Windows 10 is full of great functionality for the enterprise, but not every environment is suitable for everything Windows 10 has to offer. Fortunately, each feature or app lends itself to a good amount of tuning to fit the needs of both users and organizational policies. And by using Group Policy or mobile device management (MDM) settings, an administrator can set a policy setting and then copy it for multiple users, computers or devices, greatly reducing administrative effort.
This article looks at ways to wrangle Cortana, Windows Hello, Microsoft Edge and Windows Store settings, whether that means restricting parameters for more control or disabling them outright.
Cortana, the personal assistant
Although Cortana is super handy, its chattiness can be disruptive to co-workers within earshot and isn’t conducive to certain business environments. To disable Cortana dictation on the desktop for a single user, open the Settings app, go to Privacy > Speech, Inking and Typing, and click the Stop getting to know me button. Be aware that, in addition to voice control, this setting enables Cortana to gather data about the user, which helps the feature deliver services. Disabling the feature also deletes data collected by Cortana previously.
Administrators can control Cortana at the Group Policy and MDM level as well. For example, to turn off Cortana but still allow users to perform searches, modify these settings:
- Group Policy: Computer Configuration > Administrative Templates > Windows Components > Search > Allow Cortana
- MDM: Experience/AllowCortana
Several other settings may be disabled, but doing so also disables Cortana functionality. Some of those settings are automatic learning (where speech, typing, handwriting and calendar information is collected), location-aware search and safe search (to filter adult content; applies to Windows Mobile only). The same applies to several Start menu search box settings, such as whether the menu may search for files, programs, Control Panel items and communications.
Windows Hello for biometrics and authentication
Windows Hello uses biometrics – fingerprint, facial or iris – to sign in to Windows 10 devices with just a finger swipe or a look into the device’s camera (backed by a PIN), effectively eliminating the need for users to memorize long, complex passwords. After recognition using Windows Hello, Microsoft Passport provides multi-factor authentication before allowing access to any resources.
Microsoft Passport servers can be added to an existing on-premises infrastructure, without the need to change the domain or forest functional level, or can be deployed using Microsoft Azure Active Directory. Like Cortana, an administrator can use Group Policy or MDM to control Microsoft Passport settings. In the Group Policy Editor (GPE), the settings for Microsoft Passport are located at Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Passport for Work. The MDM settings use the PassportForWork configuration service provider (CSP), which is an interface for manipulating settings on the device.
Here, an administrator can enable Microsoft Passport for Work, which provisions the feature using keys or certificates, and enable biometrics. If a PIN is used, there are various PIN complexity settings available, such as minimum and maximum length, as well as requiring digits, uppercase and lowercase letters.
As a security precaution, Windows Hello biometric data is always stored on the local device and not transferred to a server.
Microsoft Edge for Web browsing
Microsoft Edge, the default browser for Windows 10, can be controlled by Group Policy or Microsoft Intune (for MDM) to manage settings and preferences. Using Group Policy, navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge. Some settings that can be modified are:
- Whether content appears (or does not) when Microsoft Edge opens a new tab
- Sending Do Not Track headers to Web sites that request tracking information
- Allowing or blocking cookies
- Allowing or blocking pop-ups
- Whether an intranet site should use Internet Explorer 11 by default
- Which sites appear on the default Favorites list
- Whether to use Enterprise Mode for compatibility with certain Web apps
- Whether users can override SmartScreen Filter warnings
- Whether users can use Autofill for form fields
Some other Windows 10 settings that are associated with Microsoft Edge include the Allow Cortana setting (described previously in this article) and these:
- Whether a user can use the Sync your Settings option to sync user settings to and from a device: Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync
- Whether a browser group can use the Sync your Settings options (for things like History and Favorites): Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync browser settings
Windows Store for apps
Many IT departments do not allow users to download and install Windows Store apps on company-owned computers and devices as a matter of policy. Windows 10 Enterprise and Windows 10 Mobile let administrators block Windows Store access using AppLocker, and Group Policy can be used to control the same in Windows 10 Enterprise.
The AppLocker method requires opening the Local Security Policy Editor, drilling down to AppLocker, and creating a new rule under Packaged app Rules. (Full instructions are on the Configure Access to Windows Store page in TechNet for Windows 10). For the Group Policy method, you turn off the Windows Store app. To do so, go to Computer Configuration > Administrative Templates > Windows Components > Store in the GPE. In the Setting pane, click Turn Off Store application, and then click Edit Policy Setting. On the Turn Off Store application setting page, click Enabled and then click OK.
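To confirm that the Group Policy settings described above actually reached a machine, an administrator can read the policy-backed registry values those settings write. The following PowerShell audit is an added example, not part of the original article; the `$checks` table and the `Test-PolicyValue` helper are names chosen here, and the expected values assume the restrictive configuration (Cortana off, settings sync off, Store off).

```powershell
# Added example: audit the registry values written by three policies from this
# article. Expected values assume the restrictive configuration is intended.
$checks = @(
    [pscustomobject]@{
        Policy   = 'Search > Allow Cortana (set to Disabled)'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
        Name     = 'AllowCortana'
        Expected = 0
    },
    [pscustomobject]@{
        Policy   = 'Sync your settings > Do not sync (set to Enabled)'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'
        Name     = 'DisableSettingSync'
        Expected = 2
    },
    [pscustomobject]@{
        Policy   = 'Store > Turn off Store application (set to Enabled)'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
        Name     = 'RemoveWindowsStore'
        Expected = 1
    }
)

# Hypothetical helper: compare one policy value with the expected setting.
function Test-PolicyValue {
    param([Parameter(Mandatory)] $Check)

    # A missing key or value means the policy is not configured on this machine.
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = $null
    if ($null -ne $item) { $actual = $item.($Check.Name) }

    $shown = 'not configured'
    if ($null -ne $actual) { $shown = $actual }

    [pscustomobject]@{
        Policy    = $Check.Policy
        Expected  = $Check.Expected
        Actual    = $shown
        Compliant = ($null -ne $actual -and $actual -eq $Check.Expected)
    }
}

$checks | ForEach-Object { Test-PolicyValue -Check $_ } | Format-Table -AutoSize
```

A row reporting "not configured" means the machine is still on the Windows default for that feature, which usually points to a GPO that is not linked or filtered for that computer.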