S mode manufacturing environment

  • Article

Overview

This topic covers the differences in the S mode manufacturing environments from other Windows manufacturing environments.

Code integrity policy

The code integrity policy (CI) blocks the execution of unsigned or improperly signed binaries. Using unsupported binaries is only recommended when performing lab or factory image customization, or during deployment where the execution environment is either WinPE or Audit Mode.

Once the CI policy is enabled on a system, it is enabled in two places:

  1. Windows 10 in S mode, enforced at boot.
  2. EFI firmware policy, enforced during firmware load and OS boot.
  1. Windows 11 in S mode, enforced at boot.
  2. EFI firmware policy, enforced during firmware load and OS boot.

WinPE

The Windows Preinstallation Environment (WinPE) behaves the same for Windows 11 in S mode as it does for Windows Home or Windows Professional.

Note

If you're unable to boot an S mode PC from WinPE or recovery media, adding the S mode policy to the media should allow it to boot.

Copy the winsipolicy.p7b file from the Windows\Boot\EFI\ folder in install.wim to the EFI\Boot folder of your bootable media.

The Windows Preinstallation Environment (WinPE) behaves the same for Windows 10 in S mode and Windows 10 S as it does for Windows Home or Windows Professional.

For more information about WinPE, see Windows PE.

DISM

Adding an S mode image to a WIM

If you want a single WIM that includes multiple Windows editions including Windows 10 S, you can add/append your Windows 10 S image to an existing WIM, which allows you to specify the Windows 10 S image index during DISM /apply.

To see more about adding/appending images to an existing WIM, see Append, apply, and export volume images with a Windows Image (.wim) file.

Detect Windows 10 S with DISM

You can use DISM to detect Windows 10 S (offline in WinPE or in Audit mode). In Audit mode, use DISM /online /get-currentedition. If an image is Windows 10 S, the command should return S. In WinPE, use DISM /image:c:\ /get-currentedition.

See DISM Windows edition-servicing command-line options to see additional commands for working with Windows editions.

Audit mode

Audit mode is availabe when manufacturing an S mode PC. By default, the blocked inbox components are blocked in audit mode. If you need to use blocked inbox components during the manufacturing process, you can enable manufacturing mode. If you enable manufacturing mode, you'll have to make sure to disable manufacturing mode prior to shipping your PC.

To learn more about Audit Mode, see Audit Mode overview.

Factory device diagnostics

During factory testing, Win32-based diagnostic tools can be run by using one of the following options:

  1. A Windows S mode PC running in Audit Mode with Secure Boot turned off and the manufacturing registry key in place.

    or

  2. In a separate non-S mode test operating system.