User Mode Code Integrity (UMCI) restricts which executables can run based on their signer. UMCI was introduced with the ARM-based Windows RT in 2012; however, ways of bypassing the signing restrictions were quickly discovered. In 2017 Microsoft introduced a new SKU of Windows 10, the Cloud Edition, better known as Windows 10S. This was the first x86 version of Windows which enabled UMCI by default, in this case to restrict the OS to running only Microsoft and Store signed executables for the purposes of security. It turns out that many of the same problems Microsoft had in Windows RT were applicable to Windows 10S, and so it was possible to bypass UMCI to execute arbitrary code.
This presentation will describe how Windows 10S is configured, introduce some of the bypasses I've discovered, including ones which haven't been fixed, and describe how you might go about finding new bypasses.