A couple of weeks ago I bought a Surface Laptop because I wanted to spend some time using Windows 10 S. It has been an interesting experience. I’ve learned a great deal about Microsoft’s latest operating system—and its prospects as a tool for the enterprise.
Windows 10 S is a variant of the familiar Windows 10 Pro, but locked down to work only with Windows Store applications and to prevent local scripting tools and system-level commands from running. There is no access to cmd.exe, no PowerShell, no RegEdit, and certainly no Bash prompt, all aimed at reducing the risk of a user changing device configuration or getting around the operating system’s restrictions. Power users may bristle at this approach, but Windows 10 S isn’t intended for them. The locked-down nature of the OS and the initial focus on the education market is an intriguing combination, and a pointer to a possible enterprise future.
The education market is an interesting proxy for a modern enterprise. It is a rapidly moving mix of cloud and local application services, supporting what can best be described as a massive BYOD deployment. It is also the nearest thing out there to an IT wild west, one where a substantial number of users are running a perpetual penetration test on the network and the devices connected to it. If an OS can survive in a modern school or college, it can survive anywhere.
Managing Windows 10 S
As it stands, Windows 10 S can’t connect to an Active Directory domain as a fully managed device. Out of the box it supports lightly managed Workplace Join scenarios, as well as Azure Active Directory. You still get a lot of control, if you’re using mobile device management tooling, including support for MDM profiles. Microsoft has replicated most of the core AD management features in its Windows 10 MDM support, using tools like Intune to deliver management profiles to both on-premises and cloud-managed devices. You can push profiles via MDM services, and users can install profiles from the Windows Settings tools.
Workplace Join is a reasonable proxy for most Active Directory scenarios, when you want to give controlled access to corporate resources, while leaving users to manage their own devices. It’s an approach that should work well with locked-down Windows 10 S devices, because the OS restrictions make it hard to do more than just run applications or connect to services. While it is still possible to get malware on a Windows 10 S device, as the Windows Store release of Office supports document macros, many of the traditional vectors are restricted by preventing PowerShell scripts and cmdlets from running and by blocking traditional installers (including Xcopy).
Working with Windows Store Office
Along with Windows 10 S, Microsoft has launched a Windows Store version of the familiar Microsoft Office. It’s the familiar set of core applications: Word, Excel, PowerPoint, Access, Publisher, and Outlook. They’re all the familiar Win32 versions (not the now-defunct Mobile Office apps built using WinRT), wrapped for the Store using the Desktop Bridge, so they work exactly the way you’d expect.
Once I had installed Office on my Surface Laptop, I connected it to my existing Office 365 account, linking it to OneDrive and a selection of other services. Since I installed it, there have been a couple of Office updates from the Store, which have been quick and painless, stopping and restarting Outlook as part of the install process. Microsoft has done a good job with these apps, something it needs to do to encourage other vendors to make Desktop Bridge conversions of their apps.
There is no need for a Desktop Bridge release of OneNote; the UWP (Universal Windows Platform) version has come on by leaps and bounds over the last few months, to the extent that I’ve stopped using the desktop version and switched over to it. Other Office 365 tools, like Sway and Delve, are also UWP applications, so should work well on Windows 10 S.
What’s missing in Windows 10 S
There are still some holes in the Windows 10 S business case. There is no Skype for Business client, so you can’t take advantage of Microsoft’s unified communications and collaboration tools. Similarly, there is no Store version of Teams, though you can install and use a Desktop Bridge version of Slack. As Teams is built using the same Electron toolkit as Slack, one would have expected a quick transition to the Store, so it remains a surprising gap – especially with Teams’ increasing focus on education.
I have also found a couple of applications where a Windows Store version works on a full desktop Windows 10 install, but won’t run on Windows 10 S. Microsoft has been prompt to get details of these problems, and is working with developers to fix them, a sign that the company is committed to this new variant of its platform.
It perhaps goes without saying that Windows 10 S is not an OS for developers. Tools like Visual Studio are unlikely to become available in the Windows Store. That’s because they rely on services that currently can’t be wrapped with the Desktop Bridge. And of course, they require development code to compile and run, a scenario that falls well outside Windows 10 S’s limitations. Even so, it’s possible that more limited tools designed to work with Azure or other cloud services could run, and I wouldn’t be surprised to see a version of Visual Studio Code make it to the Windows Store, probably after the Fall Creators Update arrives with an expanded set of Desktop Bridge capabilities.
An enterprise tomorrow
As I’m using my Surface Laptop mainly for writing, the combination of Windows 10 S and Office is more than good enough for my needs. The OS is quick and stable, and I don’t miss access to power user features. Still, I’m not sure I will stick with it for the long term, as there are things I’d like to do with the hardware that require taking advantage of the free upgrade to Windows 10 Pro. Until then, though, Windows 10 S is an effective enterprise endpoint.
What are the chances for a Windows 10 S Enterprise release somewhere down the line? After spending time with the OS, I would say the chances are pretty good. Microsoft has gone a long way to deliver a locked-down OS that works only with digitally signed code, and where management can be left to a minimum because a user can do little beyond install and run certified apps. Plus, with Office already available and Edge shaping up into a capable browser, most users will have all they need—and much of what’s missing just needs wrapping in the Desktop Bridge.