How to create a Windows 10 in S Mode image (Windows 10 Enterprise Security Features)
Microsoft publicly maintains a Cybersecurity Reference Architecture. If you haven’t checked it out before, head on over to https://aka.ms/MCRA.
Over the next few months, we’re going to explore all these options and talk about how they affect our devices. Most of the time I’ll be showing you how to configure the technology; sometimes I’ll just be explaining how it’s related. But it’s going to be fun, so stay tuned.
Now, if you’ll notice the bottom left of the chart…
Let’s talk about Windows 10 Enterprise Security features!
Windows 10 in S Mode is a “feature” that only allows applications from the Microsoft Store. That means no executing random .exe’s or running .msix installers. That can be a good thing: UWP apps and other apps available from the Microsoft Store can be auto-updated (using the Store), and are built using more modern APIs (enabling better functionality such as tombstoning in the background to save battery life). More details on S Mode here: https://www.microsoft.com/en-us/windows/s-mode
Generally you should be ‘deploying’ Windows 10 in S Mode by buying S Mode devices from a manufacturer. But… you can also edit an image.
Here’s our walkthrough of enabling S Mode in a 1909 business editions .iso:
Enabling S Mode requires editing the unattend.xml file of an image. To that end, we’ll be using MDT for basically our entire walkthrough. MDT will let us: create an edited Unattend.xml, customize the deployment of a Windows 10 .wim, and create “external” media (an .iso) that we can then automate to use with Autopilot.
You’ll need a Windows 10 .wim to start, which you can create and capture from a VM and MDT. Microsoft maintains a great step-by-step guide here: https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image
Once you have a default Windows 10 .wim, we need to edit the WIM using DISM to enable S Mode and Manufacturing Mode.
Enabling S Mode requires you to apply an Unattend.xml file with the S Mode setting. I used MDT (which launches WSIM) to edit the default Unattend.xml for a standard client Windows 10 Pro deployment task sequence (like you would have used in the Capture Windows 10 task sequence for your .wim).
In MDT, select the task sequence you used to capture the .wim, select Properties, and then OS Info (you could actually select any task sequence, but we want to use one that has the same OS we’re deploying so that the Unattend.xml is created appropriately). Then click Edit Unattend.xml.
Once Windows System Image Manager loads up, highlight 2 offlineServicing.
On the Windows Image pane, select amd64_Microsoft-Windows-CodeIntegrity_neutral. Right click and Add Setting to 2 offlineServicing.
Back in the Answer File, highlight the new component. On the right hand side, type 1 under SkuPolicyRequired.
And…that’s it! That one change enabled Windows 10 in S Mode. Now we need to save the Unattend.xml in another location so we can apply it to our image.
Now we need to use DISM to apply the unattend file. Open a command prompt as admin, and type in the following commands:
md c:\mount\windows\
dism /mount-wim /wimfile:c:\YOURWINFILE.wim /index:1 /mountdir:c:\mount\windows\
(Be sure to specify the wim you’ve captured for the /wimfile switch)
Once the .wim is mounted, copy the Unattend.xml you saved with the S Mode change into the c:\mount\windows\windows\panther folder (I had to create this folder).
Then run the following command:
dism /image:c:\mount\windows /apply-unattend:"C:\mount\windows\Windows\Panther\Unattend.xml"
Great! This image now has S Mode enabled. But since we’re deploying it via MDT, we also need to enable Manufacturing mode (or when it runs scripts like sysprep, it will fail). In the Command window, run the following commands (the value is added with /v; it is a REG_DWORD set to 1 in the image’s offline SYSTEM hive):
reg load HKLM\Windows10S c:\Mount\Windows\Windows\System32\Config\System
reg add HKLM\Windows10S\ControlSet001\Control\CI\Policy /v ManufacturingMode /t REG_DWORD /d 1
reg unload HKLM\Windows10S
Once those commands complete, you can commit the changes to the image by running:
DISM /Unmount-Image /MountDir:"C:\mount\windows" /Commit
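As an added example that is not part of the original walkthrough, here are the DISM and reg steps above gathered into one PowerShell script that checks each step and discards the mount if anything fails. It assumes an elevated prompt, that C:\YOURWIMFILE.wim is a placeholder for your captured .wim at index 1, and writes an Unattend.xml carrying only the SkuPolicyRequired setting WSIM produced.

```powershell
# Added example, not the author's script: the DISM and reg steps from the walkthrough in one
# PowerShell run. Assumes an elevated prompt and that $WimPath is your captured .wim (placeholder).
$WimPath  = 'C:\YOURWIMFILE.wim'   # placeholder: the .wim captured with MDT
$MountDir = 'C:\mount\windows'
$HiveKey  = 'HKLM\Windows10S'      # temporary name for the image's offline SYSTEM hive

# The single offlineServicing setting WSIM added: CodeIntegrity/SkuPolicyRequired=1 enables S Mode.
$Unattend = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-CodeIntegrity" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <SkuPolicyRequired>1</SkuPolicyRequired>
    </component>
  </settings>
</unattend>
'@

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
dism /mount-wim "/wimfile:$WimPath" /index:1 "/mountdir:$MountDir"
if ($LASTEXITCODE -ne 0) { throw "DISM mount failed ($LASTEXITCODE)" }

$committed = $false
try {
    # Panther does not exist in a freshly captured image; create it, then apply the answer file.
    $Panther = Join-Path $MountDir 'Windows\Panther'
    New-Item -ItemType Directory -Path $Panther -Force | Out-Null
    $UnattendPath = Join-Path $Panther 'Unattend.xml'
    Set-Content -Path $UnattendPath -Value $Unattend -Encoding UTF8
    dism "/image:$MountDir" "/apply-unattend:$UnattendPath"
    if ($LASTEXITCODE -ne 0) { throw "Apply-Unattend failed ($LASTEXITCODE)" }

    # ManufacturingMode=1 lets MDT's scripts (sysprep etc.) run inside the S Mode image.
    # The task sequence must delete it again at the end, or S Mode is effectively off.
    reg load $HiveKey (Join-Path $MountDir 'Windows\System32\Config\System') | Out-Null
    reg add "$HiveKey\ControlSet001\Control\CI\Policy" /v ManufacturingMode /t REG_DWORD /d 1 /f | Out-Null
    # Check the value actually landed before unloading; a missing value fails the deployment later.
    $query = reg query "$HiveKey\ControlSet001\Control\CI\Policy" /v ManufacturingMode
    if (-not ($query -match 'ManufacturingMode\s+REG_DWORD\s+0x1')) { throw 'ManufacturingMode not set' }
    $committed = $true
}
finally {
    reg unload $HiveKey 2>$null | Out-Null
    # Commit only if every step succeeded; otherwise throw the edits away and leave the .wim untouched.
    dism /unmount-image "/mountdir:$MountDir" $(if ($committed) { '/commit' } else { '/discard' })
}
```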
Perfect! Now we have a standard Windows 10 1909 Pro .wim with our S Mode changes. We just need to create a deployment in MDT so we can use this .wim. Import the edited .wim into MDT:
We’ll need to create a new Standard Client Task Sequence. I’ll select the image I imported earlier as part of this step, and skip the rest of the settings.
Since we want to use this for Autopilot, we’ll edit the LTISysprep.wsf file used in the task sequence. I created a new LTISysprepAP.wsf file that has a /oobe switch (notice sCmd = … below). That way when the device is Sysprep’d, it will end up in the Out of Box Experience, allowing us to enroll it via Autopilot.
Save this file to the Scripts folder in your deployment share. Then, back in our task sequence, we’ll add a variable to the initialization step to specify Sysprep:
And then reference our LTISysprepAP.wsf file in the actual Sysprep step:
But we’re not done with that task sequence yet! At the end of State Restore, we need to add a command to remove Manufacturing mode (or else users can run anything they want, defeating the purpose of S Mode).
To do this, create a new command line and type in the following:
reg delete HKLM\system\ControlSet001\Control\CI\Policy /v ManufacturingMode /f
We also need to add a Restart computer command before that, else Sysprep will fail:
We’re almost there! Now that we have our Windows 10 1909 in S Mode .wim, and deployment task sequence, all we need to do is actually deploy it.
If we want to deploy this like any regular .iso, we can create a new Media under Advanced Configuration. There’s not much to specify for its creation, but make sure the location is not in the deployment share! This will cause errors.
Once we have the media, we can edit the Media Rules to automate the deployment. Right click on the Media we just created and select Properties. Paste in the following properties to automate all of the MDT Deployment settings:
[Settings]
Priority=Default
Properties=MyCustomProperty

[Default]
TaskSequenceID=YourTaskSequenceName
OSInstall=Y
SkipCapture=YES
SkipAdminPassword=YES
SkipAdminAccounts=YES
SkipProductKey=YES
SkipComputerBackup=YES
SkipBitLocker=YES
SkipApplications=YES
SkipTaskSequence=YES
SkipUserData=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipPackageDisplay=YES
SkipLocaleSelection=YES
SkipTimeZone=YES
TimeZone=035
TimeZoneName=Eastern Standard Time
SkipSummary=YES
SkipFinalSummary=YES
FinishAction=REBOOT
Now that we have all the pieces, go ahead and update the media content so that the litetouch.iso is recreated with all the latest contents.
Then all we need to do is use the .iso like any other Windows 10 iso. I’ll create a new Hyper-V VM and boot it from the .iso (I went ahead and changed the name to reference S Mode):
Heads up: if you get an error about the unattend file not being able to be applied (Windows could not parse or process the unattend answer file for pass [specialize]), this may be because you’re trying to rerun the installation on a previously S Mode’d virtual disk.
Once the process completes, we’ll see the device at OOBE!
Once we set up the device (yes, it will enroll into Intune!) we can see that it is in S Mode!
Looking to save some time? Here’s a link to my Unattend.xml and LTISysprepAP files. Happy deploying! 🎉