This post serves to document the common asks from customers regarding what can and cannot be customized in Windows 10. Please check back regularly and share this post with others as I’ll be continuing to update it.
Last updated August 2016 for Windows 10, Version 1607 - You'll see (New!) in sections that contain new content.
There are many more settings than what's listed here - I'm just including the ones that are regular asks or issues that apply to many customers. Settings such as disabling the notification center aren't included because they remove a substantial benefit of the OS and generally aren't a good idea. I'm also not going to talk about things that are clearly unsupported such as deleting Windows files.
There are also a number of Group Policy settings that only apply to the Enterprise and Education SKUs of Windows 10 - these are being collected and documented here:
Note that most MDM OMA URIs listed below are documented here:
I've divided the settings up into categories:
- Identity & Security
- Interface & Shell
- Included Apps
- Other Customizations
Identity & Security
Block Microsoft Accounts
You can block MSA (Microsoft Account) using Group Policy or MDM. These are the same settings available in Windows 8, but they behave slightly differently. While this setting continues to be enforced at the platform level, some pre-provisioned (built-in) apps (such as Photos and Store) allow you to sign into the app with a Microsoft Account. Check out the blog post from my colleague below for more information about this.
Reference Blog Post: http://blog.scottbreen.tech/2016/02/24/block-microsoft-accounts-windows-10/
Group Policy: Computer\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft Accounts
MDM URI: ./Vendor/MSFT/Policy/Config/Accounts/AllowMicrosoftAccountConnection and AllowAddingNonMicrosoftAccountsManuall
(New!) Disable Wi-Fi Sense
This functionality is what allows users to connect to and share network details with others in their contacts. Many organisations like to disable this feature, which you can do with the setting below. Note that the setting name only implies that it prevents users from connecting to networks shared with them, when in reality this setting blocks all aspects of Wi-Fi Sense, including the ability for your users to share networks with others, which is probably what you're looking for.
Update: Wi-Fi Sense as a feature has been removed / deprecated in the 1607 release onwards. As such this setting is no longer relevant for that version.
Group Policy: Computer\Admin Templates\Network\WLAN Service\Allow Windows to Automatically Connect to Suggested Open Hotspots
Interface & Shell
Set Lock Screen Background / Disable Windows Spotlight / Logon Screen Background
You can configure the lock screen background using the following setting. This setting is designed for Enterprise scenarios and doesn't work in the Pro or Home SKUs of Windows 10.
Update: This setting was previously (Prior to Anniversary) called "Force a specific lock screen image". The name was changed to reflect that this setting now also controls the logon screen background.
Group Policy: Computer\Admin Templates\Control Panel\Personalization\Force a specific default lock screen and logon image
Configure Start Menu Layout
There are a number of ways to do this. Previously you may have used CopyProfile in the Unattend to modify the default user profile but due to some issues with CopyProfile, it’s not a recommended approach currently.
Instead, the way that seems to suit most businesses is to use a partial start layout, as documented in the link below. When you do this, you can have a section of Start that is for corporate apps, etc – but the remainder is available for customization by the user.
To do this, configure a group on a test machine’s Start Menu the way you want it, and export it using the Export-StartLayout PowerShell cmdlet. Then use the file in one of the ways below.
Note: You make a StartLayout XML file a Partial Layout by modifying the XML as per the link below.
Reference Article: https://technet.microsoft.com/en-us/library/mt592638(v=vs.85).aspx
Group Policy: User or Computer / Administrative Templates/Start Menu and Taskbar/Start Layout
MDM URI: ./User/Vendor/MSFT/Policy/Config/Start/StartLayout
PowerShell: (e.g., if you want to do this in the build to load a layout one time for new user profiles)
PS C:\> Export-StartLayout -Path <some path>\test.xml #Export on your lab machine, set up the way you want
PS C:\> Import-StartLayout -LayoutPath <some path>\test.xml -MountPath C:\ #Import during task sequence or script
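One way to turn the exported file into a partial layout, as an added example that is not part of the original post: it sets LayoutCustomizationRestrictionType="OnlySpecifiedGroups" on the DefaultLayoutOverride element and lists the groups that will be enforced. The two paths and the parameter names are placeholders.

```powershell
# Added example: convert an Export-StartLayout file into a partial layout.
# $LayoutPath / $OutPath are placeholder paths; adjust for your build share.
param(
    [string]$LayoutPath = 'C:\Temp\test.xml',
    [string]$OutPath    = 'C:\Temp\PartialLayout.xml'
)

$ErrorActionPreference = 'Stop'

[xml]$layout = Get-Content -LiteralPath $LayoutPath -Raw

# Namespaces used by the exported LayoutModificationTemplate.
$ns = New-Object System.Xml.XmlNamespaceManager($layout.NameTable)
$ns.AddNamespace('lm',    'http://schemas.microsoft.com/Start/2014/LayoutModification')
$ns.AddNamespace('start', 'http://schemas.microsoft.com/Start/2014/StartLayout')

$override = $layout.SelectSingleNode(
    '/lm:LayoutModificationTemplate/lm:DefaultLayoutOverride', $ns)
if ($null -eq $override) {
    throw "No DefaultLayoutOverride element in $LayoutPath; is this an Export-StartLayout file?"
}

# Only the groups in the file are locked; users can still add their own groups.
$override.SetAttribute('LayoutCustomizationRestrictionType', 'OnlySpecifiedGroups')

# List what will be enforced so the change can be reviewed before deployment.
$groups = $layout.SelectNodes('//start:Group', $ns)
if ($groups.Count -eq 0) {
    Write-Warning 'Layout contains no groups; a partial layout would enforce nothing.'
}
foreach ($g in $groups) {
    $tiles = @($g.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    '{0,-30} {1} tile(s)' -f $g.GetAttribute('Name'), $tiles.Count
}

$layout.Save($OutPath)
"Partial layout written to $OutPath"
```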
(New!) Set Taskbar Pins (Aka - the dreaded "How to Unpin Edge" question)
Updated for 1607: This is now possible! This is documented here:
The key thing to note is that this uses the same import methods as setting the Start Menu layout and requires editing that file to include the desired outcome for the taskbar. I'll be working on a separate blog post for this and I'll add a link here when it's available.
Unpin Edge, Windows Store etc: You should use the layoutmodification.xml method from the link above.
Disable Windows Store (including Unpinning from Taskbar)
You can disable the Windows Store altogether, but only in Enterprise editions of Windows. When you disable the store app using Computer Group Policy, the updating of pre-provisioned (built-in) apps is disabled. If you want to disable the Store and still allow these apps to download, set this via user GP.
Note that doing this will also result in the Store not being pinned to the taskbar. Also note that if you do this, you'll be unable to use the Private Store / Windows Store for Business functionality as this is accessed from within the Store application.
Group Policy: User (or Computer)\Administrative Templates\Windows Components\Store\Turn off the store application
MDM URI: No direct equivalent. You can use the AppLocker CSP to deny the Store App
Default Browser and File Associations
You can use this setting to make Internet Explorer the default browser in Windows 10. Feel free to set this, but remember that Edge is faster and more secure and is generally a better option for surfing the Internet. There is a separate setting (see below) for sending Intranet site traffic to IE in case you prefer that.
Set everything the way you want it and export: Dism /Online /Export-DefaultAppAssociations:\\Server\Share\AppAssoc.xml
Command Line: Dism.exe /Image:C:\ /Import-DefaultAppAssociations:\\Server\Share\AppAssoc.xml
Group Policy: User \ Admin Templates \ Windows Components \ File Explorer \ Set a default associations configuration file
(New!) Send Intranet Traffic to Internet Explorer
As an alternative to, or in conjunction with, setting the default browser, you can have Edge hand Intranet zone sites over to Internet Explorer when they are opened in Edge.
Update: In Windows 10, Version 1607 - the intermediary page prompting the user to click to open the page in IE has been removed - the page just opens in IE as per IT configuration.
Group Policy: User or Computer\Admin Templates\Windows Components\Microsoft Edge\Send all intranet traffic over to Internet Explorer
OMA URI: None currently (March 2016)
(New!) Display Only The Business Store in The Windows Store App
This setting causes the Store app (which must itself be enabled) to display only the Private Store tab/pane and disables the retail experience. This is a much better method than disabling the Store application altogether, and gives you the flexibility to configure, deploy and use Windows Store for Business at a later stage with minimal user impact.
Group Policy: In 1607 - there is a GP now for this: User / Admin Templates / Windows Components / Store / Only display the private store within the Windows Store app
MDM URI: ./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly
Disable Automatic Twitter, Candy Crush, etc
These are apps that are added automatically and install out of the box. Note that the setting will not remove the apps if they are already installed; you need to set this early on, which is why I’ve included the registry key below in case you want to set it in the image/build. This setting also disables suggested apps on the Start menu.
Reference Blog Post: http://blogs.technet.com/b/mniehaus/archive/2015/11/23/seeing-extra-apps-turn-them-off.aspx
Group Policy: Computer / Admin Templates / Windows Components / Cloud Content / Turn off Microsoft consumer experiences
MDM URI: ./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures
Registry: HKLM \ Software \ Policies \ Microsoft \ Windows \ CloudContent \ DisableWindowsConsumerFeatures = 1
Disable Windows Tips
Windows Tips are the toast notifications you might have seen that are designed to help you get the most out of Windows. One of the reasons why you might want to disable these is because of the “Disable Apps to Help Improve Performance” tip that might be undesirable for your users if you’re already controlling what apps are disabled for them.
Group Policy: Computer \ Admin Templates \ Windows Components \ Cloud Content \ Do Not show Windows Tips
MDM URI: ./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsTips
Defer Updates (Windows Update for Business)
The Windows Update for Business settings are used to ensure clients are serviced in a delayed fashion, ensuring they are on the Current Branch for Business servicing model rather than Current Branch.
Group Policy: Computer\Admin Templates\Windows Components\Windows Update\Defer Upgrades
MDM URI: ./Vendor/MSFT/Policy/Config/Update/RequireDeferredUpdate
These settings control Windows sending telemetry data to Microsoft. Note that a setting of 0 does not mean Windows won’t connect to Microsoft – it just means telemetry data won’t be sent. Also note that Windows Update for Business settings (Defer Upgrades) won’t work with this set to 0.
Telemetry settings are documented in detail at the link below, so I won’t cover them here, but these are the levels:
0 – No telemetry data is sent from OS components (Only applies to Enterprise and Server)
1 – Sends basic telemetry data.
2 – Sends enhanced telemetry data including usage and insights data.
3 (default) – Sends full telemetry data including diagnostic data, such as system state.
Related Link: https://technet.microsoft.com/en-us/library/mt577208(v=vs.85).aspx
Group Policy: Computer\Admin Templates\Windows Components\Data Collection and Preview Builds\Allow Telemetry
MDM URI: ./User/Vendor/MSFT/Policy/Config/System/AllowTelemetry
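A check for the two telemetry caveats above (level 0 only applies to Enterprise and Server, and Defer Upgrades does not work at level 0), as an added example that is not part of the original post. The CloudContent value comes from the post; the DataCollection, WindowsUpdate and EditionID registry locations and the Get-PolicyValue helper are assumptions of this example.

```powershell
# Added example: audit policy values discussed in this post.
# Registry locations other than CloudContent are assumptions (not from the post).
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

$edition   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
$telemetry = Get-PolicyValue "$policy\DataCollection" 'AllowTelemetry'
$defer     = Get-PolicyValue "$policy\WindowsUpdate"  'DeferUpgrade'
$consumer  = Get-PolicyValue "$policy\CloudContent"   'DisableWindowsConsumerFeatures'

$levels   = @{ 0 = 'None (OS components)'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }
$findings = @()

if ($null -eq $telemetry) {
    $findings += 'AllowTelemetry not configured: default level 3 (Full) applies.'
} elseif (-not $levels.ContainsKey([int]$telemetry)) {
    $findings += "AllowTelemetry has unexpected value $telemetry."
} else {
    $findings += "AllowTelemetry = $telemetry ($($levels[[int]$telemetry]))."
    # Level 0 only applies to Enterprise and Server, per the post; any other
    # edition is flagged. Adjust the pattern if your editions differ.
    if ($telemetry -eq 0 -and $edition -notmatch '^(Enterprise|Server)') {
        $findings += "WARNING: level 0 is set but edition is $edition; it will not be honoured."
    }
    # Windows Update for Business deferral does not work at level 0.
    if ($telemetry -eq 0 -and $defer -eq 1) {
        $findings += 'WARNING: Defer Upgrades is enabled but will not work with telemetry at 0.'
    }
}

if ($consumer -ne 1) {
    $findings += 'Consumer experiences not disabled: suggested apps may install for new users.'
}

"Edition: $edition"
$findings
```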
I really hope the information above is a valuable resource to you. If you’ve found it helpful – remember to share it with others!
Until next time,