How does MS lock a computer to S Mode?


  1. Posts : 18,470
    Windows 11 Pro
       #1

    How does MS lock a computer to S Mode?


    This thread started on Elevenforum but I want to start it here for the Windows 10 gurus not on Elevenforum.
    Install Window 11 in S mode (or Windows 10) | Windows 11 Forum

    Here is the status of the experiment so far. Starting with @cereberus finding that once you install Windows 10/11 in S Mode, that computer gets locked to S Mode, and any previous installations of Windows 10/11 (dual booting) will revert to S Mode. Of course, you can use the MS Store to unlock S Mode, but it's weird the entire computer and all the Windows 10/11 installations on it get put into S Mode.

    I continued the experiment with a VM. I created a Generation 2 Hyper-V virtual machine and did a completely stock installation of Windows 11 Home to a virtual HDD. I did it not connected to the internet and used oobe/bypassnro to set up a local account. I then connected it to the internet and activated it. I then attached a second virtual HDD to the VM and ran Windows 11 setup from an install drive modified to install S Mode. I did leave the first VHDX connected during setup. During this setup, I disconnected the network. When I got to the screen to create the first user account, I could not enter command prompt to bypassnro, so I just restarted the VM. The VM restarted, I had a dual boot menu, and I booted into the first install of Windows 11 and, sure enough, it was in S Mode!

    This had nothing to do with a MS account because neither Windows was ever attached to a MS Account. It could not have happened with the digital license stored at MS because the S Mode installation was never allowed to connect to the internet. I restarted the VM back into a Windows 11 installation drive and looked at the BCD on the VHDX and saw nothing in there different than normal. Hmmmm.........

    I removed the VHDX with the S Mode installation from the VM. I rebooted the VM with the stock, unmodified Windows 11 ISO file downloaded directly from MS. On the very first Windows setup screen, I entered command prompt and ran the diskpart clean command on the VHDX. I removed the internet connection. I proceeded to install Windows 11 Home onto the blank, unallocated VHDX. I got to the screen where you create a user account and Shift+F10 command line DID NOT WORK! I turned on the network connection and finished the install and Windows 11 Home was in S MODE! WTF?!?!

    My next step is to create a brand new VHDX never before attached to a VM, connect it as the only VHDX attached to this VM, and do a new install again using the completely unmodified, 100% ISO file downloaded directly from Microsoft.

    So, the question is, How is MS locking a computer to S Mode even when doing a brand new clean install from a stock ISO file onto a blank, unallocated drive, not connected to the internet?

    UPDATE: Removed all virtual drives from the VM. Created a brand new VHDX file never before connected to any VM. Ran Windows setup from a stock ISO file downloaded directly from MS - not connected to the internet. Result was S Mode again!!!

    So far this has only been in UEFI mode. Time to try it with Windows 10 in legacy BIOS mode on a Generation 1 VM.


  2. Posts : 882
    Windows 7
       #2

    https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-10-s-manufacturing-considerations?view=windows-11
    Code integrity policy

    The code integrity policy (CI) blocks the execution of unsigned or improperly signed binaries. Using unsupported binaries is only recommended when performing lab or factory image customization, or during deployment where the execution environment is either WinPE or Audit Mode.

    Once the CI policy is enabled on a system, it is enabled in two places:

    1. Windows 11 in S mode, enforced at boot.
    2. EFI firmware policy, enforced during firmware load and OS boot.




  3. Posts : 18,470
    Windows 11 Pro
    Thread Starter
       #3

    So if I try this experiment on a Legacy BIOS VM, then S Mode should not carry over to new clean installs....


  4. Posts : 4,789
    several
       #4

    Secure boot

    https://learn.microsoft.com/en-us/ed...ws-10-editions



    For security and performance, this mode of Windows only runs verified apps from the Store.

    If you see this message, follow these steps to stop receiving the message:

    1. If you've BitLocker enabled, disable it first in the Control Panel. Go to Manage BitLocker and select Turn off BitLocker.
    2. Open Windows Settings and go to Update & security > Recovery.
    3. In the Recovery page, find Advanced startup and select Restart now to start your PC.
    4. After restarting, in the Choose an option page, select Troubleshoot.
    5. In the Troubleshoot page, select Advanced options, and in the Advanced options page select UEFI Firmware Settings.
    6. In the UEFI Firmware Settings page, select Restart to get to the device-specific UEFI/BIOS menu.
    7. Once you've accessed UEFI, look for the menu item labeled Security or Security Settings, and navigate to it.
    8. Look for an option called Secure boot configuration, Secure boot, or UEFI Boot. If you can't find one of these options, check the Boot menu.
    9. Disable the secure boot/UEFI boot option.
    10. Save your settings and then exit UEFI. This exit action will restart your PC.
    11. After Windows is done booting up, confirm that you no longer see the message.

    Note

    We recommend following these steps again to re-enable the Secure boot configuration, Secure boot, or UEFI Boot option, which you disabled in step 9, and then subsequently re-enable BitLocker (if you previously had this enabled).


  5. Posts : 15,688
    Windows10
       #5

    That link is quite out of date - it dates back to original implementation when S Mode was on Pro only. Later the way it worked changed and you could do Home and Pro.

    Incidentally S mode is only for Home now allegedly with Windows 11 but you can still set it up for Pro (no idea why anybody would want to do this though LOL).


  6. Posts : 18,470
    Windows 11 Pro
    Thread Starter
       #6

    Secure boot is the key, though. I have a VM set up with two VHDX drives. One drive has Windows 10 Home normal mode installed. The other drive has Windows 10 Home S Mode installed. The EFI partition the VM boots from is located on the Windows 10 Home normal mode drive with a dual boot menu. Dual booting works as follows:

    Secure boot on: Both Windows 10 Home installations will load in S Mode.
    Secure boot off: One Windows 10 Home loads in normal mode, the other loads in S Mode.

    TPM on or off makes no difference.

    I doubt very seriously that dual booting 2 different VHDX drives would be any different than dual booting two partitions on the same drive since my current setup only boots from 1 EFI partition.


  7. Posts : 6,924
    Windows 11 Pro - Windows 7 HP - Lubuntu
       #7

    NavyLCDR said:
    Secure boot is the key, though. I have a VM set up with two VHDX drives. One drive has Windows 10 Home normal mode installed. The other drive has Windows 10 Home S Mode installed. The EFI partition the VM boots from is located on the Windows 10 Home normal mode drive with a dual boot menu. Dual booting works as follows:

    Secure boot on: Both Windows 10 Home installations will load in S Mode.
    Secure boot off: One Windows 10 Home loads in normal mode, the other loads in S Mode.

    TPM on or off makes no difference.

    I doubt very seriously that dual booting 2 different VHDX drives would be any different than dual booting two partitions on the same drive since my current setup only boots from 1 EFI partition.
    I don't believe that the S information is stored on BIOS. So where is it stored? On the EFI partition? Modifying a partition or drive ID? On the MS reserved partition?
    Maybe @Kari knows the answers.


  8. Posts : 18,470
    Windows 11 Pro
    Thread Starter
       #8

    Megahertz said:
    I don't believe that the S information is stored on BIOS. So where is it stored? On the EFI partition? Modifying a partition or drive ID? On the MS reserved partition?
    Maybe @Kari knows the answers.
    It is stored as Secure Boot UEFI firmware policy as part of the computer's firmware. S Mode is only persistent for new clean installs when Secure Boot is enabled.
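
A way to record the two variables the thread keeps comparing (Secure Boot state and S mode) from inside each boot entry. This is an added example, not part of any post in the thread; it assumes that an S mode install is marked by `SkuPolicyRequired = 1` under the code integrity policy registry key, and the function names are illustrative.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws
    # on legacy BIOS (for example a Generation 1 Hyper-V VM).
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    }
    catch [System.PlatformNotSupportedException] { 'LegacyBIOS' }
    catch [System.UnauthorizedAccessException]   { 'NeedsElevation' }
    catch { "Unknown: $($_.Exception.Message)" }
}

function Test-SModeFlag {
    # Assumption: SkuPolicyRequired = 1 under this key marks an S mode install.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SkuPolicyRequired
    return ($val -eq 1)
}

$secureBoot = Get-SecureBootState
$sMode      = Test-SModeFlag

# Map the pair onto the observations reported in posts #6 and #8.
$reading = switch ("$secureBoot/$sMode") {
    'On/True'   { 'S mode with Secure Boot on: the state in which the thread saw every install come up in S mode.' }
    'Off/True'  { 'S mode with Secure Boot off: in post #6 only the install made in S mode stayed in S mode.' }
    'On/False'  { 'Normal mode with Secure Boot on: no S mode policy is in effect for this boot.' }
    'Off/False' { 'Normal mode with Secure Boot off.' }
    default     { 'Secure Boot state unavailable; the Secure Boot comparison does not apply.' }
}

[pscustomobject]@{
    SecureBoot = $secureBoot
    SMode      = $sMode
    Reading    = $reading
}
```

Running it once per boot entry, with Secure Boot on and then off, gives the same four-cell comparison as post #6.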


  9. Posts : 15,688
    Windows10
       #9

    NavyLCDR said:
    It is stored as Secure Boot UEFI firmware policy as part of the computer's firmware.
    Yeah - UEFI PCs do not actually have a BIOS but use UEFI Firmware to do the job that the (legacy) BIOS did on older PCs (plus more).

    This old reference explains it better.
    Goodbye BIOS, hello UEFI | Computerworld.

    However, saying something like "set the boot order in legacy BIOS or UEFI firmware" is rather a mouthful, so we all tend to just say "set the boot order in the BIOS" as it is easier - lazy speak really.

    It is a bit like how we often use well known brand names as a generic term e.g. can I borrow your "hoover" or "biro" as it is just easier than saying "vacuum cleaner" or "ball point pen" (in UK at least).

    I am sure there are parts of the UEFI Firmware that are only accessible by MS or OEM vendors, not by average users.


  10. Posts : 6,924
    Windows 11 Pro - Windows 7 HP - Lubuntu
       #10

    NavyLCDR said:
    It is stored as Secure Boot UEFI firmware policy as part of the computer's firmware. S Mode is only persistent for new clean installs when Secure Boot is enabled.
    If you have Secure Boot enabled and two drives, one has Win 11 installed as normal and the other installed as S mode. Both will boot as S mode, correct?
    If you disconnect the Win 11 drive installed as S mode does the other Win 11 installed as normal still boot as S mode?


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
