The Intel IoT Gateway can run several operating systems, one of which is Windows 10 IoT. This article covers the IntelIoTGatewaySetup PowerShell module, which was created specifically to support IoT gateways in the Microsoft Windows environment.
Officially the module is called "Intel IoT Gateway Module for Microsoft Windows PowerShell". It configures the gateway's operating system to a chosen security level (Security SKU).
Basic information
The module is part of the Windows Configuration Software for Intel IoT Gateway. The package can be found under that name and downloaded from the Intel Download Center. The Windows 10 IoT Enterprise and Windows 10 IoT Core operating systems are currently supported.
IntelIoTGatewaySetup configures the Windows security features listed in Intel's description of the security levels. There are three levels, in ascending order of protection: Basic SKU, Medium SKU and High SKU. Each level extends the capabilities of the previous one. The features the module configures are:
- Windows Update, Windows Defender, Windows Firewall, User Account Control, USB removable media lockdown, Virtualization Based Security (VBS), AppLocker and Code Integrity.
- BitLocker with TPM support, for Windows 10 IoT Enterprise only. Although the definition of the Medium and High levels mentions TPM together with Network Unlock, the PowerShell module configures only BitLocker with TPM, because Network Unlock requires additional network infrastructure.
Although the IntelIoTGatewaySetup module configures many settings according to the chosen security level, it does not touch the following features:
- UEFI, Secure Boot and TPM. These are part of the hardware and firmware requirements for Intel gateways, so they are already present and enabled on the gateway.
- Account privilege levels. Depending on how the system is used, you can create an account with the administrator role or a standard account with a normal set of rights.
- ASLR. This feature is enabled by default in Windows and needs no additional configuration.
- Measured Boot. This feature is implemented by UEFI, the TPM and Windows, and also needs no additional configuration.
- Remote Attestation. This feature needs additional network infrastructure and additional software.
- BitLocker + Network Unlock. Network Unlock requires additional network infrastructure and a DHCP driver in UEFI. As a result, the PowerShell module can only configure BitLocker with TPM support.
- USB Filter. To configure this feature for the gateway's intended use, use Group Policy to manage USB devices by Device ID or Class ID.
- Keyboard Filter. To configure this filter, use the Windows ICD tool.
The IntelIoTGatewaySetup folder contains the following main components:
- Readme.rtf. The usual accompanying file with getting-started instructions.
- ModuleInstallation.ps1. An auxiliary script for installing the IntelIoTGatewaySetup module.
- The IntelIoTGatewaySetup folder. This contains the module itself.
Module installation
If the gateway has a display and a keyboard, the PowerShell commands required to install the module can be run directly on the gateway, and after installation the commands the module provides can be run there as well. We call this local installation and local command execution.
The gateway may also be out of physical reach, or have no monitor and input devices. In that case you need another computer, which we will call the developer's computer, to remotely manage and configure the gateway. This is the scenario considered below. We call it remote installation and remote command execution.
To install the PowerShell module on the gateway from the developer's computer, the two systems must be on the same subnet. The process also involves temporarily mapping a network drive between the computer and the gateway.
For a remote installation of the module, perform the following steps.
First, PowerShell remoting must be enabled on the gateway itself so that it can be reached from the developer's computer.
Once the gateway is ready, perform the following steps on the developer's computer in a PowerShell session.
1. Make sure that both of the following accounts have administrator rights:
- the account you are logged on with on the developer's computer;
- the account on the gateway that will be used in the steps below.
2. Run the PowerShell command-line interpreter as an administrator.
3. To run the ModuleInstallation.ps1 script, the PowerShell execution policy must be AllSigned or RemoteSigned. The Get-ExecutionPolicy and Set-ExecutionPolicy cmdlets show and set the execution policy, respectively. For example, the following command selects the RemoteSigned policy:
Set-ExecutionPolicy RemoteSigned
4. Dot-source the ModuleInstallation.ps1 script: type a dot "." and a space before the path of the script. This runs the script in the current scope, so the functions it defines stay available in your session:
. .\ModuleInstallation.ps1
5. Read the help for the installation command, including its usage examples:
Get-Help Install-IntelIoTGatewaySetup -Full
6. Run Install-IntelIoTGatewaySetup to install the module from the developer's computer onto the gateway. The rules for using the command are in the help from the previous step. For example:
# $path - local path to the module files, e.g. 'C:\IntelIoTGatewaySetup'
# $remoteip - IP address of the gateway, e.g. '192.168.2.5'
# $remoteaccount - administrator account on the gateway, e.g. 'Tester' or 'Domain\Tester'
# A backtick followed by a newline continues the command on the next line.
Install-IntelIoTGatewaySetup -ModuleLocalPath $path `
    -RemoteGateway $remoteip `
    -RemoteAccount $remoteaccount -Verbose
Note that during a local installation you can run Install-IntelIoTGatewaySetup directly on the gateway. To remove the module, use Uninstall-IntelIoTGatewaySetup; details are in the module's help.
7. After installation, use PowerShell remoting to run the module's commands on the gateway (see the PowerShell documentation on running commands on remote systems). For example, run the following commands in order.
- Start the WinRM service if it is not already running.
if ((Get-Service WinRM).Status.ToString() -ne 'Running') {
    # WinRM is required for the remote session
    Write-Verbose "Start WinRM service."
    net start WinRM
}
- Add the remote gateway to the TrustedHosts list.
# Adds $remoteip (the IP address of the gateway) to TrustedHosts.
# Note that -Value replaces the existing TrustedHosts list; to append to it,
# add -Concatenate (see Get-Help Set-Item).
Set-Item WSMan:\localhost\Client\TrustedHosts `
    -Value $remoteip -Force
- Create a remote PowerShell session on the gateway.
# $remoteip is the IP address of the gateway and $remoteaccount the account
# on it; you will be prompted for the account's password.
$s = New-PSSession -ComputerName $remoteip `
    -Credential $remoteaccount
- Run commands on the remote gateway.
Invoke-Command -Session $s -ScriptBlock {
    # List the PowerShell commands provided by the module
    Get-Command -Module IntelIoTGatewaySetup
    # Show information about the module
    Get-Module IntelIoTGatewaySetup
}
- Close the remote PowerShell session after running all the necessary commands.
Remove-PSSession -Session $s
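The steps above, collected into one script as an added example (this is not code from the Intel package). It differs from the step-by-step listing in three ways a practitioner will want: the execution policy is relaxed only for the current process, the gateway is added to TrustedHosts with -Concatenate and the previous TrustedHosts value is restored in a finally block, and the gateway password is prompted for instead of being typed into the script. The folder layout (ModuleInstallation.ps1 next to the module folder under $path), the IP address and the account name are assumptions.

```powershell
# Added example, not Intel's code: remote installation of IntelIoTGatewaySetup
# followed by a first command on the gateway. Run from an elevated PowerShell
# on the developer's computer. Values below are assumptions; replace them.
$path          = 'C:\IntelIoTGatewaySetup'   # local copy of the module package
$remoteip      = '192.168.2.5'               # IP address of the gateway
$remoteaccount = 'Tester'                    # administrator account on the gateway

# 1. Only AllSigned or RemoteSigned allow the installation script to run.
#    Process scope changes the policy for this PowerShell process only.
if ((Get-ExecutionPolicy) -notin @('AllSigned', 'RemoteSigned')) {
    Set-ExecutionPolicy RemoteSigned -Scope Process -Force
}

# 2. Dot-source the installer so Install-IntelIoTGatewaySetup is defined in this scope.
#    (Assumption: ModuleInstallation.ps1 sits directly under $path.)
. (Join-Path $path 'ModuleInstallation.ps1')

# 3. Copy the module to the gateway; the cmdlet maps the network drive itself.
Install-IntelIoTGatewaySetup -ModuleLocalPath $path `
    -RemoteGateway $remoteip `
    -RemoteAccount $remoteaccount -Verbose

# 4. WinRM must be running on the client. Trust the gateway only for as long as
#    the script needs it: remember the old TrustedHosts value, append rather than
#    overwrite, and restore it at the end.
if ((Get-Service WinRM).Status -ne 'Running') { Start-Service WinRM }
$oldTrusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $remoteip -Concatenate -Force

$s = $null
try {
    # Prompt for the gateway password instead of embedding it in the script.
    $cred = Get-Credential -UserName $remoteaccount -Message "Password for $remoteaccount on $remoteip"
    $s = New-PSSession -ComputerName $remoteip -Credential $cred

    # Everything that touches the gateway runs inside Invoke-Command.
    $commands = Invoke-Command -Session $s -ScriptBlock {
        Import-Module IntelIoTGatewaySetup -ErrorAction Stop
        Get-Command -Module IntelIoTGatewaySetup | Select-Object Name, CommandType
    }
    $commands | Format-Table -AutoSize
}
finally {
    if ($s) { Remove-PSSession -Session $s }
    # Put TrustedHosts back exactly as it was (an empty string clears it).
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $oldTrusted -Force
}
```

Restoring TrustedHosts matters because an entry there tells the WinRM client to send credentials to that address without any server identity check; leaving a gateway IP in the list permanently widens the window in which a spoofed address on the same subnet could harvest the administrator credential.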
Use of the module
As in the previous section, we assume that a separate computer is used to work with the gateway. This is how the module is used. First, if you have not already done so, enable PowerShell remoting on the gateway. Then, on the developer's computer, proceed as follows.
- Use the same procedure as in step 7 of the previous section. All of the following examples assume that the commands to be executed on the remote gateway are placed inside an Invoke-Command script block.
- After installing the module, use Get-Help with the -Full parameter to learn more about the module's commands. For example, run the following command to list all the commands available in the module:
Get-Command -Module IntelIoTGatewaySetup
- To set the security level, use Enable-IoTWinSecurities and Disable-IoTWinSecurities. They in turn call the module's other commands. It is worth reading their help (Get-Help Enable-IoTWinSecurities -Full). Here are examples of working with them.
- To enable the basic security level ("Basic" SKU) with the BitLocker recovery password given in the example, run the following commands. The recovery password has the 48-digit BitLocker format (eight groups of six digits); use your own value and keep it somewhere other than the gateway.
# $RecoveryPW is the BitLocker recovery password that will be set on the gateway.
$RecoveryPW = '099825-222222-607607-626285-132319-115621-083204-229482'
# A backtick followed by a newline continues the command on the next line.
Enable-IoTWinSecurities -SKU "Basic" `
    -BitLockerRecoveryPW $RecoveryPW `
    -AddPowerShellRemotingFirewallRule -ErrorLog -Verbose
Check the output of the commands for warnings or error messages about the security features being enabled.
For example, a warning may tell you to reboot the system first in order to complete the installation of the required Windows features, and then to run the enable command again.
To disable or remove the security level settings, run the following command:
Disable-IoTWinSecurities -ErrorLog -Verbose
The individual commands called by Enable-IoTWinSecurities and Disable-IoTWinSecurities can also be used on their own to configure individual security features.
If the TPM is reported as "not ready for use", it must be initialized first (for example with the Initialize-Tpm cmdlet or the TPM management console); otherwise BitLocker cannot be turned on.
If AppLocker is configured for the high security level ("High" SKU), users cannot add Windows features from PowerShell. By design, DISMHOST.EXE, which PowerShell uses for that, runs from a temporary folder under the user's profile, and AppLocker blocks it there. As a result, the module's command for enabling VBS cannot be used at that level, because it has to install the required Windows feature. For this reason Enable-IoTWinSecurities enables VBS first, before AppLocker. If Windows features need to be installed, reboot the system to complete their installation and then run the command again.
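An added example (not Intel's code) that applies the two caveats above when enabling a level through an open remote session $s, created as in the installation section: it refuses to start if the TPM is not ready, captures the command's warnings so the caller can see them, and treats a warning mentioning a reboot as the "install features, reboot, run again" case. Get-Tpm, Initialize-Tpm and Restart-Computer are standard Windows cmdlets; the pattern used to recognize a reboot warning and the recovery password are assumptions.

```powershell
# Added example, not Intel's code. Assumes $s is an open PSSession to the gateway
# whose account is an administrator, and that the module is already installed there.
$RecoveryPW = '099825-222222-607607-626285-132319-115621-083204-229482'  # use your own

$result = Invoke-Command -Session $s -ArgumentList $RecoveryPW -ScriptBlock {
    param($pw)
    Import-Module IntelIoTGatewaySetup -ErrorAction Stop

    # BitLocker needs a ready TPM. Get-Tpm ships with Windows (TrustedPlatformModule module).
    $tpm = Get-Tpm
    if (-not $tpm.TpmReady) {
        throw "TPM not ready (present=$($tpm.TpmPresent)); initialize it first (Initialize-Tpm)."
    }

    # 3>&1 merges the warning stream into the output so it can be inspected
    # without relying on the function supporting -WarningVariable.
    $out = Enable-IoTWinSecurities -SKU "Basic" -BitLockerRecoveryPW $pw `
        -AddPowerShellRemotingFirewallRule -ErrorLog -Verbose 3>&1
    $warn = @($out | Where-Object { $_ -is [System.Management.Automation.WarningRecord] })

    [pscustomobject]@{
        Warnings     = @($warn | ForEach-Object { $_.Message })
        # Assumption: the module's "reboot first" warning contains one of these words.
        RebootNeeded = [bool]($warn | Where-Object { $_.Message -match 'reboot|restart' })
    }
}

$result.Warnings | ForEach-Object { Write-Warning $_ }
if ($result.RebootNeeded) {
    # A Windows feature (e.g. for VBS) was staged; finish it with a reboot,
    # then re-create the session and run Enable-IoTWinSecurities a second time.
    Restart-Computer -ComputerName $s.ComputerName -Wait -For PowerShell -Force
}
```

Checking TpmReady before calling the module turns a late BitLocker failure into an early, explicit error, and the structured result lets an unattended provisioning job decide whether a second pass is required instead of a human reading verbose output.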
For User Mode Code Integrity (UMCI) to work with the module, a registry value must be set that allows the module's location to run in Full Language Mode under the Code Integrity policy. By default the module is installed in the standard module directory, %ProgramFiles%\WindowsPowerShell\Modules, for which this is already taken care of. If the module is installed elsewhere, you need to configure the registry value yourself: add the path where the module is installed to the REG_MULTI_SZ value named "TestPath" under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\TRSData
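An added example (not Intel's code) of making that registry change idempotently: it reads the existing REG_MULTI_SZ list, appends the module path only if it is not already there, and writes the list back with the correct type, so existing entries are not overwritten. The key and value names are the ones given above; the module path is an assumption. Run it on the gateway as administrator, directly or inside Invoke-Command.

```powershell
# Added example, not Intel's code: register a non-default module location in the
# Code Integrity TestPath value so the module runs in Full Language Mode under UMCI.
$modulePath = 'D:\PSModules\IntelIoTGatewaySetup'                 # assumption
$ciKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\TRSData'

# The key may not exist yet on a freshly imaged gateway.
if (-not (Test-Path $ciKey)) { New-Item -Path $ciKey -Force | Out-Null }

# TestPath is REG_MULTI_SZ: read the current list (empty if the value is missing),
# add our path exactly once, and write the whole list back as MultiString.
$current = @((Get-ItemProperty -Path $ciKey -Name TestPath -ErrorAction SilentlyContinue).TestPath)
$current = @($current | Where-Object { $_ })   # drops the $null a missing value yields

if ($current -notcontains $modulePath) {
    $updated = @($current) + $modulePath
    Set-ItemProperty -Path $ciKey -Name TestPath -Value $updated -Type MultiString
    Write-Verbose "Added $modulePath to TestPath" -Verbose
} else {
    Write-Verbose "$modulePath already present in TestPath" -Verbose
}

# Read the value back so the change can be confirmed (and audited) from the output.
(Get-ItemProperty -Path $ciKey -Name TestPath).TestPath
```

Because every path listed in TestPath is trusted to run with the full language, keep the list to the single module directory and make sure that directory is writable only by administrators; otherwise the UMCI restriction can be bypassed by dropping a script there.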
Results
This article described a new tool for configuring Intel IoT gateways that run Microsoft Windows. The IntelIoTGatewaySetup PowerShell module lets you work with the gateways both locally and remotely, and the commands it collects simplify and speed up the gateway configuration procedures.