Windows 10 S introduction - PowerPoint Presentation

Slide1
Slide2

Windows 10 S introduction

Yoichiro Okada

WDGSlide3

The Windows you know

Streamlined for security and superior performanceSlide4

Verified apps from the Store

Verified drivers from Windows Update

Supports Azure Active Directory

When paired with MSA or Intune for Education, default to files in OneDrive

Ability to switch configuration to Windows 10 Pro on device

The Windows you know Slide5

Configuration & Features

Windows 10 S

Home

Pro

Non-Store applications

●

●

Domain Join on premise

●Azure AD domain join●●Windows Store Apps (incl. Win32 Centennial Apps)●●●OneDrive setup and sync automatically (req MSA)●ConfigurableConfigurableMicrosoft default apps set for default files●ConfigurableConfigurableWindows Update for Business●●Windows Store for Business●●Mobile Device Management (MDM)●Limited●Bitlocker●●Enterprise state roaming with Azure AD●●Shared PC Configuration●●OtherWindows 10 SHomeProEdge/IE search default: Bing and designated regional search providers)●ConfigurableConfigurableSwitch to Win 10 Pro (through Windows Store)●●

*not exhaustive, illustrative to outline configuration differences

The Windows you know

The best of the cloudand full featured apps Designed for Modern devicesUsers can switch to Windows 10 Pro

Windows 10 S ConfigurationSlide6

Code Integrity (CI) Policies

Overview of CI policies

All Executable code must be signed with a

Windows, WHCP (formerly WHQL), or Store

certificateAll Windows 10 kernel mode drivers must be submitted to the Windows Hardware Developer Center to be digitally signed by Microsoft. 

Windows 10 will not load any kernel mode drivers which are not signed by using one of the methods above. In addition, any companion software must be signed using one of these methods.  What will happen if a user tries to run an incompatible app?Windows 10 S only runs trusted apps from the Windows Store

The policy is enforced in the CreateProcess API, via code integrity checks, that check if the code that is about to execute is signed with a valid certificateAny unsigned code results in a user notification, informing them and helping them find what they needSlide7

Windows 10 S Default App Configuration

Inbox App Defaults

Email:

Mail

Maps:

MapsMusic player: Groove Music

Photo viewer: PhotosVideo player: Movies & TVWeb browser: Microsoft EdgeBing set as the search defaultOneDrive automatically configured for MSA accountsDocuments, Photos, Desktop automatically synced5GB of standard storageIncreased storage available with Office 365 subscriptionWindows Defender is always-on, always up to dateSlide8

Blocked Inbox Components

Bash.exe

cdb.exe

csi.exe

dnx.exe

kd.exe

LxssManager.dllMSBuild.exentsd.exercsi.execmd.execscript.exepowershell.exepowershell_ise.exereg.exeregedt32.exewindbg.exewmic.exewscript.exeSlide9

App Redirect

No suggested apps

App matchSlide10

Signed drivers and Windows 10 S

How driver signing works

Generate a Security Catalog for the driver package

The catalog is WHCP (formerly WHQL)

signed

The WHCP (formerly WHQL) signature is appended to the PE binaries found in the driver packageSigned drivers could fail CI checks:If any binaries in the driver package loads blocked inbox components, they will fail CI checkIf an .exe, .zip, .msi or .cab in the driver package extracts any binaries that are not WHCP (formerly WHQL) signed, they will fail CI check

If an .exe or .msi in the driver package uses binaries from other sources that are not WHCP (formerly WHQL) signed, they will fail CI checkSlide11

Windows 10 S Driver RequirementsSlide12

To install on Windows 10 S, driver packages must meet the following requirements:

Driver packages must be digitally signed with a

Windows, WHCP (formerly WHQL), or Store

certificate from the

Windows Hardware Developer Center Dashboard.Companion software must be signed with a Windows Store Certificate.Does not include an *.exe, *.zip, *.

msi or *.cab in the driver package that extracts unsigned binaries.Driver installs using only INF directives.Co-installers are used only to install or register signed binaries, and do not contain user interface components. (*Only allow until Fall Creators Update)Driver does not call blocked inbox components.Drivers does not include any user interface components, apps, or settings. Instead, use Universal applications from the Windows Store, for example:Hardware Support Apps

Windows Store Device AppsCentennial AppsDriver and firmware servicing uses Windows Update and not an updater app.Finally, we recommend using a Universal Windows driver where possible. For more info, see: Getting Started with Universal DriversValidating Universal DriversWindows 10 S Driver RequirementsSlide13

Why Universal Drivers by 2018?

Universal Driver Workshop Session

‘Deep dive on Universal Driver Development’ starts tomorrow, June 15

Transition to Universal Drivers

D

eclarative

Drivers installed using Universal INF directives only provide higher quality updates and resiliency ComponentizedCustomizations are separate from the core driver package reducing maintenance costH

ardware Support Apps (HSAs)

Differentiation through Hardware Support Apps (HSAs) Updates to be delivered through the StoreUniversal API compliantRuns everywhere – future of WindowsSlide14

Windows 10 S Driver PublishingSlide15

Signing and Publishing

Code Integrity Policy will block installation of any binaries NOT signed by Microsoft

Microsoft Legacy UX (CPL, 3rd Party Shell extension) NOT allowed

In the Dev Center, there is no change to driver submission for either driver signing or Windows Hardware Compatibility Program

There is no Windows 10 S specific signing category and not required to resubmit the driver or re-run HLKWindows 10 signed driver can be distributed to Windows 10 S when confirming the compliance status of 2 check boxes in publishing Shipping Label

Windows 10 S Driver Publishing

Windows Update = Seamless Servicing MechanismSlide16

Driver Signing Path for Windows 10 S

Package Installer

(e.g. Setup.exe)

App & Utility

Driver Dependent App

(e.g. CP Applet)

Co-InstallerPure Driver Files(e.g. INF, Sys, DLL)Package Installers are not supported for Windows 10 S

Includes

App or Utility?UnpackageIncludesCo-Installer?No*Only allow until Fall Creators UpdateHardwareDev CenterPure Driver Files(e.g. INF, Sys, DLL)NoAll driver packages and binaries must be WHCP (formerly WHQL) signedAll binaries must be delivered in the top-level driver package, do not use nested binariesDrivers should be installed using only INF directivesCo-installers may be used only for the purpose of installing or registering signed binaries, and may not contain any 3rd party UI components* Driver binaries may not make calls to unsupported components blocked by CI policyYesCo-InstallerPolicy CompliantCo-Installer*Pure Driver Files(e.g. INF, Sys, DLL)Yes,DependentWindows Storeas HSA or WSDADriver Dependent App (e.g. CP Applet)Yes,IndependentWindows StoreApp & UtilitySlide17

Firmware Update on WU

Win32 based firmware update utilities are not supported

Only Firmware Update Capsule is the supported system firmware delivery mechanism

Driver based firmware update is also supportedSlide18

Deployment Overview

Manufacturing Scenario

Specialize

Pass

Audit

Mode

SysprepOOBE

WinPE

RecoveryDesktopEnabledDisabledEnabled*ScriptsEnabledDisabledDisabledUnsigned CodeRecommended OffEnabledEnabledSecure BootEnabledDisabledDisabledMFG Reg KeyCode Integrity Policy EnabledServicingScenarioWinPEEnabledDisabledScriptsEnabledDisabledUnsigned CodeEnabledSecure BootN/AMFG Reg KeyCustomer Existing Windows 10 SFactors for Deployment:Secure Boot Recommended OffMFG Reg Key enabledOOBE NOT completed*WinRE Extensibility Script only Slide19

Deployment, Recovery, OOBE

WinPE

Behaves the same way as today where Win32/unsigned binaries are allowed to run with secure boot disable or enabled

Recovery and WinRE

Third party recovery solutions are not supportedCMD Prompt in WinRE will be supported to run inbox tools only

Push-button Reset (PBR) extensibility scripts is supported only for the purpose of restoringOEM customizations applied via a CMD script and not call any of the blocked inbox components except reg.exe and wmic.exeOOBEFirst Logon CommandFirstLogonCommands is not supported

Batch FilesOnly supported if MFG Reg Key enabledMFG Reg Key must be disabled prior to customer OOBEIf using Shift+F10 to validate OOBE (show screen):Delete MFG Reg KeyShutdown the system (i.e. Shutdown.exe –t 0)Slide20

Compatibility Program for Windows 10 S

At this time, the Windows 10 Hardware Compatibility Program does not have a program for Windows 10 S

Use the latest Windows 10 HLK to validate compatibility

The plan is to have a test in a future release of the HLK that would help partners validate compliance with Windows 10 S

Driver submission process will have checks on driver complianceSlide21

Test your Windows app for Windows 10 SSlide22

https://news.microsoft.com/microsoft-event-may-2017/Slide23

Call to Actions

Develop your plan to deliver Drivers, Firmware, and Apps for Windows 10 S

Begin testing now on Windows 10 Pro with CI policy implemented or on a Windows 10 S device

Incorporate Windows 10 S into your device and hardware portfolio planningSlide24

References

Introducing Windows 10 S

https://www.microsoft.com/en-us/windows/windows-10-s

Windows 10 S FAQ

https://support.microsoft.com/en-us/help/4020089/windows-10-s-faq

Windows 10 S Driver Requirementshttps://docs.microsoft.com/en-us/windows-hardware/drivers/install/Windows10SDriverRequirements Test your Windows app for Windows 10 Shttps://docs.microsoft.com/en-us/windows/uwp/porting/desktop-to-uwp-test-windows-s

UEFI Firmwarehttps://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/uefi-firmware Getting Started with Universal Windows drivershttps://docs.microsoft.com/en-us/windows-hardware/drivers/develop/getting-started-with-universal-driversUniversal Driver Scenarioshttps://docs.microsoft.com/en-us/windows-hardware/drivers/develop/universal-driver-scenarios Slide25