I'm trying to create a minimum Windows image for an embedded PC that is included as part of a scientific instrument and runs a single application. Is NTLite able to do this?
This embedded system currently includes a full LTSC image (Win11 IoT Enterprise) which works well until it ends up at a customer's site and their IT teams get their hands on it. Typically, most customers want to join it to their domain, mainly for access control and transferring of data. As security requirements are becoming more stringent, especially with large corporations, we have more customers installing Windows updates, security suites, endpoint protection, software overlays, loggers, remote desktop tools, web browsers, etc. (despite our warnings that we can't support modified instruments). We keep running into compatibility issues with this 3rd-party software, and it's a nightmare to support. Our software is written mainly in .NET 4.8 and has some custom drivers and VC++ runtimes.
I realize we could deploy Windows in Kiosk mode with a UWF and other tweaks, but it doesn't really make sense to install unneeded components and services which could be attack vectors or use resources, ultimately making the system less stable. This wouldn't solve our main issue of customers' IT/security requirements.
I had tried running the software from a custom Windows PE image, which almost worked but provided some other challenges. Mainly, we can't sell a system with a Windows PE boot image, being an MS Partner or not.
My question is how much can we remove from a Windows 11 IoT Ent 24H2 image, only leaving enough to boot and run this single application, and is NTLite capable of such a drastic removal? Are there presets/templates for this purpose, or is it just trial and error?
Ideally we could do the following:
Strip all drivers except the required ones for the single hardware configuration (and maybe the Hyper-V VM drivers for testing)
Allow Windows to activate with a new product key after imaging
Include the .NET Framework 4.8 and VC++ redistributable (or allow them to be installed afterwards)
MSI installer to install the software unless it's possible to slipstream
No updates - remove any unneeded updates
Windows time sync
Limit services and scheduled tasks to a minimum
Only English language
No explorer.exe shell needed, launch the app at start or further refine with Kiosk mode?
We would need to provide a method to transfer data and config files. Options:
Include drivers for USB flash storage (not ideal but easy and secure)
Include drivers and software for a USB to USB file sync cable and connect an external workstation for data analysis (no networking would be a plus)
Include components for network file sharing. Not sure which protocols would be acceptable for a corporate network.
Include components for domain sign-on or network file share access on corporate network. (not likely an acceptable solution for many corporate networks)
Hoping someone has done this before and I can stand on their shoulders... or someone who can provide a good reason not to.
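One way to get the "no explorer.exe shell, launch the app at start" item from the list above on Windows 11 IoT Enterprise is the built-in Shell Launcher feature, which replaces the logon shell per user (keyed by SID) and restarts the application if it exits. The script below is an added example, not code from the original post or from NTLite; the application path (C:\Instrument\InstrumentApp.exe) and the local servicing account name ("service") are hypothetical placeholders. It uses the Client-EmbeddedShellLauncher optional feature and the WESL_UserSetting WMI class that Microsoft documents for Shell Launcher.

```powershell
# Added example (not from the original post): make the instrument application
# the Windows shell via Shell Launcher, while a local servicing account keeps
# explorer.exe for maintenance. Run in an elevated PowerShell on the target.
#
# Assumptions (hypothetical, adjust for your build):
#   - the application is installed at C:\Instrument\InstrumentApp.exe
#   - a local account named "service" is used by your field engineers

$AppPath        = 'C:\Instrument\InstrumentApp.exe'   # hypothetical path
$ServiceAccount = 'service'                             # hypothetical local user

# 1. Shell Launcher is an optional feature on IoT Enterprise / Enterprise;
#    enable it if the image does not already have it.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Client-EmbeddedShellLauncher'
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName 'Client-EmbeddedShellLauncher' -NoRestart | Out-Null
}

# 2. Handle to the WMI class that stores Shell Launcher settings.
$ShellLauncher = [wmiclass]"\\localhost\root\standardcimv2\embedded:WESL_UserSetting"

# Actions Shell Launcher takes when the shell process exits.
$RestartShell  = 0
$RestartDevice = 1
$Shutdown      = 2
$DoNothing     = 3

function Get-AccountSid([string]$AccountName) {
    # Translate a local account name to its SID; custom shells are keyed by SID.
    $account = New-Object System.Security.Principal.NTAccount($AccountName)
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# 3. Default shell for every account that logs on: the instrument application.
#    If the app crashes or is closed, restart it instead of dropping to a desktop.
$ShellLauncher.SetDefaultShell($AppPath, $RestartShell) | Out-Null

# 4. The servicing account keeps explorer.exe so engineers can maintain the unit.
$ServiceSid = Get-AccountSid $ServiceAccount
$ShellLauncher.SetCustomShell($ServiceSid, 'explorer.exe', $null, $null, $RestartShell) | Out-Null

# 5. Switch Shell Launcher on and print the resulting configuration.
$ShellLauncher.SetEnabled($true) | Out-Null
"Shell Launcher enabled : {0}" -f $ShellLauncher.IsEnabled().Enabled
"Default shell          : {0}" -f $ShellLauncher.GetDefaultShell().Shell
"Shell for {0}: {1}" -f $ServiceAccount, $ShellLauncher.GetCustomShell($ServiceSid).Shell
```

Shell Launcher only decides which process is started as the shell; it is not a security boundary. If the application itself opens file dialogs, links or a browser control, a user can still reach the rest of the system from there, so pair it with a locked-down kiosk account (auto-logon, no admin rights) and whatever component removal you settle on. Autologon of the kiosk account is configured separately and is not shown here.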