New and Improved UMCI, Same Old Bugs


Presented at BlueHat 2018 by

User Mode Code Integrity (UMCI) restricts which executables can run based on who signed them. UMCI was introduced with the ARM-based Windows RT in 2012, but ways of bypassing its signing restrictions were quickly discovered. In 2017, Microsoft introduced a new SKU of Windows 10, the Cloud Edition, better known as Windows 10S. This was the first x86 version of Windows to enable UMCI by default, in this case to restrict the OS to running only Microsoft-signed and Store-signed executables for security purposes. It turns out that many of the same mistakes made in Windows RT also applied to Windows 10S, so it was possible to bypass UMCI and execute arbitrary code. This presentation will describe in detail how Windows 10S is configured, introduce some of the bypasses I’ve discovered, including ones that haven’t been fixed, and describe how you might go about finding new bypasses.