A common requirement for Windows Embedded Standard 7 devices is controlling what applications can run on the system. If the device only runs your own custom application, such as a kiosk or set-top box, then you might want to ensure that no other applications could be run to break out of the experience. If the device runs a more open shell, such as thin clients, you may want to restrict the set of applications that are allowed to run.
Since Windows Embedded Standard 7 is based on Windows 7, we can leverage a new technology that has been introduced: AppLocker. AppLocker builds and improves on Software Restriction Policies (SRPs) to allow for easy and flexible application lockdown. You can find a thorough summary of AppLocker at its Executive Overview and other articles around the web, but I will offer some highlights and an example. Some of its features are:
In terms of Windows Embedded Standard 7 specific information, in order to get AppLocker to work you must include the Application Security, Windows Installer, and Group Policy packages at a minimum. The packages necessary to configure it depend on which of its two configuration methods you want to use:
AppLocker is a powerful tool that you can use to help lock down your Windows Embedded Standard 7 devices. In my next tutorial, I will walk through using AppLocker on your device.
AppLocker may be exactly what I have been looking for when trying to build a very locked-down embedded device. My main concern with Windows Embedded is that owners of the device get other software on it than we have verified it for, which is a big no-no for e.g. medical devices. However, I wonder if there is another programmatic way, with a smaller footprint, of configuring AppLocker besides PowerShell.
Now, a downside seems to be that a domain GP can override the device AppLocker settings. Is it possible to be a member of a domain and only get a limited set of Group Policies applied? As a device maker, I want to be very much in control over which configuration changes that can be made, and among other things that means making it impossible to (even accidentally) push out e.g. Office to the device and disabling AppLocker (so the install runs).
1. PowerShell is the only supported scripting interface for AppLocker.
2. As for preventing domain Group Policy from being pushed down to your device, this article may be useful - http://blogs.technet.com/markrussinovich/archive/2005/04/30/circumventing-group-policy-settings.aspx