
Windows 10 S is the future (but not the present) of the desktop PC

It's easy to focus on all the things that the latest edition of Windows 10 can't do. But in a world defined by security holes and data breaches, maybe a locked-down Windows isn't such a bad idea after all.

What's the point of Windows 10 S?

You could say the S stands for security, with Microsoft bragging that "no known ransomware works against" the locked-down and hardened Windows 10 S.

Or maybe it stands for schools. After all, Microsoft has positioned this edition as being an alternative to Chromebooks for the education market.

I'm going to speculate that the S stands for someday. Because this new Windows edition is probably not one you want to run today, but it is clearly version 1.0 of something we'll see in two or three years.

You probably saw the headlines, including one in ZDNet that called Windows 10 S "ransomware-proof Windows." That was an exaggeration, and one that Microsoft wouldn't have endorsed.

In its blog post about ransomware, Microsoft claimed, modestly, that "No known ransomware works against Windows 10 S - our latest and most hardened operating system."

"What's more," they added, "no Windows 10 customers were known to be compromised by the recent WannaCrypt (also known as WannaCry) global cyberattack."

That's not a proclamation that Windows 10 S is somehow possessed of a Harry Potter-esque cloak of invisibility that renders it invulnerable to malware. Rather it's a reflection of the serious engineering work that went into reducing the attack surface of this Windows 10 release. (For more details, see "What is Windows 10 S?" and "A closer look at what Windows 10 S can and can't do.")

If you plop a Surface Laptop (so far the only device that runs Windows 10 S) onto every desktop in your organization, here's a partial list of things your technically unsophisticated users won't be calling your help desk to complain about:

  • They can't download and run a malicious executable file, no matter how tempting it sounds.
  • If they accidentally download a program that's bundled with adware, it won't run either.
  • Any malware that tries to run PowerShell commands to modify the system configuration will fail.
  • You will not have to worry about random plug-ins, add-ins, and extensions causing "Windows rot." They won't install, period.

In short, Windows 10 S solves the biggest problem in personal computing: the clueless PC user who can't resist the siren song of unwanted software.

And that's not the end of the road. That same post talks as much about the future as it does the present:

"We are proud of how well Windows 10 has protected our customers from destructive attacks like ransomware. Our strategy of protect, detect, and respond - combined with Windows as a Service - enables us to dramatically increase the cost of attacking Windows 10 with each successive feature update."

It's been a truism for as long as I can remember: Most malware and unwanted software arrives on a Windows PC with the willing cooperation of the victim. By restricting allowed software to what's in the Windows Store, Windows 10 S eliminates that vector decisively.

It's not a magic bullet, of course. Because this is still, at its core, Windows, a determined attacker can still exploit a flaw in the underlying operating system or one of its components. But that's considerably more difficult than using social engineering to convince your accounting manager to open a booby-trapped PDF file.

But you should consider Windows 10 S, in its current state, to be a not particularly sophisticated version 1.0. What's coming in version 2.0 and beyond?

For a sneak preview, see my ZDNet colleague Jason Perlow's examination of how containerization is going to revolutionize Windows on the desktop. That's the logical end game for these tentative first steps.

The Windows Store has a fair number of converted desktop apps already: Slack. Evernote. Just this week, Spotify. Later this year, iTunes. And, of course, Microsoft Office, although the Store version is, annoyingly, available only on PCs running Windows 10 S.

The converted desktop apps in the Windows Store are better behaved than their counterparts that can be downloaded from any random website. They have at least rudimentary sandboxing, which means their registry and file system settings are virtualized.

They're also easier to update and remove, because they're installed as an app package in a predictable location, instead of insinuating their way into the Program Files (x86) folder.

Much of the protection that comes with installing desktop apps from the Store is attributable to the vetting that Microsoft does before it allows an app into the Store in the first place. But these apps still have full access to system resources and can, if they're compromised, do a tremendous amount of damage.

As Jason explains, the answer to that conundrum is pervasive virtualization, with every app running in its own virtualized container, interacting with the rest of the system through brokers that enforce strict security boundaries.

And that's where future versions of Windows come in. Today's Chromebook-class devices aren't up to that challenge.

But give Moore's Law a few years to do its magic and pretty soon you will have cheap hardware that can handle that kind of workload.

And if Microsoft does its evangelism right, you will also have a Store filled with converted desktop apps, because why not?

The perfect computer will never be capable of running all the software in the world. A Mac can't run iPad apps, and vice versa. The locked-down version of Windows 10, circa 2020, will support only a fraction of the software available to the full, unrestricted Windows editions.

But that siren song of security, a Windows PC that offers a partial solution to compatibility headaches without opening the floodgates to malware, has to be tempting to harried IT pros.

They just have to be willing to wait.