Windows IoT Enterprise includes many embedded features to customize your system. But the configuration of the new systems is very hard because the Embedded Lockdown Manager (this tool was included in Windows Embedded 8.1 Industry Pro for example) was not carried over to Windows 10 IoT Enterprise.
That’s why we created the Embedded Configuration Manager. The Embedded Configuration Manager has even more functionality than the original Microsoft Embedded Lockdown Manager. The new tool can be used as a central management place for all Embedded related settings. It lets you activate or deactivate features and also manage and configure them with ease.
The tool is designed to work with the following operating systems:
- Windows Embedded 8 Standard
- Windows Embedded 8.1 Industry Pro
- Windows 10 IoT Enterprise 2015 LTSB
- Windows 10 IoT Enterprise 2016 LTSB
- Windows 10 IoT Enterprise 2016 CBB
To find out which embedded lockdown features are available for your Windows installation, just launch the Embedded Configuration Manager. On the first configuration page you will get a complete list of all available features. To enable them, just toggle the switch in front of their name and click on “Apply”. After a reboot the features are available for configuration.
The tool will list all available features that can be configured on the left side. Every setting is described in detail and can be configured with just a few mouse clicks.
With the Assigned Access configuration you can easily select a modern Universal Windows Platform App that should be the default shell for a specific user.
With the “Enable KioskMode” functionality, which is only available through the Embedded Configuration Manager on Windows 10 IoT Enterprise 2016 versions, you can also completely suppress the Windows Desktop to ensure the user cannot exit the app!
The Embedded Boot settings let you easily brand the boot experience. You can disable the boot logo, text and status ring, or block access to the F8 and F10 boot menu. These settings are important if you want to build a completely branded device.
These settings let you easily set up an automatic logon for a specific user and configure the branding settings. With the branding settings, you can easily suppress the complete Logon UI and hide certain elements, such as the power button or ease of access button, from the logon screen!
The Keyboard Filter settings allow you to simply block keys or key combinations, such as Ctrl+Alt+Del. These combinations can be selected from a wide range of pre-defined keys, or you can easily add a custom combination that should be blocked. The keyboard filter can block keys based on the key ID, such as Z. In that case the key is blocked regardless of the keyboard layout: if the layout changes and the key moves to a different location, it is blocked there as well. Alternatively, keys can be blocked based on the key's scan code. In this case the physical key on the keyboard is blocked, regardless of which key the current keyboard layout maps to it.
The keyboard filter also lets you change the breakout key or disable it completely.
The breakout key allows a user to break out of an account that is locked down, e.g. with a custom shell. Pressing the breakout key 5 times in a row takes the user to the Welcome screen so they can log in with another user account.
By default the breakout key is the Windows key.
It is recommended to change the key or to completely disable the functionality and handle this scenario solely through the custom shell application.
The Shell Launcher lets you set up different shells for different users or groups. With the Embedded Configuration Manager the programs that should be used as shell for a specific user can be configured very easily.
With the shell launcher you can configure a default shell for the standard users, so they can use the shell application only but cannot access anything else in the system.
Administrators however, can be configured to boot into the regular Windows Explorer shell so they can use the full desktop experience to configure and service the devices.
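The breakout-key recommendation and the Shell Launcher split between standard users and administrators can be verified on a device with a read-only check. The script below is an added example, not part of the Embedded Configuration Manager; it assumes Keyboard Filter and Shell Launcher are enabled, an elevated Windows PowerShell session, Microsoft's WMI provider classes for these features (`WEKF_Settings`, `WEKF_PredefinedKey`, `WESL_UserSetting`), and 91 as the scan code of the left Windows key.

```powershell
# Added example: read-only audit; changes nothing on the device.
# Assumes Keyboard Filter and Shell Launcher are enabled and the session is elevated.
$Namespace = 'root\standardcimv2\embedded'
$DefaultBreakoutScanCode = 91   # assumption: scan code of the left Windows key

function Get-BreakoutKeyFinding {
    # WEKF_Settings exposes each setting as a Name/Value pair.
    $setting = Get-WmiObject -Namespace $Namespace -Class WEKF_Settings |
        Where-Object { $_.Name -eq 'BreakoutKeyScanCode' }
    [pscustomobject]@{
        Check    = 'Breakout key'
        Value    = $setting.Value
        NeedsFix = ([int]$setting.Value -eq $DefaultBreakoutScanCode)
    }
}

function Get-PredefinedKeyFinding([string]$Id) {
    # Enabled = $true means the combination is blocked by the filter.
    $key = Get-WmiObject -Namespace $Namespace -Class WEKF_PredefinedKey |
        Where-Object { $_.Id -eq $Id }
    [pscustomobject]@{
        Check    = "Block $Id"
        Value    = [bool]$key.Enabled
        NeedsFix = -not $key.Enabled
    }
}

function Get-ShellLauncherFinding {
    $class   = [wmiclass]"\\.\${Namespace}:WESL_UserSetting"
    $enabled = $class.IsEnabled().Enabled
    $default = $class.GetDefaultShell().Shell
    # The default shell applies to every account without its own entry,
    # so explorer.exe here means standard users get the full desktop.
    [pscustomobject]@{
        Check    = 'Shell Launcher default shell'
        Value    = "enabled=$enabled shell=$default"
        NeedsFix = (-not $enabled) -or ($default -match 'explorer\.exe')
    }
}

@(
    Get-BreakoutKeyFinding
    Get-PredefinedKeyFinding 'Ctrl+Alt+Del'
    Get-ShellLauncherFinding
) | Format-Table -AutoSize
```

A row with `NeedsFix` set to `True` marks a setting that still matches the unlocked default and should be reviewed against the device's lockdown requirements.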
Unified Write Filter
The write filter, which can protect your system from any unwanted changes, can be configured in detail as well.
The tool lets you configure the overlay settings, such as size and type.
You can easily add volumes to the protection and create exclusions based on files or folders and registry keys under HKEY_LOCAL_MACHINE.
USB Device Policy
The USB Device Policy allows you to create blacklists of devices that are not allowed to be connected to the system. Simply select a currently connected device and add it to the blacklist. The next time the device is connected to the system, it will no longer be allowed to be installed.
The filtering can be done based on the device ID or device classes. With the device classes you can block devices within a class in general, such as Bluetooth devices.
The tool also allows you to disable the filtering for Administrators or block removable devices in general.
Additionally, the tool allows you to disable touch gestures, such as swiping from the right side to open the Action Center. This is very helpful to ensure users stay within the application on touch-based devices.
It also lets you completely disable the whole touch functionality on a device. This can be useful on tablets where the touchscreen should not be used for interaction with the device.
With a simple click the tool can also disable all toast notifications within Windows. This is important to remove any unwanted notifications from other applications or Windows itself.
In most scenarios OneDrive is not needed on embedded devices. Therefore the tool allows you to easily turn off OneDrive so it no longer runs in the background and asks for a configuration.
In case OneDrive should not be disabled completely, the tool also supports just removing OneDrive from the File Explorer and the file open and save dialogs.