FabGuard Auto Start and Windows Update Support for Windows 10

Jennifer Taylor – Software Test Manager, FabGuard Product Group, Newton MA

For FabGuard to work properly in a Windows 10 environment, a couple of modifications need to be made to support the FabGuard AutoStart capability and restrict Windows Update operation.

Background

The Windows 7 operating system reduces security risks by isolating services in a Session 0 secure desktop and making the Session 0 desktop non-interactive with the regular desktop. In general, only system processes and services run in the Session 0 secure desktop. For example, any application that FabGuard AutoStart Service launches, such as FabGuard.exe, will be launched into a secure desktop that the regular user login cannot see. If “Interactive Detection Service” is started, users are notified that there is an application launched in the secure desktop. A “View the message” dialog appears in the taskbar to notify users there is an application in the Session 0 secure desktop. Users can click the link to bring up the user interface of the application in the secure desktop. This allows the user to access the application in a secure desktop with a 2-minute timeout.

In Windows 10, Session 0 works the same way with one very important exception. In Windows 10, the Session 0 secure desktop has no mouse or keyboard functionality for the user. The only way to get out of the secure desktop is to wait for the 2-minute timer to expire. This is not ideal and can affect data collection and analysis.

Solution 1

Continue to use FabGuard AutoStart Services with the intention that a user will never need to see or use the FabGuard IPM, FabGuard Multiplexer, or FabGuard Executive user interface. Users will have to use FabGuard Web or FabGuard Client to make changes to I/O, Recipes, Recipe Plans, and Reports and Models. If a user needs to add or change I/O Connections for SECS, Sensors, OPC connections, NIDAQmx, etc., they will have to use FabGuard Web to exit the FabGuard IPM program. The user will then have to restart FabGuard.exe manually with an administrative user, make the changes in the application, and exit the application. FabGuard AutoStart Service will then re-launch FabGuard IPM, FabGuard Multiplexer, or FabGuard Executive. This will start the application back in the Session 0 secure desktop.

Solution 2

Use FabGuard AutoStart Program instead of FabGuard AutoStart Service. This uses a program, rather than a service, to start the relevant application (FabGuard IPM, FabGuard Multiplexer, or FabGuard Executive). The AutoStart programs have no user interface but require a Windows user to be logged in. The AutoStart programs are added to the Windows Run registry entry so that they start automatically when a Windows user logs in.

An application started by a Windows program requires a Windows user to be logged in for the application to execute. This prevents those Windows users from logging off from Windows without first exiting FabGuard IPM, FabGuard Multiplexer, or FabGuard Executive. These applications will not run if no Windows user is logged in. Therefore, the Windows user should never log off from Windows because it will disrupt both FDC and all communication between the tool and Automation. When using the AutoStart Program, a check is performed every 60 seconds to make sure the FabGuard applications are still running.

Windows Update Concerns When Using Windows 10

Figure 1: Windows Update Properties showing the disabled Windows Update.

With Windows 10, Windows Update automatic restart is very hard to disable. The update can be deferred to a scheduled time; however, this is rarely ideal for factory operations. To disable the Windows Update automatic restart, the Windows Update Service will have to be disabled. There are other registry hacks and some Local Policy settings that could be modified, but the simplest way to make sure that the Windows Update Service doesn’t download updates and reboot the PC is to disable the service. If users want to do an update, they can enable it again and run an update.

To disable the Windows Update Service:

  1. Go to Control Panel->Administrator Tools->Services. Find “Windows Update.”
  2. Right click “Windows Update” and go to Properties.
  3. Click the Stop button.
  4. Use the dropdown to select “Disabled” and click OK (Figure 1).
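The same steps can be scripted from an elevated PowerShell prompt. The following is an added example, not code from the FabGuard product or its vendor; it assumes the service behind the "Windows Update" display name is wuauserv, and the function names are hypothetical. It also reports the resulting state so that a service that is no longer Stopped/Disabled is noticed, and includes the reverse operation for a planned update window.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Assumption: 'wuauserv' is the service name
# behind the "Windows Update" display name used in the steps above.
$ServiceName = 'wuauserv'

function Get-UpdateServiceState {
    # Win32_Service exposes both the run state and the configured start mode.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State       # Running / Stopped
        StartMode = $svc.StartMode   # Auto / Manual / Disabled
        Locked    = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
    }
}

function Disable-UpdateService {
    # Steps 3 and 4: stop the service, then set its startup type to Disabled.
    Stop-Service -Name $ServiceName -Force -ErrorAction Stop
    Set-Service  -Name $ServiceName -StartupType Disabled
    Get-UpdateServiceState
}

function Enable-UpdateServiceForMaintenance {
    # Reverse of the above, for a planned update window.
    Set-Service   -Name $ServiceName -StartupType Manual
    Start-Service -Name $ServiceName
    Get-UpdateServiceState
}

# Apply the procedure and confirm the result instead of assuming it held.
$state = Disable-UpdateService
if (-not $state.Locked) {
    Write-Warning ("{0} is {1} with start mode {2}; expected Stopped/Disabled." -f
        $state.Name, $state.State, $state.StartMode)
}
$state | Format-List
```

Get-UpdateServiceState can be run again later on its own to confirm the setting is still in place; call Enable-UpdateServiceForMaintenance before a manual update and Disable-UpdateService afterwards.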

Summary

It is necessary to make modifications to the FabGuard AutoStart capability and restrict Windows Update operation for FabGuard to work properly in a Windows 10 environment.