Dual screens, fast updates, no registry cruft and security in mind: Microsoft gives devs the lowdown on Windows 10X

Huge changes for how apps run but will it win over users?


Microsoft has made some bold claims about its forthcoming Windows 10X operating system, which will run on the dual-screen Surface Neo device.

Attendees at the Microsoft 365 Developer Day, held yesterday, were told Windows 10X will maintain state separation between the operating system, drivers and applications, which will enable Windows updates in "less than 90 seconds." The operating system is "read-only" for applications, so no more registry cleaners or "OS rot" slowdown. It will take advantage of Intel's Lakefield, a mobile chipset with both power-efficient small cores for long battery life and a high performance large core when needed.

What is OS rot? "A rolling computer gathers 'cruft'," observed our own Verity Stob in her pre-Register days, defining 10 stages from Cruft Force 0 "Virgin" to Cruft Force 10 "Expiry" – when the machine only runs in Safe Mode at 16-color 800x600. Windows has improved since 2002, when that column was written, but problems still occur, particularly in unmanaged environments where unnecessary applications get installed and the notification area (sometimes called the system tray) fills with stuff running in the background. There is no system tray in Windows 10X.

In its publicity, Microsoft is emphasising the dual-screen aspect, but there is more to it. It's also another attempt to remould Windows for security while (mostly) preserving backwards compatibility. Past efforts include Windows RT, where users could install only Store apps or use pre-installed desktop applications, and more recently Windows 10 S mode, where users can only install Store apps. Further, the Universal Windows Platform (UWP), which evolved from the Windows 8 application model, is designed to be better behaved than old-style Win32 applications, with a degree of isolation and automatic suspend and resume.

In Windows 10X, Microsoft is introducing a new simplified shell – the desktop environment from which users launch applications – which does not support the aforementioned system tray, File Explorer add-ons (which typically add right-click options for files), or global mouse, keyboard or window hooks, used by applications like dictation software to work with every application you run.

Applications will run in containers. Containers – for the uninitiated – are like lightweight virtual machines, sharing the resources of the operating system but also isolated from it.

Program manager Peter Torr explained the three types of containers in Windows 10X.

  1. First, the Win32 container is new, though apparently it borrows technology from the Windows Subsystem for Linux. A single Win32 container will run all Win32 applications – meaning x86 or x64 desktop applications. User data like documents and multimedia will live outside the container but the applications will have seamless access, provided they are in standard document locations. Some private data will not be visible from the Win32 container. If you run Win32 system tools and utilities, they will have no special privileges to see outside the container.
  2. Then there's the MSIX container, which already exists in Windows 10. MSIX is a packaging format "based on a combination of .msi, .appx, App-V and ClickOnce installation technologies", according to the docs. It is Microsoft's recommended means of deploying Win32 applications and gives them some isolation and clean install and removal. In Windows 10X, MSIX packages will run inside the Win32 container.
  3. Lastly, there's the UWP or native container, which also already exists in Windows 10. This is used for UWP applications and has the lowest system overhead, according to Torr. Microsoft also refers to these applications as "running on the host", meaning that they rely on existing UWP mechanisms for isolation.

The three types of container in Windows 10X

Are these really containers?

The word has a broad definition, so there is scope for argument. What matters is the extent of the isolation from the operating system. The Win32 container is something of a brute-force approach, taking everything that is needed to run desktop Windows applications and shoving it into a safe compartment. The applications all run there together, though, so while the core operating system is protected, there is still potential for your Win32 container to become corrupted. If it does, your documents should still be safe.

The key elements in Windows 10X: applications in containers, with Win32 applications accessed by RDP technology

Access to Win32 applications will use Microsoft's Remote Desktop (RDP) technology under the covers. Therefore, when you run something like Microsoft Word, it will run in the Win32 container and you will open a kind of remote session into it. This has implications for how these applications interact with the hardware. RDP has some clever features to support things like local printing but there are limitations. It seems that some of these remain in Windows 10X. According to Torr:

  • All "typical hardware" works with a "fast path" to the host OS
  • There is no support for "non-standard hardware or app-installed drivers"
  • Privacy-sensitive hardware like the camera is under user control. You could choose to bar the Win32 container from your camera. However, this is not per application – you have to give permission to the entire container

What will happen if a Win32 application tries to install a system tray applet or Explorer add-on? The API still exists, said Torr, but it is a no-op. The API calls will succeed but do nothing.

The idea is that, in Windows 10X, no startup applications are allowed. That said, it will be possible to install services that run in the background. If you are not running any Win32 applications, Windows will reduce the resources available to the Win32 container. Microsoft is considering an option to keep the Win32 container always running, said Torr, implying that without that option you cannot be sure that a background service in the Win32 container will always be active.

UWP applications will have app-specific permissions as they do today. If developers want to avoid the potential issues with the Win32 container, the solution will be to write UWP applications instead. Hybrid Win32/UWP apps will not be supported at all on Windows 10X.

Microsoft also dropped the veil on a new Windows concept called "Signed and Reputable mode". According to principal program manager lead John Vintzel, if you run only Microsoft, UWP and "apps with good reputation", there is no need to run antivirus software. Users can opt out of this mode, in which case the need for antivirus software returns. Developers will have to think about building reputation for applications, done by migrating to MSIX, using code-signing, submitting applications for analysis, and increasing adoption so that Microsoft has telemetry on application behaviour.

Want to run without antivirus? Microsoft says you can, in Signed and Reputable mode in Windows 10X

What is Microsoft up to, and will Windows 10X fare better than Windows RT or Windows 10 S in terms of user adoption? Microsoft likely has some envy towards operating systems like Google's Chrome OS, which has been designed from the get-go for security. Apple has iOS and even Android has things Windows lacks, like application isolation and a permission system. In the education market and elsewhere a more secure and manageable edition of Windows, with the added benefit of longer battery life, has obvious appeal.

The issue, as ever, will be compatibility with the vast range of legacy Windows applications, and the fact that users like the freedom to install and run whatever they want. Microsoft is trying to make Windows 10X seamlessly compatible for users, but the restrictions it imposes and the technology it uses (containers and RDP) will mean that some applications will not work as expected. The lack of system tray applets and File Explorer add-ins will be a problem, and the new "simplified shell" will not be to everyone's taste. There was no detail yesterday on the subject of accessibility. Microsoft will no doubt have some solutions, but it sounds as though accessibility software for Win32 applications will need adapting to work on Windows 10X as it relies on features that won't work.

The dual-screen aspect is important too, and a compelling user experience and application support here would help adoption. The hope must be that if adoption is sufficient, developers will be forced towards UWP and Microsoft can achieve the modernised Windows of its dreams.

Eran Megiddo, corporate veep for Windows and education, said last year: "Windows 10X will be available on dual-screen and foldable devices starting in the fall of 2020, in time for the holiday season. These will include both Microsoft Surface and devices from several Windows ecosystem partners including ASUS, Dell, HP and Lenovo. The first wave of devices will vary in size, design and specs, and be powered by Intel."

You can view the Developer Day on-demand sessions here. ®
