Posted By Jeff Wettlaufer
Sr. Technical Product Marketing Manager
Hi everyone. Last week, we achieved a major milestone within the Windows teams: the RTM of Windows 8.1 for both Windows and Windows Embedded platforms. In this post, I would like to share with you some technical highlights with the new release of Windows Embedded 8.1 Industry, and talk about some of the key elements that are new from a technical perspective.
It is important to first note a big change for Windows Embedded: In the past, the Embedded versions of Windows, right up to the 8 wave, were released a short period of time after the RTM of Windows Client. With the release of 8.1, Windows Embedded is aligned at an engineering level that affects not only the timing of release, but also the code base. Windows Embedded 8.1 is now built fully on Windows Client with Embedded features added (think of Embedded as a superset of capabilities over Client), and is released on the same dates.
This alignment spans several levels of the stack. The hardware and OS stack are much more closely aligned than ever before, bringing better consistency for drivers and chipsets. Above the OS stack, we have integration with other infrastructure, such as identity (think AD) and development, deployment and management tools (Visual Studio x, System Center, Windows ADK and more) and at an app layer (with some API support for modern apps and industry specific peripherals). Finally, this alignment is more cloud-enabled than ever before, supporting smart, connected scenarios and services for edge devices.
There are several areas of Windows Embedded that are either improved or new. To start, let’s cover what is updated for 8.1:
Windows 8 Application Launcher
Windows Embedded is typically used in industry-specific scenarios, such as POS, kiosk, digital sign and HMI, to name a few. In these scenarios, the device needs to boot and launch an app in a locked-down scenario, sometimes even without user intervention. The Windows 8 Application Launcher manages this for modern apps just like Shell Launcher did (and still does) for Win32 app scenarios. The Windows 8 Application Launcher also monitors app processes, and can be configured to take action if the app exits (reboot, logout, do nothing etc). New for 8.1, this can now be configured to completely disable the Start screen.
With the increasing usage of touch-enabled devices, and the enriched user experience these screens bring, it is important to understand that they also create a vector for accessing devices: exiting apps, accessing the desktop and reaching other local or network resources. The Gesture Filter for Windows Embedded ensures Windows settings are not accessible to users through touch gestures; for example, press, tap, slide, swipe (down, left, right), pinch and turn. Gesture Filter configuration settings now provide runtime configuration, meaning that settings take effect without requiring a reboot. In addition, role-based filtering (where different filter settings apply to different users) is now supported for 8.1 and in general, Gesture Filter applies to non-admin accounts.
While Windows Embedded scenarios do not always include interaction with a keyboard, it is important to consider blocking keyboard combinations. By blocking keyboard keystroke combinations, administrators can ensure the desired experience will consistently be delivered, and maintain a secure edge device. The Keyboard Filter blocks keyboard strokes and combinations, preventing uncontrolled activity on a device. So, the traditional Ctrl-Alt-Del could be restricted, or changed. In addition to keyboard, this capability also supports hardware button filtering on Windows 8.1-based devices. Admin access and ‘Breakout Mode’ are supported, permitting administrators to access a device when needed. This feature also supports on-screen keyboards.
Unified Write Filter
A key element of any Embedded use-case scenario is state preservation. By redirecting writes, or changes, to an overlay, the performance of a system does not degrade. In a fixed-use device like a kiosk, POS or digital sign, write filters are critical to ensuring stability long-term. For Windows 8.1, the Unified Write Filter combines (with improvements) several older filter capabilities found in both the Enhanced Base Write Filter and the File Based Write Filters. UWF supports disk- or RAM-based overlays, HORM (Hibernate Once Resume Many), File/Folder/Registry exclusions and more. Faster boots, more granular control for exceptions and control over where to write changes allow for system preservation while allowing for the ability to patch, update and maintain a device.
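As an added illustration (not part of the original post), the overlay and exclusion settings described above can be applied with the `uwfmgr.exe` command-line tool that ships with UWF. The overlay size, folder path and registry key are placeholders chosen for this example, not values from the post.

```powershell
# Added example: run from an elevated PowerShell prompt on the device.
# Sizes, paths and keys below are placeholders for illustration only.

# Review the current-session and next-session settings before changing anything.
uwfmgr.exe get-config

# Overlay type and size can only be changed while the filter is disabled.
uwfmgr.exe overlay set-type RAM        # or DISK for a disk-backed overlay
uwfmgr.exe overlay set-size 1024       # overlay size in MB

# Turn the filter on and protect the system volume; both apply after restart.
uwfmgr.exe filter enable
uwfmgr.exe volume protect C:

# Exclusions write through to disk and survive a restart, so keep them as
# narrow as possible: anything under an excluded path is no longer rolled
# back, which makes it persistent state that must be reviewed and monitored.
uwfmgr.exe file add-exclusion "C:\ExampleApp\Logs"
uwfmgr.exe registry add-exclusion "HKLM\SOFTWARE\ExampleVendor\ExampleApp"

# Restart so the protection and exclusions take effect, then confirm them.
Restart-Computer
# After the restart:
#   uwfmgr.exe get-config

# For patching or maintenance, disable the filter, restart, apply the
# changes, then re-enable the filter and restart again:
#   uwfmgr.exe filter disable
#   Restart-Computer
```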
With the release of Windows Embedded 8.1, there are several new capabilities that are introduced. Here are some examples and highlights.
New to both Windows Client 8.1 and Windows Embedded 8.1 is a feature called Assigned Access. This feature allows an organization to lock down a device to one user and one modern app. When Assigned Access is applied, a predefined, fixed set of filters and restrictions is applied to the device. These filters include keyboard, gesture, hardware and system toast notifications. Look for an upcoming blog that will go deeper on this topic.
When a Windows Embedded device is locked down, it is important to provide support for accessing the device for service and maintenance. Breakout Mode provides a way for device administrators to access the standard Windows Logon screen during a locked-down session. Administrators can do local servicing of a device running in kiosk mode. A specific hardware key sequence can be selected and configured to unlock devices, allowing non-traditional hardware buttons to be used.
USB port technology has come a long way, with large capacity storage coming in very small form factors. These highly portable devices can be extremely useful to an organization, and also very risky. By placing restrictions on Class ID (e.g. removable storage), device vendor ID (e.g. ContosoUSB) and even a device product ID (e.g. ContosoUSBData2), an organization can control which devices are recognized where. Permissions can be set at three levels: port level, class level and device level. USB 1.1, 2.0 and 3.0 are supported.
System Toast Notification Filter
We have all seen that digital sign in the mall, or on the side of a bus, that has some app that has crashed, and some error or pop-up window is sitting there awaiting confirmation. While you can use Dialog Filter to block those classic style pop-ups, Dialog Filter cannot block the new Windows 8 toast notifications such as when the OS pops up a balloon to inform of a system event (battery low, lost network connection). With Industry 8.1, you can use the System Toast Notification Filter to block these types of notification. This filter can go a long way in ensuring the desired modern experience is delivered on a device.
Lockdown Baseline Tool
The new Lockdown Baseline tool (LBT) captures lockdown and branding features for replication to multiple target devices using System Center Configuration Manager's Desired Configuration Management function. This allows administrators to prepare a ‘golden image’ device, clone the settings and apply them through a management tool like System Center. LBT captures UWF, Dialog Filter, Keyboard Filter, Toast Filter, Gesture Filter, the Windows 8 Application Launcher, Shell Launcher, USB Filter and Composite WMI Providers.
With the release of Windows Embedded 8.1, a significantly improved set of capabilities becomes available to customers and partners. Your direct feedback has resulted in key improvements that allow Embedded scenarios to evolve with technology, use cases and hardware developments. All of the great features of Windows are included in the Embedded 8.1 release, and, with strong alignment moving forward, we will continue to improve. Over the next several weeks, I’ll be back with more blogs on the powerful new technical capabilities of Windows Embedded 8.1; in the meantime, I encourage you to evaluate Windows Embedded 8.1 Industry today, and let us know what you think.