How to create a Windows 10 in S Mode image (Windows 10 Enterprise Security Features)

Microsoft publicly maintains a Cybersecurity Reference Architecture. If you haven’t checked it out before, head on over to https://aka.ms/MCRA.

Microsoft Cybersecurity Reference Architecture

Over the next few months, we’re going to explore all these options and talk about how they affect our devices. Most of the time I’ll be showing you how to configure the technology, sometimes I’ll just be explaining how it’s related, but it’s going to be fun so stay tuned.

Now, if you’ll notice the bottom left of the chart…

Windows 10 Enterprise Security Component

Let’s talk about Windows 10 Enterprise Security features!

Windows 10 in S Mode is a “feature” that only allows applications from the Microsoft Store. That means no executing random .exe’s or running .msix installers. That can be a good thing – UWP apps or other apps available from the Microsoft Store can be auto updated (using the Store), and are built using more modern APIs (enabling better functionality such as tombstoning in the background to save battery life). More details for S Mode here: https://www.microsoft.com/en-us/windows/s-mode

Generally you should be ‘deploying’ Windows 10 in S Mode by buying S Mode devices from a manufacturer. But… you can also edit an image.

Here’s our walkthrough of enabling S Mode in a 1909 business editions .iso:

Enabling S Mode requires editing the unattend.xml file of an image. To that end, we’ll be using MDT for basically our entire walkthrough. MDT will let us: create an edited Unattend.xml, customize the deployment of a Windows 10 .wim, and create “external” media (an .iso) that we can then automate to use with Autopilot.

You’ll need a Windows 10 .wim to start, which you can create and capture from a VM and MDT. Microsoft maintains a great step-by-step guide here: https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image

Capturing a Windows 10 WIM

Once you have a default Windows 10 .wim, we need to edit the WIM using DISM to enable S Mode and Manufacturing Mode.

Enabling S Mode requires you to apply an Unattend.xml file with the S Mode setting. I used MDT (which launches WSIM) to edit the default Unattend.xml for a standard client Windows 10 Pro deployment task sequence (like you would have used in the Capture Windows 10 task sequence for your .wim).

In MDT, select the task sequence you used to capture the .wim, select Properties, and then OS Info (you could actually select any task sequence, but we want to use one that has the same OS we’re deploying so that the Unattend.xml is created appropriately). Then click Edit Unattend.xml.

Once Windows System Image Manager loads up, highlight 2 offlineServicing.

On the Windows Image pane, select amd64_Microsoft-Windows-CodeIntegrity_neutral. Right click and Add Setting to 2 offlineServicing.

Add Code Integrity component

Back in the Answer File, highlight the new component. On the right hand side, type 1 under SkuPolicyRequired.

SkuPolicyRequired

And…that’s it! That one change enabled Windows 10 in S Mode. Now we need to save the Unattend.xml in another location so we can apply it to our image.

Saving Unattend.xml to another location

Now we need to use DISM to apply the unattend file. Open a command prompt as admin, and type in the following commands:

md c:\mount\windows\
dism /mount-wim /wimfile:c:\YOURWINFILE.wim /index:1 /mountdir:c:\mount\windows\

(Be sure to specify the wim you’ve captured for the /wimfile switch)

Mounting .wim

Once the .wim is mounted, copy the Unattend.xml you saved with the S Mode change into the c:\mount\windows\windows\panther folder (I had to create this folder).

Unattend.xml copied to .wim

Then run the following command:

dism /image:c:\mount\windows /apply-unattend:"C:\mount\windows\Windows\Panther\Unattend.xml"

Applying Unattend.xml via dism

Great! This image now has S Mode enabled. But since we’re deploying it via MDT, we also need to enable Manufacturing Mode (otherwise, when MDT runs scripts like Sysprep inside the S Mode image, they will fail). In the same command prompt, run the following commands:

reg load HKLM\Windows10S c:\Mount\Windows\Windows\System32\Config\System
reg add HKLM\Windows10S\ControlSet001\Control\CI\Policy /v ManufacturingMode /t REG_DWORD /d 1
reg unload HKLM\Windows10S

Once those commands complete, you can commit the changes to the image by running:

DISM /Unmount-Image /MountDir:"C:\mount\windows" /Commit

DISM enabling Manufacturing Mode
Committing changes
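The whole offline edit, from mounting the .wim to committing it, as an added PowerShell script. This is not the post’s own script (the post runs the individual commands shown above); it is included here so the steps can be re-run as one unit and the image is discarded rather than half-committed if a step fails. Assumptions that are not taken from the post: the placeholder .wim path, image index 1, and the Unattend.xml body, which reproduces the single WSIM setting the post adds (the Microsoft-Windows-CodeIntegrity component’s SkuPolicyRequired value in the offlineServicing pass). If you saved an Unattend.xml from WSIM, copy that file in instead of the embedded one.

```powershell
# Added example, not the post's own script: offline-enable S Mode plus
# Manufacturing Mode in a captured Windows 10 .wim, committing only on success.
#Requires -RunAsAdministrator

param(
    [string]$WimFile  = 'C:\YOURWIMFILE.wim',   # placeholder: the .wim you captured
    [int]   $Index    = 1,                      # assumed: single-image .wim
    [string]$MountDir = 'C:\mount\windows'
)

$ErrorActionPreference = 'Stop'

# Unattend.xml carrying only the offlineServicing Code Integrity setting the post adds.
# publicKeyToken is the standard token WSIM emits for in-box Microsoft components.
$unattend = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-CodeIntegrity" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SkuPolicyRequired>1</SkuPolicyRequired>
    </component>
  </settings>
</unattend>
'@

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
dism /mount-wim "/wimfile:$WimFile" /index:$Index "/mountdir:$MountDir"
if ($LASTEXITCODE -ne 0) { throw "DISM mount failed (exit code $LASTEXITCODE)" }

$commit = $false
try {
    # A freshly captured image has no Panther folder; create it and drop the answer file in.
    $panther = Join-Path $MountDir 'Windows\Panther'
    New-Item -ItemType Directory -Path $panther -Force | Out-Null
    $unattendPath = Join-Path $panther 'Unattend.xml'
    Set-Content -Path $unattendPath -Value $unattend -Encoding UTF8

    # Apply the offlineServicing pass; this is what turns the image into S Mode.
    dism "/image:$MountDir" "/apply-unattend:$unattendPath"
    if ($LASTEXITCODE -ne 0) { throw "apply-unattend failed (exit code $LASTEXITCODE)" }

    # Manufacturing Mode lets MDT's scripts and Sysprep run inside the S Mode image
    # during the build. The task sequence must delete it again before hand-off.
    $hive = Join-Path $MountDir 'Windows\System32\Config\System'
    reg load HKLM\Windows10S $hive | Out-Null
    try {
        reg add HKLM\Windows10S\ControlSet001\Control\CI\Policy /v ManufacturingMode /t REG_DWORD /d 1 /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg add failed (exit code $LASTEXITCODE)" }
    }
    finally {
        [gc]::Collect()                      # release stray handles so the hive can unload
        reg unload HKLM\Windows10S | Out-Null
    }

    $commit = $true
}
finally {
    # Commit only if every step succeeded; otherwise discard so the .wim stays untouched.
    if ($commit) { dism /Unmount-Image "/MountDir:$MountDir" /Commit }
    else         { dism /Unmount-Image "/MountDir:$MountDir" /Discard }
}
```

Run it from an elevated PowerShell prompt with the captured .wim as `-WimFile`. The discard-on-failure branch matters more than it looks: a .wim that was committed after a failed apply-unattend or a half-written hive is the kind of image that later produces the “could not parse or process the unattend answer file” error the post mentions.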

Perfect! Now we have a standard Windows 10 1909 pro .wim with our S Mode changes. We just need to create a deployment in MDT so we can use this .wim. Import the edited .wim into MDT:

Importing S Mode wim
Imported .wim into MDT

We’ll need to create a new Standard Client Task Sequence. I’ll select the image I imported earlier as part of this step, and skip the rest of the settings.

New Standard Client task sequence

Since we want to use this for Autopilot, we’ll edit the LTISysprep.wsf file used in the task sequence. I created a new LTISysprepAP.wsf file that has a /oobe switch (notice sCmd = … below). That way when the device is Sysprep’d, it will end up in the Out of Box Experience, allowing us to enroll it via Autopilot.

LTISysprepAP.wsf

Save this file to the Scripts folder in your deployment share. Then, back in our task sequence, we’ll add a variable to the initialization step to specify Sysprep:

Set DoCapture = Sysprep

And then reference our LTISysprepAP.wsf file in the actual Sysprep step:

LTISysprepAP.wsf reference

But we’re not done with that task sequence yet! At the end of State Restore, we need to add a command to remove Manufacturing Mode (or else users can run anything they want, defeating the purpose of S Mode).

To do this, create a new command line and type in the following:

reg delete HKLM\system\ControlSet001\Control\CI\Policy /v ManufacturingMode /f

New Run Command Line option
Disable Manufacturing Mode command

We also need to add a Restart computer command before that, or else Sysprep will fail:

Restart computer before Disable Manufacturing Mode

We’re almost there! Now that we have our Windows 10 1909 in S Mode .wim, and deployment task sequence, all we need to do is actually deploy it.

If we want to deploy this like any regular .iso, we can create a new Media under Advanced Configuration. There’s not much to specify for its creation, but make sure the location is not inside the deployment share! That will cause errors.

Once we have the media, we can edit the Media Rules to automate the deployment. Right click on the Media we just created and select Properties. Paste in the following properties to automate all of the MDT Deployment settings:

[Settings]
Priority=Default
Properties=MyCustomProperty

[Default]
TaskSequenceID=YourTaskSequenceName
OSInstall=Y
SkipCapture=YES
SkipAdminPassword=YES
SkipAdminAccounts=YES
SkipProductKey=YES
SkipComputerBackup=YES
SkipBitLocker=YES
SkipApplications=YES
SkipTaskSequence=YES
SkipUserData=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipPackageDisplay=YES
SkipLocaleSelection=YES
SkipTimeZone=YES
TimeZone=035
TimeZoneName=Eastern Standard Time
SkipSummary=YES
SkipFinalSummary=YES
FinishAction=REBOOT

Media Properties

Now that we have all the pieces, go ahead and update the media content so that the litetouch.iso is recreated with all the latest contents.

Update Media Content

Then all we need to do is use the .iso like any other Windows 10 iso. I’ll create a new Hyper-V VM and boot it from the .iso (I went ahead and changed the name to reference S Mode):

New Hyper-V VM
Zero-touch start to Task Sequence
Installing the SMode WIM

Heads up: if you get an error about the unattend file not being able to be applied (Windows could not parse or process the unattend answer file for pass [specialize]), this may be because you’re trying to rerun the installation on a previously S Mode’d virtual disk.

Unattend.xml error
MDT Task Sequence running after OS install
Features applying during Restart before Sysprep
Sysprep resetting the device to OOBE after restart

Once the process completes, we’ll see the device at OOBE!

Once we set up the device (yes, it will enroll into Intune!) we can see that it is in S Mode!

Enrolling Windows 10 in S Mode VM into Intune
Windows 10 Pro in S Mode
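A quick way to confirm on the deployed device both that it is in S Mode and that the Manufacturing Mode override added during the image build was actually removed by the task sequence step described earlier. This is an added PowerShell check, not something from the post or from MDT. The ManufacturingMode value and the CI\Policy key come from the post’s own reg commands; the assumption (not stated in the post) is that the SkuPolicyRequired unattend setting is reflected as a SkuPolicyRequired DWORD under that same key on the running system.

```powershell
# Added example, not from the post: verify S Mode is enforced on a deployed device.
# Run elevated. CurrentControlSet resolves to the live ControlSet the post's
# reg delete command targets as ControlSet001.

function Test-SModeState {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    )

    # Missing key or missing values simply read as 0 below.
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    $skuRequired   = [int]$policy.SkuPolicyRequired   # assumed to mirror the unattend setting
    $manufacturing = [int]$policy.ManufacturingMode   # the build-time override from the post

    [pscustomobject]@{
        SkuPolicyRequired = $skuRequired
        ManufacturingMode = $manufacturing
        InSMode           = ($skuRequired -eq 1)
        # Manufacturing Mode left behind means arbitrary code still runs despite S Mode.
        Enforced          = ($skuRequired -eq 1 -and $manufacturing -ne 1)
    }
}

$state = Test-SModeState
$state | Format-List

if (-not $state.Enforced) {
    Write-Warning 'S Mode is not being enforced on this device.'
    if ($state.ManufacturingMode -eq 1) {
        Write-Warning 'ManufacturingMode is still set; the Disable Manufacturing Mode task sequence step did not run or was ordered before the restart.'
    }
    exit 1
}
```

The exit code makes it usable as a compliance script (for example as a scheduled check or a post-deployment validation step): a non-zero exit means the device looks like S Mode in the Settings app but is not restricted.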

Looking to save some time? Here’s a link to my Unattend.xml and LTISysprepAP files. Happy deploying! 🎉
