- Home
- Healthcare and Life Sciences
- Healthcare and Life Sciences Blog
- Windows 10 in S mode for the Clinical Desktop
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
What is Win10 in S mode?
Win10 S mode is a "locked down" version of Windows 10. As of Win10 1803 S mode comes in several flavors of Home, EDU, Pro, Enterprise. It uses strict Code Integrity policies to ensure the software run on the device is not malicious. It only allows verified and signed code to run. Win10 in S mode “Provides an Always-Connected” experience and optimizes hardware and battery consumption. Devices with battery life that lasts entire shifts. It is recommended to run Win10 1803 or later in S mode. There new feature in this version which make the end user experience more robust and Deployment simpler and easier to manage. Low-price S mode devices offer tailored solutions for kiosks, digital signs, and task/shift work. Win10 in S mode will run on any device able to run Win10. It is referred to as Win10 in S mode, Win10 S mode, or simply Win10 S.
How is Win10 S deployed for use in Healthcare organizations?
Organizations have three options when deploying Win10 S.
Traditional
Image-based wipe-and-reload familiar with enterprises moving from Windows 7 and 8.1 to Windows 10 S. This is familiar to IT staffs, however it can be high effort and cost, but necessary in some scenarios. An option for all scenarios.
Upgrade
Existing Windows 7 and 8.1 devices migrated to Win 10 S. Let Windows do the work, automatically migrating apps, data, and settings. Recommended for existing Windows 7/8/8.1 devices and when upgrading Windows 10 S devices to Fall Creators update.
AutoPilot
Transform new device so they are ready for productive use. No imaging required, Lower effort and lower cost, and it can be user driven (AutoPilot) or IT driven (Windows Configuration Designer). Modern approach to Windows 10 S deployment.
Why is Win10 S mode important in Healthcare?
For those clinical Healthcare workers where shared workstations have been widely used, Win10 S is perfect alternative for several reasons. First, Win10 S is designed to run on low cost devices. Because of the low cost devices we can remove the shared device scenario which adds significant complexity. Second, Win10 S can be configured, with Windows Hello, to allow for easier and faster logons. More secure Biometric logons can be used with Windows Hello.
Using a feature in Win10 called Assigned Access, organizations can control which applications available on the desktop. This "lockdown" feature of Win10 allows an organization to limit what apps are available on that desktop, limiting the user, and ensuring a more secure desktop. Win10 S in S mode is ideal for users who primarily access Office365, Cloud, and virtual apps (Citrix).
What are the Requirements for Win10 in S mode?
Win10 in S mode has strict requirements for the Drivers allowed to run. Driver packages must be digitally signed with a Windows, WHCP (formerly WHQL), or Store certificate from the Windows Hardware Developer Center Dashboard. Microsoft recommends using a Universal Windows driver where possible.
For more info, see:
Win10 S has strict requirements for the Applications allowed to run. Apps can only be installed in two ways, unless manufacturing mode is invoked. Only applications that have been converted to .APPX or are in UWP format are allowed to be installed on Win10 S. There are two ways to install apps on Win10 S. Sideload and Store Signed. Desktop Bridge can be used to convert apps for Win10 S loading. Other App Modernization tools are available as well:
- Visual Studio 2017
- Xamarin
- Bridge aka Desktop App Converter https://developer.microsoft.com/en-us/windows/bridges/desktop
Citrix and RemoteApp, virtualization based options, that allow Win10 S to run non Store and Win32 apps. Win10 S cannot be domain joined. Win10 S can only be managed with an MDM solution. Microsoft Intune is recommended and offers the most integrated solution.
What does Win10 S offer my Healthcare Organization?
According to Gartner, improved security is one of the biggest benefits of adopting Win10. In addition, Win10 S is specifically designed to stop the encroachment of ransomware in your environment. As of the 1803 version of Win10 all built-in Security is now branded Defender. Below are the components that comprise Windows Defender and are always on in Win10 in S mode.
Windows Defender SmartScreen
Phishing and malware filtering technology for Microsoft Edge and Internet Explorer 11 in Windows 10. Defender Smart Screen uses the power of the Intelligent Security Graph to prevent encounters. It is a cloud based service which is continuously updated, nothing for you to deploy.
Windows Defender System Guard
Protects boot integrity to ensure a trusted and tamper free system. System Guard uses virtualization based security and a container to protect sensitive Windows processes and data. Hardware based integrity measurements are used to verify boot and runtime integrity and enables advanced Conditional Access for System Guard.
Windows Defender Application Guard
Protects Windows, apps, information, and the network from threats encounters while using Microsoft Edge. Uses a hardware isolated container to prevent attacks from having impact. Closing the browser wipes attack without a trace.
Windows Defender Application Control
Windows desktop can be locked down to only run trusted apps. Untrusted apps and files based executables, such as malware, are unable to run. Is easy to manage, and incorporates an automatic allow list management in conjunction with the Intelligent Security Graph (ISG).
Windows Defender Antivirus
Next generation Antivirus powered by the Intelligent Security Graph. Defender Anti-Virus scored 100% detection in Real World Testing against top competitors (AVTest Feb 2017). Can detect fast changing malware varietals using behavior monitoring and cloud-based protection that expedites signature delivery. No additional deployment and Infrastructure. Continuously up-to-date, lower costs.
Windows Defender Exploit Guard
Advanced host intrusion prevention with next generation vulnerability mitigations. Exploit Guard makes vulnerabilities less exploitable with surface area reduction (ASR) controls. Protects sensitive folders and processes from unauthorized access.
Windows Defender Components cannot Be Toggled On/Off, they are always on and up-to-date. It uses the Trusted Platform Module (TPM) to ensure the security Features in Windows 10 are tamper-proof.
You Mentioned Low-Cost devices, can you elaborate?
Win10 S is designed to run on "low-cost" devices. There are several devices in the market designed to run Win10 S. These devices are <$500. However, I must caveat this device info and say that device lines are constantly changing.
Links
Windows 10 S mode FAQ
https://support.microsoft.com/en-us/help/4020089/windows-10-s-faq
Windows 10 S mode Driver Requirements
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/Windows10SDriverRequirements
Test your Windows app for Windows 10 S mode
https://docs.microsoft.com/en-us/windows/uwp/porting/desktop-to-uwp-test-windows-s
Win 10 S mode Peripheral Compatibility Site:
https://support.microsoft.com/en-us/help/4025013/windows-10-s-accessory-compatibility
Planning a Windows 10 in S mode deployment
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-10-s-planning
Intune Roadmap
https://docs.microsoft.com/en-us/intune/early-edition-nda
Case Study
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.