Windows 10 S introduction
Yoichiro Okada
WDG
The Windows you know
Streamlined for security and superior performance
Verified apps from the Store
Verified drivers from Windows Update
Supports Azure Active Directory
When paired with MSA or Intune for Education, default to files in OneDrive
Ability to switch configuration to Windows 10 Pro on device
The Windows you know
Configuration & Features
Feature                                                                Windows 10 S  Home          Pro
Non-Store applications                                                 -             ●             ●
Domain Join on premise                                                 -             -             ●
Azure AD domain join                                                   ●             -             ●
Windows Store Apps (incl. Win32 Centennial Apps)                       ●             ●             ●
OneDrive setup and sync automatically (req MSA)                        ●             Configurable  Configurable
Microsoft default apps set for default files                           ●             Configurable  Configurable
Windows Update for Business                                            ●             -             ●
Windows Store for Business                                             ●             -             ●
Mobile Device Management (MDM)                                         ●             Limited       ●
Bitlocker                                                              ●             -             ●
Enterprise state roaming with Azure AD                                 ●             -             ●
Shared PC Configuration                                                ●             -             ●
Other                                                                  Windows 10 S  Home          Pro
Edge/IE search default: Bing and designated regional search providers  ●             Configurable  Configurable
Switch to Win 10 Pro (through Windows Store)                           ●             ●             -
*not exhaustive, illustrative to outline configuration differences
The Windows you know
The best of the cloud and full featured apps
Designed for Modern devices
Users can switch to Windows 10 Pro
Windows 10 S Configuration
Code Integrity (CI) Policies
Overview of CI policies
All executable code must be signed with a Windows, WHCP (formerly WHQL), or Store certificate
All Windows 10 kernel mode drivers must be submitted to the Windows Hardware Developer Center to be digitally signed by Microsoft.
Windows 10 will not load any kernel mode drivers which are not signed by using one of the methods above. In addition, any companion software must be signed using one of these methods.
What will happen if a user tries to run an incompatible app?
Windows 10 S only runs trusted apps from the Windows Store
The policy is enforced in the CreateProcess API, via code integrity checks that check if the code that is about to execute is signed with a valid certificate
Any unsigned code results in a user notification, informing them and helping them find what they need
Windows 10 S Default App Configuration
Inbox App Defaults
Email: Mail
Maps: Maps
Music player: Groove Music
Photo viewer: Photos
Video player: Movies & TV
Web browser: Microsoft Edge
Bing set as the search default
OneDrive automatically configured for MSA accounts
Documents, Photos, Desktop automatically synced
5GB of standard storage
Increased storage available with Office 365 subscription
Windows Defender is always-on, always up to date
Blocked Inbox Components
Bash.exe
cdb.exe
csi.exe
dnx.exe
kd.exe
LxssManager.dll
MSBuild.exe
ntsd.exe
rcsi.exe
cmd.exe
cscript.exe
powershell.exe
powershell_ise.exe
reg.exe
regedt32.exe
windbg.exe
wmic.exe
wscript.exe
App Redirect
No suggested apps
App match
Signed drivers and Windows 10 S
How driver signing works
Generate a Security Catalog for the driver package
The catalog is WHCP (formerly WHQL) signed
The WHCP (formerly WHQL) signature is appended to the PE binaries found in the driver package
Signed drivers could fail CI checks:
If any binary in the driver package loads blocked inbox components, it will fail the CI check
If an .exe, .zip, .msi or .cab in the driver package extracts any binaries that are not WHCP (formerly WHQL) signed, they will fail the CI check
If an .exe or .msi in the driver package uses binaries from other sources that are not WHCP (formerly WHQL) signed, they will fail the CI check
Windows 10 S Driver Requirements
To install on Windows 10 S, driver packages must meet the following requirements:
Driver packages must be digitally signed with a Windows, WHCP (formerly WHQL), or Store certificate from the Windows Hardware Developer Center Dashboard.
Companion software must be signed with a Windows Store Certificate.
Does not include an *.exe, *.zip, *.msi or *.cab in the driver package that extracts unsigned binaries.
Driver installs using only INF directives.
Co-installers are used only to install or register signed binaries, and do not contain user interface components. (*Only allowed until Fall Creators Update)
Driver does not call blocked inbox components.
Driver does not include any user interface components, apps, or settings. Instead, use Universal applications from the Windows Store, for example:
  Hardware Support Apps
  Windows Store Device Apps
  Centennial Apps
Driver and firmware servicing uses Windows Update and not an updater app.
Finally, we recommend using a Universal Windows driver where possible. For more info, see:
  Getting Started with Universal Drivers
  Validating Universal Drivers
  Windows 10 S Driver Requirements
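As an added illustration (not code from the presentation or from Microsoft), the Python sketch below pre-screens a driver package directory for three of the conditions listed above: installer or archive files in the package, binaries outside the top level, and references to the blocked inbox component names. It is a string-based heuristic that does not verify signatures; the function names and the sample package are constructed for the example.

```python
import os
import re
import tempfile

# Names from the "Blocked Inbox Components" slide.
BLOCKED = ("bash.exe cdb.exe csi.exe dnx.exe kd.exe lxssmanager.dll msbuild.exe "
           "ntsd.exe rcsi.exe cmd.exe cscript.exe powershell.exe powershell_ise.exe "
           "reg.exe regedt32.exe windbg.exe wmic.exe wscript.exe").split()
# Whole file names only, so "rcsi.exe" is not also reported as "csi.exe".
BLOCKED_RE = re.compile(r"(?<![\w.-])(%s)(?!\w)" % "|".join(map(re.escape, BLOCKED)), re.I)
CONTAINERS = {".exe", ".zip", ".msi", ".cab"}   # may extract unsigned binaries
BINARIES = {".sys", ".dll", ".exe"}             # belong in the top-level package

def audit_driver_package(root):
    """Return sorted (relative_path, finding) pairs for a driver package directory."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        nested = os.path.abspath(dirpath) != os.path.abspath(root)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in CONTAINERS:
                findings.add((rel, "installer/archive in package"))
            if nested and ext in BINARIES:
                findings.add((rel, "nested binary"))
            with open(path, "rb") as fh:
                data = fh.read()
            # Strings in INFs and PE files may be ASCII or 2-byte-aligned UTF-16LE.
            for text in (data.decode("latin-1"), data.decode("utf-16-le", "ignore")):
                for hit in BLOCKED_RE.findall(text):
                    findings.add((rel, "references " + hit.lower()))
    return sorted(findings)

def build_sample_package(root):
    """Write a small constructed package (not a real driver) for the demo."""
    os.makedirs(os.path.join(root, "tools"))
    samples = {
        "sample.inf": b'[Version]\r\nSignature="$WINDOWS NT$"\r\n',
        "sample.sys": b"MZ\x00\x00" + "powershell.exe".encode("utf-16-le") + b"\x00\x00",
        "tools/setup.exe": b"\x00run rcsi.exe\x00",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(tmp)
        print(*audit_driver_package(tmp), sep="\n")
```

A finding here is a prompt for manual review before submission, not a verdict: the CI policy itself decides what loads on the device.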
Why Universal Drivers by 2018?
Universal Driver Workshop Session
‘Deep dive on Universal Driver Development’ starts tomorrow, June 15
Transition to Universal Drivers
Declarative
Drivers installed using Universal INF directives only provide higher quality updates and resiliency
Componentized
Customizations are separate from the core driver package reducing maintenance cost
Hardware Support Apps (HSAs)
Differentiation through Hardware Support Apps (HSAs)
Updates to be delivered through the Store
Universal API compliant
Runs everywhere – future of Windows
Windows 10 S Driver Publishing
Signing and Publishing
Code Integrity Policy will block installation of any binaries NOT signed by Microsoft
Microsoft Legacy UX (CPL, 3rd Party Shell extension) NOT allowed
In the Dev Center, there is no change to driver submission for either driver signing or Windows Hardware Compatibility Program
There is no Windows 10 S specific signing category, and it is not required to resubmit the driver or re-run HLK
A Windows 10 signed driver can be distributed to Windows 10 S when confirming the compliance status of 2 check boxes in the publishing Shipping Label
Windows 10 S Driver Publishing
Windows Update = Seamless Servicing Mechanism
Driver Signing Path for Windows 10 S
[Flowchart: a Package Installer (e.g. Setup.exe) is unpackaged into App & Utility, Driver Dependent App (e.g. CP Applet), Co-Installer, and Pure Driver Files (e.g. INF, Sys, DLL).
 Includes App or Utility? Yes, Independent: App & Utility goes to the Windows Store. Yes, Dependent: Driver Dependent App (e.g. CP Applet) goes to the Windows Store as HSA or WSDA. No: continue.
 Includes Co-Installer? Yes: Policy Compliant Co-Installer* and Pure Driver Files go to the Hardware Dev Center. No: Pure Driver Files go to the Hardware Dev Center.]
Package Installers are not supported for Windows 10 S
All driver packages and binaries must be WHCP (formerly WHQL) signed
All binaries must be delivered in the top-level driver package, do not use nested binaries
Drivers should be installed using only INF directives
Co-installers may be used only for the purpose of installing or registering signed binaries, and may not contain any 3rd party UI components*
Driver binaries may not make calls to unsupported components blocked by CI policy
*Only allow until Fall Creators Update
Firmware Update on WU
Win32 based firmware update utilities are not supported
Only Firmware Update Capsule is the supported system firmware delivery mechanism
Driver based firmware update is also supported
Deployment Overview
Manufacturing Scenario
[Diagram: phases shown are Specialize Pass, Audit Mode, Sysprep, OOBE, WinPE, Recovery, Desktop; Code Integrity Policy Enabled]
Scripts: Enabled / Disabled / Enabled*
Unsigned Code: Enabled / Disabled / Disabled
Secure Boot: Recommended Off / Enabled / Enabled
MFG Reg Key: Enabled / Disabled / Disabled
Servicing Scenario
[Diagram: WinPE; Customer Existing Windows 10 S]
Scripts: Enabled / Disabled
Unsigned Code: Enabled / Disabled
Secure Boot: Enabled
MFG Reg Key: N/A
Factors for Deployment:
Secure Boot Recommended Off
MFG Reg Key enabled
OOBE NOT completed
*WinRE Extensibility Script only
Deployment, Recovery, OOBE
WinPE
Behaves the same way as today where Win32/unsigned binaries are allowed to run with secure boot disabled or enabled
Recovery and WinRE
Third party recovery solutions are not supported
CMD Prompt in WinRE will be supported to run inbox tools only
Push-button Reset (PBR) extensibility scripts are supported only for the purpose of restoring OEM customizations applied via a CMD script, and must not call any of the blocked inbox components except reg.exe and wmic.exe
OOBE
First Logon Command
FirstLogonCommands is not supported
Batch Files
Only supported if MFG Reg Key enabled
MFG Reg Key must be disabled prior to customer OOBE
If using Shift+F10 to validate OOBE (show screen):
Delete MFG Reg Key
Shutdown the system (i.e. Shutdown.exe -t 0)
Compatibility Program for Windows 10 S
At this time, the Windows 10 Hardware Compatibility Program does not have a program for Windows 10 S
Use the latest Windows 10 HLK to validate compatibility
The plan is to have a test in a future release of the HLK that would help partners validate compliance with Windows 10 S
Driver submission process will have checks on driver compliance
Test your Windows app for Windows 10 S
https://news.microsoft.com/microsoft-event-may-2017/
Call to Actions
Develop your plan to deliver Drivers, Firmware, and Apps for Windows 10 S
Begin testing now on Windows 10 Pro with CI policy implemented or on a Windows 10 S device
Incorporate Windows 10 S into your device and hardware portfolio planning
References
Introducing Windows 10 S
https://www.microsoft.com/en-us/windows/windows-10-s
Windows 10 S FAQ
https://support.microsoft.com/en-us/help/4020089/windows-10-s-faq
Windows 10 S Driver Requirements
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/Windows10SDriverRequirements
Test your Windows app for Windows 10 S
https://docs.microsoft.com/en-us/windows/uwp/porting/desktop-to-uwp-test-windows-s
UEFI Firmware
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/uefi-firmware
Getting Started with Universal Windows drivers
https://docs.microsoft.com/en-us/windows-hardware/drivers/develop/getting-started-with-universal-drivers
Universal Driver Scenarios
https://docs.microsoft.com/en-us/windows-hardware/drivers/develop/universal-driver-scenarios