Introducing Windows XP Embedded with Service Pack 2

by Katherine Enos
Microsoft Corporation
December 2004
Applies to Microsoft® Windows® XP Embedded

Summary

This document summarizes feature changes and additions for Microsoft® Windows® XP Embedded with Service Pack 2.

Contents

Introduction

Designing a Run-Time Image

Changes to Windows Features

Changes to Embedded Enabling Features

Building Security into a Run-Time Image

Managing and Servicing a Run-Time Image

For More Information

Introduction

Microsoft® Windows® XP Embedded with Service Pack 2 (SP2) combines the benefits of Windows XP Professional Service Pack 2 with enhancements that are targeted to embedded device development.

Windows XP Professional SP2 includes new security technologies that affect network protection, memory protection, Web browsing, and e-mail handling. Windows XP Embedded with SP2 includes these important security changes. Windows XP Embedded with SP2 also provides updates to Windows features such as Microsoft® DirectX®, and to embedded enabling features such as the Minlogon single-user environment.

This white paper describes the new and changed features of Windows XP Embedded with SP2 in terms of their place in the device development process.

The following table provides a summary of key feature changes in Windows XP Professional that are included in Windows XP Embedded with SP2. This table also describes Windows XP Professional features that are new for Windows XP Embedded.

Feature or area | Description
Security | Provides the same broad range of security changes to Windows XP Embedded that Windows XP Professional SP2 includes.
Microsoft DirectX 9.0c | Provides the resources you need to run applications that are compatible with DirectX 9.0c on your embedded devices.
Microsoft® .NET Framework 1.1 | Provides the resources you need to run applications that are compliant with .NET Framework 1.1 on your embedded devices.
Microsoft® Windows Media® Player 9 Series | Provides the resources you need to run applications for Windows Media Player 9 Series on your embedded devices.
Microsoft® Software Update Services (SUS) | Provides a complete solution for servicing embedded devices. You can now use SUS to manage the distribution of Windows updates to Windows XP Embedded-based clients.
Microsoft® Systems Management Server (SMS) | Provides security patch management capabilities. Embedded developers can now use SMS to manage the deployment of security patches to Windows XP Embedded-based devices.
Terminal Server Remote Desktop | Updates the remote desktop capabilities of your embedded devices.
Windows Firewall | Increases the security of your embedded devices.

The following table provides a summary of changes to the embedded enabling features in Windows XP Embedded with SP2.

Feature or area | Description
Windows application compatibility macro components | Increase application compatibility between your run-time image and applications in the areas of multimedia, networking, shell, Windows core, and Windows Management Instrumentation (WMI).
Generic Device Driver Support component | Quickly add support for one or more device classes to your run-time image.
Enhanced Write Filter (EWF) | Reduce boot time for your EWF-protected run-time image by using a hibernation file.
Minlogon | Implement a single-user logon environment that supports standby and hibernation.
Windows XP Embedded documentation | Read the latest Help documentation for expanded information about security and servicing, as well as more how-to topics. Component Help is now available for every component in the Windows Embedded Studio component database and includes detailed information about dependencies, resources, and interfaces.

Designing a Run-Time Image

Windows XP Embedded with SP2 makes it easier to design and configure your run-time image for security, device support, and for application compatibility. This section provides a summary of feature changes in Windows XP Embedded with SP2.

For more information about using Windows XP Embedded to design a run-time image, see Design a Run-Time Image in the Windows XP Embedded documentation.

Changes to Windows Features

Windows XP Embedded with SP2 includes updated components for the following Microsoft Windows features and applications.

Microsoft DirectX 9.0c

Windows XP Embedded with SP2 provides support for Microsoft DirectX 9.0c. You can use the Microsoft DirectX 9.0c component in the Windows Embedded Studio component database to run C, C++ and C# applications that are compliant with DirectX 9.0c.

For information about dependencies and included files for the DirectX 9.0c component, see the Component Help in Windows XP Embedded with SP2. For information about writing DirectX 9.0c applications, see the DirectX 9.0 SDK Update on the MSDN Web site.

Microsoft .NET Framework 1.1

Windows XP Embedded with SP2 provides support for the Microsoft .NET Framework 1.1. The .NET Framework 1.1 component that is included in the Windows Embedded Studio component database supplies the common language runtime (CLR) and the .NET Framework class library. This version of the .NET Framework delivers increased scalability and performance, and also includes:

  • Native support for mobile Web applications
  • Support for the execution of Windows Forms assemblies from the Internet
  • Code access security for ASP.NET applications
  • A unified programming model for smart client application development
  • Support for IPv6

For information about dependencies and included files for the .NET Framework 1.1 component, see the Component Help documentation in Windows XP Embedded with SP2. For more information about .NET Framework 1.1, see the Microsoft .NET Framework Developer Center.

Microsoft Windows Media Player 9 Series

Windows XP Embedded with SP2 offers support for Microsoft Windows Media Player 9 Series. Windows Media Player 9 Series introduces new features including fast streaming, auto playlists, crossfading, and volume leveling.

For information about dependencies and included files for the Player, see the Component Help documentation that is included in Windows XP Embedded with SP2. For more information about Windows Media Player, see Windows Media Player 9 Series on the Microsoft Web site.

Terminal Server Remote Desktop

Windows XP Embedded with SP2 includes remote desktop support for embedded devices in the Terminal Server Remote Desktop component. For information about dependencies and included files, see Terminal Server Remote Desktop in the Component Help documentation that is provided in Windows XP Embedded with SP2.

Windows Firewall

Windows Firewall is enabled by default. This On-by-Default setting provides increased network protection for Windows XP Embedded-based run-time images that use the Windows Firewall components. On-by-Default affects both IPv4 and IPv6 traffic, and protects network connections as they are opened on your devices. The Windows Firewall feature is divided into two components that are located in the Windows Embedded Studio component database. The following table describes these components.

Component | Description
Windows Firewall/Internet Connection Sharing | Provides the Windows Firewall.
Windows Firewall Control Panel | Provides the Control Panel user interface that allows users to view and change Windows Firewall settings.

For more information about these components, see the Component Help documentation in Windows XP Embedded with SP2.

For more information about using Windows Firewall in your run-time image, see Windows Firewall in the Windows XP Embedded documentation.

For detailed information about the changes to Windows Firewall for Windows XP Professional SP2, see the white paper entitled Changes to Functionality in Microsoft Windows XP Professional Service Pack 2 on the Microsoft Web site.

Changes to Embedded Enabling Features

Windows XP Embedded with SP2 introduces new features that make it easier to build device driver support and application compatibility into your run-time images. This release also includes changes to embedded enabling features such as Minlogon and Enhanced Write Filter (EWF). These feature changes and additions are supported by comprehensive changes to the Windows XP Embedded documentation.

Application Compatibility

Windows XP Embedded with SP2 supplies application compatibility macro components for multimedia, networking, shell, Windows Management Instrumentation (WMI), and Windows core functionality.

Your run-time image must include certain components to be compatible with the applications that your device will run. A typical strategy for achieving application compatibility begins with specifying the applications that your device will run and determining their requirements. The next step is to locate the components that satisfy those requirements and include them in your run-time image. This can be a laborious process.

An easier way to achieve application compatibility between your run-time image and applications is to use application compatibility macro components, as shown in the following table.

Macro component | Description
Multimedia Application Compatibility | Bundles most of the components that are used to provide Windows-based multimedia services. Includes components that support features such as GDI, kernel streaming, DirectX, OpenGL, and Windows Media.
Networking Application Compatibility | Supports a broad range of Windows-based networking applications.
Shell Application Compatibility | Bundles most of the user interface elements that are contained in the Windows Explorer shell. Includes components for all Control Panel items and for all shell Explorer components.
Windows Management Instrumentation Technologies | Bundles the features that combine to create the Windows Management Instrumentation (WMI) technologies.
Windows Application Compatibility | Bundles the components of the Windows API, including the Advanced, GDI, and kernel-mode and user-mode components.

You can use these macro components during testing to find missing dependencies in your configuration that are related to application compatibility.

Each of these components includes a broad range of applications and has a sizeable footprint. In Target Designer, you can optionally exclude unnecessary components from each of these macro components to reduce the size of your run-time image.

For more information about using the application compatibility macro components, see Using Macro Components to Ensure Application Compatibility in the Windows XP Embedded documentation. For detailed information about the dependencies of each application compatibility macro component, see the Component Help documentation that is included in Windows XP Embedded with SP2.

For more information about Windows XP Embedded and application compatibility, see Application Compatibility in the Windows XP Embedded documentation.

For more information about application development in Windows XP Embedded, see Application Development on the MSDN Web site.

Device Driver Support

Windows XP Embedded with SP2 introduces the Generic Device Driver Support component. You can use this component during the design phase to quickly add support to your run-time image for one or more device classes, including the keyboard, printer, and modem device classes.

You can configure the Generic Device Driver Support component in Target Designer to include support for selected device classes. The device drivers that belong to the device classes that you select are automatically added to your run-time image during the build process. The appropriate class installers for the device classes that you select are also automatically added to your run-time image.

Using the Generic Device Driver Support component can help to reduce development time. However, adding support for entire device classes does impact footprint and build time. This component includes other settings to manage these effects. For example, you can choose whether to include or exclude component resources, such as registry information, from your run-time image. You can also choose whether to process the device driver dependencies of the device classes that your run-time image supports.

There are some limitations to the support that this component can provide. For example, third-party device driver files must be manually added to a configuration that uses the Generic Device Driver Support component. Additionally, some IEEE 1394 devices may have additional driver-related dependencies that are not satisfied by this component. For more information, see the Component Help documentation for Windows XP Embedded with SP2.

The following table shows the settings for the Generic Device Driver Support component.

Setting | Default setting | Description
Device driver class | Cleared | Select one or more of the listed device classes.
Include registry entries and other resources for this component | Cleared | Causes registry data and other resources to be copied into the run-time image. This increases the size of the run-time image that is built and the time that it takes to build it. If this option is not selected, registry data and other driver resources are not added to the run-time image and Plug and Play fills in the registry data later.
Process device driver dependencies | Cleared | Causes device driver dependencies to be processed. Selecting this option increases the time that it takes to check for dependencies.

When class installers are added to the run-time image, a list of tasks is generated. These tasks do not require any action and will be completed during the build process.

Enhanced Write Filter

Enhanced Write Filter (EWF) is an embedded enabling feature that provides disk write-protection capabilities. In Windows XP Embedded with SP2, EWF supports hibernation in RAM and RAM Reg modes. Hibernation makes it possible to save to and boot from a file (a hibernation file) that defines the state of a system. Booting from a hibernation file reduces boot time and allows you to preserve system state through multiple reboots.

For more information about using EWF with hibernation, see Hibernation and EWF in the Windows XP Embedded documentation.

Minlogon

Minlogon is an embedded enabling feature that provides Windows logon support for a single-user environment. In Windows XP Embedded with SP2, the Minlogon environment supports the hibernation and standby power management features. Windows XP Embedded with SP2 supports these power management features by including the power management application. This application contains a DLL called Xpepm.dll that makes it possible to use standard power management features in configurations that do not include the Windows user interface for the Start menu.

For information about how to support hibernation and standby in your run-time image, see Power Management Application in the Windows XP Embedded documentation.

Documentation

Windows XP Embedded with SP2 provides documentation that integrates the latest information with tutorials and how-to topics to make it easier to get the most out of Windows XP Embedded. The documentation includes new information about embedded enabling features such as Device Update Agent (DUA), First Boot Agent (FBA), and Enhanced Write Filter (EWF). It also includes new information about security and servicing, as well as detailed information about using Windows Firewall.

The Component Help documentation now includes dependency lists for all components, as well as included interfaces, files, and registry information. The table of contents for the Component Help documentation has been reworked to mirror the organization of components in the Windows Embedded Studio component database.

For more information about changes to the documentation for Windows XP Embedded with SP2, see What's New in the Windows XP Embedded documentation. The Component Help documentation is provided in Windows XP Embedded with SP2.

Building Security into a Run-Time Image

Windows XP Professional SP2 provides new security technologies and default settings that provide increased security. Windows XP Embedded with SP2 incorporates Windows XP Professional security changes and adds new support for run-time management and servicing. The result is increased security for device development with Windows XP Embedded. This section summarizes the security changes for Windows XP Embedded with SP2 and describes how they affect the device development process.

Windows Security Changes

Windows XP Professional SP2 provides broad security changes that affect the functional areas shown in the following table.

Area | Description of change
Network protection | Provides increased protection against network-based attacks. Includes enhancements to Windows Firewall and changes to Remote Procedure Call (RPC) that reduce the Windows surface area that is exposed to attack.
Memory protection | Increases protection against buffer overruns. Where possible, supplies operating system support for hardware-enforced data execution prevention (DEP).
E-mail handling | Includes default settings that increase security and offers improved control of e-mail attachments.
Browsing security | Improves the security of the Local Machine zone to prevent malicious scripts from running. Provides increased protection against harmful Web downloads. Provides improved user controls and user interfaces to help users be informed about the execution of malicious ActiveX controls and spyware on their devices.
Computer maintenance | Provides support for Security Center, a central location for users to get information about the security of their devices. Provides Windows Installer to increase the security of the software installation process.

For detailed information about security changes in Windows XP Professional SP2, see the white paper entitled Changes to Functionality in Microsoft Windows XP Service Pack 2 on the Microsoft Web site.

Security Considerations

The process of building security into an embedded run-time image begins in the design phase and continues into the servicing phase. Some fundamental considerations for building security into a run-time image include:

  • Reduce surface area to reduce exposure to attack.
  • Use default settings that reduce exposure to attack.
  • Add support for run-time management and servicing to make it easier to update devices and address security vulnerabilities.

The Windows security changes include some surface area reductions. You can further increase the security of your run-time image by including only the components that your device requires. This will reduce the surface area of your run-time image and its vulnerability to attack.

Reducing your exposure to attack also means eliminating unnecessary services from your run-time images or setting services to be disabled. For information about the Windows Embedded Studio components that supply Windows services, see Componentized Windows Services in the Windows XP Embedded documentation.

The Windows security changes affect a wide range of Windows features and their default settings. If your devices use applications that require certain default settings, you may have to resolve incompatibilities by rewriting the code of those applications, or by changing the default settings of the affected features on your run-time image.

One of the most important security changes in Windows XP Embedded is that Windows Firewall is enabled by default. You can configure the firewall to open specific ports and to allow only certain applications to communicate through ports. Windows Firewall is described in more depth earlier in this white paper. For information about configuring Windows Firewall in your run-time image, see How to Configure Windows Firewall on a Run-Time Image in the Windows XP Embedded documentation.

Windows XP Embedded with SP2 also includes a new registry key to improve Remote Procedure Call (RPC) security. The RestrictRemoteClients registry key prevents remote access to RPC interfaces that exist on a computer. For more information about Windows XP Embedded and RPC, see RPC Interface Restriction in the Windows XP Embedded documentation.
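The firewall configuration and the RPC restriction described in the two preceding paragraphs, applied from a command prompt on a deployed image; this is an added example, not a script from the white paper or from Windows XP Embedded. The port, program path, and address range are placeholders, and the key under which RestrictRemoteClients is written is the RPC policy key that Windows XP SP2 reads.

```batch
@echo off
rem Added example (not from the white paper): apply the On-by-Default firewall
rem posture with narrow exceptions, then restrict remote RPC clients.
rem Run from an administrator command prompt on the deployed run-time image.
rem Port 8080, C:\DeviceApp\deviceapp.exe and 192.168.10.0/24 are placeholders.

rem --- Windows Firewall -------------------------------------------------------
rem Record the current state before changing anything.
netsh firewall show state

rem Keep the firewall on for every profile. Exceptions stay enabled so that
rem only the specific rules added below are allowed through.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem Open one TCP port, limited to the management subnet instead of scope=ALL.
netsh firewall add portopening protocol=TCP port=8080 name="Device management (placeholder)" mode=ENABLE scope=CUSTOM addresses=192.168.10.0/255.255.255.0

rem Allow one application through the firewall, limited to the local subnet.
netsh firewall add allowedprogram program="C:\DeviceApp\deviceapp.exe" name="Device application (placeholder)" mode=ENABLE scope=SUBNET

rem --- RPC interface restriction ---------------------------------------------
rem RestrictRemoteClients (REG_DWORD):
rem   0 = no restriction (pre-SP2 behaviour)
rem   1 = SP2 default: anonymous remote RPC calls are refused, interfaces may opt out
rem   2 = all anonymous remote RPC calls are refused, no exemptions
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" /v RestrictRemoteClients /t REG_DWORD /d 1 /f

rem --- Verify -----------------------------------------------------------------
netsh firewall show config
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" /v RestrictRemoteClients
```

The value written for RestrictRemoteClients takes effect after the device restarts; the firewall rules apply immediately.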

Designing a servicing strategy into your run-time image increases the security of your device over its lifetime. The following section provides information about new servicing support in Windows XP Embedded with SP2.

For general information about how to increase device security, see Network Security Considerations in the Windows XP Embedded documentation.

For information about network security components that you can add to your run-time image, see Network Security Components in the Windows XP Embedded documentation. This page maps components to the security binaries that they include.

For more information about building security into your run-time image, see Add Security Features to a Run-Time Image in the Windows XP Embedded documentation.

Managing and Servicing a Run-Time Image

Windows XP Embedded with SP2 offers new support for embedded run-time management and servicing. This section briefly describes these new management and servicing options. For more information about servicing with Windows XP Embedded, see Servicing in the Windows XP Embedded documentation.

Servicing Run-Time Images with Microsoft Software Update Services

Windows XP Embedded with SP2 provides support for Microsoft Software Update Services (SUS). SUS provides a complete servicing solution for managing the distribution of Windows updates to Windows clients, including Windows XP Embedded. SUS makes it possible for updates to be automatically installed on deployed devices, and for you to manage the update process remotely.

To use SUS as your servicing solution, you must set up and configure a SUS server on your intranet. The configured SUS server component provides you with a Windows Update Server that polls the Microsoft Windows Update Web site and downloads the available updates. SUS uses Internet Information Services (IIS) and Background Intelligent Transfer Service (BITS) to download updates to clients.

After the SUS server is created, an administrator manages the update process. Administrative tasks include configuring the Group Policy settings on deployed devices, and testing and approving Windows updates for distribution to deployed devices.

The following table shows the client components that are provided by Windows XP Embedded with SP2 in the Windows Embedded Studio component database.

Component | Description
Windows Update Agent | Obtains updates for clients from the Microsoft Windows Update Web site. Provides the Windows Update Agent service called Automatic Updates.
Windows Update Agent for SUS 1.0 Servers | Provides the files that are required to use the Microsoft Windows Update Web site.
Windows Update for Device Drivers | Obtains drivers from Windows Update for Device Manager wizards.

In addition to installing and configuring a SUS server, you must build support for SUS into your run-time image. This support is provided by adding the Windows Update Agent component, and the Windows Update Agent for SUS 1.0 Servers component, to your configuration.

None of the client components include settings that are configurable in Target Designer. Instead, the client components are configured by updating Group Policy after the run-time image is deployed. You can use Microsoft Active Directory or Microsoft Management Console (MMC) to update Group Policy on a deployed run-time image. You can also use Registry Editor to edit the registry directly.
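The Group Policy values that direct the Windows Update Agent to an intranet SUS server can also be written to the registry directly, as the paragraph above notes. The script below is an added example, not part of the white paper or of Windows XP Embedded; http://sus-server is a placeholder for your own SUS server, and the value names are the Automatic Updates policy values that the agent reads.

```batch
@echo off
rem Added example (not from the white paper): configure the Windows Update
rem Agent on a deployed run-time image to take updates from an intranet SUS
rem server. Run from an administrator command prompt on the device.
rem http://sus-server is a placeholder for the real SUS server URL.

set WUKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

rem Server that supplies approved updates, and server that receives client
rem status reports (normally the same host).
reg add "%WUKEY%" /v WUServer /t REG_SZ /d "http://sus-server" /f
reg add "%WUKEY%" /v WUStatusServer /t REG_SZ /d "http://sus-server" /f

rem Automatic Updates settings:
rem   UseWUServer=1   use the intranet server above instead of Windows Update
rem   NoAutoUpdate=0  keep Automatic Updates enabled
rem   AUOptions=4     download automatically and install on the schedule below
rem                   (2 = notify before download, 3 = download then notify)
reg add "%WUKEY%\AU" /v UseWUServer /t REG_DWORD /d 1 /f
reg add "%WUKEY%\AU" /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add "%WUKEY%\AU" /v AUOptions /t REG_DWORD /d 4 /f

rem ScheduledInstallDay 0 = every day (1 = Sunday ... 7 = Saturday);
rem ScheduledInstallTime is the hour of day, 0-23.
reg add "%WUKEY%\AU" /v ScheduledInstallDay /t REG_DWORD /d 0 /f
reg add "%WUKEY%\AU" /v ScheduledInstallTime /t REG_DWORD /d 3 /f

rem Show what was written, then restart the Automatic Updates service
rem (wuauserv) so that it reads the new policy.
reg query "%WUKEY%" /s
net stop wuauserv
net start wuauserv
```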

For more information about the Windows Update Agent components, including component dependencies, see the Component Help documentation in Windows XP Embedded with SP2.

For detailed information about using SUS to service embedded run-time images, see the white paper entitled Using SUS with Windows XP Embedded with Service Pack 2, on the MSDN Web site.

Servicing Run-Time Images with Microsoft Systems Management Server

Microsoft® Systems Management Server (SMS) is an enterprise-level management solution that provides security patch management capabilities, client monitoring, and reporting for all Windows clients in a domain. Embedded developers can now use SMS to manage the deployment of security patches to Windows XP Embedded-based devices. Client and server components for SMS are not included in the Windows Embedded Studio component database and must be separately obtained.

For more information about SMS, see the Microsoft Systems Management Server Web site.

For More Information

For more information about Windows XP Embedded, see the Windows XP Embedded documentation on the MSDN Web site.

For detailed information about the changes that are included in Windows XP Professional SP2, see the white paper entitled Changes to Functionality in Microsoft Windows XP Professional Service Pack 2 on the Microsoft Web site.