zereOS Embedded Configuration Manager
Windows IoT Enterprise includes many embedded features to customize your system. But the configuration of the new systems is very hard because the Embedded Lockdown Manager (this tool was included in Windows Embedded 8.1 Industry Pro for example) was not carried over to Windows 10 IoT Enterprise.
That’s why we created the Embedded Configuration Manager. The Embedded Configuration Manager has even more functionality than the original Microsoft Embedded Lockdown Manager. The new tool can be used as a central management place for all Embedded related settings. It allows to activate or deactivate features and also to manage and configure them with ease.
The tool is designed to work with the following operating systems:
- Windows Embedded 8 Standard
- Windows Embedded 8.1 Industry Pro
- Windows 10 IoT Enterprise 2015 LTSB
- Windows 10 IoT Enterprise 2016 LTSB
- Windows 10 IoT Enterprise 2016 CBB
How to start
To start the Embedded Configuration Manger please insert your received USB device, open your file explorer, go to the USB device directory and start “Embedded Configuration Manager.exe”.
How to use
Please read our manual carefully before using the ECM, do not ignore our warning messages and follow the given instructions.
To find out which embedded lockdown features are available for your Windows installation, just launch the Embedded Configuration Manager. On the first configuration page you will get a complete list of all available features. To enable them, just toggle the switch in front of their name and click on “Apply”. After a reboot the features are available for configuration.
The tool will list all available features that can be configured on the left side. Every setting is described in detail and can be configured with just a few mouse clicks.
With the Assigned Access configuration you can easily select a modern Universal Windows Platform App that should be the default shell for a specific user.
With the “Enable KioskMode” functionality, that is only available through the Embedded Configuration Manager on Windows 10 IoT Enterprise 2016 versions, you can also completely suppress the Windows Desktop to ensure the user cannot exit the app!
These settings allow to easily setup an automatic logon for a specific user and allows you to configure the branding settings. With the branding settings, you can easily suppress the complete Logon UI and hide certain elements, such as the power button or ease of access button from the logon screen!
The Embedded Boot settings allow to easily brand the boot experience. You can disable the boot logo, text and status ring, or block access to the F8 and F10 boot menu. These settings are important if you want to build a completely branded device.
The Keyboard Filter settings allow you to simply block keys or key combinations, such as Ctrl+Alt+Del. These combinations can be selected from a wide range of pre-defined keys, or you can easily add a custom combination that should be blocked. The keyboard filter allows to block keys based on the key ID, such as Z, the keys will be blocked regardless of the keyboard layout. If the keyboard layout changes and the key wanders to a different location it will be blocked there as well. Alternatively the keys can be blocked based on the keys scan code. In this case the physical key on the keyboard will be blocked, ignoring what key is currently mapped from the keyboard layout.
The keyboard filter also allows to change the breakout key or to completely disable it.
The breakout key allows a user to break out of an account that is locked down, e.g. with a custom shell. Pressing the breakout key 5 times in a row will get the user to the Welcome screen so he can login with another user account.
Per default the breakout key is the Windows key.
It is recommended to change the key or to completely disable the functionality and handle this scenario solely through the custom shell application.
The new feature allows you to easily modify the OEM Information of your devices.
This information is shown in the System properties and allows the end user to see who the manufacturer of the device is – and where to get support.
The Shell Launcher allows to setup different shells for different users or groups. With the Embedded Configuration Manager the programs that should be used as shell for a specific user can be configured very easily. With the shell launcher you can configure a default shell for the standard users, so they can use the shell application only but cannot access anything else in the system. Administrators however, can be configured to boot into the regular Windows Explorer shell so they can use the full desktop experience to configure and service the devices.
Unified Write Filter
Windows 10 IoT Enterprise contains the Unified Write Filter (referred as UWF in the following) feature to protect the system from unwanted changes. Unfortunately, Windows itself will fill up the overlay within a few minutes.
Because of this, the feature is unusable in production as Windows might crash the system.
The Embedded Configuration Manger now contains a feature that will optimize your system for the Unified Write Filter usage with just one click. Use the optimization before enabling the UWF.
This will reduce the writes of Windows itself to the overlay and allows the usage of UWF again!
The tool allows to configure the overlay settings, such as size and type.
You can easily add volumes to the protection and create exclusions based on files or folders and registry keys under HKEY_LOCAL_MACHINE.
NOTE: Enabling or changing settings of the Unified Write Filter requires a reboot!
USB Device Policy
The USB Device Policy allows you to create blacklists of devices that are not allowed to be connected to the system. Simply select a currently connected device and add it to the blacklist. The next time the device is being connected to the system it will no longer be allowed to be installed.
The filtering can be done based on the device ID or device classes. With the device classes you can block devices within a class in general, such as Bluetooth devices.
The tool also allows you to disable the filtering for Administrators or block removable devices in general.
Disabling the updates in Windows 10 IoT Enterprise is not an easy task as Windows will try to ensure that it can talk to the update service and download new files if needed.
It is possible to disable the automatic search and installation of the main updates but still Windows will perform other updates in the background.
The Embedded Configuration Manger now includes a single click solution to disable Windows Updates and Windows Defender updates.
With this feature you have full control to manage the updates on your system again.
With a simple click, the tool can disable toast notifications within Windows, Application Error Dialogs and “Application is not responding” dialogs. This is important to remove any unwanted notifications from other applications or Windows itself.
In the power settings, you can change the power profile to “high performance” to get the most power out of your hardware. The tool also allows you to configure the system, not to turn off the display after a given time and prevent it to go to sleep mode.
In most scenarios OneDrive is not needed on embedded devices. Therefore, the tool allows you to easily turn off OneDrive, so it does no longer run in the background and ask for a configuration.
In case OneDrive should not be disabled completely, the tool also supports to just remove OneDrive from the File Explorer and file open and save dialogs.
The tool allows you to disable touch gesture, such as swiping from the right side to open the Action Center. This is very helpful to ensure users stay within the application on touch-based devices.
It also allows to completely disable the whole touch functionality on a device. This can be useful on tablets where the touchscreen should not be used for interaction with the device.
Import / Export Feature & License Manager
You can export all settings into an XML file. This allows you to create several configuration templates that can easily be imported to other machines.
If you are interested in more information, please contact us!