Frequently asked HoloLens (1st gen) Security Questions

What level of data protection does HoloLens 1 offer?

What type of wireless is used?

  • 802.11ac and Bluetooth 4.1 LE

What type of architecture is incorporated? For example: point to point, mesh, or something else?

  • Wi-Fi can be used in infrastructure mode to communicate with other wireless access points.
  • Bluetooth can be used to talk peer to peer between multiple HoloLens if the customers' application supports it or to other Bluetooth devices.

What is FCC ID?

  • C3K1688

What frequency range and channels does the device operate on and is it configurable?

  • Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US, Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels.
  • Bluetooth: Bluetooth uses the standard 2.4-2.48 GHz range.

Can the device allow or block specific frequencies?

  • This is not controllable by the user/device.

What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?

  • Our emissions testing standards can be found here. Range of operation is highly dependent on the access point and environment - but is roughly equivalent to other high-quality phones, tablets, or PCs.

What is the duty cycle/lifetime for normal operation?

  • 2-3 hrs of active use and up to two weeks of standby time
  • Battery lifetime is unavailable.

What is transmit and receive behavior when a tool is not in range?

  • HoloLens transmit/receive follows the standard Wi-Fi/Bluetooth pattern. At the edge of its range, you'll probably notice input getting choppy until it fully disconnects, but after you get back in range it should quickly reconnect.

What is deployment density per square foot?

  • This is dependent on your network infrastructure.

Can device use the infrastructure as a client?

  • Yes

What protocol is used?

  • HoloLens does not use any proprietary protocols

OS update frequency – What is the frequency of OS updates for the HL? Is there a set schedule? Does Microsoft release security patches as needed, etc.

  • Microsoft does provide OS updates to HoloLens exactly the same way it's done for Windows 10. There are normally two major updates per year, one in spring, one in fall. As HoloLens is a Windows device, the update concept is the same as with any other Windows device. Microsoft releases Security patches as needed and follows the same concept as done on any other Windows device.

OS hardening – What options are there to harden the OS? Can we remove or shut down unnecessary apps or services?

  • HoloLens behaves like a smartphone. It is comparable to other modern Windows devices. HoloLens can be managed by either Microsoft Intune or other Modern Device Management Solutions, like MobileIron, Airwatch, or Soti. There are Policies you can set in these Management Systems to put Security policies on the device and in order to harden the device. There is also the option in deleting any unnecessary applications if wanted.

How will software applications be managed and updated? What control do we have to define what apps are loaded and app update process for apps that are living in the Microsoft store?

  • HoloLens gets software applications only through the Windows store. Only Appx Application Packages can be installed, which are developed for the Use of HoloLens. You can see this in the Microsoft Store with a little logo next to the application that shows the HoloLens device. Any control that you have over the management of Store applications also applies to HoloLens. You can use the concept of the official store or the store for business. Apps can either be side-loaded (manual process to load an app on a Windows device) or can be managed through an MDM so that apps are automatically pulled from the store when needed.

What is the frequency of updates to apps in the store for HoloLens?

  • As we follow the same concept of the Microsoft Store and pull apps from there, the update cycle is determined by the developer of the Application. All management options that you have to control the update mechanism in the store apply to HoloLens as well.

Is there a secure boot capability for the HoloLens?

  • Yes

Is there an ability to disable or disconnect peripheral support from the device?

  • Yes

Is there an ability to control or disable the use of ports on the device?

  • The HoloLens only contains two ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons.

Antivirus, endpoint detection, IPS, app control allowlist – Any ability to run antivirus, endpoint detection, IPS, app control allowlist, etc.

  • Windows Holographic for Business (commercial suite) does support Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens.
  • Allowing apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.

Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time? Ex. Device has been sitting in a drawer not powered up for a period (six months) and has not received any updates, patches, etc. When it tries to come on the network, can we flag it and say you must update on another network prior to being complaint to join the network.

  • This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version.

Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?

  • No

When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?

  • CSR for SCEP is generated on the device itself. Intune and the on-premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client.
  • Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices.