Often when we talk with customers who are interested in purchasing a HoloLens 2, one of their main concerns is security. Most questions follow along the lines of “How secure can this device be? – a remote headset with cameras – sitting on my network, attached to other remote devices, sharing documents.” Understandably, our clients are concerned about our 21st-century threat environment. Between utility hacks and massive data breaches, companies have a right to be worried. This blog will seek to answer many of the frequently asked questions regarding security on the HoloLens 2 so that your organization can use this technology with confidence.
This section will go over many of the top security concerns people have when considering if they should integrate the HoloLens 2 into their organization. Included is information on Security Architecture, Microsoft’s HoloLens 2 Security Practices, and other helpful information.
Is the HoloLens 2 a potential weak point in our current Infrastructure?
The HoloLens 2 security architecture was designed to be free from legacy security issues while minimizing vulnerabilities. This architecture offers secure storage locations and advanced security elements, with systems capable of shielding the device from potential threats and vulnerabilities.
What are some examples of architecture security features on the HoloLens 2?
- State Separation and Isolation
- Remote Wipe
- Secure login options
  - Iris recognition
  - PIN
  - Password
  - Secure USB
  - Certificate
- BitLocker Device Encryption
- Sandboxed applications and data
How does State Separation and Isolation help protect my device?
State Separation protects critical portions of the HoloLens 2 operating system from change – such as those required for the core operating system to boot into a trusted state. Isolation technology confines untrusted apps to their own sandbox so that they cannot affect system security. Together, these features significantly improve platform integrity, malware resistance, and user data protection.
How can I protect myself from a lost or stolen device?
In the case of a compromised device, whether it was lost, stolen, or broken, users have the capability to initiate a hard drive wipe remotely. This can be set up through Mobile Device Management (MDM) systems which will allow system administrators to initiate a remote wipe of the device, reverting it to factory settings and preventing the use of stolen data.
Further protections can be put in place such that a device is not even usable or accessible without the proper credentials. AutoPilot, for example, allows system administrators to configure HoloLens 2 devices so that they must always check into a specific tenant. If the device cannot reach that tenant or does not provide the proper credentials, the device is unable to be used beyond powering it on or off.
Additionally, with the proper setup, unauthorized users will not be able to access device data, applications, or documents. For more information about MDM, please refer to the “Should I Use Mobile Device Management (MDM) for the HoloLens 2?” question below.
How does Microsoft protect its users from cyber-attacks?
The goal of most cyber-attacks is to maintain persistent access to a device or, more commonly, to an entire network. With that goal in mind, Microsoft implemented a number of features that seek to prevent persistent access to your device or network. These features include:
- Secure boot
- Windows Anti-Persistence Assurance
- Encryption and Data protection
- BitLocker
- Azure Active Directory
- Trusted Platform Module (TPM)
- UEFI Secure Boot
What Security Features are Included with a Microsoft Account?
- Biometric Iris Authentication
- Windows Hello PIN
- Password
What Security Features are included in Azure Active Directory?
You can have 64 accounts per device. Features include:
- Azure web credential provider
- Two-Factor Authentication
- Biometric Iris Authentication
- Windows Hello PIN
- Password
What Operating System does the HoloLens 2 run on?
Windows 10 Holographic. This Operating System provides organizations with built-in mobile device and app management technologies. Windows 10 Holographic supports end-to-end device lifecycle management to give companies control over their devices, data, and apps. The HoloLens 2 can easily be incorporated into standard lifecycle practices, from device enrollment, configuration, and application management to maintenance.
Should I Use Mobile Device Management (MDM) for the HoloLens 2?
Yes. MDM allows you to retain control of your device if it is lost, factory reset, or if you forget the PIN or password. Without MDM, if you forget your PIN or lose your password you may lose control of your device, and your only option will be a factory reset. Certain forms of MDM, like AutoPilot, can also provide protection from malicious factory resets if a device is stolen, allowing an organization to maintain control over its hardware at all times. Based on our experience, MDM is the smartest and safest way to maintain control of your devices.
What can I manage Using Mobile Device Management on the HoloLens 2?
- Wi-Fi access
- Certificates
- Proxy
- VPN
- Updates
- Kiosk Mode
What are Some Common Device Restrictions you can Implement on the HoloLens 2?
Employees are usually allowed to change certain personal device settings that you may want to lock down on corporate devices. Employees can interactively adjust certain settings of the HoloLens through the settings UI. Using MDM, you can limit what users are allowed to change. The following lists commonly used MDM settings that Windows 10 Holographic supports to configure settings restrictions:
Software settings
- Prevent changing of settings
  - VPN configuration
  - Wi-Fi configuration
  - Mobile device management
Hardware Restrictions
- Allow Wi-Fi
- Allow USB connection
- Allow Bluetooth
- Restrict camera access
- Restrict microphone access
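As an added example (not from the original post, and not Microsoft's or SphereGen's code), here is a small Python audit of the kind of MDM payload that carries these restrictions. Windows 10 Holographic receives policy as SyncML items addressed to Policy CSP paths; the paths used below (Connectivity/AllowUSBConnection, Connectivity/AllowBluetooth, Camera/AllowCamera, Wifi/AllowWiFi, Privacy/LetAppsAccessMicrophone) are real Policy CSP names, but whether each is honoured on a given Holographic build should be confirmed against the HoloLens CSP documentation. The SyncML fragment is constructed, and the baseline values are this example's own policy choice: the weak payload deliberately leaves USB data connections enabled and omits the microphone policy so the audit has something to flag, and the script then emits a corrected payload.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed SyncML body of the kind an MDM server pushes to a HoloLens 2.
# The Policy CSP paths are real; the values are a deliberately weak example
# (USB data connection left on, microphone policy never set).
WEAK_PAYLOAD = """<SyncBody>
  <Replace>
    <CmdID>1</CmdID>
    <Item>
      <Target><LocURI>./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowUSBConnection</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
      <Data>1</Data>
    </Item>
  </Replace>
  <Replace>
    <CmdID>2</CmdID>
    <Item>
      <Target><LocURI>./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowBluetooth</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
      <Data>0</Data>
    </Item>
  </Replace>
  <Replace>
    <CmdID>3</CmdID>
    <Item>
      <Target><LocURI>./Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
      <Data>0</Data>
    </Item>
  </Replace>
  <Replace>
    <CmdID>4</CmdID>
    <Item>
      <Target><LocURI>./Device/Vendor/MSFT/Policy/Config/Wifi/AllowWiFi</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
      <Data>1</Data>
    </Item>
  </Replace>
</SyncBody>"""

POLICY_PREFIX = "./Device/Vendor/MSFT/Policy/Config/"

# Baseline for a locked-down corporate headset. These values are this example's
# policy decision, not a Microsoft recommendation:
#   AllowUSBConnection 0 = no USB data connection; AllowBluetooth 0 = off;
#   AllowCamera 0 = camera disabled; AllowWiFi 1 = on (the device still needs
#   to reach the MDM tenant); LetAppsAccessMicrophone 2 = force deny for apps.
BASELINE = {
    "Connectivity/AllowUSBConnection": "0",
    "Connectivity/AllowBluetooth": "0",
    "Camera/AllowCamera": "0",
    "Wifi/AllowWiFi": "1",
    "Privacy/LetAppsAccessMicrophone": "2",
}


def parse_policies(payload):
    """Return {policy path without prefix: value} for every Policy CSP item."""
    root = ET.fromstring(payload)
    found = {}
    for item in root.iter("Item"):
        loc = item.findtext("Target/LocURI", default="").strip()
        data = item.findtext("Data", default="").strip()
        if loc.startswith(POLICY_PREFIX):
            found[loc[len(POLICY_PREFIX):]] = data
    return found


def audit(payload, baseline=BASELINE):
    """Compare the pushed policies against the baseline.
    Returns (mismatched, missing): mismatched maps path -> (expected, actual);
    missing lists baseline paths the payload never sets, which matters because
    an unset policy leaves the device default in force."""
    found = parse_policies(payload)
    mismatched = {p: (v, found[p]) for p, v in baseline.items()
                  if p in found and found[p] != v}
    missing = [p for p in baseline if p not in found]
    return mismatched, missing


def build_syncml(settings):
    """Emit a SyncML body that sets every policy in `settings` (all int-typed)."""
    items = []
    for n, (path, value) in enumerate(settings.items(), start=1):
        items.append(
            "  <Replace>\n"
            f"    <CmdID>{n}</CmdID>\n"
            "    <Item>\n"
            f"      <Target><LocURI>{escape(POLICY_PREFIX + path)}</LocURI></Target>\n"
            '      <Meta><Format xmlns="syncml:metinf">int</Format></Meta>\n'
            f"      <Data>{escape(value)}</Data>\n"
            "    </Item>\n"
            "  </Replace>")
    return "<SyncBody>\n" + "\n".join(items) + "\n</SyncBody>"


if __name__ == "__main__":
    bad, gaps = audit(WEAK_PAYLOAD)
    print("mismatched:", bad)   # {'Connectivity/AllowUSBConnection': ('0', '1')}
    print("missing:", gaps)     # ['Privacy/LetAppsAccessMicrophone']
    hardened = build_syncml(BASELINE)
    print("hardened payload audit:", audit(hardened))  # ({}, [])
```

The missing-policy check matters as much as the mismatch check: a restriction the MDM never sets stays at the device default, and for settings exposed in the settings UI that default is whatever the user leaves it at.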
What is Kiosk Mode?
You can configure a HoloLens device to function as a fixed-purpose device, also called a kiosk, by configuring the device to run in kiosk mode. Kiosk mode limits the applications (or users) that are available on the device. Kiosk mode is a convenient feature that you can use to dedicate a HoloLens device to business apps, or to use the HoloLens device in an app demo.
Single-app kiosk
- A single-app kiosk starts the specified app when the user signs into the device. The Start menu is disabled, as is Cortana. A HoloLens 2 device does not respond to the Start gesture. A HoloLens (1st gen) device does not respond to the bloom gesture. Because only one app can run, the user cannot place other apps.
Multi-app kiosk
- A multi-app kiosk displays the Start menu when the user signs into the device. The kiosk configuration determines which apps are available on the Start menu. You can use a multi-app kiosk to provide an easy-to-understand experience for users by presenting to them only the things that they have to use and removing the things they do not need to use.
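An added example, not from the original post or from Microsoft, showing the AssignedAccess document that carries a kiosk configuration to the device and a lint pass over it before it is pushed. It assumes the AssignedAccess CSP 2017 configuration schema (Profiles holding either a KioskModeApp element for a single-app kiosk or an AllAppsList for a multi-app kiosk, and Configs that bind a profile to an Azure AD group by object ID); the AppUserModelIds and group ID below are constructed placeholders, not real apps or tenants.

```python
import uuid
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Namespace of the AssignedAccess CSP configuration document. Assumed here to be
# the 2017 schema; confirm against the kiosk documentation for your build.
AA_NS = "http://schemas.microsoft.com/AssignedAccess/2017/config"
Q = "{%s}" % AA_NS  # Clark-notation prefix ElementTree expects in lookups


def build_kiosk_config(aumids, aad_group_object_id, single_app=False, profile_id=None):
    """Return an AssignedAccess XML document with one profile bound to one
    Azure AD group. single_app=True emits KioskModeApp (one app, no Start
    menu); otherwise AllAppsList (Start menu limited to the listed apps)."""
    pid = "{%s}" % (profile_id or uuid.uuid4())
    if single_app:
        if len(aumids) != 1:
            raise ValueError("a single-app kiosk takes exactly one AppUserModelId")
        body = "      <KioskModeApp AppUserModelId=%s />" % quoteattr(aumids[0])
    else:
        apps = "\n".join("          <App AppUserModelId=%s />" % quoteattr(a)
                         for a in aumids)
        body = ("      <AllAppsList>\n        <AllowedApps>\n%s\n"
                "        </AllowedApps>\n      </AllAppsList>") % apps
    return (
        f'<AssignedAccessConfiguration xmlns="{AA_NS}">\n'
        "  <Profiles>\n"
        f'    <Profile Id="{pid}">\n'
        f"{body}\n"
        "    </Profile>\n"
        "  </Profiles>\n"
        "  <Configs>\n"
        "    <Config>\n"
        f'      <UserGroup Type="AzureActiveDirectoryGroup" Name={quoteattr(aad_group_object_id)} />\n'
        f'      <DefaultProfile Id="{pid}" />\n'
        "    </Config>\n"
        "  </Configs>\n"
        "</AssignedAccessConfiguration>"
    )


def check_kiosk_config(xml_text):
    """Lint an AssignedAccess document before pushing it. Returns a list of
    findings; an empty list means the structural checks passed."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != Q + "AssignedAccessConfiguration":
        return ["root element is not AssignedAccessConfiguration in the expected namespace"]
    profiles = {}
    for prof in root.iter(Q + "Profile"):
        pid = prof.get("Id", "")
        if not pid:
            findings.append("Profile without Id")
            continue
        profiles[pid] = prof
        kiosk = prof.find(Q + "KioskModeApp")
        apps = prof.findall(Q + "AllAppsList/" + Q + "AllowedApps/" + Q + "App")
        # A profile is either single-app (KioskModeApp) or multi-app (AllowedApps);
        # having both or neither means the kiosk will not behave as intended.
        if (kiosk is not None) == bool(apps):
            findings.append(f"profile {pid}: needs exactly one of KioskModeApp or a non-empty AllowedApps list")
        for app in ([kiosk] if kiosk is not None else apps):
            if not app.get("AppUserModelId"):
                findings.append(f"profile {pid}: app entry without AppUserModelId")
    configs = root.findall(Q + "Configs/" + Q + "Config")
    if not configs:
        findings.append("no Config: the profile is never assigned to any account or group")
    for cfg in configs:
        ref = cfg.find(Q + "DefaultProfile")
        if ref is None or ref.get("Id") not in profiles:
            findings.append("Config references a DefaultProfile that is not defined")
        if cfg.find(Q + "UserGroup") is None and cfg.find(Q + "Account") is None:
            findings.append("Config names neither a UserGroup nor an Account")
    return findings


if __name__ == "__main__":
    # Constructed placeholder AUMID and group object ID.
    doc = build_kiosk_config(["Contoso.FieldApp_0123456789abc!App"],
                             "00000000-0000-0000-0000-000000000000")
    print(doc)
    print("findings:", check_kiosk_config(doc))  # findings: []
```

The point of linting before pushing is that a kiosk profile which never gets bound to a group, or whose DefaultProfile points at a typo, silently leaves the signed-in user with the normal full shell rather than the restricted one.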
As a Microsoft Gold App Dev and Silver Mixed Reality partner SphereGen is an expert in understanding and supporting Microsoft HoloLens technology. As an international company with customers in industries such as Healthcare, Manufacturing, and Education, SphereGen is uniquely positioned to develop unique solutions to our customers’ business problems. Through fierce collaboration, SphereGen seeks to deliver the highest quality solutions and support. If you are interested in a consultation or information regarding HoloLens 2 or Remote Assist, please contact us!