A closer look at what Windows 10 S can and can’t do
Microsoft is being remarkably coy about its newest Windows edition, so I went digging. Here are a few details you won’t find anywhere else about what you get with the locked-down configuration of Windows 10 S.
As product launches go, Microsoft’s introduction of Windows 10 S is one of the most baffling I have ever seen.
For starters, it appears to be a new edition of Windows, but in the official Windows 10 S FAQ Microsoft bills it as “a specific configuration of Windows 10 Pro,” which isn’t the same thing at all. (I published my own Windows 10 S FAQ based on that information and some additional facts.)
After releasing a few sketchy details at the Surface Laptop launch event in May, Microsoft has not published any detailed technical information, nor has it released evaluation copies of Windows 10 S in places where IT pros would normally expect to find them, such as MSDN.
Which is… strange.
Most of the reviewers who looked at the Surface Laptop dismissed Windows 10 S with a few sentences, mostly focusing on its inability to install the desktop apps they needed. But there’s more to the “specific configuration” than just that restriction.
As a developer document makes clear, any apps you install on a Windows 10 S PC are subject to “code integrity rules [that] block the execution of code that isn’t signed by the Windows Store, including drivers.” [Emphasis added.] That’s a key distinction, one that would prevent large enterprise or education installations from side-loading line-of-business apps as they can do on Windows 10 Pro and Enterprise.
The Windows 10 S Driver Requirements page notes that a number of Windows components are “blocked from executing on Windows 10 S.” The long list includes the following tools that many IT pros and developers would consider essential: bash.exe, cdb.exe, cmd.exe, cscript.exe, csi.exe, dnx.exe, kd.exe, lxssmanager.dll, msbuild.exe, ntsd.exe, powershell.exe, powershell_ise.exe, rcsi.exe, reg.exe, regedt32.exe, windbg.exe, wmic.exe, wscript.exe. A colleague confirmed that even the Windows Command Processor, cmd.exe, can’t run interactively in Windows 10 S.
Other product categories will also be forbidden from the Windows Store, including third-party antivirus software, backup programs, and disk utilities that use file-system filter drivers.
You can’t change the default browser or search engine, nor can you use the ApplicationDefaults/DefaultAssociationsConfiguration policy with mobile device management software, as you can with Windows 10 Pro.
Driver packages can’t contain any “non-Microsoft UI components or applications.” That’s bad news for devices that add their own configuration utilities to unlock advanced features.
A device running Windows 10 S can’t join a Windows domain, which means it can’t be managed by Active Directory, only by the less capable Azure AD join.
Anyone looking for a general purpose laptop will, quite rightly, be scared off by those restrictions. But they’re key to the unique value proposition of Windows 10 S, which offers a Windows configuration that clueless users can’t screw up, even if they try.