Security

Windows IoT Enterprise comes with a host of security offerings that you can leverage to best fit your Windows IoT Enterprise solution.

Microsoft Security Response Center

The world is more connected today than it has ever been. Technology is wound deep into our lives and has become part of our routine. With great advances, we have also seen a greater dynamic playing out between threat actors and the defenders. The Microsoft Security Response Center (MSRC) is part of the defender community and on the front line of security response evolution. For over twenty years MSRC has been working to improve security for our customers, learning from both successes and failures. Time has only reasserted MSRC's commitment to better protect customers and the broader ecosystem.

MSRC's mission is to protect customers from being harmed by security vulnerabilities in Microsoft's products and services. By building your solution with Windows IoT Enterprise, you have Microsoft Security Response Center's commitment towards security. Please review their Security Update Guide to ensure your devices are up-to-date and secured.

Comprehensive Security Features

Windows IoT Enterprise, brings Enterprise security to your IoT devices.

Windows IoT Enterprise is built on a five-point comprehensive security platform:

  1. Device protection
  2. Threat Resistance
  3. Data Protection in Motion
  4. Cloud Security
  5. Response

1. Device Protection

Windows Security provides the following built-in security options to help protect your device from malicious software attacks. Like they say, a strong defense, is a strong offense.

Trusted Platform Module (TPM)​

Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:

  • Generate, store, and limit the use of cryptographic keys.
  • Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself.
  • Help ensure platform integrity by taking and storing security measurements.
Windows Device Health Attestation​

Modern malware is getting more and more sophisticated. Some of them, specifically bootkits, are capable of starting before Windows. Device Health Attestation can be used to detect and remediate in the unlikely event where a device is infected. The device's firmware logs the boot process, and Windows can send it to a trusted Health Attestation Server that can objectively assess the device's health.

Secure Boot​

Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.

The OEM can use instructions from the firmware manufacturer to create Secure boot keys and to store them in the PC firmware. When you add UEFI drivers, you'll also need to make sure these are signed and included in the Secure Boot database.

For information on how the secure boot process works included Trusted Boot and Measured Boot, see Secure the Windows boot process.

BitLocker​

Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and by providing new strategies. To learn more, see BitLocker Overview and Requirements FAQ

2. Threat Resistance

We provide a security tools set for Windows to protect a wide range of threats against execution of unauthorized code and scripts, network, and malware attacks. Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat and vulnerability management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.

Windows Defender Firewall

Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user.

Windows Defender

Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.

3. Data Protection in Motion

Data Protection covers control of data protection at rest, in transit, and via authorized access mechanisms. This includes discover, classify, protect, and monitor sensitive data assets using access control, encryption, and logging.

X.509/TLS-Based Handshake and Encryption

Transport Layer Security (TLS), like Secure Sockets Layer (SSL), is an encryption protocol intended to keep data secure when being transferred over a network. These articles describe steps required to ensure that Configuration Manager secure communication uses the TLS 1.2 protocol.

4. Cloud Security

Microsoft Azure includes tools to safeguard data according to your company's security and compliance needs.

To learn more, visit Azure Security

5. Response

Microsoft has all the tooling to provide immediate support and assistance.

Device Management

Microsoft provides a whole suite of device management solutions to keep your devices safe and monitor activity at all times. Managing a device is now easier than ever on Windows IoT Enterprise. There are multiple options that your organization can choose from in order to best manage your devices, such as Microsoft Intune, Endpoint Manager and third-party OMA-DM based management tools. OEMs can also select Azure Device Agent, which leaves it up to their customers to select the device management solution that fits them best.

Device Recovery

In case something is to go wrong with your device, Windows IoT Enterprise supports two device recovery options:

Option #1: Isolate the device using device management tools or network settings

Option #2: Reimage the device back to factory settings.

Windows IoT Device Health Attestation enables the operator to assess if a device is booted to a trusted and compliant state, and takes appropriate remedial actions if necessary.

Edge Secured-core

Edge Secured-core is a new certification in the Azure Certified Device program for IoT devices running a full operating system such as Windows IoT Enterprise. Edge Secured-core certified devices meet additional security requirements around device identity, secure boot, operating system hardening, device updates, data protection, and vulnerability disclosures. All of this is designed to help prevent attacks, protect your data, and defend against those attempting to infiltrate your infrastructure.

Building on the expertise Microsoft developed around Secured-core for commercial Windows 10 PCs, Edge Secured-core takes a similar approach for IoT devices. This certification can be used to validate that certified devices include specific security hardware technology, have an operating system with built-in security, and use IoT services such as Microsoft Defender for IoT that continually monitor for threats on the device.

For companies building devices, Edge Secured-core provides a low-cost differentiator that enables customers to easily identify your device that has been configured to meet a higher security standard.

Edge Secured-core drives scalable security

Through the use of Edge Secured-core, companies can trust that IoT devices are built with a foundation of security and can be deployed seamlessly and securely.

It also provides enterprises and solution builders with the confidence that the devices they’re purchasing deliver the following security promises:

  • Hardware-based device identity
  • Capable of enforcing system integrity
  • Stays up to date and is remotely manageable
  • Provides data-at-rest protection
  • Provides data-in-transit protection
  • Built-in security agent and hardening

To learn more about how to get started, review Edge Secured-core requirements for Windows IoT Enterprise devices.

Additional resources