ms-iot / azure-client-tools

Azure Client Tools

Windows 10 IoT Enterprise #13

Closed Eric-ITaaS closed 5 years ago

Eric-ITaaS commented 5 years ago

Most of the documentation is for IoT core. I'm not finding a lot of resources for IoT Enterprise. There is a reference that Win10 Enterprise requires embedded mode, but there isn't a mention of why. Is it that the azuredevicemanagementclient.exe needs to be run as an embedded application? Is there more specific documentation and examples for IoT Enterprise connecting to IoT hub?

gmileka commented 5 years ago

Hi gatornation11,

Sure, we can add more documentation on IoT Enterprise. Here are some answers in the meantime...

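AzureDeviceManagementClient.exe itself doesn't need embedded mode enabled.

However, some of the provided plug-ins (like device info, reboot, etc.) rely on Windows CSPs (https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference) to apply/retrieve configurations.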

Enabling embedded mode is what gives access to the CSPs.

So, if the functionality is not implemented using CSPs, it does not require embedded mode. An example of such functionality is the time zone settings. This configuration is simply using Win32 APIs underneath.

Also, if you are providing your own plug-in, and you are not using CSPs, then you do not need embedded mode.

For the currently published code, this is pretty much the only difference between IoT Enterprise and IoT Core. The rest should work in the same way.

We will be introducing new functionality that might have some differences. We will document those, however, when they are out.

Let us know if you have any questions...

thanks, george

gmileka commented 5 years ago

I've just pushed: https://github.com/ms-iot/azure-client-tools/blob/master/docs/device-agent/supported-skus.md

Eric-ITaaS commented 5 years ago

Makes sense, thank you.

Eric-ITaaS commented 5 years ago

Btw, I already use WICD to create a locked down kiosk mode computer. I added this to that package. Have you heard of any issues with the agent and Kiosk mode computers?

Thanks Eric

Eric-ITaaS commented 5 years ago

Thanks for this, that helps. Got embedded mode enabled. Got the agent installed. Not sure where to go from here. Need to edit the .json doc for connection info but there isn’t documentation specific to Enterprise OS. Should I start here? https://github.com/ms-iot/azure-client-tools/blob/master/docs/device-agent/quick-start-iot-core.md#create-the-device-provisioning-service

gmileka commented 5 years ago

Hi gatornation11,

This may help: https://github.com/ms-iot/azure-client-tools/blob/master/docs/device-agent/quick-start-iot-enterprise.md

Basically, you are on the right track - after having the binaries, the easiest way to test the agent is to modify AzureDeviceManagementClient.json and hardcode the connection string in there. Then start the service using: net start AzureDeviceManagementClient or - if you want console output, you can also start it from an admin cmd window using: AzureDeviceManagementClient.exe -debug

Eric-ITaaS commented 5 years ago

Thanks for that. I can get that far but I stall at “Add Enrollment” part in portal.azure.com Registration Id:

Endorsement Key: Questions are, how do I get this from OS and will there be an issue if I have Bitlocker using TPM. I looked at limpet.exe, looks like it moved to opensource starting with build 1809. Cloned this repo (https://github.com/ms-iot/security) but not sure which project I need to build.

gmileka commented 5 years ago

Hi gatornation11,

Limpet.exe is actually available in this repo (azure-client-tools). When you build the solution, limpet.exe is produced along with AzureDeviceManagementClient.exe. This is the most recent version.

The registration id and endorsement key can be retrieved using: limpet.exe -azuredps -enrollmentinfo

It is okay if BitLocker is using TPM. The TPM has different slots - and you can choose to store the connection strings in TPM slots that are not already used.

Eric-ITaaS commented 5 years ago

Okay, got it all working. There is an issue if you try the option to just build the limpet project, complains about a missing .lib file during linking. But if you do the build all batch file that works. I noticed that the json uses TPM slot 0. Is this arbitrary, seems like if BitLocker was enabled first slot 0 would have been taken… Not sure how to check what slots are or aren’t available in TPM.

gmileka commented 5 years ago

re. issue building limpet only: I'll take a look... I assume you tried building it using VS?

re. TPM slot used: Yes, this is arbitrary. You can tell the AzureDeviceManagementClient.exe what slots to use using AzureDeviceManagementClient.json (https://github.com/ms-iot/azure-client-tools/blob/master/docs/device-agent/reference/device-agent-configuration-file.md). dmModuleSlotNumber and deviceSlotNumber specify which slots to use.

re. how to check which slots are used: limpet -lld

Eric-ITaaS commented 5 years ago

Yes, did build with VS but couldn’t find the .exe afterwards… Then built with the batch file that uses cmake I presume.

gmileka commented 5 years ago

Build.cmd will build the Azure IoT Hub SDK, the Azure Storage SDK, and then build this repo's projects.

If after cloning, we build using VS, the build will have failures because the Azure SDKs are not built yet. So, Build.cmd should be the first thing to run after cloning. That, or build.azure-c-sdk.cmd and build.azure-dm.cmd to build those dependencies.

Is it possible that you ran the VS build before building those dependencies and it had failures?

coreypottebaum commented 5 years ago

I am attempting to connect a Windows 10 IoT Enterprise VM with the device agent and am running into issues (or I am just misunderstanding the documentation). Am I correct to create a device in the IoT Hub, copy the connection string, then modify the AzureDeviceManagementClient.json file with the connection string in the "debugConnectionString" variable? The devices we will be using do not have TPM so we cannot use that method.

I have performed these steps but the device has no connectivity in the IoT hub. I have already enabled embedded mode.

Thanks in advance.
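An added example, not part of the thread and not the project's own code: a pre-flight check for AzureDeviceManagementClient.json that verifies the debugConnectionString has the fields of an IoT Hub device connection string, flags the key being stored in plaintext, and prints only a redacted copy. It assumes the three keys named in this thread sit at the top level of the file; the sample hub name, device id and key are constructed.

```python
import json

# Constructed sample; the hub name, device id and key are placeholders, not real values.
SAMPLE = json.dumps({
    "debugConnectionString": "HostName=example-hub.azure-devices.net;"
                             "DeviceId=kiosk-01;SharedAccessKey=Q09OU1RSVUNURUQ=",
    "deviceSlotNumber": 0,
    "dmModuleSlotNumber": 1,
})

def parse_connection_string(cs):
    """Split 'Key=Value;...' into a dict. Only the first '=' separates key from
    value, so base64 padding at the end of a key survives."""
    parts = {}
    for field in cs.strip().split(";"):
        key, sep, value = field.partition("=")
        if sep and key.strip():
            parts[key.strip()] = value.strip()
    return parts

def audit_agent_config(text):
    """Return (findings, redacted_connection_string_or_None)."""
    cfg = json.loads(text)
    findings, redacted = [], None
    cs = cfg.get("debugConnectionString") or ""
    if cs:
        parts = parse_connection_string(cs)
        missing = [k for k in ("HostName", "DeviceId") if not parts.get(k)]
        if not any(parts.get(k) for k in ("SharedAccessKey", "SharedAccessSignature", "x509")):
            missing.append("credential")
        if missing:
            findings.append("debugConnectionString is missing: " + ", ".join(missing))
        for secret in ("SharedAccessKey", "SharedAccessSignature"):
            if parts.get(secret):
                findings.append(f"{secret} is stored in plaintext in the config file")
                parts[secret] = "<redacted>"
        redacted = ";".join(f"{k}={v}" for k, v in parts.items())
    else:
        # Assumption: with no debug string the agent relies on the TPM slots.
        for name in ("deviceSlotNumber", "dmModuleSlotNumber"):
            slot = cfg.get(name)
            if isinstance(slot, bool) or not isinstance(slot, int) or slot < 0:
                findings.append(f"{name} is not a non-negative integer: {slot!r}")
    return findings, redacted

if __name__ == "__main__":
    issues, safe = audit_agent_config(SAMPLE)
    print(safe)
    for issue in issues:
        print("-", issue)
```

The slot numbers it reports can be compared against the output of limpet -lld mentioned earlier in the thread.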

gmileka commented 5 years ago

Hi coreypottebaum, I've created https://github.com/ms-iot/azure-client-tools/issues/15 to track this issue separately.

gmileka commented 5 years ago

Hi gatornation11, I'm closing this thread. Feel free to re-open if needed.