Intel IoT Gateway: Windows 10 Getting Started Guide

Intel

0/5 (0 vote)

Jan 19, 2016

CPOL

34 min read

33965

This document describes the steps needed to deploy a Microsoft Windows 10 IoT Gateway and explains how to set up security features, software access points, and other management and development tools.

Get access to the new Intel® IoT Developer Kit, a complete hardware and software solution that allows developers to create exciting new solutions with the Intel® Galileo and Intel® Edison boards. Visit the Intel® Developer Zone for IoT.

Introduction

Note: For a downloadable PDF version of this document, see https://software.intel.com/en-us/Intel-IoT-Gateway-Windows10-GSG-PDF.

This document describes the steps needed to deploy a Microsoft* Windows* 10 IoT Gateway and explains how to set up security features, software access points, and other management and development tools. It is intended for OEMs, ODMs, SIs, and other users who wish to set up a Windows 10 IoT Gateway. Because Microsoft has already documented many of the processes needed, this guide introduces users to topics and provides a link to the relevant Microsoft document, rather than re-creating the same material.

This Getting Started Guide also introduces users to the Windows Configuration Software for the Intel^® IoT Gateway, which includes the Intel^® IoT Gateway Module for Microsoft Windows PowerShell.

The target Windows 10 editions are Windows 10 IoT Enterprise and Windows 10 IoT Core.

You Must Provide

Gateway: This is the computer hardware included in the gateway kit. Windows 10 IoT is set up on the gateway.
Development Computer: This is the Windows 10 computer that one uses to prepare the installation media of the gateway and to remotely control the gateway via Microsoft Windows PowerShell.
A Local Area Network containing the Gateway and Development Computer (for example, via a router): This is to enable remote PowerShell from the development computer to the gateway.
Internet Access: This is to enable access to Microsoft information and tools to download for the development computer.

Required Experience Level

This guide assumes the reader has experience with the following:

Installing computer hardware
Installing and configuring Windows software
Executing Windows commands and creating and executing scripts
Using a Windows PowerShell locally and remotely

Document Terminology and Conventions

Terminology
- Gateway: Hardware included in your gateway kit.
- Development Computer: Windows 10 computer that you provide to prepare the installation media of the gateway, to remotely control the gateway via Microsoft Windows PowerShell, and to develop applications for the gateway.
- Deployment: The process to prepare for a gateway operating system and to install it on the gateway.
- Legacy Manufacturing Process: This is the main deployment process used before Windows 10 by computer manufacturers. It is still applicable for Windows 10, but Windows 10 has new tools/processes available.
- Reference Gateway: A gateway where the operating system is installed and is set up as desired, and the applications required are also installed. One can save the software (including operating system, drivers, and applications) of this reference gateway into a file, and then use that file to duplicate the same installation on other gateways.
- ffu file: The Full Flash Update (.ffu) file is used by Microsoft to save the operating system and other software installed on a computer. See Deploy Windows using Full Flash Update (FFU) for more details.
- .wim file: The Windows Imaging (wim) file is used by Microsoft to save the operating system and other software installed on a computer. See Windows Imaging File Format (WIM) for more details.
- Customization assets: These are the extra drivers, software applications, and updates that one wants to install on the gateway, but are not included in the default operating system release.
- TPM: Trusted Platform Module.
- UEFI: Unified Extensible Firmware Interface is a replacement for the older BIOS firmware interface and the Extensible Firmware Interface (EFI) 1.10 specifications.
Conventions
- This Courier font is used for commands, API names, parameters, filenames, directory paths, and executables.
- This Bold font is used for graphical user interface entries, buttons, and keyboard keys and for Intel document titles and Intel software names.
```
This font in a gray box is used for commands or scripts you must type.
```

Windows 10 IoT (Enterprise or Core) Deployment

Microsoft describes the deployment scenarios and various tools for deployment at Deploy Windows 10. This document focuses on the new Windows 10 process using the Windows Imaging and Configuration Designer (Windows ICD). We describe the legacy manufacturing process (the main deployment process used before Windows 10 by computer manufacturers) in the Appendix.

Gateway Preparation

Before installing the Windows IoT (Enterprise or Core) operating system, make sure that the gateway hardware and firmware [for example, UEFI BIOS or Trusted Platform Module (TPM)] meet the requirements listed in the Intel^® IoT Gateway Specification, which is available on the Intel Business Link by searching for document number 544820. Some extra reminders are

To install Windows on a real UEFI environment, check the Manufacturing Requirements section at Secure Boot Overview to disable the compatibility support module (CSM) in the gateway UEFI settings.
Currently, for Windows IoT Core, only 32-bit UEFI BIOS is supported.
Different gateway hardware may have different UEFI BIOS settings. Consult with the gateway manufacturer for the UEFI BIOS settings. For example, for Windows IoT Core on a MinnowBoard Max* device, follow Set Up MBM to set up the correct BIOS settings.

Deployment Tools

Windows 10 Assessment and Deployment Kits (ADK). ADK includes various tools needed to generate installation image files, to prepare for installation environment, and to prepare for installation media.
Windows 10 IoT Core ISO file (including imaging tool). This includes the .ffu files for the gateway devices currently supported by Microsoft and an imaging tool to install the .ffu files to a removable media for installation.

Installation Process with a Bootable Windows Installation Media

If the following bootable Windows 10 installation media are available, then simply boot from that media and follow the installation prompt.

Windows 10 DVD purchased from Microsoft.
Bootable removable media with Windows 10 ISO file (downloaded from Microsoft and burned into the removable media).

For Windows 10 IoT Core, if the .ffu file for the gateway device is available, then follow the instructions under "Installing Windows 10 IoT Core" in the next section.

Image Creation Process Using Windows Imaging and Configuration Designer (ICD)

The Windows ICD creates and deploys a Windows image. Check Windows Imaging and Configuration Designer for an introduction to Windows ICD.

Install Windows 10 IoT Enterprise

Follow Build and deploy an image for Windows 10 for desktop editions (Home, Pro, and Enterprise) to use Windows ICD to create a new Windows 10 IoT Enterprise image.

The method above assumes that the base Windows Imaging .wim file is available. There are several ways to get .wim files:

Open a Windows installation/setup DVD, and find install.wim at the sources folder.
Mount a Windows installation ISO file, and find install.wim at the sources folder.
Obtain a reference gateway’s .wim file. Follow Deployment Using Legacy Manufacturing Process for more details.

Install Windows 10 IoT Core

Follow Build and deploy a Windows 10 IoT Core image to use Windows ICD to create a new Windows 10 IoT Core Image. This document assumes that you already have the board support package (BSP).
To create a BSP, one needs to be in the Microsoft Ecosystem Engineering Access Program (EEAP). This is not for the general public. For instructions to create a BSP, refer to the Windows 10 IoT Core BSP Creation document in the BSP folder included in Windows Configuration Software for the Intel® IoT Gateway. You can download it at Intel Download Center https://downloadcenter.intel.com/ by searching for Windows Configuration Software for the Intel(R) IoT Gateway.
After completing Step 1, a Full Flash Update .ffu file is generated. (Check Install Windows 10 IoT Core in Appendix A to find other ways to obtain the .ffu file.) Use one of two ways to deploy the image onto the gateway.
- If the storage device for operating system is a removable media, use Microsoft’s WindowsIoTImageHelper tool, as described at Set Up MBM. Although this document is for a MinnowBoard Max device, the steps about WindowsIoTImageHelper are generic.
  If the WindowsIoTImageHelper tool is not available, use the Windows ICD tool instead. Launch the Windows Imaging and Configuration Designer application. Click the Deploy button at top of the Windows ICD application, and follow the instructions shown.
- Follow Install Windows 10 IoT Core in Appendix A to use legacy tools.

Customization Using Provisioning Package

Users may want to set up the gateway differently from the default operating system. For example, they may want to install some extra applications, or they may want to change some operating system settings from default settings. Microsoft provides the Windows Provisioning customization framework to help deliver such customization capabilities.

For an introduction to the Windows Provisioning framework and the types of supported customization, see the following:

Customize using the Windows Provisioning framework.
Supported Windows customizations.
Note: If the system image format is a .ffu file, the customization assets (for example, the custom drivers and the custom software applications, except for the Microsoft Universal Windows Platform App) cannot be included in a provisioning package. Instead, include the assets into a board support package (BSP) before generating the .ffu file. Microsoft Universal Windows Platform App can be configured as a customization/runtime settings by Window ICD, instead of as an asset.

Use Windows Imaging and Configuration Designer (Windows ICD) to create a provisioning package:

Build and apply a provisioning package. The provisioning package can be applied at deployment time or at runtime. To apply at deployment time, specify the provisioning package file when using Windows ICD to create the image as mentioned in Image Creation Process Using Windows Imaging and Configuration Designer (ICD).
Configure customizations using Windows ICD.
Note: If a provisioning package includes any asset, it can only be applied at deployment time, not at runtime.
Build a provisioning package with classic Windows applications.

Summary:

For Windows desktop imaging:
- If the customization assets need to be added to a provisioning package, create a provisioning package and use that during image creation (that is, at deployment time).
- If the customization settings are the only items in a provisioning package, the provisioning package can be applied either at deployment time or at runtime.
For Windows mobile imaging (including Windows IoT Core):
- The customization assets cannot be added to a provisioning package. The assets need to be included in the board support package (BSP) and to be included during image creation (that is, at deployment time).
- If the customization settings are the only items in a provisioning package, the provisioning package can be applied either at deployment time or at runtime.

Security SKUs

Windows Security Features

Security is important for gateways and Windows provides many security features to manage security. This document provides simple guidelines to set up different levels of security and a PowerShell module (Intel^® IoT Gateway Module for Microsoft Windows PowerShell, part of the Windows Configuration Software for the Intel^® IoT Gateway) to help set up these security features.

Key Windows security features:

Title	Description	Purpose
UEFI	Unified Extensible Firmware Interface. A replacement for the older BIOS firmware interface and the Extensible Firmware Interface (EFI) 1.10 specifications.	Provides faster boot and resume times, ability to use security features, and support for UEFI firmware drivers, applications, and option ROMs.
Secure Boot	A security standard developed by members of the PC industry to help make sure that your PC boots using only the bootloader that is trusted by the PC manufacturer.	Ensures that your PC boots using only the bootloader that is trusted by the PC manufacturer.
Trusted Platform Module (TPM)	An international standard for a secure cryptographic processor.	Provides hardware-based, security-related functions, such as cryptographic operations. TPM chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM.
Trusted Boot	A process that protects the rest of the boot process (after Secure Boot) by verifying that all Windows* boot components have integrity and can be trusted.	Makes sure that your PC boots using only the software that is trusted by Windows.
Early Launch Anti-Malware (ELAM)	A driver that starts before other boot-start drivers and enables the evaluation of those drivers and helps the Windows kernel decide whether they should be initialized.	Detects malware that starts early in the boot cycle.
User Account Control	A process that enables users to perform common tasks as nonadministrators, called standard users, and as administrators without having to switch users, log off, or use Run As.	Helps prevent unwanted system-wide changes in a way that is predictable and requires minimal effort.
Windows Firewall	A set of network in-bound and out-bound rules to allow or disallow certain types of network traffic.	Helps to protect computers from unsolicited network traffic.
Windows Update	A process to get latest bug fixes, security patches, and feature improvement from Microsoft.	Helps your Windows system be up to date.
Windows Address Space Layout Randomization (ASLR)	An operating system feature that loads system code into different, unpredictable locations in memory.	Defends against buffer overrun exploits.
Windows Defender	Anti-malware software.	Helps protect computers against pop-ups, slow performance, and security threats caused by spyware and other unwanted software.
BitLocker	A data protection feature that provides drive encryption and integrates with the operating system.	Addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
Measured Boot and Remote Attestation	Measured Boot takes measurements of each aspect of the boot process and then signs and securely stores the measurements in a TPM. Upon request, these measurements can be sent to a trusted third-party known as a Remote Attestation service that can compare the measurements with known good values.	Allows a trusted server on the network to verify the integrity of the Windows startup process and to take corresponding actions.
Code Integrity	A feature that validates the integrity of a driver or system file or software executable, each time it is loaded into memory or is executed.	Prevents untrusted software from running.
Virtualization Based Security (VBS)	A Hyper-V protected container that isolates the sensitive Windows 10 Enterprise processes.	Helps protect system memory and kernel mode apps and drivers from possible tampering.
AppLocker	An application control that helps prevent the execution of unwanted and unknown applications/scripts.	Prevents untrusted software from running.
USB Filter	A USB port and device base filter.	Allows trusted USB devices to connect to a system.
Keyboard Filter	A key press filter.	Suppresses undesirable key presses or key combinations.

Information about Windows security (overview):

Windows 10 security overview
Windows 8 Security Overview. Although this document is for Windows 8, the information also applies to Windows 10.

Information about UEFI, Secure Boot, and TPM:

UEFI, Secure Boot, and TPM are described in Intel^® IoT Gateway Specification, downloadable by searching for document number 544820 on Intel Business Link. The hardware/system/platform should have these set up already.
Trusted Platform Module Technology Overview.
Best practices for TPM Management.
TPM Management.
TPM Cmdlets in Windows PowerShell.

Information about ELAM:

Windows 8.1 boot security FAQ. Although this document is for Windows 8.1, the information also applies to Windows 10.
Secured Boot and Measured Boot: Hardening Early Boot Components Against Malware.

Information about User Account Control:

Information about Windows Firewall:

Information about Windows Update:

Find registry entries for the corresponding Update Group Policy based on Group Policy Settings Reference for Windows and Windows Server.

Information about ASLR:

Microsoft Security Intelligence Report

Information about Windows Defender:

Information about BitLocker:

Information about Measured Boot and Remote Attestation:

Windows 8.1 boot security FAQ. Although this document is for Windows 8.1, the information also applies to Windows 10.
Secure the Windows 8.1 boot process. Although this document is for Windows 8.1, the information also applies to Windows 10.

Information about Code Integrity and Virtualization Based Security (VBS), components in Device Guard:

Requirements for Device Guard:
- UEFI 2.3.1 or higher with Secure Boot.
- Intel^® Virtualization Technology for IA-32, Intel^® 64 and Intel^® Architecture (Intel^® VT-x), Intel^® Virtualization Technology for Directed I/O (VT-d), EPT/SLAT enabled in UEFI.
- Support "System.Fundamentals.Firmware.UEFISecureBoot" in Windows Hardware Compatibility Requirement.
- BIOS lockdown (Ethernet, USB, CD, and other boot methods) or password-protected
- 64-bit Windows
- VBS, Hypervisor based Code Integrity (HVCI), and Code Integrity are all running.
Device Guard deployment guide
Device Guard Overview
Dropping the Hammer Down on Malware Threats with Windows 10’s Device Guard
Driver compatibility with Device Guard in Windows 10
Device Guard certification and compliance

Information about AppLocker:

Information about USB Filter and Keyboard Filter:

Lockdown features
To control USB devices by Device or Class ID using Group Policy, see Step-By-Step Guide to Controlling Device Installation Using Group Policy.
Keyboard Filter will be configurable through Windows ICD in the SMISettings path.

Security SKU Definition

Windows provides many different security features, and sometimes they can be overwhelming and confusing. However, this large assortment of features allows users to implement security features that best meet their customers' real-world needs. Intel's goal is to define "Security for Humans" Best-Known-Configuration (BKC). The different SKUs are defined by Intel, based on human-understandable security features/levels.

Basic SKU Goals:

Recommended minimum security.
Meet security requirements for least effort.
Intended to catch all known attacks, but susceptible to zero-day attacks.

Medium SKU Goals:

Additive to Basic.
Additional protection to handle zero-day attacks.
Assumes customers have network infrastructure (for example, Windows Server and clients) to set up features that requires the infrastructure.

High SKU Goals:

Additive to Medium.
Best protection provided by available security features on Windows.

For each security feature, customers can adjust the detailed settings suited for real-world use. Such settings can be implemented by the tools mentioned in Microsoft Management Tools. Intel’s definitions here provide a generalized guidance for customers to start.

Intel's Security SKU definition does not include security features that heavily depend on specific real-world use (instead of a generalized setup), for example, Active Directory, Direct Access, or IPSec VPN. Customers should contact Microsoft for documents/instructions on using those features.

Security SKU definition table for Basic Security:

Security Features for Basic	Basic SKU for IoT Core	Basic SKU for IoT Enterprise
Anti-Malware
Windows Defender and Early Launch Anti-Malware (ELAM) (Trusted Boot) - Windows default		√
Resiliency
UEFI Secure Boot	√	√
User Account Control (UAC) - Windows default		√
Account privileges	√	√
Windows Firewall - Windows default	√	√
Windows Update - Windows default	√	√
ASLR	√	√
Data Protection
BitLocker (TPM only)	√	√
TPM	√	√

Security SKU definition table for Medium Security:

Security Features for Medium (on top of Basic)	Medium SKU for IoT Core	Medium SKU for IoT Enterprise
Anti-Malware
Code Integrity (PcaCertificate-based with Hash fallback to OS drive, Hash-based to Program Files\WindowsPowerShell and Windows\system32\WindowsPowerShell folders, only Audit mode to generate logs)	No setup tool for Configurable User Mode Code Integrity on IoT Core.	√
AppLocker (allow all signed exe/msi/script/packaged apps and Windows default AppLocker policy)		√
Resiliency
Measured Boot and Remote Attestation	√ (not including measurement from ELAM)	√
Data Protection
BitLocker (TPM + Network Unlock)	√ (TPM only)	√

Security SKU definition table for High Security:

Security Features for High (on top of Medium)	High SKU for IoT Core	High SKU for IoT Enterprise
Anti-Malware
Code Integrity (Enforce the policies from Medium SKU)	No setup tool for Configurable User Mode Code Integrity on IoT Core.	√
AppLocker (allow only already installed exe/msi/script and packaged apps with same publisher as existing packaged apps, also allow signed script)		√
USB Removable Media Lock Down	√	√
USB Filter		√
Keyboard Filter		√
Resiliency
Virtualization Based Security		√

Note: For Virtualization Based Security, we do not enable "Hypervisor based Code Integrity (HVCI)". HVCI requires driver compatibility support.

Intel provides the Intel^® IoT Gateway Module for Microsoft Windows PowerShell, a custom Windows PowerShell module, to help set up most of these features. See Intel IoT Gateway Module for Microsoft Windows PowerShell later in this section for more details.

Intel IoT Gateway Module for Microsoft Windows PowerShell

Module Introduction

Intel provides a custom PowerShell module IntelIoTGatewaySetup, officially named Intel^® IoT Gateway Module for Microsoft Windows PowerShell. It is used to set up Windows features for the Intel^® IoT Gateways, so it sets up the Security SKU defined. This module is part of Windows Configuration Software for the Intel^® IoT Gateway. You can download it at the Intel Download Center by searching for Windows Configuration Software for the Intel^® IoT Gateway. IntelIoTGatewaySetup supports only the English version of Windows 10 IoT Enterprise and Windows 10 IoT Core.

Specifically, IntelIoTGatewaySetup sets up the following security features defined in Security SKU Definition earlier in this section:

Windows Update, Windows Defender, Windows Firewall, Windows User Account Control, USB Removable Media Lockdown, Virtualization Based Security, App Locker, Code Integrity.
Bit Locker with only TPM unlock for Windows 10 IoT Enterprise: Although the SKU definition specifies TPM + Network Unlock for Medium and High SKUs, the PowerShell module only sets up BitLocker with TPM unlock, as Network Unlock requires extra network infrastructure support.

Although IntelIoTGatewaySetup sets up many of the security features defined in Security SKU Definition earlier in this section, it does not set up the features below:

UEFI, Secure Boot, and TPM: These are part of the hardware and firmware requirements for Intel-supported gateways. A gateway should have these enabled already.
Account privileges: An account can be created with an administrative role or with a regular normal account, based on the specific usage.
ASLR: This is already supported and active in the Windows operating system. There is nothing to set up.
Measured Boot: This is implemented by UEFI firmware, TPM, and Windows. There is nothing to set up.
Remote Attestation: This requires setup of support network structure and implementation of extra software. See Windows Security Features earlier in this section for reference documents.
BitLocker + Network Unlock: Network Unlock requires setup of support network structure and DHCP driver capability in UEFI, so the PowerShell module only sets up BitLocker with TPM unlock. See Windows Security Features earlier in this section for reference documents.
USB Filter: Use Group Policy to set this up based on the specific usage to control USB devices by Device or Class ID. See Windows Security Features earlier in this section for reference documents.
Keyboard Filter: Use Windows ICD tool to configure this filter. See Windows Security Features earlier in this section for reference documents.

IntelIoTGatewaySetup folder includes the following major components:

Readme.rtf: This is a simple readme file for users to get started.
ModuleInstallation.ps1: This is the script file that has a command to help install the IntelIoTGatewaySetup module.
IntelIoTGatewaySetup folder: This is the folder for the IntelIoTGatewaySetup module.

Module Installation

If a user is with a gateway and the gateway has a display and a keyboard, PowerShell commands can be run directly at the gateway to install our module. After installing the module, run the PowerShell commands provided by our module directly at the gateway. We call this local installation and local execution.

The gateway may be remotely located and/or the gateway may not have a display. In this case, use another computer, the development computer, to remotely control and set up the gateway. For the remaining of this document, we assume that a user is under this second scenario. We call this remote installation and remote execution.

To install this PowerShell module on the gateway from the development computer (which involves temporarily having the development computer mapping a network drive to the gateway), these systems need to be in the same subnet.

To install the module, do the following steps.

The steps on the gateway to enable remote PowerShell:

For Windows IoT Core, currently, there is nothing to be done.

For Windows IoT Enterprise, enable and use remote commands in Windows PowerShell, based on information at Enable and Use Remote Commands in Windows PowerShell and Enable-PSRemoting.

For example, run the following PowerShell commands to enable remote PowerShell:

#Get NIC index of the active NIC
Get-NetAdapter
#$index is the index found.
#Set the target active connection to private.
#Line break is space+backtick.

Set-NetConnectionProfile -InterfaceIndex $index `
     -NetworkCategory Private
#Enable remoting
Enable-PSRemoting -Force

On the development computer, follow these steps on PowerShell environment.

Make sure that the following two accounts have an administrative role at their corresponding computers:
1. Account for the development computer that the user is currently logged in with, and
2. Account for the gateway that will be used later
Run PowerShell environment as administrator.
To run the ModuleInstallation.ps1 script, PowerShell execution policy needs to be AllSigned or RemoteSigned. Check Get-ExecutionPolicy and Set-ExecutionPolicy Cmdlet for more details.
For example, run the following to set the execution policy to RemoteSigned:
```
Set-ExecutionPolicy RemoteSigned
```
Dot-source the ModuleInstallation.ps1 script.
To dot source a script, type a dot (.) and a space before the script path. For example,
```
. .\ModuleInstallation.ps1
```
See about_Scripts for more details.
Then do the following to check help and examples of using Install-IntelIoTGatewaySetup command:
```
Get-Help Install-IntelIoTGatewaySetup –Full
```

Then run Install-IntelIoTGatewaySetup command (based on help and example information) to install the module from the development computer to the gateway. For example, run the following:

#$path is the path to module folder you downloaded, 
#       e.g., ‘C:\IntelIoTGatewaySetup’
#$remoteip is the ip address of the remote gateway, 
#       e.g., ‘192.168.2.5’
#$remoteaccount is the account of the remote gateway, 
#       e.g., ‘Tester’ or ‘Domain\Tester’
# Linebreak is space+backtick.

Install-IntelIoTGatewaySetup –ModuleLocalPath $path `
     -RemoteGateway $remoteip `
     -RemoteAccount $remoteaccount -Verbose

(For a local installation, a user can also run Install-IntelIoTGatewaySetup directly at gateway.)

(For uninstallation, a user can use Uninstall-IntelToTGatewaySetup command. Check its help information for details and examples.)

After the installation, use remote PowerShell to run the commands in our module on the gateway. Check Remoting Week: Remoting Sessions for details about how to use remote PowerShell. For example, run the following PowerShell commands in order:

Start WinRM service if it is not started yet.

if ((Get-Service WinRM).Status.ToString() -ne 'Running') {
    # Start WinRM service
    Write-Verbose "Start WinRM service."
    net start WinRM
}

Add the remote gateway to TrustedHosts list.

#This will remove the original TrustedHosts and use $remoteip. 
#Can also concatenate a value to TrustedHosts list. 
#       Try Get-Help Set-Item.
#$remoteip is the ip address of the remote gateway.
# Linebreak is space+backtick.
Set-Item WSMan:\localhost\Client\TrustedHosts `
  -Value $remoteip -Force

Create a remote PowerShell session for the remote gateway.

#$remoteip is the ip address of the remote gateway
#$remoteaccount is the account with Admin privilege 
#       of the remote gateway.
#Linebreak is space+backtick.
$s = New-PSSession -ComputerName $remoteip `
     -Credential "localhost\$remoteaccount"

Run the commands on the remote gateway.

# Run remote script for testing
Invoke-Command -Session $s -ScriptBlock {
    #Run the PowerShell commands you want in this block.
    #These commands will be run at the remote gateway.

    # check our module information
    Get-Command -Module IntelIoTGatewaySetup
    Get-Module IntelIoTGatewaySetup
}

Remove the remote PowerShell session, after finishing the commands that need to be run.
```
Remove-PSSession -Session $s
```

Module Usage

Similar to module installation, we assume that a development computer is used to remotely control the gateway. To use the module, complete the following steps.

On the gateway, follow the same procedures as used in Module Installation to enable the remote PowerShell if it is not done yet.

On the development computer, do the following steps:

Follow similar steps as Step 7 of Module Installation. For the remaining description of module usage, the command should be put inside Invoke-Command’s ScriptBlock to run on the remote gateway.
Once the module is installed, use Get-Help with the -Full parameter to receive more information about each command in the module. Use the following command to get all the commands available in the module:
```
Get-Command -Module IntelIoTGatewaySetup
```
For setting up the Intel Security SKU, the main commands are Enable-IoTWinSecurities and Disable-IoTWinSecurities. They call other commands in this module. Check their help information for more details (Get-Help Enable-IoTWinSecurities -Full). For example,
- To enable the "Basic" SKU with this sample BitLocker recovery password, run the following:
```
#$RecoveryPW is the recovery password for BitLocker
#        that you want to use.
#For example, $RecoveryPW = 
#       '099825-222222-607607-626285-132319-115621-083204-229482'
#Linebreak is space+backtick.
Enable-IoTWinSecurities -SKU "Basic" `
     -BitLockerRecoveryPW $RecoveryPW `
     -AddPowerShellRemotingFirewallRule -ErrorLog -Verbose
```
  Read the output to see if there is any warning or error for each to-be-enabled feature.
  
  For example, a warning may instruct the user to restart the system to finish installing required Windows features first, and then re-run this function again.
- To disable/remove the Security SKU settings, run the following command:
```
Disable-IoTWinSecurities -ErrorLog -Verbose
```
Individual command (used by Enable-IoTWinSecurities or Disable-IoTWinSecurities) can also be used to set up specific security features.

If TPM is not "ready for use", it needs to be set up first; otherwise, BitLocker cannot be enabled. Follow TPM Management to set it up.

If AppLocker is set up for "High" SKU, users will not be able to use PowerShell to add new Windows features, since by design DISMHOST.EXE at the user’s account’s temp folder (created and used by PowerShell) is blocked. As a result, users will not be able to use our command to enable VBS, as this command will try to install the required Windows features. In the Enable-IoTWinSecurities command, we do VBS setup first. If Windows features need to be installed, do a system restart to finish the feature installation and to re-run the command again.

For User Mode Code Integrity, we need to set registry entry to allow our module location to enter the Full Language Mode for Code Integrity Policy. Our custom module is designed to be installed in %Program Files%\WindowsPowerShell\Module. If this is not the case, we need to manually set the following registry entry:
- Put the path where the custom module is (for example, %Program Files%\WindowsPowerShell\Module) in a REG_MULTI_SZ entry called "TestPath" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\TRSData.

Software Access Point

Wireless Hosted Network

Starting with Windows* 7, Microsoft provides a wireless Hosted Network feature to provide the capability of software AP. See the following documents for more details:

An important note from the document above is the limitation for system sleep (standby) or hibernate. If the wireless Hosted Network is running when the computer goes to sleep (standby), hibernate, or before the computer restarts, the wireless Hosted Network is stopped.

Intel provides the Intel^® IoT Gateway Module for Microsoft Windows PowerShell to help set up this feature. See Intel IoT Gateway Module for Microsoft Windows PowerShell below for more details.

Currently Known Issues

For Windows 10 IoT Core, although the Hosted Network can be enabled, Internet Connection Sharing is not supported. Therefore, Software AP on IoT Core does not provide Internet access for other connected devices. Also, the default IoT Core startup App (released by Microsoft) is interfering with the Hosted Network capability. For a stable Software AP, use a different IoT Core startup App or uninstall the default startup App.

Also, for Windows 10 IoT Core, the following limitation makes our PowerShell module store un-encrypted SSID, SSID key, and other Software AP parameters in config files:

Unless CredSSP authentication is used for the remote PowerShell session, SecureString commands ConverFrom-SecureString and ConverTo-SecureString do not work. This limitation is also reported at the end of Using PowerShell to connect and configure a device running Windows 10 IoT Core.

Intel IoT Gateway Module for Microsoft Windows PowerShell

Check Intel IoT Gateway Module for Microsoft Windows PowerShell in the previous chapter for general module introduction, installation, and usage. That section describes how to run the following commands on the gateway from a development computer.

For Software AP setup, the main commands are Install-IoTGatewayAP, Uninstall-IoTGatewayAP, and Update-IoTGatewayAP. They call other commands in this module. Check their help information for more details (Get-Help Install-IoTGatewayAP -Full).

For example, to install the Software AP, run the following command:

#$ssid is the ssid you want to use for AP.
#$pw_ssid is the password of the AP.
Install-IoTGatewayAP -SSID $ssid -KeySSID $pw_ssid -ErrorLog

For example, to uninstall the Software AP (using information saved during installation), run the following command:

Uninstall-IoTGatewayAP -ErrorLog

Individual commands (used by those three main commands above) can also be called to set up individual features. For example, Enable-IoTGatewayAP lets the user enable Software AP and Internet Connection Sharing. However, it is auto-disabled once the computer restarts if Install-IoTGatewayAP has not been run yet.

Microsoft Management Tools

Manageability is important for IoT gateways. Microsoft employs a number of management tools, including PowerShell, Microsoft Intune, System Center Configuration Manager, and Group Policy. Read the following documents for an overview of Windows 10 Device Management:

Windows PowerShell

Remote Windows PowerShell is a popular tool to manage devices. There are many PowerShell modules that provide various functionalities to control Windows settings. (Among them, Intel provides the Intel^® IoT Gateway Module for Microsoft Windows PowerShell to help implement settings for IoT gateways.) Lots of books and tutorials are available. The following resources provide a good introduction to PowerShell:

Scripting with Windows PowerShell
Windows PowerShell 5.0
Enable and Use Remote Commands in Windows PowerShell
Enable-PSRemoting
Using PowerShell to connect and configure a device running Windows 10 IoT Core
This document specifically describes how to use PowerShell to configure a Windows 10 IoT Core device.
Remoting Week: Remoting Sessions

To use the PowerShell, follow these general overview steps:

Enable remote PowerShell on gateways. Currently, for Windows IoT Core, there is nothing to be set up.
Enable remote PowerShell on the development computer.
On the development computer do the following:
1. Create a new session for the gateway. The account for the gateway needs to have Administrator privilege if the PowerShell commands to be used require that.
2. Run PowerShell script block for this session.
3. Remove this session.

Microsoft Intune

Microsoft Intune provides mobile device management from the Internet cloud. Read the following document for more details:

Microsoft Intune uses the Configuration Service Provider (CSP) to manage Windows 10 mobile devices. Read the following documents for more details.

To use custom polices via OMA-URI, the Windows 10 devices need to be enrolled as mobile devices. Read the following document for more details:

Set up Windows device management with Microsoft Intune

Combining Microsoft Intune with Azure Active Directory makes device enrollment easy. Read the following document for more details:

System Center Configuration Manager

The System Center Configuration Manager provides mobile device management inside a corporate network in Active Directory. Furthermore, through integration with Microsoft Intune, "System Center Configuration Manager + Intune" can be used to manage devices from the Internet cloud. Read the following document for more details:

Group Policy

Group Policy is a popular tool for Enterprise to manage multiple computers inside a corporate network in Active Directory. Read the following for more details:

Managing Windows 10 Telemetry/Privacy Settings

Windows 10 relies on telemetry information (reported to cloud services) to enable many services. To change the telemetry settings, read Configure telemetry and other settings in your organization.

Application Development

Software applications provide unique features that the default operating system does not deliver. This document points the user to some starting points of Windows application development.

For general Windows application development, read the following documents for more details:

For Windows 10 IoT Core, read the following documents for more details:

Note: When developing applications on an IoT device, do not set the device to "Medium", or "High" Security SKU. The application under test/development may get blocked otherwise.

Deployment Using Legacy Manufacturing Process

Microsoft posted a series of demo videos at Deploying Windows 8: Video demos for system builders. Although the videos are intended for Windows 8, the information still applies to Windows 10. Watch those videos to obtain general understanding of the process. This document briefly describes each step and points the reader to Microsoft documents for more detailed instructions.

Install Windows 10 IoT Enterprise

The following steps should be performed in order.

Install Windows Preinstallation Environment (WinPE) onto a bootable USB drive:
The WinPE is a minimum Windows operating system with minimal resources, and is used to copy disk images, to prepare a computer for Windows installation, and to initiate Windows setup. Follow these Microsoft's document for instructions:
- WinPE: Create USB Bootable drive
- System Builder Demo 2: Installing Windows PE on a USB Drive
If the WinPE environment needs to be customized for more advanced setup, follow WinPE: Mount and Customize.
Capture Windows image from a reference gateway:
This step is only required if a custom Windows image (.wim) file needs to be captured from a reference gateway. If a .wim file is already available, save it to a USB storage drive or a network drive, so that the WinPE environment can access it later.

To capture Windows image, follow these Microsoft documents for instructions:
- Capture Images of Hard Disk Partitions Using DISM
- System Builder Demo 4: Preparing and Capturing Images
Deploy Windows image onto the gateway:
This step creates disk partitions and installs a Windows image onto the gateway and sets up the system partition. Follow these Microsoft documents for instructions:
- System Builder Demo 5: Applying Images. The sample scripts is at Sample Scripts.
For more advanced setup for Windows recovery partition, refer to these documents:
- Capture and Apply Windows, System, and Recovery Partitions
- System Builder Demo 6: Adding Recovery Tools

Install Windows 10 IoT Core

First, obtain Windows 10 IoT Core’s flash image .ffu file for the gateway. There are several options to obtain the .ffu file:

One can download the file released by Microsoft (for example, for MinnowBoard Max, see Set-up MBM).
Use the imggen tool. The steps are:
1. Assume that you have the tools installed already, as mentioned in Deployment Tools.
2. Open elevated (as Admin) Deployment and Imaging tools command prompt.
3. Set the following environment variables (in order):
```
SET PATH=%KITSROOT%tools\bin\i386;%PATH%
SET AKROOT=%KITSROOT%
```
4. Build the image with the following command:
```
imggen.cmd IoTCore.ffu "%KITSROOT%OEMInputSamples\MBM\ProductionOEMInput.xml" "%KITSROOT%MSPackages" x86
```
  The first parameter is the output .ffu file name. The second parameter is the OEM Input file with full path. This should be part of your BSP. Please check Image Creation Process Using Windows Imaging and Configuration Designer (ICD) for more information about the BSP. The third parameter is the path to the root directory that contains the Microsoft packages. By default, this directory is %ProgramFiles(x86)%\Windows Kits\10\MSPackages. If the BSP is not available, this command will fail.
Use Windows Imaging and Configuration Designer (Windows ICD) to generate .ffu file. More details about Windows ICD are described in Image Creation Process Using Windows Imaging and Configuration Designer (ICD) under "Installing Windows 10 IoT Core".

Then, apply the .ffu image on the storage device.

Steps if the gateway uses removable media (SD card or USB drive) as the storage device:

Refer to Using DISM to flash micro SD card for Windows IoT Core device for instructions.

Steps if the gateway has internal storage device (for example, hard drive):

First, prepare a custom WinPE on a bootable USB drive, by following the steps below:
1. Currently, Windows 10 IoT Core requires 32-bit WinPE. Follow WinPE: Mount and Customize to create WinPE files and Mount the WinPE boot image. Only complete the "Create WinPE files" and "Mount WinPE boot image" sections.
2. Then copy the .ffu file to the mount folder. For example, if the WinPE folder in the procedure above is C:\WinPE_x86, then we copy the .ffu file to C:\WinPE_x86\mount folder.
3. Next insert the USB drive (at least 4 GB), and format the USB drive into NTFS format, following the example in WinPE: Create USB Bootable drive. Only check "Troubleshooting" section and only complete the "diskpart" part, not the "MakeWinPEMedia" part. We will run "MakeWinPEMedia" command in the next step, after we un-mount and commit the changes.
4. Then un-mount WinPE and create media on the USB drive, following WinPE: Mount and Customize. Only check "Un-mount….." section. After un-mounting, run dism /cleanup-wim to ensure that the image is un-mounted. Remember to use the correct 32 bit WinPE folder name and the correct USB drive letter in those commands.
Then deploy the flash image onto gateway, by following the steps below:
1. Insert the bootable USB drive into the gateway, and boot from the USB drive.
2. This should boot into the WinPE environment.
3. Then use a command similar to one as Using DISM to flash micro SD card for Windows IoT Core device to apply the image into the gateway’s internal storage. The disk number used should be the number of the gateway’s internal storage. Remember to assign the correct path for the .ffu file. The .ffu file should be already copied to this bootable WinPE USB drive in the previous step, so use that path.
4. Then shut down the device by running wpeutil shutdown.
5. Remove the bootable WinPE USB drive, and choose the internal storage as the #1 boot priority.

Reference to Solution Briefs

In addition to this document and to Microsoft documents, Intel has made other documents available to help with gateways. These documents can be found on the Intel Developer Zone for IoT Gateways section by searching for "solution brief" or "recipe" for Windows operating system. A selection of documents includes (but is not limited to):

IoT Recipe - Connecting Windows* 10 IoT Device to MeshCentral
IoT Recipe - Using Cloud9 Desktop as on-device Development Tool for Windows* 10 Enterprise Gateway
Solution Brief - IoT Device Telemetry using Azure Event Hubs with .NET
Solution Brief - Using Node.js and Node-RED for IoT applications with Windows* 10 Enterprise
Solution Brief - IoT Device Telemetry using Azure Event Hubs with Node.js
Solution Brief – Connecting Windows* 10 Enterprise IoT Gateway to Wind River* Helix Device Cloud