu file.) Use one of two ways to deploy the image onto the gateway:
  - If the storage device for the operating system is a removable medium, use Microsoft's WindowsIoTImageHelper tool, as described at Set Up MBM. Although that document is for a MinnowBoard Max device, the steps about WindowsIoTImageHelper are generic.
    If the WindowsIoTImageHelper tool is not available, use the Windows ICD tool instead. Launch the Windows Imaging and Configuration Designer application, click the Deploy button at the top of the Windows ICD application, and follow the instructions shown.
  - Follow Install Windows 10 IoT Core in Appendix A to use legacy tools.
Customization Using Provisioning Package
Users may want to set up the gateway differently from the default operating system. For example, they may want to install some extra applications, or they may want to change some operating system settings from default settings. Microsoft provides the Windows Provisioning customization framework to help deliver such customization capabilities.
For an introduction to the Windows Provisioning framework and the types of supported customization, see the following:
- Customize using the Windows Provisioning framework.
- Supported Windows customizations.
Note: If the system image format is a .ffu file, the customization assets (for example, custom drivers and custom software applications, except for Microsoft Universal Windows Platform apps) cannot be included in a provisioning package. Instead, include the assets in a board support package (BSP) before generating the .ffu file. A Microsoft Universal Windows Platform app can be configured as a customization/runtime setting by Windows ICD, instead of as an asset.
Use Windows Imaging and Configuration Designer (Windows ICD) to create a provisioning package:
Summary:
- For Windows desktop imaging:
- If the customization assets need to be added to a provisioning package, create a provisioning package and use that during image creation (that is, at deployment time).
- If the customization settings are the only items in a provisioning package, the provisioning package can be applied either at deployment time or at runtime.
- For Windows mobile imaging (including Windows IoT Core):
- The customization assets cannot be added to a provisioning package. The assets need to be included in the board support package (BSP) and to be included during image creation (that is, at deployment time).
- If the customization settings are the only items in a provisioning package, the provisioning package can be applied either at deployment time or at runtime.
Security SKUs
Windows Security Features
Security is important for gateways, and Windows provides many security features. This document provides simple guidelines for setting up different levels of security and a PowerShell module (Intel® IoT Gateway Module for Microsoft Windows PowerShell, part of the Windows Configuration Software for the Intel® IoT Gateway) to help set up these security features.
Key Windows security features:
| Title | Description | Purpose |
| --- | --- | --- |
| UEFI | Unified Extensible Firmware Interface. A replacement for the older BIOS firmware interface and the Extensible Firmware Interface (EFI) 1.10 specifications. | Provides faster boot and resume times, the ability to use security features, and support for UEFI firmware drivers, applications, and option ROMs. |
| Secure Boot | A security standard developed by members of the PC industry to help make sure that your PC boots using only the bootloader that is trusted by the PC manufacturer. | Ensures that your PC boots using only the bootloader that is trusted by the PC manufacturer. |
| Trusted Platform Module (TPM) | An international standard for a secure cryptographic processor. | Provides hardware-based, security-related functions, such as cryptographic operations. The TPM chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. |
| Trusted Boot | A process that protects the rest of the boot process (after Secure Boot) by verifying that all Windows* boot components have integrity and can be trusted. | Makes sure that your PC boots using only software that is trusted by Windows. |
| Early Launch Anti-Malware (ELAM) | A driver that starts before other boot-start drivers, enables the evaluation of those drivers, and helps the Windows kernel decide whether they should be initialized. | Detects malware that starts early in the boot cycle. |
| User Account Control | A process that enables users to perform common tasks as nonadministrators, called standard users, and as administrators without having to switch users, log off, or use Run As. | Helps prevent unwanted system-wide changes in a way that is predictable and requires minimal effort. |
| Windows Firewall | A set of network inbound and outbound rules to allow or disallow certain types of network traffic. | Helps to protect computers from unsolicited network traffic. |
| Windows Update | A process to get the latest bug fixes, security patches, and feature improvements from Microsoft. | Helps keep your Windows system up to date. |
| Windows Address Space Layout Randomization (ASLR) | An operating system feature that loads system code into different, unpredictable locations in memory. | Defends against buffer overrun exploits. |
| Windows Defender | Anti-malware software. | Helps protect computers against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. |
| BitLocker | A data protection feature that provides drive encryption and integrates with the operating system. | Addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. |
| Measured Boot and Remote Attestation | Measured Boot takes measurements of each aspect of the boot process and then signs and securely stores the measurements in a TPM. Upon request, these measurements can be sent to a trusted third party known as a Remote Attestation service that can compare the measurements with known good values. | Allows a trusted server on the network to verify the integrity of the Windows startup process and to take corresponding actions. |
| Code Integrity | A feature that validates the integrity of a driver, system file, or software executable each time it is loaded into memory or executed. | Prevents untrusted software from running. |
| Virtualization Based Security (VBS) | A Hyper-V protected container that isolates sensitive Windows 10 Enterprise processes. | Helps protect system memory and kernel mode apps and drivers from possible tampering. |
| AppLocker | An application control feature that helps prevent the execution of unwanted and unknown applications and scripts. | Prevents untrusted software from running. |
| USB Filter | A USB port and device based filter. | Allows trusted USB devices to connect to a system. |
| Keyboard Filter | A key press filter. | Suppresses undesirable key presses or key combinations. |
Information about Windows security (overview):
Information about UEFI, Secure Boot, and TPM:
Information about ELAM:
Information about User Account Control:
Information about Windows Firewall:
Information about Windows Update:
Information about ASLR:
Information about Windows Defender:
Information about BitLocker:
Information about Measured Boot and Remote Attestation:
Information about Code Integrity and Virtualization Based Security (VBS), components in Device Guard:
Information about AppLocker:
Information about USB Filter and Keyboard Filter:
Security SKU Definition
Windows provides many different security features, and sometimes they can be overwhelming and confusing. However, this large assortment of features allows users to implement security features that best meet their customers' real-world needs. Intel's goal is to define "Security for Humans" Best-Known-Configuration (BKC). The different SKUs are defined by Intel, based on human-understandable security features/levels.
Basic SKU Goals:
- Recommended minimum security.
- Meet security requirements for least effort.
- Intended to catch all known attacks, but susceptible to zero-day attacks.
Medium SKU Goals:
- Additive to Basic.
- Additional protection to handle zero-day attacks.
- Assumes customers have network infrastructure (for example, Windows Server and clients) to set up features that require the infrastructure.
High SKU Goals:
- Additive to Medium.
- Best protection provided by available security features on Windows.
For each security feature, customers can adjust the detailed settings suited for real-world use. Such settings can be implemented by the tools mentioned in Microsoft Management Tools. Intel’s definitions here provide a generalized guidance for customers to start.
Intel's Security SKU definition does not include security features that heavily depend on specific real-world use (instead of a generalized setup), for example, Active Directory, Direct Access, or IPSec VPN. Customers should contact Microsoft for documents/instructions on using those features.
Security SKU definition table for Basic Security:
| Category | Security Features for Basic | Basic SKU for IoT Core | Basic SKU for IoT Enterprise |
| --- | --- | --- | --- |
| Anti-Malware | Windows Defender and Early Launch Anti-Malware (ELAM) (Trusted Boot) - Windows default | | √ |
| Resiliency | | √ | √ |
| | User Account Control (UAC) - Windows default | | √ |
| | | √ | √ |
| | Windows Firewall - Windows default | √ | √ |
| | Windows Update - Windows default | √ | √ |
| | | √ | √ |
| Data Protection | | √ | √ |
| | | √ | √ |
Security SKU definition table for Medium Security:
| Category | Security Features for Medium (on top of Basic) | Medium SKU for IoT Core | Medium SKU for IoT Enterprise |
| --- | --- | --- | --- |
| Anti-Malware | Code Integrity (PcaCertificate-based with Hash fallback for the OS drive; Hash-based for the Program Files\WindowsPowerShell and Windows\system32\WindowsPowerShell folders; Audit mode only, to generate logs) | No setup tool for Configurable User Mode Code Integrity on IoT Core. | √ |
| | AppLocker (allow all signed exe/msi/script/packaged apps and the Windows default AppLocker policy) | | √ |
| Resiliency | Measured Boot and Remote Attestation | √ (not including measurement from ELAM) | √ |
| Data Protection | BitLocker (TPM + Network Unlock) | √ (TPM only) | √ |
Security SKU definition table for High Security:
| Category | Security Features for High (on top of Medium) | High SKU for IoT Core | High SKU for IoT Enterprise |
| --- | --- | --- | --- |
| Anti-Malware | Code Integrity (enforce the policies from the Medium SKU) | No setup tool for Configurable User Mode Code Integrity on IoT Core. | √ |
| | AppLocker (allow only already installed exe/msi/script and packaged apps with the same publisher as existing packaged apps; also allow signed scripts) | | √ |
| | USB Removable Media Lock Down | √ | √ |
| | | | √ |
| | | | √ |
| Resiliency | Virtualization Based Security | | √ |
Note: For Virtualization Based Security, we do not enable "Hypervisor based Code Integrity (HVCI)". HVCI requires driver compatibility support.
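As an added check, not part of this guide or of the Intel module: a PowerShell function that reports the state of the features the SKU tables above rely on, so you can run it on the gateway before and after enabling a SKU and see what actually changed. It uses only built-in Windows cmdlets (from the SecureBoot, TrustedPlatformModule, Defender, NetSecurity, and BitLocker modules); where a cmdlet is absent, as on IoT Core, the field is reported as unavailable instead of failing. The function names are chosen here.

```powershell
# Added example (not the Intel module's code): audit the gateway's security
# posture against the Basic/Medium SKU feature list. Run elevated on the
# gateway, either locally or inside the Invoke-Command script block used later.

# Call a cmdlet only if it exists on this edition; return $null otherwise.
function Invoke-IfAvailable([string]$Cmdlet, [scriptblock]$Call) {
    if (Get-Command $Cmdlet -ErrorAction SilentlyContinue) { & $Call } else { $null }
}

function Get-GatewaySecurityPosture {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # Firmware roots of trust: Secure Boot state and TPM readiness.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Throws on legacy BIOS/CSM boot or where the SecureBoot module is missing.
        $result.SecureBootEnabled = 'unavailable'
    }
    $tpm = Invoke-IfAvailable Get-Tpm { Get-Tpm -ErrorAction SilentlyContinue }
    $result.TpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $result.TpmReady   = [bool]($tpm -and $tpm.TpmReady)   # BitLocker needs "ready for use"

    # Anti-malware: Windows Defender real-time protection (IoT Enterprise only).
    $mp = Invoke-IfAvailable Get-MpComputerStatus { Get-MpComputerStatus -ErrorAction SilentlyContinue }
    $result.DefenderRealTime = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'not installed' }

    # Resiliency: UAC, all firewall profiles on, Windows Update service start type.
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                            -Name EnableLUA -ErrorAction SilentlyContinue
    $result.UacEnabled = ($uac.EnableLUA -eq 1)

    $profiles = Invoke-IfAvailable Get-NetFirewallProfile { Get-NetFirewallProfile }
    $result.FirewallAllProfilesOn = if ($profiles) {
        # Enabled is an enum; compare its text so a disabled profile is caught.
        @($profiles | Where-Object { "$($_.Enabled)" -ne 'True' }).Count -eq 0
    } else { 'unavailable' }

    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $result.WindowsUpdateStartType = if ($wu) { $wu.StartType.ToString() } else { 'unavailable' }

    # Data protection: BitLocker state of the OS volume.
    $os = Invoke-IfAvailable Get-BitLockerVolume {
        Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    }
    $result.BitLockerOsVolume = if ($os) { "$($os.VolumeStatus) / $($os.ProtectionStatus)" } else { 'unavailable' }

    [pscustomobject]$result
}

Get-GatewaySecurityPosture | Format-List
```

Keep the output of a run taken before Enable-IoTWinSecurities next to one taken afterwards; a field that did not change (for example TpmReady still false, or a firewall profile still off) points at the warning in the module's output that needs attention.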
Intel provides the Intel® IoT Gateway Module for Microsoft Windows PowerShell, a custom Windows PowerShell module, to help set up most of these features. See Intel IoT Gateway Module for Microsoft Windows PowerShell later in this section for more details.
Intel IoT Gateway Module for Microsoft Windows PowerShell
Module Introduction
Intel provides a custom PowerShell module, IntelIoTGatewaySetup, officially named Intel® IoT Gateway Module for Microsoft Windows PowerShell. It is used to set up Windows features for the Intel® IoT Gateways, including the Security SKUs defined above. This module is part of Windows Configuration Software for the Intel® IoT Gateway. You can download it at the Intel Download Center by searching for Windows Configuration Software for the Intel® IoT Gateway. IntelIoTGatewaySetup supports only the English version of Windows 10 IoT Enterprise and Windows 10 IoT Core.
Specifically, IntelIoTGatewaySetup sets up the following security features defined in Security SKU Definition earlier in this section:
- Windows Update, Windows Defender, Windows Firewall, Windows User Account Control, USB Removable Media Lockdown, Virtualization Based Security, AppLocker, and Code Integrity.
- BitLocker with TPM unlock only, for Windows 10 IoT Enterprise: Although the SKU definition specifies TPM + Network Unlock for the Medium and High SKUs, the PowerShell module only sets up BitLocker with TPM unlock, as Network Unlock requires extra network infrastructure support.
Although IntelIoTGatewaySetup sets up many of the security features defined in Security SKU Definition earlier in this section, it does not set up the features below:
- UEFI, Secure Boot, and TPM: These are part of the hardware and firmware requirements for Intel-supported gateways. A gateway should have these enabled already.
- Account privileges: An account can be created with an administrative role or as a standard user account, based on the specific usage.
- ASLR: This is already supported and active in the Windows operating system. There is nothing to set up.
- Measured Boot: This is implemented by UEFI firmware, TPM, and Windows. There is nothing to set up.
- Remote Attestation: This requires setup of support network structure and implementation of extra software. See Windows Security Features earlier in this section for reference documents.
- BitLocker + Network Unlock: Network Unlock requires setup of support network structure and DHCP driver capability in UEFI, so the PowerShell module only sets up BitLocker with TPM unlock. See Windows Security Features earlier in this section for reference documents.
- USB Filter: Use Group Policy to set this up based on the specific usage to control USB devices by Device or Class ID. See Windows Security Features earlier in this section for reference documents.
- Keyboard Filter: Use Windows ICD tool to configure this filter. See Windows Security Features earlier in this section for reference documents.
IntelIoTGatewaySetup folder includes the following major components:
- Readme.rtf: This is a simple readme file for users to get started.
- ModuleInstallation.ps1: This is the script file that has a command to help install the IntelIoTGatewaySetup module.
- IntelIoTGatewaySetup folder: This is the folder for the IntelIoTGatewaySetup module.
Module Installation
If the user is at the gateway and the gateway has a display and a keyboard, PowerShell commands can be run directly at the gateway to install our module. After installing the module, run the PowerShell commands provided by our module directly at the gateway. We call this local installation and local execution.
The gateway may be remotely located and/or may not have a display. In this case, use another computer, the development computer, to remotely control and set up the gateway. For the remainder of this document, we assume that the user is in this second scenario. We call this remote installation and remote execution.
To install this PowerShell module on the gateway from the development computer (which involves temporarily having the development computer mapping a network drive to the gateway), these systems need to be in the same subnet.
To install the module, do the following steps.
The steps on the gateway to enable remote PowerShell:
- For Windows IoT Core, currently, there is nothing to be done.
- For Windows IoT Enterprise, enable and use remote commands in Windows PowerShell, based on information at Enable and Use Remote Commands in Windows PowerShell and Enable-PSRemoting.
For example, run the following PowerShell commands to enable remote PowerShell:
#Get NIC index of the active NIC
Get-NetAdapter
#$index is the index found.
#Set the target active connection to private.
#Line break is space+backtick.
Set-NetConnectionProfile -InterfaceIndex $index `
-NetworkCategory Private
#Enable remoting
Enable-PSRemoting -Force
On the development computer, follow these steps in a PowerShell environment.
- Make sure that the following two accounts have an administrative role on their corresponding computers:
  - The account on the development computer that the user is currently logged in with, and
  - The account on the gateway that will be used later
- Run PowerShell as administrator.
- To run the ModuleInstallation.ps1 script, the PowerShell execution policy needs to be AllSigned or RemoteSigned. Check the Get-ExecutionPolicy and Set-ExecutionPolicy cmdlets for more details. For example, run the following to set the execution policy to RemoteSigned:
Set-ExecutionPolicy RemoteSigned
- Dot-source the ModuleInstallation.ps1 script.
To dot source a script, type a dot (.) and a space before the script path. For example,
. .\ModuleInstallation.ps1
See about_Scripts for more details.
- Then do the following to check the help and examples for the Install-IntelIoTGatewaySetup command:
Get-Help Install-IntelIoTGatewaySetup -Full
- Then run the Install-IntelIoTGatewaySetup command (based on the help and example information) to install the module from the development computer to the gateway. For example, run the following:
#$path is the path to the module folder you downloaded,
# e.g., 'C:\IntelIoTGatewaySetup'
#$remoteip is the IP address of the remote gateway,
# e.g., '192.168.2.5'
#$remoteaccount is the account of the remote gateway,
# e.g., 'Tester' or 'Domain\Tester'
# Line break is space+backtick.
Install-IntelIoTGatewaySetup -ModuleLocalPath $path `
-RemoteGateway $remoteip `
-RemoteAccount $remoteaccount -Verbose
(For a local installation, a user can also run Install-IntelIoTGatewaySetup directly at the gateway.)
(For uninstallation, a user can use the Uninstall-IntelIoTGatewaySetup command. Check its help information for details and examples.)
- After the installation, use remote PowerShell to run the commands in our module on the gateway. Check Remoting Week: Remoting Sessions for details about how to use remote PowerShell. For example, run the following PowerShell commands in order:
- Start WinRM service if it is not started yet.
if ((Get-Service WinRM).Status.ToString() -ne 'Running') {
# Start WinRM service
Write-Verbose "Start WinRM service."
net start WinRM
}
- Add the remote gateway to TrustedHosts list.
#This will remove the original TrustedHosts and use $remoteip.
#Can also concatenate a value to TrustedHosts list.
# Try Get-Help Set-Item.
#$remoteip is the ip address of the remote gateway.
# Linebreak is space+backtick.
Set-Item WSMan:\localhost\Client\TrustedHosts `
-Value $remoteip -Force
- Create a remote PowerShell session for the remote gateway.
#$remoteip is the ip address of the remote gateway
#$remoteaccount is the account with Admin privilege
# of the remote gateway.
#Linebreak is space+backtick.
$s = New-PSSession -ComputerName $remoteip `
-Credential "localhost\$remoteaccount"
- Run the commands on the remote gateway.
# Run remote script for testing
Invoke-Command -Session $s -ScriptBlock {
#Run the PowerShell commands you want in this block.
#These commands will be run at the remote gateway.
# check our module information
Get-Command -Module IntelIoTGatewaySetup
Get-Module IntelIoTGatewaySetup
}
- Remove the remote PowerShell session, after finishing the commands that need to be run.
Remove-PSSession -Session $s
Module Usage
Similar to module installation, we assume that a development computer is used to remotely control the gateway. To use the module, complete the following steps.
On the gateway, follow the same procedures as used in Module Installation to enable the remote PowerShell if it is not done yet.
On the development computer, do the following steps:
- Follow similar steps as Step 7 of Module Installation. For the remaining description of module usage, the command should be put inside Invoke-Command's ScriptBlock to run on the remote gateway.
- Once the module is installed, use Get-Help with the -Full parameter to receive more information about each command in the module. Use the following command to get all the commands available in the module:
Get-Command -Module IntelIoTGatewaySetup
- For setting up the Intel Security SKU, the main commands are Enable-IoTWinSecurities and Disable-IoTWinSecurities. They call other commands in this module. Check their help information for more details (Get-Help Enable-IoTWinSecurities -Full). For example:
- To enable the "Basic" SKU with this sample BitLocker recovery password, run the following:
#$RecoveryPW is the recovery password for BitLocker
# that you want to use.
#For example, $RecoveryPW =
# '099825-222222-607607-626285-132319-115621-083204-229482'
#Linebreak is space+backtick.
Enable-IoTWinSecurities -SKU "Basic" `
-BitLockerRecoveryPW $RecoveryPW `
-AddPowerShellRemotingFirewallRule -ErrorLog -Verbose
Read the output to see if there is any warning or error for each to-be-enabled feature.
For example, a warning may instruct the user to restart the system to finish installing required Windows features first, and then re-run this function again.
- To disable/remove the Security SKU settings, run the following command:
Disable-IoTWinSecurities -ErrorLog -Verbose
Individual commands (used by Enable-IoTWinSecurities or Disable-IoTWinSecurities) can also be used to set up specific security features.
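The recovery password shown in the Enable-IoTWinSecurities example above is a sample printed in this guide; a fleet of gateways should not share it. The following is an added example (not the Intel module's code) that generates a fresh value for -BitLockerRecoveryPW from the system's cryptographic random number generator and validates it against BitLocker's numerical password format: 48 digits in eight groups of six, each group a multiple of 11 and below 720896. The two function names are chosen here.

```powershell
# Added example (not part of the Intel module): generate and validate a
# BitLocker numerical recovery password for -BitLockerRecoveryPW.

function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][string]$Password)

    # Eight groups of six digits separated by hyphens.
    if ($Password -notmatch '^(\d{6}-){7}\d{6}$') { return $false }

    foreach ($group in $Password.Split('-')) {
        $value = [int]$group
        # Each group is a 16-bit value times 11 (0 .. 65535 * 11 = 720885).
        if (($value % 11) -ne 0 -or $value -ge 720896) { return $false }
    }
    return $true
}

function New-BitLockerRecoveryPassword {
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 2
    try {
        $groups = foreach ($i in 1..8) {
            $rng.GetBytes($bytes)
            # Random UInt16 * 11 is exactly the set of values BitLocker accepts.
            $value = [System.BitConverter]::ToUInt16($bytes, 0) * 11
            $value.ToString('000000')
        }
    } finally {
        $rng.Dispose()
    }
    $groups -join '-'
}

# The guide's sample value passes the format check ...
Test-BitLockerRecoveryPassword '099825-222222-607607-626285-132319-115621-083204-229482'
# ... but use a freshly generated one per gateway, and escrow it before enabling the SKU.
$RecoveryPW = New-BitLockerRecoveryPassword
if (-not (Test-BitLockerRecoveryPassword $RecoveryPW)) { throw 'Generated password failed validation.' }
$RecoveryPW
```

Record the generated value in your key escrow (for example, Active Directory or a password vault) before passing it to Enable-IoTWinSecurities; once the OS volume is encrypted with TPM-only unlock, this password is the only way to open the drive after a firmware change or a TPM reset.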
If TPM is not "ready for use", it needs to be set up first; otherwise, BitLocker cannot be enabled. Follow TPM Management to set it up.
If AppLocker is set up for the "High" SKU, users will not be able to use PowerShell to add new Windows features, since by design DISMHOST.EXE in the user account's temp folder (created and used by PowerShell) is blocked. As a result, users will not be able to use our command to enable VBS, as this command tries to install the required Windows features. In the Enable-IoTWinSecurities command, we do the VBS setup first. If Windows features need to be installed, restart the system to finish the feature installation and then re-run the command.
For User Mode Code Integrity, a registry entry must be set to allow our module location to enter Full Language Mode under the Code Integrity policy. Our custom module is designed to be installed in %Program Files%\WindowsPowerShell\Module. If this is not the case, set the following registry entry manually:
- Put the path where the custom module is (for example, %Program Files%\WindowsPowerShell\Module) in a REG_MULTI_SZ entry called "TestPath" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\TRSData.
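As an added example (not the Intel module's code), the registry step above done from PowerShell: the function appends a folder to the REG_MULTI_SZ "TestPath" value under HKLM\SYSTEM\CurrentControlSet\Control\CI\TRSData without discarding entries already present, and the calling code derives the folder from where IntelIoTGatewaySetup is actually installed rather than assuming the default location named in the text. Add-CodeIntegrityTestPath is a name chosen here; run it elevated on the gateway.

```powershell
# Added example (not part of the Intel module): register the folder holding the
# module in the Code Integrity TestPath list named in the text above.
function Add-CodeIntegrityTestPath {
    param([Parameter(Mandatory)][string]$Path)

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\TRSData'
    $name = 'TestPath'

    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # REG_MULTI_SZ can hold several folders; keep whatever is already listed.
    $existing = @()
    $current = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($current) { $existing = @($current.$name) }

    if ($existing -contains $Path) { return $existing }   # already registered

    $updated = @($existing + $Path)
    New-ItemProperty -Path $key -Name $name -PropertyType MultiString -Value $updated -Force | Out-Null
    return $updated
}

# Find where the module really lives instead of assuming the default folder.
$module = Get-Module -ListAvailable -Name IntelIoTGatewaySetup | Select-Object -First 1
if (-not $module) { throw 'IntelIoTGatewaySetup is not installed on this gateway.' }

# ModuleBase is the module's own folder; TestPath wants its parent (the Modules folder).
Add-CodeIntegrityTestPath -Path (Split-Path $module.ModuleBase -Parent)
```

Because TestPath widens what the Code Integrity policy treats as trusted, register only the folder that holds the module and check the resulting list (the function returns it) rather than adding broad paths such as the whole Program Files tree.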
Software Access Point
Wireless Hosted Network
Starting with Windows* 7, Microsoft provides a wireless Hosted Network feature that delivers software access point (AP) capability. See the following documents for more details:
An important note from the document above is the limitation for system sleep (standby) or hibernate. If the wireless Hosted Network is running when the computer goes to sleep (standby), hibernate, or before the computer restarts, the wireless Hosted Network is stopped.
Intel provides the Intel® IoT Gateway Module for Microsoft Windows PowerShell to help set up this feature. See Intel IoT Gateway Module for Microsoft Windows PowerShell below for more details.
Currently Known Issues
For Windows 10 IoT Core, although the Hosted Network can be enabled, Internet Connection Sharing is not supported. Therefore, Software AP on IoT Core does not provide Internet access for other connected devices. Also, the default IoT Core startup App (released by Microsoft) is interfering with the Hosted Network capability. For a stable Software AP, use a different IoT Core startup App or uninstall the default startup App.
Also, for Windows 10 IoT Core, the following limitation makes our PowerShell module store un-encrypted SSID, SSID key, and other Software AP parameters in config files:
Intel IoT Gateway Module for Microsoft Windows PowerShell
Check Intel IoT Gateway Module for Microsoft Windows PowerShell in the previous chapter for the general module introduction, installation, and usage. That section describes how to run the following commands on the gateway from a development computer.
For Software AP setup, the main commands are Install-IoTGatewayAP, Uninstall-IoTGatewayAP, and Update-IoTGatewayAP. They call other commands in this module. Check their help information for more details (Get-Help Install-IoTGatewayAP -Full).
For example, to install the Software AP, run the following command:
# $ssid is the SSID to use for the AP.
# $pw_ssid is the AP key (password).
Install-IoTGatewayAP -SSID $ssid -KeySSID $pw_ssid -ErrorLog
For example, to uninstall the Software AP (using information saved during installation), run the following command:
Uninstall-IoTGatewayAP -ErrorLog
The individual commands used by those three main commands can also be called to set up single features. For example, Enable-IoTGatewayAP lets the user enable the Software AP and Internet Connection Sharing. However, unless Install-IoTGatewayAP has been run, the AP is disabled again when the computer restarts.
Microsoft Management Tools
Manageability is important for IoT gateways. Microsoft offers a number of management tools, including PowerShell, Microsoft Intune, System Center Configuration Manager, and Group Policy. Read the following documents for an overview of Windows 10 device management:
Windows PowerShell
Remote Windows PowerShell is a popular tool for managing devices. Many PowerShell modules provide functionality to control Windows settings; among them, Intel provides the Intel® IoT Gateway Module for Microsoft Windows PowerShell to help implement settings for IoT gateways. Many books and tutorials are available. The following resources provide a good introduction to PowerShell:
To use remote PowerShell, follow these general steps:
- Enable remote PowerShell on the gateway. Currently, for Windows 10 IoT Core, nothing needs to be set up.
- Enable remote PowerShell on the development computer.
- On the development computer, do the following:
- Create a new session for the gateway. The account used on the gateway needs Administrator privilege if the PowerShell commands you run require it.
- Run the PowerShell script block in this session.
- Remove the session.
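The following script is an added example; it is not part of the Intel guide or of the Intel IoT Gateway Module. It performs the Software AP installation described under Intel IoT Gateway Module for Microsoft Windows PowerShell through exactly the session steps listed above. It assumes the gateway answers WinRM (TCP 5985) at the given host name or address, that the account is a local Administrator on the gateway, and that the Intel module is installed there so its cmdlets autoload; the host, SSID and user name are placeholders supplied at run time. Because a workgroup gateway is not domain-joined, the WinRM client on the development computer must list it in TrustedHosts; the script adds only that one host rather than a wildcard.

```powershell
# Added example, not part of the Intel guide or the Intel IoT Gateway Module.
# Installs the Software AP on a gateway from the development computer using the
# session steps above. Assumptions: the gateway answers WinRM (TCP 5985) at
# -GatewayHost, the account is a local Administrator there, and the Intel module
# is installed on the gateway so its cmdlets autoload. All values are placeholders.
param(
    [Parameter(Mandatory)] [string] $GatewayHost,        # gateway IP address or host name
    [Parameter(Mandatory)] [string] $Ssid,               # SSID the Software AP should broadcast
    [string] $UserName = 'Administrator'                 # account on the gateway
)
$ErrorActionPreference = 'Stop'

# Step 2: enable remoting on the development computer (needs an elevated prompt).
Enable-PSRemoting -Force -SkipNetworkProfileCheck | Out-Null

# A workgroup gateway is not domain-joined, so the WinRM client must trust it
# explicitly. Add only this host; a '*' entry would trust every host on the LAN.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if (($trusted -split ',') -notcontains $GatewayHost) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $GatewayHost -Concatenate -Force
}

# Read the AP key as a SecureString so it is not echoed or kept in command history.
$keySecure = Read-Host -Prompt "Key for SSID '$Ssid' (8 to 63 characters)" -AsSecureString
$cred      = Get-Credential -UserName $UserName -Message "Administrator account on $GatewayHost"

# Step 3a: create a session to the gateway.
$session = New-PSSession -ComputerName $GatewayHost -Credential $cred
try {
    # Step 3b: run the script block on the gateway. Remoting carries the SecureString
    # encrypted; it is only turned into a plain string on the gateway, because
    # Install-IoTGatewayAP takes -KeySSID as a string.
    $status = Invoke-Command -Session $session -ArgumentList $Ssid, $keySecure -ScriptBlock {
        param($ssid, $keySecure)
        $ErrorActionPreference = 'Stop'
        $key = [System.Net.NetworkCredential]::new('', $keySecure).Password
        Install-IoTGatewayAP -SSID $ssid -KeySSID $key -ErrorLog
        # Return the Hosted Network state so the caller can verify the AP is up.
        (netsh wlan show hostednetwork) -join "`n"
    }
    $status
}
finally {
    # Step 3c: always remove the session, even when the installation failed.
    Remove-PSSession $session
}
```

Run it from an elevated PowerShell on the development computer, for example .\Install-GatewayAP.ps1 -GatewayHost 192.168.1.50 -Ssid MyGateway (both values are placeholders). To uninstall, replace the Install-IoTGatewayAP line in the script block with Uninstall-IoTGatewayAP -ErrorLog and drop the key handling. On Windows 10 IoT Core the module still stores the key unencrypted in its configuration files, as noted under Currently Known Issues, so the SecureString handling here protects the key only on the development computer and in transit.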
Microsoft Intune
Microsoft Intune provides mobile device management from the cloud. Read the following document for more details:
Microsoft Intune uses Configuration Service Providers (CSPs) to manage Windows 10 mobile devices. Read the following documents for more details.
To use custom policies via OMA-URI, the Windows 10 devices need to be enrolled as mobile devices. Read the following document for more details:
Combining Microsoft Intune with Azure Active Directory makes device enrollment easy. Read the following document for more details:
System Center Configuration Manager
System Center Configuration Manager provides device management inside a corporate network in Active Directory. Furthermore, through integration with Microsoft Intune, "System Center Configuration Manager + Intune" can be used to manage devices from the cloud. Read the following document for more details:
Group Policy
Group Policy is a popular tool for enterprises to manage multiple computers inside a corporate Active Directory domain. Read the following for more details:
Managing Windows 10 Telemetry/Privacy Settings
Windows 10 relies on telemetry information (reported to cloud services) to enable many services. To change the telemetry settings, read Configure telemetry and other settings in your organization.
Application Development
Software applications provide features that the default operating system does not deliver. This document points the user to some starting points for Windows application development.
For general Windows application development, read the following documents for more details:
For Windows 10 IoT Core, read the following documents for more details:
Note: When developing applications on an IoT device, do not set the device to the "Medium" or "High" Security SKU; otherwise the application under test or development may be blocked. Restore the intended security level before the gateway is deployed.
Deployment Using Legacy Manufacturing Process
Microsoft posted a series of demo videos at Deploying Windows 8: Video demos for system builders. Although the videos are intended for Windows 8, the information still applies to Windows 10. Watch those videos to obtain a general understanding of the process. This document briefly describes each step and points the reader to Microsoft documents for more detailed instructions.
Install Windows 10 IoT Enterprise
The following steps should be performed in order.
- Install Windows Preinstallation Environment (WinPE) onto a bootable USB drive:
Windows PE (WinPE) is a minimal Windows operating system that is used to copy disk images, prepare a computer for Windows installation, and start Windows Setup. Follow these Microsoft documents for instructions:
If the WinPE environment needs to be customized for more advanced setup, follow WinPE: Mount and Customize.
- Capture Windows image from a reference gateway:
This step is required only if a custom Windows image (.wim) file needs to be captured from a reference gateway. If a .wim file is already available, save it to a USB storage drive or a network drive so that the WinPE environment can access it later.
To capture the Windows image, follow these Microsoft documents for instructions:
- Deploy Windows image onto the gateway:
This step creates disk partitions and installs a Windows image onto the gateway and sets up the system partition. Follow these Microsoft documents for instructions:
For more advanced setup for Windows recovery partition, refer to these documents:
Install Windows 10 IoT Core
First, obtain the Windows 10 IoT Core flash image (.ffu file) for the gateway. There are several options to obtain the .ffu file:
- One can download the file released by Microsoft (for example, for MinnowBoard Max, see Set-up MBM).
- Use the imggen tool. The steps are:
- Assume that you have the tools installed already, as mentioned in Deployment Tools.
- Open elevated (as Admin) Deployment and Imaging tools command prompt.
- Set the following environment variables (in order):
SET PATH=%KITSROOT%tools\bin\i386;%PATH%
SET AKROOT=%KITSROOT%
- Build the image with the following command:
imggen.cmd IoTCore.ffu "%KITSROOT%OEMInputSamples\MBM\ProductionOEMInput.xml" "%KITSROOT%MSPackages" x86
The first parameter is the output .ffu file name. The second parameter is the OEM Input file with its full path; this should be part of your BSP. See Image Creation Process Using Windows Imaging and Configuration Designer (ICD) for more information about the BSP. The third parameter is the path to the root directory that contains the Microsoft packages. By default, this directory is %ProgramFiles(x86)%\Windows Kits\10\MSPackages. If the BSP is not available, this command will fail.
- Use Windows Imaging and Configuration Designer (Windows ICD) to generate the .ffu file. More details about Windows ICD are described in Image Creation Process Using Windows Imaging and Configuration Designer (ICD) under "Installing Windows 10 IoT Core".
Then, apply the .ffu image to the storage device.
Steps if the gateway uses removable media (SD card or USB drive) as the storage device:
- Refer to Using DISM to flash micro SD card for Windows IoT Core device for instructions.
Steps if the gateway has internal storage device (for example, hard drive):
- First, prepare a custom WinPE on a bootable USB drive, by following the steps below:
- Currently, Windows 10 IoT Core requires 32-bit WinPE. Follow WinPE: Mount and Customize to create WinPE files and Mount the WinPE boot image. Only complete the "Create WinPE files" and "Mount WinPE boot image" sections.
- Then copy the .ffu file to the mount folder. For example, if the WinPE folder in the procedure above is C:\WinPE_x86, copy the .ffu file to the C:\WinPE_x86\mount folder.
- Next, insert the USB drive (at least 4 GB) and format it as NTFS, following the example in WinPE: Create USB Bootable drive. Only consult the "Troubleshooting" section, and only complete the "diskpart" part, not the "MakeWinPEMedia" part. The "MakeWinPEMedia" command is run in the next step, after the image is unmounted and the changes are committed.
- Then unmount WinPE and create the media on the USB drive, following WinPE: Mount and Customize. Only consult the "Un-mount…" section. After unmounting, run dism /cleanup-wim to ensure that the image is unmounted. Remember to use the correct 32-bit WinPE folder name and the correct USB drive letter in those commands.
- Then deploy the flash image onto gateway, by following the steps below:
- Insert the bootable USB drive into the gateway, and boot from the USB drive.
- This should boot into the WinPE environment.
- Then use a command similar to the one in Using DISM to flash micro SD card for Windows IoT Core device to apply the image to the gateway's internal storage. The disk number used must be that of the gateway's internal storage; applying the image to the wrong disk destroys its contents, so confirm the number with diskpart's list disk first. Remember to specify the correct path for the .ffu file; it was copied into this bootable WinPE USB drive in the previous step, so use that path.
- Then shut down the device by running wpeutil shutdown.
- Remove the bootable WinPE USB drive, and choose the internal storage as the #1 boot priority.
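As an added example (not from the Intel guide or the Microsoft documents it cites), the following PowerShell script automates the development-computer half of the internal-storage procedure above: it creates the 32-bit WinPE files, mounts boot.wim, stages the .ffu in the mount folder, unmounts with commit, runs dism /cleanup-wim, and writes the USB drive with MakeWinPEMedia. It assumes it is run from an elevated Deployment and Imaging Tools Environment (so copype, MakeWinPEMedia and dism resolve on PATH); the .ffu path, work folder, USB drive letter and the PhysicalDrive number in the closing comment are placeholders. The SHA-256 sidecar file is this example's addition, so the operator can confirm in WinPE that the image about to be flashed is the one that was built.

```powershell
# Added example, not from the Intel guide or the Microsoft documents it cites.
# Builds the custom 32-bit WinPE USB drive with the IoT Core .ffu staged inside
# boot.wim, following the internal-storage steps above. Run from an elevated
# "Deployment and Imaging Tools Environment" so copype, MakeWinPEMedia and dism
# resolve on PATH. -FfuPath, -UsbDrive and -WorkDir are placeholders; the USB
# drive is erased.
param(
    [Parameter(Mandatory)] [string] $FfuPath,                                    # e.g. C:\images\IoTCore.ffu
    [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z]:$')] [string] $UsbDrive,  # e.g. F:
    [string] $WorkDir = 'C:\WinPE_x86'                                           # IoT Core needs x86 WinPE
)
$ErrorActionPreference = 'Stop'

function Invoke-Tool {
    # Run an external tool and fail on a non-zero exit code. dism.exe and the
    # *.cmd wrappers report failure only through the exit code, which PowerShell
    # would otherwise ignore and carry on to erase the USB drive.
    param([string] $Name, [string[]] $ToolArgs)
    & $Name @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$Name $($ToolArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

if (-not (Test-Path -LiteralPath $FfuPath)) { throw "FFU not found: $FfuPath" }
if (Test-Path -LiteralPath $WorkDir) { throw "$WorkDir already exists; remove it or choose another -WorkDir" }
$ffuHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $FfuPath).Hash
$mount   = Join-Path $WorkDir 'mount'

# 1. "Create WinPE files": 32-bit, as Windows 10 IoT Core currently requires.
Invoke-Tool copype @('x86', $WorkDir)

# 2. "Mount WinPE boot image" and copy the .ffu into the mount folder, so it
#    appears at the root of the WinPE drive (X:) once the gateway boots from USB.
Invoke-Tool dism @('/Mount-Image', "/ImageFile:$WorkDir\media\sources\boot.wim", '/Index:1', "/MountDir:$mount")
$staged = $false
try {
    Copy-Item -LiteralPath $FfuPath -Destination (Join-Path $mount 'IoTCore.ffu')
    # Sidecar hash (this example's addition): lets the operator confirm in WinPE
    # that the image to be flashed is the one that was built here.
    "$ffuHash  IoTCore.ffu" | Set-Content -LiteralPath (Join-Path $mount 'IoTCore.ffu.sha256')
    $staged = $true
}
finally {
    # 3. Unmount, committing only if staging succeeded, then clean up stale mounts.
    $mode = if ($staged) { '/Commit' } else { '/Discard' }
    Invoke-Tool dism @('/Unmount-Image', "/MountDir:$mount", $mode)
    Invoke-Tool dism @('/Cleanup-Wim')
}

# 4. Create the bootable USB drive (MakeWinPEMedia formats it; /f skips the prompt).
Invoke-Tool MakeWinPEMedia @('/UFD', '/f', $WorkDir, $UsbDrive)

# On the gateway, after booting from this drive into WinPE (X: is the WinPE drive):
#   diskpart                                   -> "list disk" to find the internal disk number N, then "exit"
#   certutil -hashfile X:\IoTCore.ffu SHA256   -> compare with X:\IoTCore.ffu.sha256
#   dism /Apply-Image /ImageFile:X:\IoTCore.ffu /ApplyDrive:\\.\PhysicalDriveN /SkipPlatformCheck
#   wpeutil shutdown
"WinPE media written to $UsbDrive; SHA256 of staged IoTCore.ffu: $ffuHash"
```

The try/finally around the staging step matters: if the copy fails, the image is unmounted with /Discard rather than /Commit, and the drive is never written, so a half-built boot.wim cannot reach the gateway. The closing comment lists the on-gateway commands from the steps above; the disk number and the presence of certutil in your WinPE build are assumptions to verify on the device.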
Reference to Solution Briefs
In addition to this document and to Microsoft documents, Intel has made other documents available to help with gateways. These documents can be found on the Intel Developer Zone for IoT Gateways section by searching for "solution brief" or "recipe" for Windows operating system. A selection of documents includes (but is not limited to):
- IoT Recipe - Connecting Windows* 10 IoT Device to MeshCentral
- IoT Recipe - Using Cloud9 Desktop as on-device Development Tool for Windows* 10 Enterprise Gateway
- Solution Brief - IoT Device Telemetry using Azure Event Hubs with .NET
- Solution Brief - Using Node.js and Node-RED for IoT applications with Windows* 10 Enterprise
- Solution Brief - IoT Device Telemetry using Azure Event Hubs with Node.js
- Solution Brief - Connecting Windows* 10 Enterprise IoT Gateway to Wind River* Helix Device Cloud