New Computer – Need some Windows 10 Set Up Advice

Topic

New Reply

Been running Win 7 Pro x64 for last 6 years with casual eye on Win 10.

Had custom system built which is coming with Win 10 Pro x64 and I assume the very latest version 1709 Fall Creators. This is a work computer which I want to lock down as much as possible to a local stand alone system. And keep update issues to a minimum as possible.

Feel like a fish out of water with a lot to learn and settings to figure out ahead.

During initial set up I intend to create a Local Account vs MS Account, and do a Custom install to de-select everything I can regarding Privacy invasion, telemetrics, Cortana, etc. Apps will be locally installed (Office 2010), no cloud storage etc.

What other settings are the first thing that I want to perform? And any direction would be appreciated.

Restrict Windows Updates/Features

Set Restore Points

Read something regarding Not Accept Driver Updates

Privacy setting regarding IE11 and Edge

Anything else

Thx very much for help/advice

1 user thanked author for this post.

Know Whey

Reply | Quote

Replies

You have five major Tools for controlling Win10: Settings, Group Policy, Registry Editor, Task Scheduler and Services. There are other tweaks you can do also, both internally and with third-party software. Each of us has our own set of controls. Noel Carboni is the ultimate tweaker!

Reply | Quote

@anonymous First and foremost when your ready to fire up your new machine, make sure its not connected to the net. Get all your settings in place before you do. You’ll only get the option to create a “Local account”. Win10 when it detects a network connection starts downloading stuff right from the “get go” even before you reach the desktop, and you wont have to fight its cunningly worded attempts to try and get you to buy in to\or sign up for an M$ account.
not sure how deep you want me to go with this:
Restrict Windows Updates/Features
https://www.askwoody.com/wp-content/uploads/2017/11/1709UD-Settings-showing-options.png
Set Restore Points
can be configured in control panel ->system & security->system->advanced->System protection Tab
Read something regarding Not Accept Driver Updates
WIN-R type gpedit.msc, Computer configuration->Administrative Templates->Windows Components->Windows Update: “Configure Windows update” set to 2. and\or get updates for other windows products box ticked (your call if you want Office etc to update), “Do not Include drivers with Windows update” set to: enabled.
https://www.askwoody.com/wp-content/uploads/2017/04/gpol-data-settings.png have a look in there as well it may be of interest
Privacy setting regarding IE11 and Edge
Not sure what you really wish to do with these your call fairly straight forward, disabling M$ account will stop Edge from sending your browsing data, mostly to the cloud
Anything else:
couple of suggestions Winaero Tweaker, stops any more Ad’s and unwanted apps being installed when you finally connect to the net and customisations and Windows club to remove unwanted Apps.
https://winaero.com/
http://www.thewindowsclub.com/10appsmanager-windows-10
That’s about all I can think about as a bare minimum, works well here with Win10 1709 Pro, which I am guessing you’ll get.
Good luck hope it works for ya

PS set your settings in “Settings” first before you go in to Group Policies, seems to work better that way you may have to do a reboot to enforce the set policies, oh & Telemetry can be set to basic either in Settings or GPOL to basic. You not allowed to disable completely and any way some stuff doesent work right and even in Enterprise Vers. Win10 still “calls Home”.
You’ll still get some updates and drivers but hopefully not the bad ones and a few language settings BUT you wont be in to those potentially calamitous big updates right off the Hop at least you’ll get the chance to choose…..if your happy then connect to the NET after all that

Reply | Quote

And create a backup to an external disk as soon as you settle the new install.
There are several free backup programs that will do a good job, Aomei Backupper, EaseUS ToDo, Paragon, Macruim Reflect etc.

cheers, Paul

Reply | Quote

Your question asks for Set Up advice.

But for after-its-running-initially tuning suggestions, you may wish to consult Black Viper, http://www.blackviper.com/ . In all the months that I’ve been lurking here on AW I don’t recall ever seeing any reference to his site.

I first became aware of BV back in the XP days. He has discussions all the way from XP to Win 10. Besides the material on the home page, see also the [tab] Guides > Service Configurations.

The latest update was made Dec. 29, 2017, and includes Windows 10 “Fall Creators Update (version 1709/16299.15) released on October 2017”. For Win 10 he limits himself to the Home and Pro editions; for earlier versions of Windows he had broader edition coverage.

Reply | Quote

? says:

PaulK how right you are:

http://www.blackviper.com/service-configurations/black-vipers-windows-10-service-configurations/

and a link to the power shell eazy script:

https://github.com/madbomb122/BlackViperScript

Charles “Black Viper” Sparks is da bomb

Reply | Quote

Original poster here, cant seem to get Reply button to work:

Thanks to all for responses, most helpful & feel free to add to.

BobbyB: Regarding your first advice – make settings before connecting to the internet.

I was under the impression from reading etc that part of the Win 10 setup process was making the internet controller setup (intend to use wire LAN).  If I dont allow this step initially, how do I later make Win 10 setup the proper internet connection and type?

Also Win 10 will be partially installed by the computer maker (Maingear) so I am not sure where in the Win 10 install process it will first boot to.

Advise?  Is there any real harm in connecting to the internet before first boot other than MS screens attempting to direct you to set up a MS account vs Local account?

Thx

Reply | Quote

Well its a matter of personal preference, again, I suppose. Right away it updates the Desktop Apps so they’re all there when you hit the desktop including some of the “Crud” like Candy crush, Age of Empires etc (actually I sort of like CC so I kind of sneak that one back in later, don’t say a word in here lol ) Any way most has to be taken out later as I simply don’t use them. The first update of all the Apps and some unwanted “crud” which happens in the background is a fair amount of Data that normally gets removed here. As you mentioned drivers, by the time your at the desktop, Win10’s already into downloading Audio, Graphic’s and other stuff it thinks your machine needs. The updates, which I forgot to mention in detail, you generally get what I call the “Golden Hour” i.e. 1-2 hours before Win10 Pro attempts to get them, if you don’t intervene. I was erring on the side of caution by advising on non-connection to the net. (My network I have to go scrabbling round under the desk to disconnect the internet\network) so you have answered that concern because if wireless just don’t enter your password and the wireless doesent connect hence a “local account” So those are basically the concern’s I am guessing you have.
As an aside this is more “apres Install” if you have a M$ account already you can use Mail, Calender just by signing in to the Apps on “App by App basis” without surrendering your machine to the nosey M$, so far had no problem here. Made that mistake way, way back of getting an account on Win10 1507 Ver, absolutely hated it taking over the machine, promptly wiped it and reinstalled, but, as you mention its a Business Machine, not only can you use an M$ account for the desktop Mail Calender, it works exceptionally well with Outlook 2010 onwards if you use it with the Exchange settings (mega easy to set up) and they’re both interchangeable\swop\sync settings etc as far as I know it doesent send any more data off to M$ than they would normally get, although I just use my ISP account with Outlook 2010 onwards and never enter it in to Win10 mail although you can if you wish, I still don’t want M$ to know too much.(Oh and they do “Spam” occasionally, but hilariously, Bing and M$ stuff gets filed in the Junk Email folder without any intervention from me) lol
Lastly, sorry about making this a long one, the installation. It did give me worries as to the depth I needed to go in to. Basically a disk & a Key and life is good you get to control everything. DISM install\deployment of either a “SYSPREP Image” or “offline” updated Image, isn’t the end of the world it just depends what they did to it, hopefully Drivers of a proprietry nature is good in fact excellent, some times better that the M$ offereings (hopefully the with a key for emergencies etc or in the BIOS, fairly unlikely if its an “out of box” Motherboard\custom) Win10 normally activates first connect to net, but a key enables you to use any “old” Win10 image should the need arise reinstall etc again just erring here on the side of caution …”worry ye not” I am sure it’ll be fine, have a chat with a Tech at the company if you can or if they’ll divulge any “secrets” if you have some major worries. There’s a good few of us in here, mainly the MVPS, Da Boss etc who know about this stuff in detail, certainly more than me and I have been known, not as often as I used to, assemble these infernal machines from scratch and deploy\install OS’s on the same. Give us a shout, and I hope this helps and sorry it took so long to reply

Reply | Quote

If I dont allow this step initially, how do I later make Win 10 setup the proper internet connection and type?

PS am I bad? don’t worry if your on Ethernet etc and using DHCP and your network card is setup correctly drivers etc Win10 will find your network. Obviously you’ll probably need a P|W if applicable If your on a static IP net work you’ll need to contact your Admin for IP address SUBNET mask etc but Win10’s fairly good and it pretty much 99% of the time select the settings accordingly, it’ll ask with a little yellow bar in Network whether you want NETWORK DISCOVERY turned on, some Networks I do but quite a few I don’t it depends on the security aspect whether you want your Machine hidden or not, which is doable and still connect just makes it harder for folk to find, 99% use network discovery and DHCP and ever since Win7 its relatively hassle free unless you get in to the “MASTER BROWSER” scenario…grrrr that’s my pet peeve.

Reply | Quote

I’m another one who is new to Windows 10. I have a refurbished machine with Win10 Pro currently on version 1703, build 15063.726 . I just activated it last week and it immediately wanted to do a 3 hour update. I paused that or said “not now” because I thought it might have been going to update to version 1709. I had read on this site that the idea is to get the settings right before going online, and that didn’t happen, so I managed to pause it.

I’ve read and noted Woody’s articles here and on Computerworld, but haven’t gone through an update cycle yet. In one article with steps to install Win10 patches, Woody says to set the advanced settings to Current Branch, 0 deferral feature updates, 0 deferral quality updates, pause updates turned off, and then ‘Check for Updates’.

My question:Wouldn’t that propel the machine immediately to version 1709?

I’ve got the machine locked down as per Woody’s instructions and I do know about the Defcon system. As we all know, Microsoft has made updating very simple … I suppose my current plan is to wait for Defcon 3 and instructions via Woody. Part of me thinks that I should go get the updates for version 1703 since 15063.726 , but my perhaps more sensible side says “Wait”. Any insight will be appreciated.

Edit to remove HTML.
Please convert to plain text (.txt) before cut/paste

Reply | Quote

@Seattle27:

You can download what ever update sub-version to Win10 1703 that you want to get to from the MS Update Catalog web site found here:

https://www.catalog.update.microsoft.com/home.aspx

You can find the KB number of what ever sub-version you want to update 1703 to on this web page:

https://technet.microsoft.com/en-us/windows/release-info.aspx

Once you have the KB number, go to the MS Update Catalog web site, put that number in the Search box in the upper right-hand corner of the screen, then download it and install it with your system off-line so there won’t be any conflict with Windows Update trying to jam one on while you do it manually.

When your system re-boots, you should be on the sub-version you want. At that time, take what ever steps you are using to block/delay any auto-updates from MS.

This is how I catch up ‘new’ referbed systems I get for clients…they usually come with some OLD version of Win10 on them, and doing it manually is the fastest way to catch them up. Also to catch up client systems that got stuck on some older version, EG: one client system that I worked on last month has only a satellite connection, was way behind on major versions, so I just did a manual ‘upgrade’ from an ISO downloaded from MS, then updated it with the current version KB number.

2 users thanked author for this post.

Seattle27, Elly

Reply | Quote

@Seattle27:

How did your task of getting Win10 1703 caught up to a more recent sub-version turn out?

If you got 1703 ‘updated’, then how did blocking forced updates to 1709 work?

Reply | Quote

@SkipH

I put in the Dec 2017 cumulative update for 1703 following your steps, which went smoothly. Thank you for the info about that.

I’m still unclear on how to update once Defcon 3 rolls around. Something about changing the feature update setting to ‘Current Branch, defer 0 days’ makes me think 1709 will ensue. (That’s one of the steps in one of Woody’s articles.) It doesn’t seem to me that 1709 is stable yet, so I don’t want that. May I ask how you get required updates while avoiding a ‘feature update’ (new version) ?

My current settings are:
Configure auto updates: enabled, notify to download and auto install
Current Branch for Business: deferred 365
Quality updates: deferred 30 days
Updates are paused until March 31

Pausing updates may not have been necessary. I’m not sure what happens once that date arrives. (I’m capable of learning how this stuff works, but I’m still in Windows 7 thought-patterns.) Again, any insight is appreciated.

Reply | Quote

I have my settings at:
Configure auto updates: enabled, notify to download and auto install
Current Branch for Business
Feature updates deferred 365
Quality updates: deferred 0 days
Updates are not paused
(I also have it WU set not to install driver updates)

The configure Windows Updates setting = 2 has notified me when updates are available but has never downloaded them without clicking on the “Download” button is Settings. They just sit there waiting.

This month, actually today 3/4, I wanted to install KB4074592 (Build 15063.909) but I did not want to install KB4077528 (Build 15063.936). I used wushowhide to hide the latter. After hiding, I reboot, which may not be necessary but I do it anyway.

Then I went to Win Update and installed KB4074592 along with MSRT, Flash, and the Office updates.

1 user thanked author for this post.

Seattle27

Reply | Quote

@Seattle27:

You will have to get that type of advice from some members (EG: PKCano) that actually use Win10 on a regular basis…I do not.

I just set up systems for clients, pat them on the back, and say, call me if you have any problems with updates, LOL No, not quite that bad, I do warn them that they might have problems at some point down the road.

I looked back at your posts, and didn’t see any mention of what version of Win10 you are running. I think PKCano’s setting pertain to Win10 Pro, so I don’t know if you can use all of those settings…some might require a Windows utility program that you might not have. Again I’m guessing.

On my test Win10 systems (all Win10 Pro), I mess with O&O’s ShutUp10 utility that can change all kinds of settings that are otherwise hard to change manually. I also have those other easy-to-set settings set as PKCano mentioned: Current Branch for Business, Feature Updates deferred 180 days (maybe?), Quality updates: 30 days (?) but updates not paused (I think ShutUp10 changes stuff like this also).

I know that IF I want to get updates from MS using their system, I have to have ShutUp10 set all of its tweaked settings back to ‘factory’ mode, and set the Quality Updates to zero to get at least some updates. I also use the WUShowHide.diagcab utility to hide any un-wanted updates before I turn the Win10 updating system loose.

Or if all the messing with the Windows Update system ‘breaks’ it…I just do as I said in an earlier post: figure out what sub-version I want to update to and go get it off the Windows Update Catalog web site. Since my test systems are just a basic Win10 install, there’s usually no extra software that needs to be updated.

Same for a major release ‘Upgrade’: I basically never let it get downloaded and installed by MS. I go grab an ISO copy of the Upgrade, and put it on manually while disconnected from the Internet. Serious users with real programs on their system should make a full backup before doing it like this. If it crashes my system, I really don’t care, as the systems are just for testing, not used for real. I can just do a totally fresh install, since I have a full ISO, install a few utilities, shrug my shoulders, and remind myself this is why I’m staying on Windows 7.

1 user thanked author for this post.

Seattle27

Reply | Quote

I think your update settings should be determined by what devices and programs you have installed.  I’ve had servers and desktop machines running Win7/Server2008R2 set to notify before update and then just updated within a day or two. Before that it was XP & Server2003 (various service packs). Now with Win7/Win10 and Server2012/2016 I just let them update. In all this time I can count on less than one hand how many issues I’ve had with Windows updates. IIRC, it was .NET updates on XP. Since that is no longer an issue I have not worried about updates. IMO, the less obscure devices and programs you have the better off you’ll be. Likewise, the newer the devices and programs the better off you’ll be. The less tinkering with your system by some obscure registry settings the better off you’ll be.

I know that in absolute numbers there are quite a few machines that have problems. However, I believe the percentage is quite low. For most users, trying to avoid updates is a waste of time and energy. You are better off having a good, solid backup and recovery plan.

--Joe

1 user thanked author for this post.

Seattle27

Reply | Quote