Choose 32-Bit or 64-Bit Versions

You can choose between 32-bit and 64-bit versions of all desktop editions of Windows 10. Nowadays, you should choose 64-bit versions unless there is a compelling reason to use 32-bit versions, such as your hardware does not support the 64-bit architecture.

The various edition features described in Table 1-1 are applicable for both 32-bit and 64-bit versions. However, 64-bit versions of Windows 10 do provide a number of advantages, including:

• Memory The 64-bit versions of Windows 10 can address more physical memory than 32-bit versions. Specifically, 32-bit versions are physically limited to just under 4 GB of RAM, whereas 64-bit versions of Windows are limited by the edition of Windows 10 installed.

• Security Features such as Kernel Patch Protection, mandatory kernel-mode driver signing, and Data Execution Prevention (DEP) are available only in 64-bit versions of Windows 10.

• Client Hyper-V This feature is only available on 64-bit versions of Windows 10. Your hardware must also support second-level address translation (SLAT).

• Performance The 64-bit processors can handle more data during each CPU clock cycle. This benefit is only realized when running a 64-bit operating system.

Identify an installation strategy

You can choose from among a number of methods when considering how best to install Windows 10. Generally, the size of your organization and the number of devices that you must install will determine the strategy that you select. The available strategies have different prerequisites, and some might require additional software components and configuration before you can begin installing Windows 10. Table 1-3 describes the strategies available.

Table 1-3 Windows 10 installation strategies

Determine the appropriate installation media

Windows 10 uses an image-based installation and deployment model with the Windows operating system installation files packaged inside an image file that is used as an installation source during the installation process.

A default installation image, Install.wim, is provided on the installation media in the Sources folder. Although you can choose to use this default image, you can also configure it to create custom installation images that better suit the needs of your organization. Customizations might include:

• Selecting a particular edition of Windows 10.

• Choosing which Windows features are enabled.

• Including Wi-Fi profiles and virtual private network (VPN) profiles.

• Adding universal apps or desktop applications.

The Windows Assessment and Deployment Kit (Windows ADK) contains a number of tools that you can use to create and manage Windows 10 images to support your installation needs. These are:

• DISM The Deployment Image Servicing and Management (DISM) command-line tool enables you to capture, deploy, and manage Windows images. You can use the tool to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD, which can be either online or offline.

• Windows Configuration Designer This tool, as shown in Figure 1-1, enables you to provision Windows 10 features and runtime settings by using provisioning packages (.ppkg) to quickly configure a Windows 10 device without having to install a new image.

You can then deploy these custom images and packages to target computers within your organization that require Windows 10. You can perform this deployment in a number of ways and by using a variety of deployment technologies and tools, depending on the installation strategy you previously selected. Options include:

• DVD installation You can create installation DVD media, or you can use a customized image that you created. The device you are installing to requires an optical drive.

• USB installation You can use the default or custom Windows images. This method is quicker than DVD, and although it does not require an optical drive, you might need to reconfigure your computer’s BIOS or UEFI firmware settings to support startup from USB.

• WDS deployment To use this method, Dynamic Host Configuration Protocol (DHCP) must be available to network clients on your network, and your target computers running Windows 10 must support Pre-Boot Execution Environment (PXE). Combined with unattended answer files and custom images, you can use this method to deploy multiple images to multiple computers at the same time by using multicast.

• Image-based installation By starting your computer into Windows Preinstallation Environment (Windows PE), you can use DISM to apply an image locally to the target computer. Alternatively, you can use MDT and System Center Configuration Manager (Current Branch) to deploy the image and desktop apps to the target devices.

• Shared network folder installation You can use Windows PE to start your computer and map a network drive to installation files and images on a network file shared folder. This is a comparatively inefficient method and has been replaced by the other methods previously described.

• Windows SIM The Windows System Image Manager (Windows SIM) shown in Figure 1-2 enables you to create installation answer files for use in automated deployments. These answer files contain the configuration options used to install Windows 10. You can then associate these answer files with a local copy of the installation media, perhaps on a USB memory stick to provision Windows 10 using a semi-automated interactive installation.

  

• Windows PE Windows PE (WinPE) is used to start a computer that is being deployed with Windows 10. It enables access to Windows file systems and is, in essence, a small Windows operating system. You can use the generic Windows PE provided on the product DVD, or you can create your own using tools found in the Windows ADK to address your specific deployment needs. You can then launch Windows PE from a DVD or a USB memory stick or across the network using PXE.

Supported upgrade paths

Performing an in-place upgrade can be the simplest option, especially when you have only a few computers to upgrade. However, you cannot perform an in-place upgrade on computers running a Windows version that does not share the same feature set as the edition of Windows 10 that you want to install.

Table 1-4 lists the supported upgrade paths based on the Windows edition.

Table 1-4 Supported upgrade paths to Windows 10

You will notice from Table 1-4 that direct upgrades between different editions are not supported. That is, you cannot upgrade directly from Windows 7 Home to Windows 10 Enterprise.

After you have determined whether your upgrade path is supported, choose how to perform the process of upgrading to Windows 10.

Perform an in-place upgrade to Windows 10

As you have seen, there are three ways to upgrade to Windows 10. The recommended method by Microsoft is to use an in-place upgrade. This is the method that will be utilized for all future upgrades of Windows 10 using Windows Update. Using an in-place upgrade enables you to retain all the users’ applications, data files, and user and application settings. During the in-place upgrade, the Windows 10 setup program automatically retains these settings.

You perform an in-place upgrade to Windows 10 when your users will continue to use their existing computers. To perform an in-place upgrade, complete the following procedure.

1. Evaluate the user’s computer to determine that it meets minimum hardware requirements for Windows 10 and that Windows 10 supports all hardware.

2. Verify that all applications work on Windows 10.

3. Optionally, back up the user’s data files.

4. Run the Setup.exe program from the root of the Windows 10 installation media.

5. Choose Upgrade when prompted and complete the setup wizard.

The in-place upgrade process works well and is now the recommended deployment method Microsoft suggests for upgrading devices that run Windows 7 or Windows 8.1 to Windows 10.

Upgrade using installation media

An enterprise will normally obtain Windows 10 media through the volume licensing channel and can download it from the Volume Licensing Service Center (VLSC) at https://www.microsoft.com/licensing/servicecenter/default.aspx. VLSC media use either a Multiple Activation Key (MAK) or Key Management Service (KMS) which is used during the installation process and is tied to the enterprise license agreement with Microsoft.

Alternatively, purchased retail media can be used, which is supplied on a USB thumb drive or by a direct download from the online Microsoft Store.

Another option is to use the Media Creation Tool (MCT), which generates a ready-to-use, bootable USB flash drive. You can also download an ISO file that can be used for the installation, which would need to be burned to a writeable DVD. Media created with the MCT cannot be used for upgrading a Windows Enterprise edition client. When you run the MCT, when prompted, on the What Do You Want To Do? page, click Create Installation Media and then click Next.

If you encounter issues while upgrading to Window 10, you should inspect the installation log file found at C:WindowsPantherUnattendGCSetupAct.log. If you are trying to use the wrong media or if you are trying to upgrade from an unsupported operating system, there should be an entry such as the following:

Click here to view code image

Info [windeploy.exe] OEM license detected, will not run SetupComplete.cmd

With all upgrades, you must ensure that you understand the requirements for a successful upgrade, such as having at least 2 GB RAM and enough disk space. In the exam, you might face scenarios in which you are asked to upgrade from one architecture to another architecture which is not supported. You may be presented with the current system drive having insufficient disk space. To resolve disk space issues, you could attempt one of the following resolutions to complete the upgrade:

• Run Disk CleanUp Wizard, remove any unwanted files, and empty the Recycle Bin.

• Uninstall apps, files, and language packs that you do not need.

• If possible, expand the volume by using the Disk Management tool.

• Move personal files off the system drive and onto another drive or external drive.

If the system fails during the upgrade due to a compatibility issue, you can troubleshoot the cause by reviewing the setupact.log found at: C:$Windows.~BTSourcespanthersetupact.log. Some of the most common codes are shown in Table 1-5.

Table 1-5 Setuperr.log errors relating to upgrading

If you want to check the system for compatibility only, you can run Setup.exe with a command-line switch, which will check for compatibility but not perform the actual upgrade.

An example command is:

Click here to view code image

Setup.exe /Auto Upgrade /Quiet /NoReboot /DynamicUpdate Disable /Compat ScanOnly

Windows 8.1 supports mounting an ISO disk image directly in File Explorer. You can download the Windows 10 ISO and upgrade Windows 8.1 without first having to create installation media such as a DVD or bootable USB. For Windows 7, you must use bootable media, extract the files contained in the ISO, or use a third-party tool to mount the ISO.

A major advantage of upgrading rather than performing a clean installation (sometimes referred to as a wipe-and-load scenario) is that all the applications, settings, and data on the PC are retained during an upgrade. This often results in a much quicker process, and the device can be returned to the user in the shortest possible time.

As part of the pre-upgrade checks, Windows 10 will validate the following.

• Whether UEFI is used (UEFI v2.3.1 or later is required for Secure Boot).

• System Host is not configured to boot from VHD.

• The system is not installed as a Portable Workspace (for example, using Windows To Go).

Details of the setup compatibility checks can be reviewed in the log file found at C:$WINDOWS.~BTSourcesPanthersetupact.log. The installation process proceeds in the same way as the in-place upgrade using Windows Update.

Migrate from previous versions of Windows

The amount of user affinity with their devices is often overlooked by support professionals. If allowed, users can invest significant time and effort to customize and personalize their working environment, and this can include the Windows operating system and applications. When upgrading from an older operating system, it is very common for the user to be presented with a new device running the new version of Windows after the old device is removed. This can sometimes cause significant loss of productivity while the user becomes familiar with the updated operating system and reconfigures settings to their preferences.

The level of user personalization of the device can include the following.

• Desktop appearance, sounds, themes, and backgrounds

• Start-menu customization

• Icons and file associations

• Files and folders stored locally

• Device and power settings

• Application settings, such as autotype and template locations

Migration strategies

You perform a migration to Windows 10 when your users have new computers on which to install Windows 10 and you want to preserve settings and data from their old computers. During the process, you perform the following high-level procedures.

1. Verify that all existing required applications work on Windows 10.

2. Ensure that the appropriate edition of Windows 10 is installed on the user’s new computer.

3. On the new computer, install the required applications.

4. Back up the user’s data files and settings from the old computer using USMT (User State Migration Tool).

5. Restore the user’s data files and settings on the new computer using USMT.

You can use either a side-by-side migration or wipe-and-load migration strategy to perform a migration. These migration scenarios are summarized as follows.

• A side-by-side migration In this scenario, the source and destination computers for the upgrade are different machines. You install a new computer with Windows 10 and then migrate the data and most user settings from the earlier operating system to the new computer.

• A wipe-and-load migration In this scenario, the source and destination computer are the same. You back up the user data and settings to an external location and then install Windows 10 on the user’s existing computer. Afterward, you restore user data and settings.

Perform a Side-by-Side Migration

When you opt to use the side-by-side migration strategy, illustrated in Figure 1-3, use the following procedure to complete the task.

1. Either obtain a computer with Windows 10 preinstalled or install Windows 10 on a new computer. When Setup.exe prompts you, choose Custom (Advanced). This is the destination computer.

2. Install the same applications on the destination computer as are presently on the source computer.

3. Create an external intermediate storage location, such as a file server–shared folder or an external hard drive, for the storage of user data and settings. This storage must be accessible from both the source and destination computers.

4. Use the USMT to collect the user’s data and settings from the source computer and store them to the external intermediate store.

5. Use the USMT to collect the user’s data and settings from the external intermediate store and install them in the destination computer.

Perform a Wipe-and-Load Migration

When you opt to use the wipe-and-load migration strategy, illustrated in Figure 1-4, use the following procedure to complete the task.

1. Create an external storage location, such as a file server-shared folder or an external hard drive, for the storage of user data and settings.

2. Use the USMT to collect the user’s data and settings and store them in the external location.

3. Install Windows 10 on the existing computer. When Setup.exe prompts you, choose Custom (Advanced).

4. Reinstall the applications on the computer.

5. Use the USMT to restore the user’s data and settings from the external location.

Perform a user state migration

When computers are being replaced or refreshed on a large scale, the loss of user productivity can be significant. In this scenario, you can use the User State Migration Tool version 10 which is available as part of the Windows ADK.

The Windows ADK is available from the following Microsoft website at: https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit.

User state migration is performed in two phases as follows.

1. Settings and data are captured (collected) from the source computer and stored in a secure migration store using the ScanState tool.

2. Captured settings and data are restored on the destination computer, using the LoadState tool.

USMT is a collection of three command-line tools that can be scripted to capture and migrate data efficiently and securely and is intended for performing large-scale automated deployments.

• ScanState.exe

• LoadState.exe

• UsmtUtils.exe

You choose which data is captured, and these settings are stored in migration XML files as follows.

• MigApp.xml

• MigDocs.xml

• MigUser.xml

• Custom XML files that you can create

The XML files provide the migration rules that USMT needs to process.

You can also create a Config.xml file that is used to specify files or settings, which will be excluded from the migration.

As part of both migration strategies, you must migrate user data and settings to the destination computer. Consequently, it is important to determine where these data and settings reside. The types of data that USMT can capture and migrate are shown in Table 1-6.

Table 1-6 Data types accessible by USMT

The following settings are not migrated when you use USMT.

• Local printers, hardware-related settings

• Device drivers

• Passwords

• Customized icons for shortcuts

• Shared folder permissions

• Files and settings, if the operating systems have different languages installed

After you have installed the USMT included in the Windows ADK, you have the following components as described in Table 1-7.

Table 1-7 USMT components

To initiate the collection of the files and settings from the source computer, use the following steps.

1. Ensure that you have a backup of the source computer.

2. Close all applications.

3. Open an elevated command prompt, and run ScanState, using this command:

   Click here to view code image

   ScanState \remotelocationmigrationmystore /config:config.xml / i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log

4. Run UsmtUtils with the /verify switch to ensure that the migration store is not corrupted, using UsmtUtils /verify C:mystorestorename.img.

5. On the destination computer, install the operating system, install any applications that were on the source computer, and then close any open applications.

6. Run the LoadState command, specifying the same .xml files that you used when you ran ScanState using the command

   Click here to view code image

   LoadState \remotelocationmigrationmystore /config:config.xml / i:migdocs.xml /i:migapp.xml /v:13 /l:load.log

7. Restart the device and verify whether some of the settings have changed.

The ScanState tool can also migrate user settings from an offline Windows system including the Windows.old folder. A Windows.old folder is created when you perform an in-place upgrade of a modern version of Windows to Windows 10. The ability to access user settings contained within the offline Windows.old folder can be advantageous in the following scenarios.

• Improved performance if the Windows.old folder is local

• Simplified end-to-end deployment process by migrating data from Windows.old by enabling the migration process to occur after the new operating system is installed

• Improved success of migration because files will not be locked for editing while offline

• Ability to recover and migrate data from an unbootable computer

• The migration can be performed at any time

Installing Local Experience Packs

You can also modify the default language used by Windows 10 by adding a Local Experience Pack from the Microsoft Store. These packs perform the same configuration changes as the Language options within the Settings app, allowing you to enhance Windows with your chosen language, including navigation, menus, settings, and help topics.

To add a local language using the Microsoft Store, search for the required language and download it or use the link to add a Local Experience Pack on the Language page within the Settings app. If you need to add a Local Experience Pack to an offline image, you can add the Language Interface Packs (LIPs) .appx files and their associated license files, which can be found in the LocalExperiencePack folder on the Language Pack ISO. OEMs and System Builders with Microsoft Software License Terms can download the Language Pack ISO and Feature on Demand ISO from the Microsoft OEM site or the Device Partner Center. IT Professionals can find ISOs containing all available Language resources on the Microsoft Next Generation Volume Licensing Site at https://licensing.microsoft.com.

After the language is installed, you can set it to be the default language for your device or remove the language. Within the Language page in the Settings app, you can also configure the Administrative Language Settings to copy your international settings to the Windows welcome screen, system accounts, and new user accounts as shown in Figure 1-6. System-wide changes require administrative privileges.

To save space, you can remove language components; for example, you could remove English when deploying devices to non-English regions.

Using the Dism Command Line Tool

You can also use the DISM command prompt to perform deployment of language components. As an example, if you want to modify an offline Windows image to add a language pack, first mount the Windows image, mount the Language Pack ISO and the Features on Demand ISO with File Explorer, and then use the following command.

Click here to view code image

Dism /Image:"C:mountwindows" /Add-Package /PackagePath="D:x64langpacksMicrosoft-Windows-Client-Language-Pack_x64_fr-fr.cab"

To add the Luxembourgish language, which requires the fr-FR base language and is delivered as an LXP, use the following command.

Click here to view code image

DISM /Image:"C:mountwindows" /Add-ProvisionedAppxPackage /PackagePath= "D:LocalExperiencePacklb-luLanguageExperiencePack.lb-LU.Neutral.appx" /LicensePath: "D:LocalExperiencePacklb-luLicense.xml"

To remove the same LIP, which was added through LXP, you would use the following command.

Click here to view code image

Dism /remove-provisionedappxpackage /packagename:Microsoft.LanguageExperiencePack.lb-LU._neutral__8wekyb3d8bbwe

Once you have completed the configuration, you need to capture the changes by committing the changes to the Windows image using the following command.

Click here to view code image

Dism /Commit-Image /MountDir:"C:mountwindows"

Using the Lpksetup Command Line Tool

You can also use the Lpksetup tool to perform language pack operations on language pack CAB files.

To launch the Lpksetup wizard, use the following steps:

1. Download and then mount the Language Pack ISO.

2. Press the Windows logo key+R to open the Run dialog box.

3. Type lpksetup.exe, and then select OK.

4. Step through the wizard and browse to the Language Pack location on the mounted ISO.

5. Locate the language pack as shown in Figure 1-7 and click Next.

   

6. On the Review And Accept The Microsoft Software License Terms dialog box, click I Accept The License Terms and click Next.

7. The language pack installation completes.

8. Click Close.

If you want to automate the process or bypass the user interface (UI) and perform unattended or silent-mode language pack installations, you can also use the Lpksetup command-line tool. You need to run Lpksetup using an elevated command prompt. The syntax is:

lpksetup.exe /i * /p <path>

This example installs all language packs that are located on installation media specified in the <path> location. The command-line options available for Lpksetup.exe are shown in Table 1-8.

Table 1-8 Lpksetup.exe command-line options

Implement activation

Activation is a very important part of configuring and managing Microsoft products and remaining within the Microsoft Software License Terms.

In some environments, the activation process will be fully automated, or silent, and it is easy to overlook it. This section explores Windows 10 activation options and procedures that you need to understand.

Like most Microsoft products, Windows 10 requires activation. Activation verifies that your copy of Windows 10 is genuine and that it hasn’t been used on more devices than the license terms allow. Only a valid product key can be used to activate Windows 10. Figure 1-8 shows the current activation status of a computer running Windows 10 Professional.

You can activate Windows 10 in several ways—by using an Internet-accessible service at Microsoft, by telephone, and by using bulk activation methods such as Key Management Service (KMS) and Active Directory–based activation. This section explores activation and the methods you can use to manage your organization’s Windows 10 activation.

Volume Activation Services

For large organizations with many hundreds or even thousands of devices, using manual product key entry and activation is impractical; it is both error prone and time-consuming. For these reasons, Microsoft provides three methods for volume activation. These are:

• Key Management Service (KMS) You can use this Windows Server role service to activate Windows 10 in your organization’s network. Client computers connect to the KMS server to activate, thereby negating the need to connect to Microsoft for activation. It is not necessary to dedicate a server computer to perform activation with the KMS role.

• Active Directory–based activation Any device running any Windows 10 that is connected to your organization’s domain network and is using a generic volume license key (VLK) can use Active Directory–based activation. Periodically, the client must renew the license from the licensing service. Therefore, for the activation to remain valid, the client device must remain part of your organization’s domain. As with KMS, you do not need to dedicate a server to the Active Directory–based activation role.

• Multiple Activation Key Multiple Activation Key (MAK) uses special VLKs that can activate a specific number of devices running Windows 10. You can distribute MAKs as part of your organization’s Windows 10 operating system image. This method is ideal for isolated client computers, which will benefit from a one-time activation using the hosted activation services provided by Microsoft.

To use either KMS or Active Directory–based activation to manage your volume activations, the Volume Activation Services server role must be running on a Windows Server 2016 or Windows Server 2019 computer and be configured to use either KMS or Active Directory–based activation. You need to activate the role with Microsoft so that the service can activate devices. This involves entering and validating a KMS host key with Microsoft, either online or by telephone.

An administrator can manage the organization’s volume activations centrally using the Volume Activation Management Tool (VAMT) from a Windows 10 or Windows Server 2016 R2 computer. You can download the VAMT as part of the Windows Assessment and Deployment Kit (Windows ADK).

Activate Windows 10

If you are using one of the volume activation methods, you do not need to perform any task on your Windows 10–based devices because Windows 10 will automatically remain in an activated state whilst the volume license agreement is in place. However, if you are manually managing activation on Windows 10–based devices following installation, you must complete the following procedure.

1. Click Start > Settings.

2. Click Update & Security > Activation > Change Product Key.

3. In the Enter A Product Key dialog box, type your 25-character product key.

4. On the Activate Windows page, click Next.

5. When prompted, click Close.

After you have activated Windows 10, you can view the activation status on the Activation tab of the Update & Security section of the Settings app. Also, you can view and manage the activation status of your Windows 10–based product by using the Slmgr.vbs command. For example, Figure 1-8 showed the result of typing the Slmgr.vbs -dli command. You can see that Windows 10 Pro is licensed properly.

Activate Windows 10 Virtual Machines

For Windows 10 virtual machines running on Windows 10, version 1803, a new feature called Inherited Activation allows Windows 10 virtual machines to inherit an activation state from their Windows 10 hosts.

When a user creates a new Windows 10 virtual machine (VM) using a Windows 10 local host, the VM will automatically inherit the activation state from a host machine. Inherited Activation requires that both the host computer and the VM are running Windows 10, version 1803 or later and that the host computer has been activated using a Windows 10 E3 or E5 license.

Troubleshoot activation issues

When a device running Windows 10 is not activated, the user is presented with a watermark on the lower-right corner of the screen requesting that you activate Windows. Additionally, you cannot personalize the device, such as changing wallpaper, accent colors, lock screen, themes, or sync settings between devices.

Unlike earlier versions of Windows, there is no grace period for how long you can use Windows 10 without activation. In the Windows 10 license agreement, users are authorized to use Windows 10 only if they are properly licensed and the software has been properly activated with a genuine product key or by another authorized method.

If you are having trouble activating Windows 10, you could try these actions to resolve common activation issues.

Configure Microsoft accounts

A Microsoft account (previously called Windows Live ID) provides you with an identity that you can use to securely sign in on multiple devices and access cloud services. You can also use the account to synchronize your personal settings between your Windows-based devices.

If Windows 10 detects an Internet connection during setup, you are prompted to specify your Microsoft account details, though you can skip this step and create a local account instead. You can link your Microsoft account to a local or AD DS domain account after setup is complete.

Microsoft accounts are primarily for consumer use. Domain users can benefit by using their personal Microsoft accounts in your enterprise, though there are no methods provided by Microsoft to provision Microsoft accounts within an enterprise. After you connect your Microsoft account to Windows 10, you can:

• Access and share photos, documents, and other files from sites, such as OneDrive, Outlook.com, Facebook, and Flickr.

• Integrated social media services providing contact information and status for your users’ friends and associates are automatically maintained from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn.

• Download and install Microsoft Store apps.

• App synchronization with Microsoft Store apps. After user sign-in, when an app is installed, any user-specific settings are automatically downloaded and applied.

• Sync your app settings between devices that are linked to your Microsoft account.

• Use single sign-on with credentials roaming across any devices running Windows 10, Windows 8.1, Windows 8, or Windows RT.

If Microsoft accounts are allowed in an enterprise environment, you should note that only the owner of the Microsoft account is able to change the password. A user can perform a password reset in the Microsoft account sign-in portal at https://account.microsoft.com.

Understand Multifactor Authentication

Traditional computer authentication is based on users providing a name and password. This allows an authentication authority to validate the exchange and grant access. Although password-based authentication is acceptable in many circumstances, Windows 10 provides for a number of additional, more secure methods for users to authenticate with their devices, including multifactor authentication (also referred to as two-factor authentication).

Multifactor authentication is based on the principle that users who wish to authenticate must have two (or more) things with which to identify themselves. Specifically, they must have knowledge of something, they must be in possession of something, and they must be something. For example, a user might know a password, possess a security token (in the form of a digital certificate), and be able to prove who they are with biometrics, such as fingerprints.

Explore Biometrics

Biometrics, like a fingerprint, provides more secure and often, more convenient methods for both user and administrator to be identified and verified. Windows 10 includes native support for biometrics through the Windows Biometric Framework (WBF), and when used as part of a multifactor authentication plan, biometrics is increasingly replacing passwords in modern workplaces.

Biometric information is obtained from the individual and stored as a biometric sample which is then securely saved in a template and mapped to a specific user. To capture a person’s fingerprint, you can use a fingerprint reader (you “enroll” the user when configuring this). Also, you can use a person’s face, her retina, or even her voice. The Windows Biometric service can be extended to also include behavioral traits such as body gait and typing rhythm.

Windows includes several Group Policy settings related to biometrics, as shown in Figure 1-10, that you can use to allow or block the use of biometrics from your devices. You can find Group Policy Objects here: Computer ConfigurationAdministrative Templates Windows ComponentsBiometrics.

Configure Windows Hello and Windows Hello for Business

Windows Hello is a two-factor biometric authentication mechanism built into Windows 10, and it is unique to the device on which it is set up. Windows Hello allows users to unlock their devices by using facial recognition, fingerprint scanning, or a PIN.

Windows Hello for Business is the enterprise implementation of Windows Hello and allows users to authenticate to an Active Directory or Azure Active Directory account, and it enables them to access network resources. Administrators can configure Windows Hello for Business using Group Policy or mobile device management (MDM) policy and uses asymmetric (public/private key) or certificate-based authentication.

Windows Hello provides the following benefits.

• Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites which reduces security. Windows Hello allows them to authenticate using their biometric data.

• Passwords are vulnerable to replay attacks, and server breaches can expose password-based credentials.

• Passwords offer less security because users can inadvertently expose their passwords because of phishing attacks.

• Windows Hello helps protect against credential theft. Because a malicious person must have both the device and the biometric information or PIN, it becomes more difficult to hack the authentication process.

• Windows Hello can be used both in cloud-only and hybrid deployment scenarios.

• Windows Hello logs you into your devices three times faster than a password.

To implement Windows Hello, your devices must be equipped with the appropriate hardware. For example, facial recognition requires that you use special cameras that see in infrared (IR) light. These can be external cameras or cameras incorporated into the device. The cameras can reliably tell the difference between a photograph or scan and a living person. For fingerprint recognition, your devices must be equipped with fingerprint readers, which can be external or integrated into laptops or USB keyboards.

If you have previously experienced poor reliability from legacy fingerprint readers, you should review the current generation of sensors, which offer significantly better reliability and are less error-prone.

After you have installed the necessary hardware devices, you can set up Windows Hello by openings Settings, clicking Accounts, and then, on the Sign-In Options page, under Windows Hello, reviewing the options for face or fingerprint. If you do not have Windows Hello- supported hardware, the Windows Hello section does not appear on the Sign-In Options page.

To configure Windows Hello, follow these steps:

1. Open the Settings App and select Accounts.

2. On the Accounts page, click Sign-in options.

3. Under the Windows Hello section, click Set Up under Face Recognition.

4. Click Get Started on the Windows Hello setup dialog page.

5. Enter your PIN or password to verify your identity.

6. Allow Windows Hello to capture your facial features, as shown in Figure 1-11.

   

7. Once complete, you are presented with an All Set! message that you can close.

Users can use Windows Hello for a convenient and secure sign-in method that is tied to the device on which it is set up.

For Enterprises that want to enable Windows Hello, they can configure and manage Windows Hello for Business. Windows Hello for Business uses key-based or certificate-based authentication for users by using Group Policy or mobile device management (MDM) policy or a mixture of both methods.

Configure PIN

To avoid authentication with passwords, Microsoft provided an authentication method that uses a PIN. When you set up Windows Hello, you’re asked to create a PIN first. This PIN enables you to sign in using the PIN as an alternative to when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. The PIN provides the same level of protection as Windows Hello.

Windows Hello PIN provides secure authentication without sending a password to an authenticating authority, such as Azure AD or an AD DS domain controller. Windows Hello for Business provides enterprises compliance with the new FIDO 2.0 (Fast IDentity Online) framework for end-to-end multifactor authentication.

Within a domain environment, a user cannot use a PIN on its own (known as a Convenience PIN). You will see from the user interface shown in Figure 1-12, that the PIN settings are within the Windows Hello section of the Sign-In Options. A user must first configure Windows Hello and be already be signed in using a local account, a domain account, a Microsoft account, or an Azure AD account. The user is then able to set up PIN authentication that is associated with the credential for the account.

After a user has completed the registration process, Windows Hello for Business generates a new public-private key pair on the device known as a protector key. If installed in the device, the Trusted Platform Module (TPM) generates and stores this protector key; if the device does not have a TPM, Windows encrypts the protector key and stores it on the file system. Windows Hello for Business also generates an administrative key that is used to reset credentials if necessary.

The user now has a PIN gesture defined on the device and an associated protector key for that PIN gesture. The user can now securely sign in to his device using the PIN and then add support for a biometric gesture as an alternative for the PIN. The gesture can be facial recognition, iris scanning, or fingerprint recognition, depending on available hardware in the device. When a user adds a biometric gesture, it follows the same basic sequence as mentioned in the previous section. The user authenticates to the system by using the PIN and then registers the new biometric. Windows generates a unique key pair and stores it securely. The user can then sign in using the PIN or a biometric gesture.

You can use MDM policies or GPOs to configure settings for Windows Hello for Business in your organization. For example, you can configure a policy that enables or disables the use of biometrics on devices affected by the policy.

To configure Windows Hello for Business in your organization, you use the appropriate GPOs within the following location:

Computer ConfigurationPoliciesAdministrative TemplatesWindows Components Windows Hello for Business

To configure PIN complexity with Windows 10 (with and without Windows Hello for Business), you can use the eight PIN Complexity Group Policy settings, which allow you to control PIN creation and management.

These policy settings can be deployed to computers or users. If you deploy settings to both, then the user policy settings have precedence over computer policy settings and GPO conflict resolution is based on the last applied policy. The policy settings included are:

• Require digits

• Require lowercase letters

• Maximum PIN length

• Minimum PIN length

• Expiration

• History

• Require special characters

• Require uppercase letters

In Windows 10, version 1703 and later, the PIN complexity Group Policy settings are located at: Administrative TemplatesSystemPIN Complexity under both the Computer and User Configuration nodes.

If an organization is not using Windows Hello for Business, they can still use the option to set a Convenience PIN. A Convenience PIN is very different to a Windows Hello for Business PIN because it is merely a wrapper for the user’s domain password. This means that the user’s password is cached and substituted by Windows when signing in with a Convenience PIN.

Since the Anniversary release (Windows 10, version 1607), the option to allow a Convenience PIN is disabled by default for domain-joined clients. To modify the option to sign in with the Convenience PIN you can use the Turn On Convenience PIN Sign-In GPO at Group Policy Computer ConfigurationAdministrative TemplatesSystemLogon.

Configure Picture Password

A picture password is another way to sign in to a computer. This feature does not use Windows Hello or Windows Hello for Business and therefore, it is not available to be used within a domain-based environment.

You sign in to a touch-enabled device by using a series of three movements consisting of lines, circles, and/or taps. You can pick any picture you want and provide a convenient method of signing in to touch-enabled, stand-alone devices. Picture password combinations are limitless because the pictures that can be used are limitless. Although picture passwords are considered more secure for stand-alone computers than typing a 4-digit PIN, a hacker may be able guess his way into a device by holding the screen up to a light to see where most of the gestures are (by following the smudges on the screen). This is especially true if the user touches the screen only to input the password and rarely uses touch for anything else.

To create a picture password follow these steps:

1. Open the Settings App and click Accounts.

2. Click Sign-in options.

3. Under Picture Password, click Add.

4. Input your current account password and click Choose Picture to browse to and select the picture to use.

5. Adjust the position of the picture and click Use This Picture.

6. Draw three gestures directly on your screen.

Remember that the size, position, and direction of the gestures are stored as part of the picture password.

7. You are prompted to repeat your gestures. If your repeated gestures match, click Finish.

There is only one GPO relating to this feature. To disable Picture Password using Local Group Policy, you can use the Turn Off Picture Password Sign-In GPO in the following location:

Computer ConfigurationAdministrative TemplatesSystemLogon.

Configure Dynamic Lock

Users with smartphones can take advantage of Dynamic Lock, which was introduced with the Creators Update for Windows 10. Dynamic Lock allows users to automatically lock their devices whenever they are not using them. (At the time of writing, the iPhone does not support this feature.)

The Dynamic Lock feature relies on a Bluetooth link between your PC and paired smartphone.

To configure Windows 10 Dynamic Lock, use the following steps:

1. Open the Settings App and click Accounts.

2. Click Sign-in options and scroll to Dynamic Lock.

3. Check the Allow Windows To Detect When You’re Away And Automatically Lock The Device option.

4. Click the Bluetooth & Other Devices link.

5. Add your smartphone using Bluetooth and pair it.

6. Return to the Dynamic Lock page and you should see your connected phone, as shown in Figure 1-13.

   

7. Your device will be automatically locked whenever Windows detects that your connected smartphone has moved away from your desk for 30 seconds.

You can configure dynamic lock functionality for your devices using the Configure Dynamic Lock Factors GPO. You can locate the policy setting at Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows Hello for Business.

Customize Windows 10 Start

For users of earlier versions of Windows, the appearance of Start may be significantly different to what they have been used to. Start is dynamic, and its appearance depends on your device type. For example, a device with a small screen such as a tablet, Start appears full-screen, by default, which is easier to navigate when using a touch device.

If you are using a non-touch device, then, by default, Windows 10 displays Start as a menu that combines aspects that may be similar to the Start menu found in Windows 7 and Windows 8.1 (see Figure 1-14). This is more easily navigable by using a mouse than by using touch.

You can configure the Start menu behavior from the Settings app. Open the Settings App, click Personalization, and then click the Start tab. You can then select the option to Use Start full screen, as shown in Figure 1-15.

The Start customizations shown in Figure 1-15 are:

• Show More Tiles On Start This setting enables you to display more tiles when Start is configured for partial-screen mode.

• Show App List In Start Menu Enables an alphabetical list of all apps on the left side of the Start screen.

• Show Recently Added Apps Any recently installed apps are marked as new in Start.

• Show Most Used Apps Windows 10 tracks your app usage and lists your most frequently used apps in a Most Used Apps list in Start.

• Show Suggestions Occasionally In Start This setting enables or disables app suggestions in Start.

• Use Start Full Screen Enables Start to display full screen. This is more useful on a tablet device than on a device with a mouse.

• Show Recently Opened Items In Jump Lists On Start Or The Taskbar This setting enables Windows 10 to remember recently opened files and list those in the context menu of apps appearing in Start or on the taskbar.

• Choose Which Folders Appear On Start This setting enables you to set shortcuts for the following folders on Start: File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, Network, and Personal Folders.

Convertible Devices

Convertible devices, including the Microsoft Surface Pro, can switch in and out of Tablet Mode with the removal and reattachment of the keyboard, or by reorienting the device. When a device switches like this, you can choose whether Windows should switch to full-screen Start (Tablet Mode) automatically, as shown in Figure 1-16.

You can configure the default behavior through the Settings app. Click System and then open the Tablet Mode tab. As shown in Figure 1-17, you can then configure the following options.

• When I Sign In:

  • Use Tablet Mode

  • Use Desktop Mode

  • Use The Appropriate Mode For My Hardware

• When This Device Automatically Switches Tablet Mode On Or Off:

  • Don’t Ask Me And Don’t Switch

  • Always Ask Me Before Switching

  • Don’t Ask Me And Always Switch

• Hide App Icons On The Taskbar In Tablet Mode

• Automatically Hide The Taskbar In Tablet Mode

Note Tablet Mode

Tablet Mode also changes applications so that they run full screen.

Configuring Start Tiles

In addition to enabling or disabling Start Full-Screen behavior, you can also customize the application tiles that appear on Start and how those tiles look and behave. From Start, right-click the appropriate app, as shown in Figure 1-18. Click Pin To Start.

When a tile is pinned to Start, you can configure it. Right-click the tile and, from the context menu, you can choose:

• Unpin From Start

• Resize

  • Choose from Small, Medium, Large, and Wide, depending on the app.

• More

  • If the app is a Microsoft Store app, choose from Turn Live Tile Off, Pin To Taskbar, App Settings, Rate And Review, and Share.

  • If the app is a desktop app, choose from Pin To Taskbar, Run As Administrator, and Open File Location.

• Uninstall

Note Uninstalling Desktop Apps From Start

If the app you select to uninstall is a desktop app, Programs And Features opens in Control Panel allowing you to manually remove the desktop app.

If your device is touch-enabled, the procedure is slightly different from using a mouse to configure tiles. Rather than right-clicking a tile from Start, you must touch and hold a tile. Then you can unpin the tile by using the Unpin icon. Use the ellipse button (three dots) to access the context menu, as shown in Figure 1-19.

Export Start Layout

Although you can manually drag and resize tiles on Start for each computer in your organization, this is not practical at scale. Within a corporate environment, you can control the Start layout by creating a customized Start screen on a test computer and then export the layout to other devices.

Not all editions of Windows 10 support customizing Windows 10 Start and taskbar with Group Policy. These are shown in Table 1-10 as follows:

Table 1-10 Windows 10 Start and taskbar support

Windows Version	Supported Edition
Windows 10, version 1607	Windows 10 Enterprise and Windows 10 Education
Windows 10, version 1703	Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

You can choose to export a layout that applies a full or partial Start layout.

• Full Start layout Users cannot pin, unpin, or uninstall apps from Start. Users cannot pin any apps to Start.

• Partial Start layout The contents of the specified tile groups cannot be changed. Users can move groups and can create and customize their own groups.

The Start layout is exported as a .xml file, which can then be deployed to devices using:

• Group Policy

• Windows Configuration Designer provisioning package

• Mobile device management (MDM)

On your test computer, you can customize the Start layout prior to exporting the layout. Customization can include:

• Pin apps to Start.

• Unpin the apps that you don’t want to display.

• Drag the tiles on Start to reorder or group apps.

• Resize tiles.

• Create your own app groups.

• Name groups.

Once you have configured the desired Start layout, you use the Export-StartLayout Windows PowerShell cmdlet to export the Start layout to an .xml file using the following procedure.

1. Open Windows PowerShell.

2. Run the Export-StartLayout –path <path><file name>.xml cmdlet.

3. You can optionally edit the .xml file to add a taskbar configuration.

4. Copy the exported file to a shared folder.

5. Deploy the .xml file using any of the deployment methods.

If you use Group Policy, you must specify the .xml file in the GPO: User Configuration PoliciesAdministrative TemplatesStart Menu and TaskbarStart Layout. To do this, complete the following procedure.

1. Open Group Policy Management Console (GPMC) to configure a domain-based GPO.

2. Navigate to the appropriate AD DS container, such as your domain.

3. Open an existing GPO for editing or create a new GPO, link it to your chosen container, and open it for editing.

4. Navigate to the User ConfigurationPoliciesAdministrative TemplatesStart Menu And Taskbar folder and open the Start Layout GPO.

5. Enable the GPO and, in the Start Layout File text box, type the full UNC path name to your XML file, for example, \LON-SVR1MarketingMarketing.XML as shown in Figure 1-20.

6. Click OK and close Group Policy Management.

For the policy to be effective, users must sign out and sign back in. Alternatively, you can issue a Gpupdate.exe /force command from an elevated command prompt to force GPO propagation.

To configure a partial Start screen layout, you should export the Start layout and then open the layout .xml file. You should then add LayoutCustomizationRestrictionType=“Only SpecifiedGroups” to the <DefaultLayoutOverride> element as follows:

Click here to view code image

<DefaultLayoutOverride LayoutCustomizationRestrictionType="OnlySpecifiedGroups">

Then save the file and deploy the settings.

If you like, you can update an existing Start layout by replacing the .xml file that is specified in the Start Layout policy settings with an .xml file that has a newer timestamp.

Need More Review? Manage Windows 10 Start and Taskbar Layout

For more information about customizing Start and taskbar layout, visit the Microsoft website at https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout.

In addition to the Start layout, you can control other aspects of Start with Group Policy. Table 1-11 shows the elements that you can control with GPOs and the respective values to use within GPOs. Unless otherwise noted, the path for these GPO settings is User ConfigurationPoliciesAdministrative TemplatesStart Menu And Taskbar.

Table 1-11 Using Group Policy to configure Start

Start Element	Policy
User tile	Remove Logoff On The Start Menu
Most Used	Remove Frequent Programs List From The Start Menu
Suggestions	Computer ConfigurationPoliciesAdministrative TemplatesWindows Components Cloud ContentTurn Off Microsoft Consumer Experiences
Power	Remove And Prevent Access To The Shut Down, Restart, Sleep, And Hibernate Commands
All Apps	Remove All Programs List From The Start Menu
Jump lists	Do Not Keep History Of Recently Opened Documents
Start size	Force Start To Be Either Full Screen Size Or Menu Size
All Settings	Prevent Changes To Taskbar And Start Menu Settings

Note Manage Windows 10 Start and Taskbar Layout

If you have a workgroup environment, you may want to create a default Windows 10 Start and taskbar layout xml file. For the settings to be applied to all users on a device, copy the xml file to C:UsersDefaultAppDataLocalMicrosoftWindowsShelllocation.

Customize the Desktop

In addition to customizing Start to your requirements, you can configure the desktop and related settings. To configure the desktop, click Start > Settings > Personalization.

From the Personalization Settings app, you can configure the following settings.

• Background You can select and configure a desktop background color or picture image, or you can select a slideshow of images.

• Colors On the Color tab, you can choose a color scheme and optionally configure the following options.

  • Enable transparency effects.

  • Show accent color on the following surfaces: Start, taskbar, Action Center, title bars, and window borders.

  • Choose the default app mode: Light or Dark.

  • Access the High Contrast Settings.

• Lock Screen From the Lock Screen tab, as shown in Figure 1-21, you can select and configure a background image to display when your Windows 10 device is locked. A feature called Windows Spotlight allows you to display different background images on the lock screen each day and will occasionally suggest Windows 10 features that the user hasn’t tried yet, such as Snap Assist. In addition, you can

  • Choose a lock screen background image.

  • Choose An App To Show Detailed Status (for example, Calendar).

  • Choose Apps To Show Quick Status (for example, Facebook, Mail, Calendar, or Alarms & Clock).

  • Configure Cortana Lock Screen Settings.

  • Show Lock Screen Background Picture On The Sign-In Screen.

  • Configure Screen Timeout Settings and Screen Saver Settings.

• Themes This setting enables you to configure and apply theme settings. Themes enable you to define combinations of background, color, sound, and mouse cursor settings. You can also configure desktop icon settings, such as whether to display the Recycle Bin on the desktop. You can download from the dozens of additional themes available free from the Microsoft Store, as shown in Figure 1-22.

• Start You can also configure Start settings, as previously discussed.

• Taskbar From this tab, among other settings, you can.

  • Lock the taskbar.

  • Automatically hide the taskbar when in Desktop or Tablet Mode.

  • Use small taskbar buttons.

  • Configure the way running tasks and apps combine on the taskbar.

  • Configure whether the Command Prompt will appear instead of Windows PowerShell on Start; you can also configure whether the Command Prompt appears in the menu when the Windows key + X is pressed.

  • Change the taskbar location.

  • Customize the notification area.

  • Turn system icons on or off.

  • Customize the taskbar appearance when using multiple displays.

  • Customize the People settings.

Multiple desktops

Windows 10 provides support for multiple desktops. This provides a simplistic multitasking view. Rather than running apps in multiple windows on the same desktop, you can create additional desktops for groups of apps or individual apps. Multiple desktops can be useful for keeping unrelated windows or projects organized; multiple desktops are also useful for quickly switching to a clean desktop before a meeting.

To add a new desktop, click the Task View button on the taskbar and then click New Desktop in the upper-left of the display. You can also add a new desktop by pressing Windows key + Tab on your keyboard, or you can swipe with one finger from the left of your screen if you have touch.

To switch between desktops, click the Task View button, press Windows key + Tab, or swipe with one finger from the left of your touchscreen. You can then select the appropriate desktop as shown in Figure 1-23.

To remove a desktop, click the Task View button on the taskbar and then hover over the desktop that you want to delete and then click the X on the desktop.

Configure Action Center and taskbar

In Windows 10, Microsoft introduces an improved Action Center, as shown in Figure 1-24. This is accessible by swiping from the right or by clicking the Notifications icon in the system tray.

Action Center includes the following elements:

• Quick Action tiles As shown at the bottom of Figure 1-24, the displayed tiles are configurable and dependent on your device.

• Notifications area You can configure how Windows notifies you of events.

Configure Quick Action Tiles

The Quick Action tiles are shortcuts to commonly used features of the Windows 10 operating system. The expanded view allows a larger number of tiles to become visible as shown in Figure 1-24. The specific tiles that appear in the expanded view will depend on your device type and orientation. For example, if your computer is not a tablet and is not capable of converting into a tablet, the Tablet Mode tile is not available. By default, in the expanded view, the following tiles are available.

• Tablet Mode Enables you to switch between Tablet and Desktop Modes.

• Rotation Lock Enables or disables the rotation lock. Normally, the display orients itself based on the orientation of your Windows 10 device, switching between landscape and portrait modes. Use this option to lock the orientation irrespective of physical orientation.

• Airplane Mode Disables all internal radios in the device, including Wi-Fi and Bluetooth for use when you travel on an aircraft. This is also a convenient when you want to conserve battery power.

• All Settings Provides a convenient shortcut to the Settings app.

• Connect Enables you to find and connect to media servers. This includes Xbox and other devices running Windows that are sharing their media files. It can also include devices, such as TV set-top boxes.

• Project Enables you to link your device to an external monitor or wireless display.

• Battery Saver Only available when your device is running on battery alone; helps reduce power consumption. You can configure Power Options and Battery Saver in the Settings app.

• VPN Switches to the VPN tab in the Network & Internet Settings app. From there, you can set up, configure, or connect to a VPN.

• Bluetooth Enable or disable the Bluetooth radio.

• Brightness Enables you to control display brightness. Click this tile to step through brightness levels in 25 percent increments.

• Wi-Fi Enables or disables the Wi-Fi connection.

• Focus Assist (Called Quiet Hours in earlier versions of Windows 10) allows you to avoid distracting notifications when you need to stay focused by reducing the notifications you receive.

• Night Light Toggles your display to remove white light. You can configure Night Light in the Settings app.

• Location Enables or disables location services. Many services use location to customize services, such as mapping apps, for your device.

You can modify which quick action tiles are displayed by clicking the Add Or Remove Quick Actions and rearrange the location of the tiles by dragging and dropping them within the Settings app, as shown in Figure 1-25.

Configure Notifications

When Windows 10 wants to inform you about something, it raises a notification. You can see and act on the notifications in a list shown in Action Center. To respond to a notification, click it. You can remove notifications by clicking Clear All at the top of the page.

Windows notifies you about a variety of operating system events and situations, including the need to obtain updates or perform an antivirus scan, and Windows also prompts you about which actions you want to take when a new device, such as a USB memory stick, has been detected.

As shown in Figure 1-26, you can configure which notifications you receive by opening Settings. Click System > Notifications & Actions. Under Notifications, you can configure the following options.

• Show Notifications On The Lock Screen.

• Show Reminders And Incoming VoIP Calls On The Lock Screen.

• Show Me The Windows Welcome Experience After Updates And Occasionally When I Sign In To Highlight What’s New And Suggested.

• Get Tips, Tricks And Suggestions As You Use Windows.

• Get Notifications From Apps And Other Senders.

You can also configure notifications from individual apps. As shown in Figure 1-26, under the Get Notifications From These Apps heading, you can enable or disable notifications for each listed app. If you select an app from the list, such as for Microsoft Edge, as shown in Figure 1-27, you can fine tune the notifications for the application, including turning them on or off:

• Notifications

• Show Notification Banners

• Keep Notifications Private On The Lock Screen

• Show Notifications In Action Center

• Play A Sound When A Notification Arrives

• Number Of Notifications Visible In Action Center

• Priority Of Notifications In Action Center

Exam Tip

You can remove the Notification & Action Center from the notification area on the taskbar using Group Policy. Notifications will pop up, but users won’t be able to review any notifications they miss. Use the User ConfigurationPoliciesAdministrative TemplatesStart Menu

And Taskbar node and enable the Remove Notifications And Action Center GPO.

Configure the Notification Area

As shown in Figure 1-28, you can also configure taskbar options from the Personalization area of the Settings app. Open the Personalization area and then click the Taskbar tab. There are two headings under the Notification Area with options for each:

• Select Which Icons Appear On The Taskbar

  Options include:

  • Always Show All Icons In The Notification Area

  • Power

  • Network

  • Volume

  • Windows Security notification icon

  • Microsoft OneDrive

  • Location notification

• Turn System Icons On Or Off

  Options include:

  • Clock

  • Volume

  • Network

  • Power

  • Input Indicator

  • Location

  • Action Center

  • Touch Keyboard

  • Windows Ink Workspace

  • Touchpad

Customize Microsoft Edge

One of the benefits of the integration between Windows 10 and Microsoft Edge is the extensive ability to customize Microsoft Edge for your organization. These settings cover every aspect of the modern browser including configuring default tabs, security settings, allowed extensions and browser experience preferences, and more.

A list of the configuration options relating to Microsoft Edge, together with a link to the Group Policy and Microsoft Intune reference webpage, can be found in Table 1-12.

Table 1-12 Microsoft Edge configuration options

If your organization uses Group Policy, you can locate the majority of the Microsoft Edge Group Policy settings in the following location:

Computer ConfigurationAdministrative TemplatesWindows ComponentsMicrosoft Edge

Microsoft Edge kiosk mode

If you are running Windows 10, version 1809, (Professional, Enterprise, and Education editions only) you can use Microsoft Edge in a kiosk environment using assigned access. The assigned access feature allows you to lock down a Windows 10 device to only run a single-app or multi-app, which can then be used in a public space, such as a kiosk.

Microsoft Edge in kiosk mode allows you to operate a digital signage for presentation in a public area or to deploy devices for members of the public to use for web browsing in InPrivate mode. You can configure the behavior of Microsoft Edge when it’s running in kiosk mode by configuring the appropriate policy as shown in Table 1-13.

Table 1-13 Microsoft Edge kiosk mode policy

Microsoft Edge in kiosk mode supports four configuration types as shown in Table 1-14. The Group Policy settings are shown in Figure 1-31.

Microsoft Edge kiosk mode can be set up in various configurations depending on your requirements as listed in Table 1-14.

Table 1-14 Microsoft Edge kiosk mode configuration types

When you use Microsoft Edge in kiosk mode, the default experience includes:

• Safer browsing Microsoft Edge in kiosk mode for public browsing runs Microsoft Edge InPrivate mode. This protects user data and deletes the browsing history, temporary Internet files, and cookies once the session has ended or is reset.

• Automatic browser session reset Microsoft Edge kiosk mode has a built-in timer, which resets the browser session to the default URL after five minutes of idle time.

• Default URLs You must configure the URL to load when the kiosk session launches. The URL sets the Home button, Start page, and New Tab page.

• Assigned access required Configuring kiosk mode policy settings for Microsoft Edge are not applied unless Microsoft Edge is run using assigned access.

Microsoft Edge as a service

The Microsoft Edge web browser will have new features added on a regular basis, as has happened since the initial technical preview release in early 2015. Microsoft Edge is not available as a standalone download for Windows 10, though it is available as an app for Android and iOS devices through their respective app stores.

Microsoft Edge is updated through Windows Update, which will install security fixes, product feature enhancements, group policies and MDM settings for Microsoft Edge in a similar fashion to updates on Windows 10.

You can view the various update cadence in Table 1-15.

Table 1-15 Microsoft Edge update cadence

Enterprises can use several tools to manage the Microsoft Edge updates as part of the new Windows as a Service model, including:

• Windows Update (stand-alone)

• Windows Update for Business

• Windows Server Update Services (WSUS)

• System Center Configuration Manager

Every new update published includes all changes from previous updates, as well as new fixes; these updates are known as “latest cumulative update” (LCU) packages. A newly imaged device can simply become “up to date” by installing the most recent LCU.

When updates are available for download to Windows 10 using the Windows Update servicing engine, the operating system can scan the update and will automatically only install the updates that are needed by the device to become completely up to date.

Windows 10 users can expect new LCU packages to be published on the second Tuesday of each month (often referred to as Patch Tuesday), which is classified as a required security update and contains new security, non-security, and browser fixes.

You can check the installed version of Microsoft Edge by using the following steps:

1. Open the Microsoft Edge web browser.

2. Select the menu icon (...) and then choose Settings.

3. Scroll all the way down to the About This App section.

4. The versions of Edge and EdgeHTML are listed.

Enterprise Mode

We have seen how Microsoft Edge offers safer browsing for modern websites and apps, but the majority of the web—including company intranet sites—is still using older versions of HTML, ActiveX controls, and unsupported third-party add-ins. Internet Explorer 11 is included with Windows 10 to allow users to continue to access these websites in a supported, safe, and secure way.

Enterprise Mode is a business-focused feature that allows you to operate a dual-browser experience, using Microsoft Edge as your default browser but automatically switch to Internet Explorer 11 when users need to access sites that cannot be viewed in Microsoft Edge.

It is unrealistic to expect enterprises to only permit viewing of websites and apps that can be viewed by Microsoft Edge. It is expected that newer development projects will be written using modern web standards, which will be supported by Microsoft Edge.

For widespread compatibility problems with your popular, or required, websites and apps opening in Microsoft Edge you can populate the Enterprise Mode site list with these sites, so that they seamlessly open in Internet Explorer 11. Once the user completes browsing the site, they can close the browser, or if they attempt to browse to another website, which is not on the site list, then Microsoft Edge will automatically launch to continue the browsing experience.

Using Enterprise Mode allows that you can continue to use Microsoft Edge as your default browser, while also ensuring that websites and apps needed by your users continue working.

Enterprise Mode includes the following features:

• Web app and website compatibility Allows many legacy web apps run unmodified on IE11.

• Enterprise Mode Site List Manager Provides a management tool for website lists.

• Centralized Control Specify the websites or web apps, which Enterprise Mode will manage and store this XML file on a website or network, or it can be stored locally.

• Integrated Browsing Once set up, users can browse the web normally, letting the browser change modes automatically.

• Data Gathering Enterprise Mode can be used to collect website compatibility issues from your users’ browsing activity, which you can use to add URLs to your central site list.

Configure Enterprise Mode

To enable and configure Enterprise Mode for Microsoft Edge, use the following steps:

1. Download and install the Enterprise Mode Site List Manager (schema v.2) tool for Windows 10 from https://www.microsoft.com/download/confirmation.aspx?id=49974.

2. Open the Enterprise Mode Site List Manager tool.

3. Add the URLs of websites that you want to direct to Microsoft Edge or Internet Explorer 11. (You don’t need to include the http:// or https:// designation.)

4. For each URL, select None, IE11, or MSEdge to open the website.

5. Optionally, add any comments about the website into the Notes About URL box.

6. Click Save to validate your website and to add it to the site list.

7. Click File > Save To XML and save the file to a network share.

8. Open Group Policy Management Console (GPMC) to configure a domain-based GPO.

9. Navigate to the appropriate AD DS container, such as your domain.

10. Open an existing GPO for editing or create a new GPO, link it to your chosen container, and open it for editing.

11. Navigate to Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsMicrosoft Edge and enable the Configure The Enterprise Mode Site List policy.

12. In the Type The Location (URL) Of Your Enterprise Mode IE Website dialog box, type the location of the XML file you saved. For example, type \LON-SVR1MarketingMarketing. XML as shown in Figure 1-32.

13. Click OK and close Group Policy Management.

Need More Review? Use Enterprise Mode to Improve Compatibility

To review more about using and configuring Enterprise Mode and the Enterprise Mode Site List, visit this Microsoft website article at https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility.

Configure basic power options

You can control Windows 10 power settings in several ways. On a mobile device, you can configure basic power options by using the Power & Sleep tab in the System Settings app, as shown in Figure 1-36.

On the Power & Sleep tab, you can configure the following options.

• Screen Available options are

  • On Battery Power, Turn Off After Select a value or choose Never.

  • When Plugged In, Turn Off After Select a value or choose Never.

• Sleep Available options are

  • On Battery Power, PC Goes To Sleep After Select a value or choose Never.

  • When Plugged In, PC Goes To Sleep After Select a value or choose Never.

• Network Connection Available options are

  • When My PC Is Is Asleep And On Battery Power, Disconnect From The Network Select Always, Managed By Windows, or Never.

You can configure additional power options by clicking the Battery tab, as shown in Figure 1-37, and set the following options.

• Overview View estimated battery time remaining.

• See Which Apps Are Affecting Your Battery Life View a report showing battery usage over the preceding 6 hours, 24 hours, or one week; also, you can filter by Apps with usage, All Apps and Always Allowed Apps.

• Battery Notifications See notifications for battery life.

• Battery Saver Configure when battery saver is enabled, implement battery saver until the next charge, and configure lower screen brightness while the device is using battery saver.

• More Saving Options View battery saving tips and configure battery optimization settings for when watching films and playing video.

Configure power plans

In addition to the battery settings available within the Settings app, Windows 10 provides a number of preconfigured power plans, as shown in Table 1-16. You can access these power plans from the Settings app, by clicking System, Power & Sleep, and then click the Additional Power Settings link.

Table 1-16 Power plans

You can select from among existing power plans by clicking the desired power plan, or you can create a new power plan by clicking Create A Power Plan. Also, you can configure basic options, such as whether your device will prompt you for a password when it wakes up, and what the power buttons and lid do on your computer. To reconfigure a plan, click Change Plan Settings. Within the settings options, you can also choose Change Advanced Power Settings to configure detailed plan settings.

Windows 10 Pro for Workstations

If you’re running Windows 10 Pro for Workstations, there is a new Ultimate Performance power plan scheme available, as shown in Figure 1-38. This is intended to be used on high-end workstation devices that demand increased performance. The policy implements fine-grained power management techniques that allow devices to run at maximum performance by removing the power management, performance, and efficiency tradeoffs that are normally present in Windows 10.

Unless you are using the Windows 10 Pro for Workstations edition the Ultimate Performance power plan will be hidden in Power Options. The plan is not available on battery powered devices.

Using Powercfg.Exe

Powercfg.exe is a command-line tool you can use to configure and manage power settings. Using Powercfg.exe, you can view the power plans available and export power plans. Powercfg .exe can be useful when configuring a batch of devices, each with the same hardware specifications, such as a roll out of new laptops. You would create a custom power plan on one device, and then export the power management plan to a file using Powercfg.exe. You would then import the plan to the other devices either using Powercfg.exe or by using Group Policy.

To get a list of the available power plans using this command, type powercfg.exe list at a command prompt. If you haven’t yet created any custom plans, you’ll only see the three default plans that come with Windows 10, as shown in Figure 1-39. Choose the plan to export and note the GUID value. To export the policy, open an elevated command prompt, and run powercfg.exe export power.pow GUID (where the GUID value used is the plan that you want to export).

More Info Powercfg Command-Line Options

For more information about Powercfg.exe command line options, visit https://docs.microsoft.com/windows-hardware/design/device-experiences/powercfg-command-line-options.

There are some other parameters you can use with Powercfg.exe. You should review these so that you are familiar with them.

• changename This option modifies the name of a power scheme and optionally, its description.

• -delete This option deletes the power scheme with the specified GUID.

• -setactive This option makes the specified power scheme active on the system.

• /deviceenablewake and /devicedisablewake This option enables and disables a device from waking the system from a sleep state.

• /systempowerreport This option generates a diagnostic system power transition report.

• /batteryreport This option generates a report of battery usage characteristics over the lifetime of the system.

Some of the modern reports, such as the battery usage or system power reports, are generated in HTML format and provide a huge amount of detail, which is invaluable if you are troubleshooting issues with battery life or device power consumption.

Creating Power Policies

You can use Group Policy to set policies related to the available power plans. Use the Group Policy Management Editor to navigate to Computer ConfigurationAdministrative TemplatesSystemPower Management. When you expand Power Management in the left pane, you can see the additional containers: Button Settings, Energy Saver Settings, Hard Disk Settings, Notification Settings, Power Throttling Settings, Sleep Settings, and Video And Display Settings. In the right pane, you can see two options: Specify A Custom Active Power Plan and Select An Active Power Plan, as shown in Figure 1-40.

When you click one of the seven nodes under Power Management, more options appear. You can control every aspect of power management here. For instance, in the Sleep Settings node, you can configure, enable, and disable the following (and more).

• Specify The System Sleep Timeout (Plugged In) This policy setting allows you to specify the period of inactivity before the system is put into sleep mode while plugged into a power outlet.

• Specify The System Sleep Timeout (On Battery) This policy setting allows you to specify the period of inactivity before the system is put into sleep mode while running on battery power.

• Require A Password When The Computer Wakes (Plugged In) This policy setting specifies whether the user is prompted for a password when the system resumes from sleep while plugged into a power outlet.

• Require A Password When The Computer Wakes (On Battery) This policy setting specifies whether the user is prompted for a password when the system resumes from sleep while running on battery power.

• Allow Standby States (S1 S3) When Sleeping (Plugged In) This policy setting specifies whether a device can use standby states other than hibernate when putting the computer in a sleep state while plugged into a power outlet.

• Allow Standby States (S1 S3) When Sleeping (On Battery) This policy setting specifies whether a device is able to use standby states other than hibernate when putting the computer in a sleep state while running on battery power.

You should review these policies in each node to familiarize yourself with the various options available.

Viewing Process Power Usage

A new feature within Task Manager allows you to view the instantaneous power usage of apps and services using your device’s power.

Task Manager now includes two new columns in the Processes tab, as shown in Figure 1-41, to show energy impact of the running process on your system. This can be helpful to understand the levels of power that apps and services are using. Task Manager considers the processor, graphics, and disk drive power when calculating power usage. There are two columns available, as follows.

• Power Usage Provides an instantaneous view of apps and services using power.

• Power Usage Trend Provides a power usage trend over the previous two minutes for running apps and services.

Using Task Manager, you can also see if a process has been suspended. To view suspended apps, look in the Status column of the Processes tab for a leaf icon. You can see that the Photos, Microsoft Edge, and Settings apps have been suspended, as shown in Figure 1-41. You should also see that when the cursor is hovered over the leaf icon next to Microsoft Edge, a tooltip describing the status is displayed.

Configure presentation settings

Windows 10 includes a useful utility called the Windows Mobility Center, which can be used to configure various mobility settings, all from one location. Depending upon your system, some or all the following settings might be available on your mobile device, as shown in Figure 1-42.

• Brightness Enables you to adjust the brightness of your display.

• Volume Enables you to adjust the speaker volume of your device; also, you can select the Mute check box to silence the speaker.

• Battery Status Lets you view how much charge is remaining on your battery and change the active power plan.

• Screen Orientation Lets you change the orientation of your device screen from portrait to landscape, or vice versa.

• External Display Enables connection to an additional monitor to your device.

• Sync Center Enables you to sync with external data sources, such as Offline Files.

• Presentation Settings Lets you turn on presentation settings during a presentation.

  Enabling presentation settings will temporarily have the following effects.

  • Disables pop-ups and notifications area pop-ups (such as from Outlook)

  • Prevents Windows from going into sleep mode

  • Prevents Windows from turning the screen off

  • Uses the display background and volume settings defined in the Presentation Settings, as shown in Figure 1-43

The Windows Mobility Center is only available on mobile devices, such as laptops and tablets.

The Presentation Settings utility, as shown in Figure 1-43, can be used in association with the Windows Mobility Center to configure turning off the screen saver, controlling the volume, and selecting a background image to be displayed when you give a presentation.

You can access the Presentation Settings utility on a mobile device by clicking the Presentation Settings icon or by using these steps.

1. Click Start and search for Presentation Settings.

2. In the search results, select Adjust Settings Before Giving A Presentation Control Panel.

3. The Presentation Settings utility appears, as shown in Figure 1-43.