A couple of weeks ago I bought a Surface Laptop because I wanted to spend some time using Windows 10 S. It has been an interesting experience. I’ve learned a great deal about Microsoft’s latest operating system—and its prospects as a tool for the enterprise.

Windows 10 S is a variant of the familiar Windows 10 Pro, but locked down to work only with Windows Store applications and to prevent local scripting tools and system-level commands from running. There is no access to cmd.exe, no PowerShell, no RegEdit, and certainly no Bash prompt, all aimed at reducing the risk of a user changing device configuration or getting around the operating system’s restrictions. Power users may bristle at this approach, but Windows 10 S isn’t intended for them. The locked-down nature of the OS and the initial focus on the education market make an intriguing combination, and a pointer to a possible enterprise future.

The education market is an interesting proxy for a modern enterprise. It is a rapidly moving mix of cloud and local application services, supporting what can best be described as a massive BYOD deployment. It is also the nearest thing out there to an IT wild west, one where a substantial number of users are running a perpetual penetration test on the network and the devices connected to it. If an OS can survive in a modern school or college, it can survive anywhere.

Managing Windows 10 S

As it stands, Windows 10 S can’t connect to an Active Directory domain as a fully managed device. Out of the box it supports lightly managed Workplace Join scenarios, as well as Azure Active Directory. You still get a lot of control if you’re using mobile device management (MDM) tooling, including support for MDM profiles. Microsoft has replicated most of the core AD management features in its Windows 10 MDM support, using tools like Intune to deliver management profiles to both on-premises and cloud-managed devices. You can push profiles via MDM services, and users can install profiles from the Windows Settings tools.