What is lockdown and branding in Windows Embedded Standard 8, and where are my EEFs?

Microsoft

bloggers

discussions

What is lockdown and branding in Windows Embedded Standard 8, and where are my EEFs?

  • Comments 0

Posted By J.T. Kimbell
Program Manager

Over the next week we’re going to have a small series highlighting various Lockdown features on Windows Embedded Standard 8. In this first post Kevin Asgari gives us an overview of the Lockdown and Branding features found in Windows Embedded Standard 8.  If you have any questions or want to know about each feature, please let us know!  Kevin is a Writer for the Windows Embedded team and in his spare time enjoys reading, skiing, visiting wineries, and spending time with family.

Windows Embedded Standard provides a building block version of the Windows operating system, enabling you to create a smaller, customized version of Windows by removing functionality that your device does not need. In addition, Windows Embedded Standard provides additional functionality for embedded devices that is not available in the full Windows OS. In Windows Embedded Standard 7 and earlier, we called these new features “embedded enabling features”, or EEFs for short.

However, “embedded enabling features” is not a very descriptive term. In Windows Embedded Standard 8, we now call these features lockdown and branding features.

Lockdown features enable you to provide a controlled device experience, mainly by limiting the ways in which an end user can interact with the device. For example, your device may be a dedicated cashier device that runs a full screen cashier application, and you may want to prevent users from being able to use Windows shortcut keys like Alt+Tab to switch out of the application, or Alt+4 to close the application.

Branding features enable you to hide or change many of the parts of the OS that identify it as a Windows product. You may want the devices your company produces to show only your company’s branding to your customers for better brand recognition, or you may want to hide the underlying OS so that end users are less likely to try to break out of the tailored device experience.

Lockdown features in Windows Embedded Standard 8

Write Filters

You can use write filters in your OS to help protect your physical storage media and increase the stability of your OS.

Write filters intercept writes to protected volumes and redirect the writes to an overlay that records changes. Conceptually, an overlay is similar to a transparency overlay on an overhead projector. Any change that is made to the transparency overlay affects the projected picture as it is seen by the viewer. However, if the transparency overlay is removed, the underlying picture remains unchanged. If you restart your system, all changes in the overlay are lost, and any volume protected with write filters returns to its original state.

By redirecting attempted writes to an overlay, write filters can make a write-protected volume appear to function as a writeable volume. Write filters can also reduce the wear on solid state drives by eliminating or reducing the amount of writes that are actually written to the disk.

Depending on which write filter you use, you can exclude certain files or registry keys from filtering. For example, you could use write filters to prevent most changes to your system drive, but add exclusions that allow changes to network settings or user preferences to persist across restarts.

You can use write filters in any device where it’s important to be able to restart from a consistent state. For example, an OEM might use write filters with a thin client device to simplify servicing and supporting the device, since restarting the device will put the device in a known state which can easily be serviced. Another example might be for a medical device that sends confidential client information to a cloud service database, but discards all local information when the device is restarted.

Some of the benefits to using write filters include the following:

  • Reduced wear on write-sensitive media such as compact USB flash devices
  • Increased system reliability
  • Support for stateless device operation

Windows Embedded Standard 8 includes the following three different write filters:

  • Universal Write Filter (UWF)
  • Enhanced Write Filter (EWF)
  • File-Based Write Filter (FBWF)

UWF is a new feature in Windows Embedded Standard 8, and combines the functionality of both EWF and FBWF. EWF and FBWF are included in Windows Embedded Standard 8 mainly for backward compatibility.

Keyboard Filter

You can use Keyboard Filter to disable undesirable key presses or combinations. For example, you can disable common Windows key combinations like Ctrl+Alt+Delete and Alt+Tab. You can disable any key or key combination.

We redesigned Keyboard Filter for Windows Embedded Standard 8. It now works with both physical keyboards and Windows 8 on-screen keyboards. Keyboard Filter also detects dynamic layout changes, such as switching from one language set to another, and continues to suppress keys correctly, even if the location of suppressed keys has changed on the keyboard layout.

For example, let’s say that you want to create a wedding registry kiosk in your store. You don’t want customers to be able to lock the kiosk by pressing the Windows logo key+L or by pressing Ctrl+Alt+Delete, which could potentially make the kiosk unusable until an employee could enter a password to unlock the kiosk, so you could use Keyboard Filter to block those key combinations.

Dialog Filter

You can use Dialog Filter to control which popup windows are displayed on the screen, and to automatically handle pop-up windows by taking a default action, such as “close” or “show”. Also, in Windows Embedded Standard 8 you can configure Dialog Filter to always show pop-up windows from specific processes, regardless of the specified default action.

When you block a window by using Dialog Filter, you can specify how Dialog Filter handles the window. For example, if you want to prevent users from saving a file in Microsoft Word, you can block the “Save As” dialog window, and configure Dialog Filter to automatically select the “Cancel” option. Then, anytime that someone attempts to select “Save As”, nothing would appear to happen.

Edge Gesture Filter

You can use Edge Gesture Filter to disable the new edge gestures available in Windows 8. If your device is using a Metro style app as a dedicated app and your device has a touch screen, you may not want customers to be able to access the gestures that allow them to close the app. Edge Gesture Filter enables you to block each of the edge gestures (left, right, bottom, top, and each corner) individually. For example, you can enable the right charms bar, while disabling the top and left gestures that let users close a Metro style app.

Branding Features for Windows Embedded Standard 8

Custom Shell Launcher

You can use Custom Shell Launcher to replace the default Windows 8 shell with a custom shell. You can use any application or executable as your custom shell, such as a command window or a custom dedicated application. You can also configure Custom Shell Launcher to launch different shell applications for different users or user groups. Custom Shell Launcher processes the Run and RunOnce registry keys before starting the custom shell, so your custom shell doesn’t need to handle the automatic startup of other applications and services.

Custom Shell Launcher is typically used when you have a device that only needs a single dedicated application to run. For example, if you are designing an airport kiosk terminal, you probably don’t need the full Windows shell experience, and you can use Custom Shell Launcher to launch a dedicated application that meets your customers’ needs. You can configure Custom Shell Launcher to handle how to respond if the application exits or crashes, such as restarting the application, or restarting the device.

Custom Shell Launcher does not work with Metro style apps, because Metro style apps require the Windows 8 shell.

Metro Style App Launcher

The Metro Style App Launcher enables you to create a device that will automatically launch a specified Metro style app, and attempts to re-launch that app if the app exits. By using the Metro Style App Launcher, you can create a system that presents a single Metro style app experience to the user, even if the app exits.

The Metro Style App Launcher also supports the ability for specialized Metro style apps to indicate the action that the Metro Style App Launcher should take when the app exits. These actions include re-launch the app, restart the OS, shut down the OS, or do nothing.

Boot Experience

You can use Boot Experience to suppress Windows 8 elements that appear when Windows 8 boots or resumes. You can also use Boot Experience to suppress the crash screen when Windows 8 encounters an error that it cannot recover from.

You can use Boot Experience to do the following:

  • Hide the default Windows logo displayed during the loading screen (item 1 in figure A, below)
  • Hide the boot status text displayed during the loading screen (item 2 in figure A, below. Note that there is no status text displayed in CTP 2)
  • Hide the status indicator during the loading screen (item 3 in figure A, below)
  • Display a blank screen when Windows Embedded Standard 8 encounters an unrecoverable error
  • Disable the F8 and F10 keys during startup to prevent access to the advanced boot options menu

Boot Experience does not provide any functionality to add your own custom logo during startup.

boot1

Figure A – Windows Embedded Standard 8 loading screen. The numbered boxes correspond to the following items:

  1. Windows logo
  2. Boot Status Text
  3. Status Indicator

Embedded Logon

You can use Embedded Logon to suppress Windows 8 UI elements during the logon and shutdown sequences of your device.

You can use Embedded Logon to enable or disable the following:

  • Power Button UI on the logon screen (item 1 in figure B, below)
  • Input Method Selection UI on the logon screen
  • Ease of Access button UI on the logon screen (item 2 in figure B, below)
  • Status messages and progress indicators on the logon screen
  • Lock screen when no session is active
  • Blocked Shutdown Resolver (BSDR) screen
  • Logon screen transition animations

Embedded Logon does not give you any options to help you change the logon credential provider (item 3 in figure B, below), but you can replace the default credential provider by using any custom credential provider that is compatible with Windows 8.

boot2

Figure B – Windows Embedded Standard 8 logon screen. The numbered boxes correspond to the following items:

  1. Power Button
  2. Ease of Access button
  3. Logon credential provider

Unbranded Startup Screens and Windows Embedded Standard Startup Screens

These feature modules contain bitmaps and strings that display the edition branding on the startup and shutdown screens, as well on the system properties page. You have to select one of them when you create your OS image.

If you select the Windows Embedded Standard Startup Screens, then the Windows Embedded 8 logo is displayed. If you select Unbranded Startup Screens, then the logos are replaced with empty bitmaps, and no logo is displayed. You cannot select Unbranded Startup Screens with an evaluation license.

blog comments powered by Disqus