Window 10 S mode

LDogg · Mar 1, 2019

If a lot of you do not know about Windows 10 S mode, I would definitely look this up. Some computers going forward will be shipped with Windows S mode by default unless the user comes out this format. This means that you ONLY use window products, Firewall is set at maximum, you're also reduced to using Edge only and can only get or buy anything from Window App Store. This is something I have tested myself and work great, however not recommended if you like 3rd party apps, AVs etc etc. The downside of this, once you leave S mode, you cannot simply come back to it after.

Remember: While you can leave S Mode whenever you like, your choice to leave S Mode is a permanent decision. Once you’ve left S Mode, you can never put the PC back into S Mode. It will use a standard Windows 10 Home or Windows 10 Professional operating system. However, you can choose to allow apps only from the Store on any Windows 10 PC.

Ideal for anyone who likes a locked down Windows 10 system and trying to adopt this kind of approach with their personal computer

All of the above is ensure security and speed is paramount, more information can be found here: https://support.microsoft.com/en-us/help/4020089/windows-10-in-s-mode-faq & here What is Windows 10 in S Mode?

Thanks for reading.

~LDogg

ForgottenSeer 72227 · Mar 1, 2019

It will be interesting to see if MS starts pushing developers to migrate their programs to the Windows App store in order to make this a permanent mode? It would take a very long time, but maybe this could be a reality, or not hehe

LDogg · Mar 1, 2019

Raiden said:
It will be interesting to see if MS starts pushing developers to migrate their programs to the Windows App store in order to make this a permanent mode? It would take a very long time, but maybe this could be a reality, or not hehe

Could be the case. However I think most users prefer Windows 10 the way it is w/o S Mode. I've been using S mode a lot, it's good but very restrictive.

Makes a balance between software freedom & security, performance and reliability.

~LDogg

Andy Ful · Mar 2, 2019

Something very close to Windows 10 S mode, can be done with precompiled SIPolicy.p7b file via WD Application Control. This policy file whitelists all Windows components and files digitally signed by M$. You can also delete this file with Administrator rights, reboot, and you get Windows 10 again. This works on any Windows 10 version. See also:

Device Guard on Windows 10 S

This blog is about Device Guard (DG) on Windows 10 S (Win10S). I’ll go through extracting the policy and finding out what you can and ...

tyranidslair.blogspot.com

New Update - Application Control on Windows 10 Home

Is it possible to use WD Application Control (WDAC) on Windows 10 Home, with disabled WD? The answer is somewhat surprising. Why? WDAC is the Windows 10 security feature, which was introduced for Windows Enterprise editions. It can be used only on the computers with UEFI. The working WDAC (WD...

malwaretips.com

LDogg · Mar 2, 2019

Andy Ful said:
Something very close to Windows 10 S mode, can be done with precompiled SIPolicy.p7b file via WD Application Control. This policy file whitelists all Windows components and files digitally signed by M$. You can also delete this file with Administrator rights, reboot, and you get Windows 10 again. This works on any Windows 10 version. See also:

Device Guard on Windows 10 S

This blog is about Device Guard (DG) on Windows 10 S (Win10S). I’ll go through extracting the policy and finding out what you can and ...

tyranidslair.blogspot.com

New Update - Application Control on Windows 10 Home

Is it possible to use WD Application Control (WDAC) on Windows 10 Home, with disabled WD? The answer is somewhat surprising. Why? WDAC is the Windows 10 security feature, which was introduced for Windows Enterprise editions. It can be used only on the computers with UEFI. The working WDAC (WD...

malwaretips.com

Thanks for the info! Will look into this aspect further.

~LDogg

Andy Ful · Mar 2, 2019

LDogg said:
Thanks for the info! Will look into this aspect further.

~LDogg

It will not be useful for most users. But, maybe it can be used temporarily on infected machine to block some non-Microsoft malicious drivers and libraries, and identify the malware.

LDogg · Mar 2, 2019

Andy Ful said:
It will not be useful for most users. But, maybe it can be used temporarily on infected machine to block some non-Microsoft malicious drivers and libraries, and identify the malware.

Definitely not suitable for most users at all unless they only like to use Windows only software. I think using this mode to identify he malware processes would be fundamental if traditional ways cannot spot it.

~LDogg

shmu26 · Mar 2, 2019

S mode will protect you from risky software installs. But there are plenty of other attack vectors that it won't help for.

Moonhorse · Mar 2, 2019

Whenever microsoft releases their chromium browser, i will go with WD probably and just avoid the 3rd party installs , but guess i need either syshardenr or H_C

Current edge is just too crappy, i really hope they make it opensource and someone fork it so we have EdgeHTML browser, gecko is already turned into chromium

Andy Ful · Mar 2, 2019

shmu26 said:
S mode will protect you from risky software installs. But there are plenty of other attack vectors that it won't help for.

That is true for Windows 10 S mode.
WDAC set to S mode (on the normal Windows 10) will block all drivers (including kernel drivers), all executables (including .NET DLLs) not signed by Microsoft. It can be bypassed by fileless malware introduced via Sponsors.
But, you can also block most Sponsors in WDAC. The system will run very restricted (hardly usable), but most malware will fail to run, and the blocked malware processes will be logged.
Furthermore, you can use WDAC in Audit mode - everything non-Microsoft and Sponsors will be run, and logged. In Audit mode, you can set to block all sponsors including those used by system processes, because they will not be blocked, but only logged. The malware can be identified by analyzing the log.

LDogg · Mar 2, 2019

Moonhorse said:
Whenever microsoft releases their chromium browser, i will go with WD probably and just avoid the 3rd party installs , but guess i need either syshardenr or H_C

Current edge is just too crappy, i really hope they make it opensource and someone fork it so we have EdgeHTML browser, gecko is already turned into chromium

Edge is crap I agree. Windows S mode does have it advantages and disadvantages. I won't be avoiding 3rd party software, kinda dislike the idea of being locked down to only Microsoft products xD

~LDogg

Azure · Mar 2, 2019

Users who have the knowledge to leave S mode, should also have basic knowledge on how secure themselves. So, having S mode as default is actually good for those that aren't knowledgeable in terms of computer security.

Ink · Mar 3, 2019

S Mode is not practical, and a joke for many users. Especially those unfortunate few who bought a Surface in S Mode by default, because it's an extra $99 to upgrade for the full Windows experience.

For now, let's look forward to Windows Lite OS, the to-be ChromeOS competitor.

Windows Lite OS Is Microsoft's Second Try At Killing Chrome OS

Windows, to a certain extent, is still the world's most-used operating system and, because of that, it is a sordid mess. Microsoft has repeatedly tried…

www.slashgear.com

On a side note, if you do like the idea of Warning before Install Apps, try this one instead of a deny all mode.

Go to Settings > Apps > Installing apps > Change "Warn me before.."

On Windows 10 Pro or higher, you can restrict changes via Group Policy Editor.

Search