針對 Windows 10 S 模式測試您的 Windows 應用程式Test your Windows app for Windows 10 in S mode

您可以測試您的 Windows 應用程式,以確定此應用程式會在執行 Windows 10 S 模式的裝置上正常運作。You can test your Windows app to ensure that it will operate correctly on devices that run Windows 10 in S mode. 事實上,如果要將應用程式發行至 Microsoft Store,您必須執行此動作,因為它是 Microsoft Store 的要求。In fact, if you plan to publish your app to the Microsoft Store, you must do this because it is a store requirement. 若要測試您的應用程式,您可以在執行 Windows 10 專業版的裝置上套用 Windows Defender 應用程式控制 (WDAC) 原則。To test your app, you can apply a Windows Defender Application Control (WDAC) policy on a device that is running Windows 10 Pro.

WDAC 原則會強制應用程式必須符合該原則,才能在 Windows 10 S 上執行。The WDAC policy enforces the rules that apps must conform to in order to run on Windows 10 S.

重要

雖然我們建議您將這些項原則套用到虛擬機器,但如果您想要套用到您的本機電腦,請務必在您套用原則之前,先查看在〈下一步,安裝原則並重新啟動您的系統〉章節中我們提供的最佳做法指導。We recommend that you apply these policies to a virtual machine, but if you want to apply them to your local machine, make sure to review our best practice guidance in the "Next, install the policy and restart your system" section of this topic before you apply a policy.

首先,下載原則然後挑選一個First, download the policies and then choose one

此處下載 WDAC 原則。Download the WDAC policies here.

然後,選擇其中最適合您的一項。Then, choose the one that makes the most sense to you. 以下是每個原則的摘要。Here's summary of each policy.

原則Policy 強制執行Enforcement 簽署憑證Signing certificate 檔案名稱File name
稽核模式原則Audit mode policy 記錄問題/不要封鎖Logs issues / does not block 市集Store SiPolicy_Audit.p7bSiPolicy_Audit.p7b
運作模式原則Production mode policy Yes 市集Store SiPolicy_Enforced.p7bSiPolicy_Enforced.p7b
帶有自我簽署應用程式的運作模式原則Product mode policy with self-signed apps Yes AppX 測試憑證AppX Test Cert SiPolicy_DevModeEx_Enforced.p7bSiPolicy_DevModeEx_Enforced.p7b

我們建議您從稽核模式原則開始。We recommend that you start with audit mode policy. 您可以檢閱程式碼完整性事件記錄檔,並使用該資訊協助您調整您的應用程式。You can review the Code Integrity Event Logs and use that information to help you make adjustments to your app. 然後,當您準備好進行最後一項測試時,套用運作模式原則。Then, apply the Production mode policy when you're ready for final testing.

以下是每個原則的更多資訊。Here’s a bit more information about each policy.

稽核模式原則Audit mode policy

在此模式下,即使不受 Windows 10 S 支援,您的應用程式還是會執行工作。Windows 會記錄任何原本會被封鎖而未進入程式碼完整性事件記錄的執行檔。With this mode, your app runs even if it performs tasks that aren’t supported on Windows 10 S. Windows logs any executables that would have been blocked into the Code Integrity Event Logs.

您可以開啟 [事件檢視器] 然後瀏覽至此位置來尋找這些記錄:Application and Services Logs->Microsoft->Windows->CodeIntegrity->Operational。You can find those logs by opening the Event Viewer, and then browsing to this location: Application and Services Logs->Microsoft->Windows->CodeIntegrity->Operational.

code-integrity-event-logs

此模式很安全,不會導致系統無法啟動。This mode is safe and it won't prevent your system from starting.

(選用) 在呼叫堆疊中尋找特定失敗點(Optional) Find specific failure points in the call stack

若要在發生封鎖問題的呼叫堆疊中尋找特定失敗點,請新增此登錄機碼,然後設定核心模式偵錯環境To find specific points in the call stack where blocking issues occur, add this registry key, and then set up a kernel-mode debugging environment.

按鍵Key 名稱Name 類型Type Value
HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\CIHKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\CI DebugFlagsDebugFlags REG_DWORDREG_DWORD 11

reg-setting

運作模式原則Production mode policy

這項原則會執行符合 Windows 10 S 的程式碼完整性規則,讓您可以模擬執行 Windows 10 S。由於這是最嚴格的原則,因此相當適合用於最終運作測試。This policy enforces code integrity rules that match Windows 10 S so that you can simulate running on Windows 10 S. This is the strictest policy, and it is great for final production testing. 在此模式下,您的應用程式會受到與使用者裝置上相同的規則限制。In this mode, your app is subject to the same restrictions as it would be subject to on a user's device. 若要使用此模式,您的應用程式必須先經 Microsoft Store 簽署。To use this mode, your app must be signed by the Microsoft Store.

帶有自我簽署應用程式的運作模式原則Production mode policy with self-signed apps

此模式與運作模式原則相似,但它允許經由包含在 zip 檔案中之測試憑證簽署過的應用程式執行。This mode is similar to the Production mode policy, but it also allows things to run that are signed with the test certificate that is included in the zip file. 安裝包含在此 zip 檔案中 AppxTestRootAgency 資料夾下的 PFX 檔案。Install the PFX file that is included in the AppxTestRootAgency folder of this zip file. 然後,使用它登入您的應用程式。Then, sign your app with it. 如此一來,您可以快速的逐一查看,而不需要 Store 的簽署。That way, you can quickly iterate without requiring Store signing.

因為您憑證的發行者名稱必須符合您應用程式的發行者名稱,因此必須將 Identity 元素 Publisher 屬性的值暫時變更為「CN=Appx Test Root Agency Ex」。Because the publisher name of your certificate must match the publisher name of your app, you'll have to temporarily change the value of the Identity element's Publisher attribute to "CN=Appx Test Root Agency Ex". 測試完成之後,可以將該屬性變更回其原始值。You can change that attribute back to it's original value after you've completed your tests.

下一步,安裝原則並重新啟動系統Next, install the policy and restart your system

我們建議您將這些項原則套用至虛擬機器,因為這些原則可能會導致開機失敗。We recommend that you apply these policies to a virtual machine because these policies might lead to boot failures. 因為這些原則會封鎖未經 Microsoft Store 簽署之程式碼的執行,包括驅動程式。That's because these policies block the execution of code that isn't signed by the Microsoft Store, including drivers.

若您想要將這些項原則套用至您的本機電腦,建議您最好先從稽核模式原則開始。If you want to apply these policies to your local machine, it's best to start with the Audit mode policy. 透過使用這項原則,您可以檢閱程式碼完整性事件記錄檔,以確保強制執行原則不會封鎖任何重要的項目。With this policy, you can review the Code Integrity Event Logs to ensure that nothing critical would be blocked in an enforced policy.

當您準備好要套用原則之後,尋找您選擇之原則的 .P7B 檔案,將它重新命名為 SIPolicy.P7B,然後將該檔案儲存到您系統上的這個位置:C:\Windows\System32\CodeIntegrity\When you're ready to apply a policy, find the .P7B file for the policy that you chose, rename it to SIPolicy.P7B, and then save that file to this location on your system: C:\Windows\System32\CodeIntegrity\.

然後,重新啟動您的系統。Then, restart your system.

注意

若要從您的系統移除原則,請刪除 .P7B 檔案,然後重新啟動系統。To remove a policy from your system, delete the .P7B file and then restart your system.

接下來的步驟Next steps

尋找您的問題解答Find answers to your questions

有任何問題嗎?Have questions? 請在 Stack Overflow 上發問。Ask us on Stack Overflow. 我們的團隊會監視這些標籤Our team monitors these tags. 您也可以在這裡發問。You can also ask us here.

檢視應用程式諮詢小組公布的詳細部落格文章Review a detailed blog article that was posted by our App Consult Team

請參閱使用傳統型橋接器在 Windows 10 S 上移植並測試您的傳統桌面應用程式See Porting and testing your classic desktop applications on Windows 10 S with the Desktop Bridge.

深入了解可讓您輕鬆測試 Windows S 模式的工具Learn about tools that make it easier to test for Windows in S Mode

請參閱解除封裝、修改、重新封裝、簽署 APPXSee Unpackage, modify, repackage, sign an APPX.