Note:
To start, if you have more questions about IoT, you might like to join TechCommunity and post your questions in “Ask the expert”.
https://techcommunity.microsoft.com/t5/learn-iot/ask-the-iot-expert-windows-10-iot-enterprise/m-p/1578999#M12
Windows 10 IoT Enterprise is a full version of Windows 10. It uses the same familiar development and management tools as normal PCs and laptops, and delivers the same enterprise manageability and security support as Windows 10 Pro to IoT solutions. It is often used to create dedicated devices that are locked down to a specific set of applications and peripherals, for example ATMs, medical devices, digital signage, kiosks, etc.
Windows 10 IoT Enterprise offers two servicing channels: Long-term Servicing Channel (LTSC) and Semi-Annual Channel (SAC). I have been testing these two versions of Windows 10 IoT Enterprise, and have some very interesting results to share.
Let’s talk about these two channels
To my understanding, Windows 10 IoT Enterprise builds on Windows 10 Pro and adds granular UX control and security features.
Granular UX Control includes: Unified Write Filter, Embedded Logon, Assigned Access, Shell Launcher, Embedded Boot Experience, Unbranded Screens, AppLocker, MDM & Group Policies
Security Feature includes: Credential Guard, Device Guard
- Windows 10 IoT Enterprise LTSC 2019
OperatingSystemSku is 125. It builds on Windows 10 Pro, version 1809, and this release includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. This release doesn’t include any UWP apps: no Microsoft Store, Cortana, or Microsoft Edge. Windows 10 IoT Enterprise LTSC 2019 is the same as Windows 10 Enterprise LTSC 2019; there are no real differences between them, it is more or less marketing spin. More about LTSC can be read from here.
- Windows 10 IoT Enterprise, version 2004
OperatingSystemSku is 188. The current newest Semi-Annual Channel (SAC) release is built on Windows 10 Pro, version 2004, and it gets feature upgrades just like other SAC Windows versions. This release includes the built-in apps, for example Microsoft Store, Edge, etc.
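As an added example that is not part of the original post: a PowerShell inventory to run on the device before enrolling it, which maps OperatingSystemSku to the two editions above and reports the state of the granular UX control and security features listed earlier. It assumes an elevated session, that the lockdown features are exposed under the DISM optional-feature names used below, and that the Win32_DeviceGuard CIM class is present on the build.

```powershell
# Added example (not from the original post): pre-enrollment inventory of a
# Windows 10 IoT Enterprise device. Run in an elevated PowerShell session.

# 1. Edition: the post gives SKU 125 for LTSC 2019 and 188 for version 2004.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$edition = switch ($os.OperatingSystemSKU) {
    125     { 'Windows 10 IoT Enterprise LTSC 2019 (same bits as Enterprise LTSC 2019)' }
    188     { 'Windows 10 IoT Enterprise, version 2004 (SAC)' }
    default { "SKU $($os.OperatingSystemSKU) is not one of the IoT Enterprise SKUs discussed here" }
}
$releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
"Edition : $edition"
"Build   : $($os.Version) (ReleaseId $releaseId)"

# 2. Granular UX control: these ship as optional features (assumed DISM names).
#    A feature that is absent from the image cannot be targeted by any policy.
$lockdownFeatures = 'Client-UnifiedWriteFilter',
                    'Client-EmbeddedShellLauncher',
                    'Client-EmbeddedLogon',
                    'Client-EmbeddedBootExp',
                    'Client-KeyboardFilter'
foreach ($name in $lockdownFeatures) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
    $state = if ($feature) { $feature.State } else { 'not present in image' }
    '{0,-30} {1}' -f $name, $state
}

# 3. Security features: the Device Guard class reports which VBS services run.
#    SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Device Guard).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    $running = @($dg.SecurityServicesRunning)
    "Credential Guard running    : $(1 -in $running)"
    "HVCI (Device Guard) running : $(2 -in $running)"
} else {
    'Win32_DeviceGuard class not available on this build'
}
```

Keep the output with the enrollment record: when a policy later shows as not applicable in Intune, this tells you whether the feature was missing from the image or merely not configured.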
Intune MDM management
Windows 10 IoT Enterprise is supported by Intune, see this list. However, it was a bit more complicated than I thought.
Test one: Windows 10 IoT Enterprise, version 2004
There are lots of settings that cannot be applied, for example Device Restrictions, Update policy, Security baselines, Attack Surface Reduction rules, Account Protection, BitLocker, Administrative Templates, etc.
Only “Endpoint Security” -> “Antivirus” works a bit better: four settings cannot be applied, and the rest of the settings seem OK.
We also found this Microsoft document https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise , which lists which Policy CSPs are supported for IoT Enterprise. But our test results tell a different story. Take Update Policy, for example: the documentation lists only 4 Update policies as supported, but our test shows that all Update policies work just fine. The BitLocker policy works fine too.
Test two: Windows 10 IoT Enterprise LTSC 2019
Intune UI-configured policies work in Windows 10 IoT Enterprise LTSC 2019, so this is good news. There are some settings that cannot be applied because the feature itself isn’t supported. Not all custom OMA-URIs from the Microsoft documentation list work. I opened an issue in their GitHub if you would like to follow it.
Windows Autopilot
Note: In the official Autopilot documentation, IoT Enterprise is not listed as a supported OS.
Test one: Windows 10 IoT Enterprise, version 2004
Autopilot works. I used the Enrollment Status Page, tracking the Company Portal online app and Microsoft Edge. The user ESP failed. I used Michael Niehaus’s Get-AutopilotStatus script for troubleshooting; apparently, the Company Portal online app was not installed.
Test two: Windows 10 IoT Enterprise LTSC 2019
Autopilot doesn’t work. Not a surprise, as it wasn’t listed as a supported OS in the first place.
Summary
These are all that I have tested so far; I am sure there are lots of other things we can still test. Let me know if you have anything in mind, or if you would like to add your test results.
It looks like the policy page (https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise) has been pulled; has more support been officially added?
I think they changed the doc to support IoT Core instead of IoT Enterprise.
Can existing Windows IoT devices be enrolled in Intune, or will they need to be rebuilt?
I think it should be able to enroll in Intune. I am not sure about hybrid scenarios; I didn’t test that.