Windows 11 build 21380

10.0.21380.1001.fs_dev6_flt.210511-1900

Build of Windows 11
OS family	Windows 11 (NT 10.0)
Version number	10.0
Build number	21380
Build revision	1001
Architecture	AMD64
Build lab	fs_dev6_flt
Compiled on	2021-05-11
Expiration date
Timebomb	2021-10-31 (+173 days)
SKUs
Home (N, Single Language) SE (N) Pro (N, Single Language, China) Pro Education (N) Pro for Workstations (N) Education (N) Enterprise (N, Multi-session) IoT Enterprise
Product key
Use a Windows 10/11 retail key
About dialog

Windows 11 build 21380 is a internal build of Windows 11, which was first shown running on an Acer Aspire Vero prototype on multiple occasions. The prototype was first demonstrated during the 2021 Hong Kong Computer and Communications Festival — many photographs from the event detailing various aspects of the user interface as well as version information were posted on BetaArchive by member DiaoSlime in August 2021.^[1] The same model was then also demonstrated in articles published by several technology publications, including UltrabookReview.com^[2] and Polish website dobreprogramy.^[3]

The build was later uploaded to BetaWorld on 8 June 2023,^[4] along with another three internal Firesteel builds 21370, 21376 and 21385. It was shared two days later.^[5]

This build is one out of many known builds to be compiled from a branch with the fs prefix. The prefix stands for Firesteel, the codename for an internal Microsoft self-hosting effort related to Windows 11 development.^[6] A leak source detection implementation is present in the build, and can be controlled through the use of a Velocity staging key. It notably replaces the older logo first introduced in Windows 8 with a new flat design (similar to the 2012 Microsoft logo); however, the old design still persists in certain areas presented within the build.

Unlike newer builds of Windows 11 from build 21996 onwards, it does not enforce the TPM 2.0 or UEFI requirements.

New features and changes[edit | edit source]

This build contains many new and updated features in relation to the user experience, with Windows 11 branding being introduced throughout the operating system. The out-of-box experience from Windows 10X makes a reappearance in this build with slight visual updates, and other user interface elements have been updated bearing a resemblance to the Windows 10X aesthetic. The new boot animation intended for Windows 10X (introduced in Manganese development builds), which replaces the older boot screen design introduced in Windows 8, remains disabled by default.

User interface[edit | edit source]

Windows Aero[edit | edit source]

The Aero visual style has been updated to feature new neumorphic controls and widgets. The new design makes large use of elements such as rounded corners, shadows, as well as blue accents. Just like build 21370, this build forces on rounded corners by default even when Desktop Window Manager is running under software rendering mode or when dedicated GPU drivers are not present in the operating system.

Shell[edit | edit source]

Start menu and Taskbar[edit | edit source]

The TaskbarSi option has been changed to affect the taskbar instead of just the DPI.

Animations in the taskbar and Start menu have been updated.

Windows 10 shell[edit | edit source]

The new Windows 11 user interface can be disabled in the same way as in build 21370. However, when doing so, more functionalities will break than in 21370. These are:

• Quick Link menu (⊞ Win+X shortcut)
• Start menu search functionality

Themes[edit | edit source]

Four new themes from the final release of Windows 11 (Captured Motion, Flow, Glow and Sunrise) make their first appearance in this build, although the default theme still retains the Hero wallpaper from the Windows 10 May 2019 Update as the default wallpaper and would not be replaced with Bloom until the compilation of build 21385.^[a]

SE edition[edit | edit source]

This build renames the Cloud Edition SKU previously introduced in build 21354 to Windows 11 SE. The edition is intended for low-cost computers aimed at educational institutions to compete with ChromeOS. It can only be managed over Microsoft Intune for Education.

In this build, the SE edition removes customer-oriented features such as Your Phone and the Widgets dashboard, and access to the Microsoft Store is disabled by default. A Microsoft account is also required to use the operating system. Unlike Windows 10 S, no low-level code signing limitations (which prevent users from running Win32 applications sourced from outside of the Store) are present.

Leak prevention[edit | edit source]

The watermark on the desktop and in the Windows Preinstallation Environment's wallpaper host application includes a notice that advises Microsoft employees not to take screenshots of the build, as later seen in build 21990. A hexadecimal build hash is also present at the bottom left corner of the screen.

Additionally, leak-source detection code is implemented. Every string in the watermark and within the File Explorer application has whitespace, colon and dash characters predictably replaced by their Unicode full-width counterparts based on the value of WNF_SHEL_INTERNAL_EXPERIMENT and a constant number of bits used in a rotate-left instruction which is always constant for each line; rotation values 0-4 are used and increments for each string. The same effect is also applied against the taskbar clock and the legal copyright/trademark protections string in winver (rotation value 0 is used here), and was additionally attempted against the OS version string in the about box (containing the build number). Due to human error, the pointer to the first string is passed in again (which would either be NULL, leading to a null dereference crash, or a freed buffer). The visibility of the current calendar day and the size of the Show Desktop button are adjusted depending on the value of the above-mentioned variable.

The LogonController.dll dynamic link library initially sets variable WNF_SHEL_INTERNAL_EXPERIMENT from DWORD value Attributes located in HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C57C51B-FD43-4E74-B077-551AE6228AD6}, and then saved to the registry again as binary value 0D83063EA3B87C75 in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data (the last 4 bytes are the DWORD value); some of the bits are responsible for controlling other functionality as well.

Enablement and implementation details[edit | edit source]

Much of the existing functionality is controlled by Velocity staging key 31496852, enabled by default in Firesteel builds 21370 onwards and internally referred to as XPTest. The leak warning string is hardcoded into the dynamic link library shell32.dll; this would remain untranslated in every other language.

The text is concatenated to a buffer where the test code signing watermark is written to; if test code signing is enabled in the current boot entry, two additional period and whitespace characters are concatenated to the buffer first, such that the watermark would read Test Mode. Do not take screen shots of this build.; this is additionally shown in the publicly available footage of build 21990.

Leak prevention methods in action.
Note how the watermark, the hash (and its position), the size of the Show Desktop button, the date/time format and the winver legal notices are dynamically changed as DWORD value 0D83063EA3B87C75 is modified through the Registry Editor and after the system has been rebooted.

The hash ID is implemented in a different manner to older major versions of Windows:

• The current user's SID is obtained, and its sub-authorities are XORed together.
• The DWORD from WNF state value WNF_SHEL_INTERNAL_EXPERIMENT is obtained, and XORed by constant value 0x5475A568;
• Let the previous two values be x and y; the hash is initialized to zero then obtained from 32 rounds of hash += hash + _addcarry_u32(0, x, x, &x); hash += hash + _addcarry_u32(0, y, y, &y).

The height of the hash also depends on the current value of the WNF_SHEL_INTERNAL_EXPERIMENT variable. When it is painted onto the desktop, the Y-position is derived from bits 11-12 of WNF_SHEL_INTERNAL_EXPERIMENT: y = bottom_of_watermark - height_of_single_watermark_line * ((WNF_SHEL_INTERNAL_EXPERIMENT >> 11) & 0b11);.

Due to the additional code mentioned above, a screenshot with hash-ID leaks the WNF_SHEL_INTERNAL_EXPERIMENT value, which could be used to derive the current user's SID from the hash (which would reveal the Active Directory domain user inside Microsoft's corporate network).

Unique device IDs are collected by Microsoft, and fingerprints are generated by authenticating to specific domains owned by Microsoft. Specific shell surfaces in the Windows operating system are explicitly flagged as DRM-sensitive material, which would be displayed as pure black in screenshots, and specialized cumulative updates sourced from internal Firesteel development branches are required in order to enable the rest of the new Windows 11 shell features. Installing specific MSIX/AppX package bundles for Windows Shell Experience Pack updates depend on the presence of a signed per-device FireSteel Token, and fake Velocity staging key toggles are present in the system in order to deceive dataminers.

This functionality was temporarily removed from mainline builds immediately before the compilation of build 21996, and was eventually re-introduced during development of features intended for future Nickel-based releases and during Germanium development.

Miscellaneous[edit | edit source]

The Segoe UI Variable font has been removed.

Bugs and quirks[edit | edit source]

A majority of the issues presented in this build are the direct consequence of constant forward/reverse integration and merging from various branches, including changes sourced from shell branches belonging to the Windows Devices and eXperiences team (WDX). In addition, the original installation media was produced with bad metadata as the primary installation image was captured while undergoing a servicing operation that regenerates the WNF_SHEL_INTERNAL_EXPERIMENT seed, resulting in invalid access control lists and bad reparsing data persisting across thousands of files within the image and causing built-in applications (and by extension part of the Windows shell) to misbehave.

General[edit | edit source]

• The file desktop.ini may generate under %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup automatically, causing it to open when signing in to Windows. Deleting the file resolves this issue. This issue is not present when booting in Safe mode.
• When using dark mode, apps have a white outline.
• Volumes with valid drive letters may not show up properly in the Windows Preinstallation Environment unless they are (re)assigned through the Diskpart utility.

State Repository Service[edit | edit source]

Several built-in applications such as Photos, Microsoft Store, Windows Defender and Windows Terminal may fail to install and launch properly due to the aforementioned seed regeneration issues, in turn causing the State Repository Service to experience a constant memory leak, leading to potential performance issues and resource exhaustion.

The only way to resolve these issues is to revert the OS installation image to a point that predates the WNF_SHEL_INTERNAL_EXPERIMENT seed regeneation operation.

Desktop Window Manager[edit | edit source]

The taskbar may become fully transparent when installing graphics drivers under some configurations.

Shell[edit | edit source]

• Graphical artifacts may appear within File Explorer after modifying folder options.
• Many areas of the operating system still utilize the older Windows 10 branding, such as within setup and in boot configuration data.
• The default background wallpaper is not properly set in the Home edition. Changing the theme resolves the issue.

Setup[edit | edit source]

• When installing N editions, the out-of-box experience will fail to load due to the absence of required MPEG-4 codecs.
• The "Forgot your password?" link when setting up a Microsoft account or unchecking the option to receive promotional emails both lead to a blank screen.
• The fake boot screen presented by the Windows logon application (winlogon.exe) during the second stage of setup utilizes the wrong boot logo bitmap.
• The first logon animation lacks the animated background present in later builds. Like in contemporary Cobalt builds, Times New Roman is also used as the default font instead of Segoe UI Variable after the initial greeting text.
• If the network is disconnected on the Microsoft account logon page and the option to create a new account is selected, the OOBE will crash, presenting the user with a login screen with no users.

Gallery[edit | edit source]

Windows Setup[edit | edit source]

• 

  Autorun

• 

  Hardware detection (second phase of setup)

Out-of-box experience[edit | edit source]

• 

  Regional settings

• 

  First logon animation

Interface[edit | edit source]

• 

  Boot screen

• 

  Lock screen

• 

  Logon screen

• 

  Start menu

• 

  Ditto, all apps section

• 

  Windows Dashboard (Widgets)

• 

  Old Start menu enabled with registry editor

• 

  Search Menu

• 

  Task View

• 

  Action Center

• 

  File Explorer

• 

  Get Started

• 

  Microsoft Edge

• 

  Desktop with left-aligned taskbar and start menu

• 

  Desktop with Windows 11 shell packages disabled, resulting in the traditional Windows 10 shell being used.

• 

  Safe mode

• 

  First boot

Themes[edit | edit source]

• 

  Theme personalization subpage in Settings application

• 

  Dark

• 

  Glow

• 

  Captured Motion

• 

  Sunrise

• 

  Flow

Images prior to public upload[edit | edit source]

HKCCF photographs[edit | edit source]

• 

  Watermark

• 

  Start Menu

• 

  About subpage in Settings

• 

  Network flyout

• 

  winver

Dobreprogramy images[edit | edit source]

• 

  Start Menu

• 

  Settings and GPU-Z

• 

  Acer Purified Voice Console

• 

  3DMark Time Spy benchmark results

• 

  Desktop, alternate view

• 

  Out-of-box experience

• 

  Microsoft Edge

UltrabookReview.com images[edit | edit source]

• 

  Lock screen

• 

  Watermark

• 

  Microsoft Edge

Notes[edit | edit source]

References[edit | edit source]