AppLocker and Layout Control: Enhancing Security and User Experience in Windows IoT

AppLocker and Layout Control on Windows IoT

Windows IoT (Internet of Things) is an operating system specifically designed for embedded devices and IoT solutions. It provides a secure and scalable platform for building smart and connected devices. Two important features of Windows IoT are AppLocker and Layout Control, which play essential roles in device management and user experience.

AppLocker

AppLocker is a security feature offered by Windows IoT that allows administrators to control and restrict which applications can be run on a device. It helps ensure that only trusted and authorized applications are executed, protecting the system from potential threats or unauthorized access.

With AppLocker, administrators can create and manage rules that specify which apps are allowed or blocked based on various criteria. These criteria include the publisher’s identity, the app’s file hash, its location, and other attributes. By using these rules, administrators can dictate precisely which applications are permitted to run on a Windows IoT device. This feature helps enforce security policies and prevents the execution of potentially harmful or unwanted software.

By implementing AppLocker on Windows IoT, administrators can create a more controlled and secure environment, mitigating the risks associated with unauthorized application execution. This feature is particularly crucial in scenarios where devices are deployed in public spaces, industrial settings, or environments with stringent security requirements.

To enable AppLocker on Windows IoT, you can follow these steps:

  1. Run Local Security Policy (secpol.msc) as an administrator.
  2. Go to Security Settings > Application Control Policies > AppLocker, and select Configure rule enforcement.
  3. Check Configured under Executable rules, and then click OK.
  4. Right-click Executable Rules and then click Automatically generate rules.
  5. Select the folder that contains the apps that you want to permit, or select C:\ to analyze all apps.
  6. Type a name to identify this set of rules, and then click Next.
  7. On the Rule Preferences page, click Next. Be patient, it might take a while to generate the rules.
  8. On the Review Rules page, click Create. The wizard will now create a set of rules allowing the installed set of apps.
  9. Read the message and click Yes.
  10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select Properties. Then use the dialog to choose a different user or group of users.
  11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting Delete.
  12. Before AppLocker will enforce rules, the Application Identity service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run: sc config appidsvc start=auto
  13. Restart the device.

By following these steps, you will enable AppLocker on your Windows IoT device and have the ability to create and enforce rules to control and restrict which applications can be run on the device.
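The same procedure can be scripted with the built-in AppLocker PowerShell cmdlets. The following is an added example, not part of the original article; it goes one step further than the wizard by staging the rules in audit mode and checking coverage before anything is enforced. The folder, output path, rule-name prefix and mode variable are assumptions.

```powershell
# Added example (not from the article): scripted form of the steps above. Run elevated.
# Assumed values: $AppFolder, $PolicyFile, the 'PermittedApps' prefix and $Mode.
$AppFolder  = 'C:\Program Files'             # folder that contains the permitted apps
$PolicyFile = "$env:TEMP\applocker-exe.xml"  # where the generated policy is saved
$Mode       = 'AuditOnly'                    # change to 'Enabled' once the audit log is clean

# Steps 4-8: inventory the executables and generate allow rules for them.
# Publisher rules are tried first; unsigned files fall back to file-hash rules.
$files = Get-AppLockerFileInformation -Directory $AppFolder -Recurse -FileType Exe
[xml]$policy = $files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'PermittedApps' -Optimize -Xml

# Steps 2-3: configure rule enforcement for the Executable rule collection.
$policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Exe' } |
    ForEach-Object { $_.SetAttribute('EnforcementMode', $Mode) }
$policy.Save($PolicyFile)

# Pre-check: rules generated from one folder do not cover Windows itself.
# Count the System32 executables that this policy would not allow for Everyone.
$sys = (Get-ChildItem "$env:windir\System32" -Filter *.exe -File).FullName
$uncovered = Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $sys -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' }
"{0} of {1} System32 executables have no allow rule" -f @($uncovered).Count, $sys.Count

# Apply to the local policy. This replaces existing local rules; add -Merge to keep them.
Set-AppLockerPolicy -XmlPolicy $PolicyFile

# Step 12: rules are ignored until the Application Identity service runs.
# In Windows PowerShell "sc" is an alias for Set-Content, so call sc.exe explicitly.
sc.exe config appidsvc start= auto

# Step 13: restart, exercise the device, then review what enforcement would block.
# 8003 = would have been blocked (audit mode), 8004 = blocked (enforced).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message
```

If the pre-check reports uncovered system binaries, generate rules from a broader folder (step 5 suggests C:\) before setting the mode to Enabled.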

Layout Control

Layout Control is a powerful feature available on Windows IoT that allows the customization and management of device UI layouts. It enables administrators to define and control the arrangement, appearance, and behaviour of applications and graphical user interfaces on IoT devices.

With Layout Control, administrators can design and deploy visually consistent and cohesive user experiences across multiple devices. It provides the ability to create custom layouts, define and manage resizable regions, control window behaviour, and handle screen resolutions and orientations effectively.

This feature is particularly useful when building IoT solutions that require consistent branding, standardized user interfaces, and optimized use of screen real estate. By leveraging Layout Control, developers and administrators can ensure that applications and interfaces on Windows IoT devices are tailored to their specific use cases and provide a seamless user experience.

Furthermore, Layout Control simplifies the management and control of device interfaces, particularly in scenarios where multiple applications or dashboard views need to be displayed simultaneously. It enables administrators to create the desired layout once and apply it across many devices, simplifying deployment and reducing maintenance efforts.

1. Setting Up a Customized Start Layout

A standard Start layout that is tailored to specific needs can prove beneficial for shared devices or those restricted to specialized purposes. The most straightforward approach to creating a customized Start layout for other Windows devices involves configuring the Start screen on a test computer and subsequently exporting the layout.

Once the layout is exported, you have the choice to apply either a full Start layout or a partial Start layout. With a full Start layout, users will be unable to pin, unpin, or uninstall apps from the Start menu. They will have access to view and open all apps in the All Apps view but won’t be able to pin any apps to Start.

On the other hand, a partial Start layout restricts changes to the specified tile groups’ contents, but users retain the ability to move these groups and create custom groups to suit their preferences.

You can deploy the resulting .xml file to devices using one of the following methods:

2. Secondary Tiles

Secondary tiles offer a convenient way for users to pin specific content and deep links from your app directly onto their Start menu. This functionality ensures effortless future access to the desired content within your application.

Incorporating secondary tiles into your app not only facilitates quick and efficient re-engagement for users but also encourages them to return to your app more frequently. The seamless access provided by secondary tiles enhances user experience and boosts app usability.

3. Customizing the Windows 10 Taskbar

The process of configuring the taskbar layout enables organizations to pin essential apps and remove default pinned apps, creating a tailored user experience. When modifying the taskbar layout through the XML file, the layout itself is the only aspect that can be configured. Additionally, it is possible to specify different taskbar configurations based on the device’s locale and region. There is no restriction on the number of apps that can be pinned, and you can identify apps using either the Application User Model ID (AUMID) or the Desktop Application Link Path (the local path to the application).

It’s important to note that if you specify an app to be pinned, and that app is not provisioned for the user on the computer, the pinned icon will not appear on the taskbar. The order in which apps appear in the XML file determines their positioning on the taskbar from left to right, to the right of any existing apps already pinned by the user. This allows for precise customization and organization of the taskbar layout.

To configure the taskbar:

  1. Create the XML file.
    • If you are also customizing the Start layout, use Export-StartLayout to create the XML, and then add the <CustomTaskbarLayoutCollection> section from the following sample to the file.
    • If you are only configuring the taskbar, use the following sample to create a layout modification XML file.
  2. Edit and save the XML file. You can use AUMID or Desktop Application Link Path to identify the apps to pin to the taskbar.
    • Add xmlns:taskbar="" to the first line of the file, before the closing >.
    • Use <taskbar:UWA> and AUMID to pin Universal Windows Platform apps.
    • Use <taskbar:DesktopApp> and Desktop Application Link Path to pin desktop applications.
  3. Apply the layout modification XML file to devices using Group Policy or a provisioning package created in Windows Imaging and Configuration Designer (Windows ICD).
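The sketch below is an added example, not the article's own sample: it writes a taskbar-only layout modification file and then checks, in pin order, whether each entry resolves on the device, since a pin for an app that is not provisioned silently fails to appear. The two pinned apps and the output path are illustrative assumptions.

```powershell
# Added example (not from the article). Pinned apps and $LayoutFile are assumptions.
$LayoutFile = "$env:TEMP\TaskbarLayoutModification.xml"
@'
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
    xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
    Version="1">
  <CustomTaskbarLayoutCollection>
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
        <taskbar:UWA AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
  </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
'@ | Set-Content -Path $LayoutFile -Encoding UTF8

# Parse the file and register the taskbar namespace so the pin list can be queried.
[xml]$layout = Get-Content -Path $LayoutFile -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($layout.NameTable)
$ns.AddNamespace('taskbar', 'http://schemas.microsoft.com/Start/2014/TaskbarLayout')
$installed = (Get-StartApps).AppID   # AUMIDs available to the current user

# File order is the left-to-right taskbar order; flag pins that will not appear.
$position = 0
foreach ($pin in $layout.SelectNodes('//taskbar:TaskbarPinList/*', $ns)) {
    $position++
    if ($pin.LocalName -eq 'UWA') {
        $target = $pin.AppUserModelID
        $ok     = $installed -contains $target
    } else {
        $target = $pin.DesktopApplicationLinkPath
        $ok     = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($target))
    }
    [pscustomobject]@{ Position = $position; Kind = $pin.LocalName
                       Target = $target; Resolvable = $ok }
}
```

Run the check as the account that will use the device, because both Get-StartApps and %APPDATA% are evaluated per user.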


In conclusion, AppLocker and Layout Control are vital components of Windows IoT that contribute to both security and user experience in IoT environments. The combination of AppLocker’s application control and Layout Control’s UI customization capabilities provides administrators with the tools they need to create secure and user-friendly IoT solutions.
