Windows IoT Enterprise includes many embedded features to customize your system. But the configuration of the new systems is very hard because the Embedded Lockdown Manager (this tool was included in Windows Embedded 8.1 Industry Pro for example) was not carried over to Windows 10 IoT Enterprise.
That’s why we created the Embedded Configuration Manager. The Embedded Configuration Manager has even more functionality than the original Microsoft Embedded Lockdown Manager. The new tool can be used as a central management place for all Embedded related settings. It allows to activate or deactivate features and also to manage and configure them with ease.

The tool is designed to work with the following operating systems:

  • Windows Embedded 8 Standard
  • Windows Embedded 8.1 Industry Pro
  • Windows 10 IoT Enterprise 2015 LTSB
  • Windows 10 IoT Enterprise 2016 LTSB
  • Windows 10 IoT Enterprise 2019 LTSC
  • Windows 10 IoT Enterprise SAC

  • Windows 10 IoT Enterprise 2021 LTSC

First Steps

How to start

To start the Embedded Configuration Manger please insert your received USB device, open your file explorer, go to the USB device directory and start “Embedded Configuration Manager.exe”.

How to use

Please read our manual carefully before using the ECM, do not ignore our warning messages and follow the given instructions.

Evaluation Version

We now also offer an evaluation version of the Elbacom Embedded Configuration Manager. If you are interested in testing the latest version, please click here:

Preinstall Embedded Configuration Manager

Add additional value to your devices and ship them together with Embedded Configuration Manager preinstalled.
It is now possible to preinstall Embedded Configuration Manager, so your customers can then easily configure the Lockdown Features and make use of them without needing to be an embedded expert!

Here is why ECM2Go is interesting for customers:

  • OEMs develop devices that are being further customized by their customers. ECM2Go will add additional value to their devices since their customer can easily configure Windows to their needs. Without ECM2Go most customers don’t use the Embedded Lockdown features at all as they are not easily accessible.
  • Devices are in the field and should be services easily with ECM2Go. The ECM2Go is installed on the devices and ready to be used.
  • Devices should be services via Team Viewer or similar solutions. The ECM2Go is installed and licensed for this device so it can be used via the remote session.

Main scenarios are:

  • Enabling / Disabling Windows Update
  • Changing the Unified Write Filter configuration
  • Modifying Shell Launcher
  • And many more

If you are interested in preinstalling, please contact us for more details!


To find out which embedded lockdown features are available for your Windows installation, just launch the Embedded Configuration Manager. On the first configuration page you will get a complete list of all available features. To enable them, just toggle the switch in front of their name and click on “Apply”. After a reboot the features are available for configuration.
The tool will list all available features that can be configured on the left side. Every setting is described in detail and can be configured with just a few mouse clicks.

Automatic program updates

At first start-up you will be asked if you would like to enable the auto-update function to automatically receive future updates for the ECM. This can be hanged anytime with the “Check for updates automatically” setting. It is also possible to check for updates manually by pressing the “Check for updates” button.

Assigned Access

With the Assigned Access configuration you can easily select a modern Universal Windows Platform App that should be the default shell for a specific user.
With the “Enable KioskMode” functionality, that is only available through the Embedded Configuration Manager on Windows 10 IoT Enterprise 2016 versions, you can also completely suppress the Windows Desktop to ensure the user cannot exit the app!

Custom Logon

These settings allow to easily setup an automatic logon for a specific user and allows you to configure the branding settings. With the branding settings, you can easily suppress the complete Logon UI and hide certain elements, such as the power button or ease of access button from the logon screen!

Embedded Boot

The Embedded Boot settings allow to easily brand the boot experience. You can disable the boot logo, text and status ring, or block access to the F8 and F10 boot menu. These settings are important if you want to build a completely branded device. The Embedded Boot settings allow to easily brand the boot experience. You can disable the boot logo, text and status ring, or block access to the F8 and F10 boot menu. These settings are important if you want to build a completely branded device.

Keyboard Filter

The Keyboard Filter settings allow you to simply block keys or key combinations, such as Ctrl+Alt+Del. These combinations can be selected from a wide range of pre-defined keys, or you can easily add a custom combination that should be blocked. The keyboard filter allows to block keys based on the key ID, such as Z, the keys will be blocked regardless of the keyboard layout. If the keyboard layout changes and the key wanders to a different location it will be blocked there as well. Alternatively the keys can be blocked based on the keys scan code. In this case the physical key on the keyboard will be blocked, ignoring what key is currently mapped from the keyboard layout.

The keyboard filter also allows to change the breakout key or to completely disable it.
The breakout key allows a user to break out of an account that is locked down, e.g. with a custom shell. Pressing the breakout key 5 times in a row will get the user to the Welcome screen so he can login with another user account.
Per default the breakout key is the Windows key.
It is recommended to change the key or to completely disable the functionality and handle this scenario solely through the custom shell application.

OEM Information

The new feature allows you to easily modify the OEM Information of your devices.
This information is shown in the System properties and allows the end user to see who the manufacturer of the device is –  and where to get support.

Shell Launcher

The Shell Launcher allows to setup different shells for different users or groups. With the Embedded Configuration Manager the programs that should be used as shell for a specific user can be configured very easily.
With the shell launcher you can configure a default shell for the standard users, so they can use the shell application only but cannot access anything else in the system.
Administrators however, can be configured to boot into the regular Windows Explorer shell so they can use the full desktop experience to configure and service the devices.

Unified Write Filter

Windows 10 IoT Enterprise contains the Unified Write Filter (referred as UWF in the following) feature to protect the system from unwanted changes. Unfortunately, Windows itself will fill up the overlay within a few minutes.

Because of this, the feature is unusable in production as Windows might crash the system.

The Embedded Configuration Manger now contains a feature that will optimize your system for the Unified Write Filter usage with just one click. Use the optimization before enabling the UWF.

This will reduce the writes of Windows itself to the overlay and allows the usage of UWF again!

The tool allows to configure the overlay settings, such as size and type.

You can easily add volumes to the protection and create exclusions based on files or folders and registry keys under HKEY_LOCAL_MACHINE.

NOTE: Enabling or changing settings of the Unified Write Filter requires a reboot!

USB Device Policy

The USB Device Policy allows you to create blacklists of devices that are not allowed to be connected to the system. Simply select a currently connected device and add it to the blacklist. The next time the device is being connected to the system it will no longer be allowed to be installed.
The filtering can be done based on the device ID or device classes. With the device classes you can block devices within a class in general, such as Bluetooth devices.
The tool also allows you to disable the filtering for Administrators or block removable devices in general.


Windows Updates

Disabling the updates in Windows 10 IoT Enterprise is not an easy task as Windows will try to ensure that it can talk to the update service and download new files if needed.
The Embedded Configuration Manger now includes a single click solution to disable Windows Updates and Windows Defender updates completely.

It is also possible to only disable the automatic update search of Windows. Nevertheless, Windows will still perform other updates in the background.
With this feature you have full control to manage the updates on your system again.


With a simple click, the tool can disable toast notifications within Windows, Application Error Dialogs and “Application is not responding” dialogs. This is important to remove any unwanted notifications from other applications or Windows itself.

Power Settings

In the power settings, you can change the power profile to “high performance” to get the most power out of your hardware. The tool also allows you to configure the system, not to turn off the display after a given time and prevent it to go to sleep mode.


In most scenarios OneDrive is not needed on embedded devices. Therefore, the tool allows you to easily turn off OneDrive, so it does no longer run in the background and ask for a configuration.
In case OneDrive should not be disabled completely, the tool also supports to just remove OneDrive from the File Explorer and file open and save dialogs.

Touch Gestures

The tool allows you to disable touch gesture, such as swiping from the right side to open the Action Center. This is very helpful to ensure users stay within the application on touch-based devices.
It also allows to completely disable the whole touch functionality on a device. This can be useful on tablets where the touchscreen should not be used for interaction with the device.

Import / Export Feature & License Manager

You can export all settings now into an XML file. This allows you to create several configuration templates that can easily be imported to other machines.