Linux Distros Won't Run On Microsoft's Education-Focused Windows 10 S OS

Reader BrianFagioli writes: I was sort of hopeful for Windows 10 S when Microsoft made a shocking announcement at Build 2017 that it is bringing Linux distributions to the Windows Store. This gave the impression that students using the S variant of the OS would be able to tinker with Linux. Unfortunately, this is not the case as Microsoft will be blocking Linux on the new OS. In other words, not all apps in the store will be available for Windows 10 S. "Windows 10 S does not run command-line applications, nor the Windows Console, Cmd / PowerShell, or Linux/Bash/WSL instances since command-line apps run outside the safe environment that protects Windows 10 S from malicious / misbehaving software," says Rich Turner, Senior Product Manager, Microsoft. Tuner further explains, "Linux distro store packages are an exotic type of app package that are published to the Windows Store by known partners. Users find and install distros , safely, quickly, and reliably via the Windows Store app. Once installed, however, distros should be treated as command-line tools that run outside the UWP sandbox and secure runtime infrastructure. They run with the capabilities granted to the local user -- in the same way as Cmd and PowerShell do. This is why Linux distros don't run on Windows 10 S: Even though they're delivered via the Windows Store, and installed as standard UWP APPX's, they run as non-UWP command-line tools and this can access more of a system than a UWP can."

Re:as a workaround

[maestroX]

when managing multiple machines in education, just pxe boot (https://help.ubuntu.com/community/DisklessUbuntuHowto)

Re:as a workaround

[KiloByte]

There's one small detail here, though: there are two keys: one, the "Microsoft Windows Production PCA" is used to sign Windows only, while the other, "Microsoft Corporation UEFI CA" is the one they for antitrust reasons "kindly" allow certain biggest distributions to be signed with. Inclusion of the former is mandatory, while the other OEMs merely "should consider including".

Doesn't sound that ominous yet? Then recall what the way Windows is sold: there's a ridiculously high official price no one pays, and "volume discounts" every single mainstream PC maker gets, negotiated under strict non-disclosure. You can bet that when the time is ripe, all the makers will suddenly fail to include the UEFI CA key (as losing the volume discounts would effectively put them out of business).

And even while the UEFI CA key lasts, you lose the main reason to use Linux rather than some proprietary kernel: there's no way you can edit the kernel, install a non-distro version, build your own modules, etc. You no longer can insert unsigned modules, kexec an unsigned kernel, use a number of facilities that could be used to gain control over your own machine.

And what's the gain for you? Precisely nothing! A thief can still install Windows on a stolen machine, someone who wants your data can boot Windows (or, for now, one of the "blessed" distros). The UEFI CA doesn't sign particular kernel builds but distro signing keys, so you can be assured every three letter agency of US, Russia, China and any other country Microsoft wants to sell their software in do have such a signing key. Thus, the malware the thugs use against your machine on the border will also boot fine.

Ie, "Secure" Boot is strictly negative for you unless you can remove all keys not under your control.