Windows 10 IoT Enterprise: Here's what you need to know

Microsoft's embedded Windows 10 does a lot more than power ATMs and point-of-sale systems.

Microsoft has had embedded versions of desktop Windows for a long time. Early versions of Windows NT ran ATMs for many years, presenting complex applications via simple user interface. Those embedded systems are still a big part of the Windows business, powering many solutions from thousands of different vendors. 

The latest generation is Windows 10 IoT, which links the smallest devices to Microsoft's cloud, while building on Windows 10's developer tooling for everything from massive digital signs to restaurant management kiosks. 

What is Windows 10 IoT? 

The Windows 10 IoT platform encompasses two operating systems: Windows 10 IoT Core and Windows 10 IoT Enterprise. IoT Core is focused on small systems, usually single-board computers running kiosk-like user interfaces. It'll run on systems as small as a Raspberry Pi, with Arm as well as Intel. If you're building bespoke hardware that needs more processing power than an Arduino, or where you want an alternative to embedded Linux or a RTOS, IoT Core is an option that lets you build on existing Windows software development skills. While it supports a single UWP app running at a time, there's the option of running it 'headless', without a screen and built into devices. 

Larger-scale systems can use Windows 10 IoT Enterprise. This is a full version of Windows 10, functionally equivalent to Windows 10 Enterprise, but licensed separately. It's available with the standard semi-annual update model like most of the Windows 10 family, and with a Long-Term Servicing Channel (LTSC) option for embedded systems that are unlikely to require new features in a long life, like ATMs or point-of-sale systems. 

Using Windows 10 IoT Enterprise 

You can use IoT Enterprise with a standard Windows 10 user interface, or run it in Kiosk mode, locking down access to one app or to a selected group of tools. Kisok mode is an important option, as embedded devices don't need a Windows desktop. You want to be able to turn them on and let them do what they're intended to do. 

An advantage of building on the existing Windows ecosystem for Windows 10 IoT Enterprise is support for Windows' hardware- and virtualization-based security. That's important if you're building hardware like ATMs, where device and software health is critical. You need to be sure that software and hardware has not been compromised, and that file systems are encrypted.  

One interesting use case for Windows 10 IoT Enterprise is for devices that may have used the LTSC release of Windows 10 Enterprise -- systems that need to be supported for a long time because they handle specific regulated tasks. These systems have tended to be treated as general-purpose computers, and managed like normal PCs. The Long-Term Servicing Channel for Windows 10 provided a way of supporting those systems with security updates for 10 years, removing consumer-facing features like the Windows Store. 

A Windows for the long term 

However, recent changes from Microsoft mean that the LTSC model for Windows 10 Enterprise is changing, dropping support from 10 to only five years. While that may be suitable for workstations where hardware is refreshed every four or five years, it's not a suitable model for PCs that are running EDI gateways or other business-critical applications that don't require a server OS. That's where treating them as appliances starts to make sense. These aren't the laptops on our desks -- they're machines that sit in back offices running business-critical tasks that can't be interrupted and can't go wrong. 

Luckily there is an alternative, as the LTSC release of Windows 10 IoT Enterprise retains its 10-year support cycle, allowing it to be used instead of another Windows LTSC client. By treating those PCs as if they were embedded systems, they can take advantage of the Windows 10 ecosystem while offering a stable platform that only gets security updates. You will need to change licensing model if you're using this, as Windows 10 IoT has its own licensing and is not available through standard sales channels. However, where stability is key, especially if you're running software that's both highly regulated and business critical, choosing Windows 10 IoT Enterprise makes sense. 

SEE: Checklist: Securing Windows 10 systems (TechRepublic Premium)

A future release, due later in 2021, is expected to offer improved customisation, allowing you to strip back unwanted features and have only the services that support your applications. By removing unused Windows features, you're minimising the attack surface, while reducing the risk of unwanted software interactions. The same techniques used to harden a point-of-sale system can add extra protection to a dedicated application terminal -- all you need to do is take the time needed to configure and manage the OS. 

Keeping Windows 10 IoT secure 

Other aspects of Windows 10 IoT Enterprise include tools to manage start-up. It offers a Hibernate Once, Resume Many (HORM) option, together with a set of file system filters that ensure a device will always start up in the same state, using a saved hibernation file. You can set up a system, configure applications, and then save and lock a hibernation file. Each restart, applications and services will come up exactly as saved, with only data updated.  

This approach can help protect against ransomware, as well as other attacks, or even against well-intentioned attempts to update software without testing. As soon as there's any problem, all you need to do is restart and everything is back to a known good state. Applications will then automatically resume, so your point-of-sale terminal is ready to go without anyone having to launch from a menu. 

A closely related option is Windows' Unified Write Filter (UWF), which provides a temporary file system for user sessions that's wiped when a user logs off. They can install software and make changes, but nothing is permanent. Combining UWF with HORM protects PCs running as kiosks, resetting them between sessions while protecting system drives. Web cafes may be a thing of the past, but a PC running these tools would work well in a hotel business center or for self-service operations in a print shop. 

Microsoft's list of suggested uses for Windows 10 IoT Enterprise includes thin clients. This approach could work well for education users, where the upcoming Cloud PC service will allow the use of managed Windows and application environments. All that's needed is a host for the remote access client, providing a PC-like experience on PC-grade hardware, but with all software running from the cloud. 

A 10-year support cycle for software can be very useful, and the tools Microsoft provides for managing embedded Windows 10 can be useful in many different scenarios. Windows 10 IoT Enterprise is, at heart, a Windows like any other. It's just one that could be around a lot longer than the hardware it runs on. 

Also see