Microsoft locks down Windows 10 with the S edition

Windows 10 S mode is Microsoft’s new secure platform. Its goal is to provide the familiar Windows 10 interface with a much more restricted software deployment process. Consider Windows 10 S similar to the Apple iPhone and iPad ecosystem: All applications must be deployed through a vetted deployment process. Windows 10 S can also be used to deploy systems in kiosk mode and in limited-use needs.

You purchase Windows 10 S for new machines, or you can image and use it in deployment on Pro and Enterprise versions. You can change from Windows 10 S to Pro or Enterprise versions with appropriate licensing. Currently, you can’t flip back and forth between Windows 10 S and the more traditional Pro or Enterprise versions. Note I said “currently,” as I think the future of Windows is heading toward a version of the software that can be opened up for purposes of deployment and then locked down into a restricted version that malware and malicious software can’t easily exploit.

Microsoft

Supported Windows 10 S apps

S mode provides support for Windows Hello for authentication, Cortana for search, Windows Ink and Microsoft Edge. In fact, Edge is the only allowed browser and Bing the only allowed search engine. The only applications that can be installed on Windows 10 S are those that can be deployed using the Windows Store. Line-of-business applications will need to be converted to a packaged app with Universal Windows Platform (UWP) manifest.

Unlike Windows 10 Home edition, Windows 10 S allows the use of BitLocker for more protection for devices. Furthermore, the ability to defer and pause updates, which is not offered in Windows 10 Home, is allowed in Windows 10 S mode, thus making it a contender to be the preferred platform for the use in Kiosks and other unique applications where the need to provide user interfaces that are locked down for single purpose is key.

S mode also allows for mobile device management control (Intune) and Azure Active Directory (AD) join. It does not support Group Policy Management or AD domain services, thus traditional management using Microsoft AD is not the goal of this mode. Rather, if there is a need for a controlled but disconnected computer deployment, S may be a consideration.

Default applications for Windows 10 S

S mode provides the following applications as the defaults:

• For email, the Windows 10 mail application is default.
• For maps, the default Windows 10 maps program is used.
• Photos are viewed through the Photo Viewer program.
• The search engine is locked down to the Bing search engine and cannot be changed.
• The default video player is Movies and TV application.
• The web browser default is Edge and cannot be changed.
• OneDrive is automatically configured for MSA accounts so that documents, Photos, and Desktop are automatically synced and the user has 5GB of standard storage.

However, you can install or deploy any application available in the Windows Store to Windows 10 S. Microsoft has a version of Office that you can deploy to Windows S mode devices either using an Office OEM Preinstall Kit (OPK) or using the Office that can be purchased through the Microsoft Store. That means you can deploy the Store version of Office and thus change the defaults through this process.

Microsoft

S mode enables Device Guard by default ensuring that the HyperVisor Code Integrity policy (HVCI) blocks the execution of unsigned or improperly signed binaries. You can use unsupported binaries (unsigned) if you use them as part of the deployment/imaging process.

Windows 10 S driver requirements

Driver signing is also unique in Windows S mode. It has specific requirements that must be met when using drivers with Windows S. Drivers must meet the following requirements:

• Driver packages must be digitally signed with a Windows, WHQL, ELAM, or Store certificate from the Windows Hardware Developer Center Dashboard.
• Companion software must be signed with a Microsoft Store Certificate.
• Does not include a *.exe, *.zip, *.msi or *.cab in the driver package that extracts unsigned binaries.
• Driver installs using only INF directives.
• The driver does not call blocked inbox components.
• Drivers do not include any user interface components, apps, or settings. Instead, use Universal applications from the Microsoft Store, for example:
  • Hardware support apps
  • UWP device apps
  • Centennial apps
  • Driver and firmware servicing uses Windows Update and not an updater app.

These unique requirements ensure that malware and malicious software cannot enter through the driver process.

Blocked executables

Windows 10 S mode also blocks certain executables from running. Applications or scripts can be run if the device is placed in a mode called “manufacturing mode,” but you cannot leave the device in this “open” mode. Manufacturing mode allows an installer to temporality disable the Device Guard process and then later go back and enable it. The following executables or scripts are not allowed to be run:

• bash.exe
• cdb.exe
• cmd.exe
• cscript.exe
• csi.exe
• dnx.exe
• fsi.exe
• hh.exe
• infdefaultinstall.exe
• kd.exe
• lxssmanager.exe
• msbuild.exe
• mshta.exe
• ntsd.exe
• powershell.exe
• powershell_ise.exe
• rcsi.exe
• reg.exe
• regedit.exe
• regedit32.exe
• regini.exe
• syskey.exe
• wbemtest.exe
• windbg.exe
• wmic.exe
• wscript.exe
• wsl.exe

Supported customizations and tasks

Certain customizations or tasks are supported in a unique manner. For example, through Deployment Image Servicing and Management (DISM), language packs or features on demand can use offline, WinPE or Audit mode to be enabled. You can control Start menu layouts using the layoutmodification.xml process and OEM taskbar tiles using taskbarlayoutmodification.xml. You can customize Ink tiles using InkWorkstationLayoutModificaiton.xml. The original boot up process or OOBE customizations can be modified using OOBE.xml or OOBE folder structure though the OOBE System pass. Finally, UWP and Bridge applications can be controlled using DISM using offline, WinPE or Audit mode.

Drivers with no unsigned or win32 scripts/exe or binaries can be enabled using DISM using offline, WinPE or Audit mode. You can customize wallpaper using unattend.xml. Finally, accessing a command prompt from Out of Box Experience (OOBE) mode using shift-F10 by what’s called the “Manufacturing Key Process.” This is a special registry key that allows such processes during the OOBE.

Here’s what you can’t change or customize:

• Driver installation with setup.exe, so traditional Windows applications cannot be installed.
• Drivers with co-installers or dependent on scripts or cmd execution.
• Traditional Win32 applications.
• First logon

Before you consider any of these to be deal breakers, consider this: Traditional software deployment on systems where the operating system is open to any installation process means that malware and malicious software can enter the system. By building a platform that by design demands that code is signed, drivers are signed, scripts are limited and PowerShell is limited means that the platform is less likely to be tampered with.

Changes to Windows 10 S in the 1803 update

The April 2018 update of 1803 brought changes to Windows 10 S mode. No longer is the mode limited to Pro edition. To enable S mode on supported editions, an unattend file needs to be created. Then you use DISM to apply the unattend file to a mounted Windows image. The process is as follows:

1. Mount your Windows image.
2. Use Windows SIM to create or modify an unattend file.
3. Add the amd64_Microsoft_Windows_CodeIntegrity component to Pass 2 offline Servicing.
4. Set amd64_Microsoft_Windows_CodeIntegritySkuPolicyRequired to 1.
5. The offline servicing pass in the unattend.xml file will look like the following:

   
             processorArchitecture="amd64"
           publicKeyToken="31bf3856ad364e35"
           language="neutral"
           versionScope="nonSxS"
           xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       1
     
     

6. Save the answer file in the WindowsPanther folder of your mounted image as unattend.xml.
7. Use DISM to apply the unattend file and enable S mode by entering the following command:

   dism /image:C:mountwindows /apply-unattend:C:mountwindowswindowspantherunattend.xml

8. Reboot the computer. When the computer reboots, the same Code Integrity policy that is enforced in Windows 10 S will be enforced on your Windows installation.

S mode is not bulletproof

I would be remiss if I did not point out that Windows 10 S mode is not bulletproof. Already Google’s Project Zero identified a flaw in .NET that attackers could use to inject arbitrary code execution on a system with User Mode Code Integrity (UMCI) enabled (e.g., Device Guard). As noted in the bug, an attacker with access to a local machine could use this vulnerability to circumvent a UMCI policy on the machine.

In May 2018, this bug was fixed in a security update. Interestingly, it is a basic flaw in how .Net Framework instantiates COM objects and the update fixed the issue not only in Windows 10 S, but also in .NET platforms that impact all the way back to .NET Framework 2.0 Service pack 2. Therefore, Windows 10 S still inherits some of the foundational flaws of the Windows operating system. However, the enforcement of code integrity along with fewer options to install malicious software means that the platform is much more secure and robust from the beginning.

You can see the potential for this S mode. While you cannot flip back and forth at will between normal Windows 10 platforms and Windows 10 S mode – now you can deploy into S mode and then apply a licensing key that doesn’t require a reboot to get out of S mode – it will be interesting if in the future we will be able to go back and forth. It’s a tricky process, however. Anything we do to make something easier for IT professionals means it’s similarly easy for attackers to perform malicious actions. It’s always a balance when choosing Windows 10 versions, as well as security features.

Windows 10 S might not be for you

To deploy Windows 10 S, ask yourself if you are heavily entrenched in traditional Win32 applications. If you are and there’s no opportunity to convert Windows 32 apps to modern store deployed applications, then Windows 10 S is not for you. It’s wise to keep an eye on Windows 10 S for its potential: That a more locked down “phone” style of deployment where malicious software is kept more in a sandbox is less likely to be attacked.

It’s the promise of Windows 10 S that excites me the most. Keep an eye on it because I predict that this may be the platform we use in the future.