Windows 10


Windows 10 is a Microsoft operating system, designed to be run on Windows-compatible computers.   An upgrade to this operating system from previous versions of Windows is available to eligible individuals at UTSA under the terms of a campus-wide license agreement with Microsoft Corporation.   This product can be installed on eligible UTSA computing systems by OIT or a corresponding department's / college's Information Technology Associate (ITA).

To ensure compatibility with our campus computing infrastructure, OIT will support only the Windows 10 Enterprise version.  

 

  • Please Note:  Windows 10 is approved for use on campus with university-owned devices or personally owned devices storing confidential (Category I) university data as long as the steps outlined in the Windows 10 Deployment Guide and the Standard For Minimum Security For Computer Systems are followed with no exceptions.
  • Support:  For assistance with Windows 10 on University owned computer devices, please contact OITConnect.    If you need help with this software after installing it on a home computer, please obtain support from a third-party service provider in your local area.
  • Applications:  Currently, UTSA Administrative Applications are not certified to run on Windows 10.   UTSA application review and testing on Windows 10 is ongoing.   As application compatibility is confirmed, this page will be updated with the applicable application information.

 

Windows 10 Deployment and Installation Guide

Windows 10 Enterprise is being made available primarily through OIT and will be installed on Windows-compatible, UTSA-owned computer devices through OIT's imaging process.   OIT's core Windows 10 image is being provided to ITA groups for inclusion in their own computer configuration processes.

The minimum computer hardware system requirements for running Windows 10, as recommended by Microsoft, are:

  • 1 GHz or faster processor
  • 2 GB RAM 
  • 20 GB available disk space
  • DirectX 9 graphics device with WDDM 1.0 or higher driver
  • TPM 1.2 or later is strongly recommended, but not required, for BitLocker encryption support.

Purpose:   With Windows 10, Microsoft introduced some new features that 1) mine user data for the purpose of making the operating system more social and personalized, 2) collect data about users' habits and usage patterns for the purposes of diagnostics and troubleshooting, and 3) allow users to share Windows updates with local networks and the Internet in order to crowd-source distribution of updates. These features are enabled by default in all Windows 10 editions. The use of these new features poses a significant risk of exfiltration of confidential university data to Microsoft (and then to undisclosed third parties at Microsoft's whim), and, in the case of distributed updates, may violate state law governing the use of government property.

  • In order to comply with standards implemented by UT System and UTSA university policy, these features of Windows 10 must be disabled. This is best done through GPO for all domain joined machines, but instructions are also provided for stand-alone devices.

 

  Scope:   Deployment of Windows 10 on UTSA computing devices applies to the following: 

  • All university-owned tablets, laptops, and desktops running Windows 10.
  • All personally-owned tablets, laptops, and desktops running Windows 10 that are used to store confidential (Category I) university data.

 

Deployment Requirements:   

 

Professionally-managed devices

Use Group Policy or Local Policy as needed to make the following changes:

  • Turn off Application Telemetry
    Enforced¹: Yes
    Policy Location: Administrative Templates | Windows Components | Application Compatibility
    Applies To: At least Windows Server 2008 R2 or Windows 7
    Notes: Set to Enabled

  • Allow Telemetry
    Enforced¹: Yes
    Policy Location: Administrative Templates | Windows Components | Data Collection and Preview Builds
    Applies To: At least Windows 10 Server, Windows 10 or Windows 10 RT
    Notes: Set policy to Enabled and set Options to "0 - Off [Enterprise Only]"

  • Allow input personalization
    Enforced¹: Yes
    Policy Location: Administrative Templates | Control Panel | Regional and Language Options
    Applies To: At least Windows Server Technical Preview 2, Windows 10 or Windows RT 8.1
    Notes: Set to Disabled. This disables the use of Cortana, collection of speech and handwriting patterns, typing history, contacts, and calendar information.

  • Allow Cortana
    Enforced¹: Yes
    Policy Location: Administrative Templates | Windows Components | Search
    Applies To: At least Windows Server Technical Preview 2, Windows 10 or Windows RT 8.1
    Notes: Set to Disabled

  • Turn off picture password sign-in
    Enforced¹: Yes
    Policy Location: Administrative Templates | System | Logon
    Applies To: At least Windows Server 2012, Windows 8 or Windows RT
    Notes: Set to Enabled

  • Accounts: Block Microsoft Accounts
    Enforced¹: Yes
    Policy Location: Windows Settings | Security Settings | Local Policies | Security Options
    Applies To: At least Windows Server 2012, Windows 8 or Windows RT
    Notes: Check "Define this policy setting" and choose "Users can't add or log on with Microsoft Accounts"

  • Turn off the Advertising ID
    Enforced¹: No
    Policy Location: Administrative Templates | System | User Profiles
    Applies To: At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
    Notes: Set to Enabled. This is not required, but is recommended to protect user privacy.

  • Use Microsoft Passport for Work
    Enforced¹: No
    Policy Location: Administrative Templates | Windows Components | Microsoft Passport for Work
    Applies To: At least Windows 10 Server or Windows 10
    Notes: Set as desired. This functionality is used with biometrics and PINs.

  • Turn on PIN sign-in
    Enforced¹: No
    Policy Location: Administrative Templates | System | Logon
    Applies To: At least Windows Server 2012, Windows 8 or Windows RT
    Notes: Set as desired. If PINs are allowed, they must comply with section 15.2 of the Information Resources Use and Security Policy.

  • Use digits; Use lowercase letters; Maximum PIN Length; Minimum PIN Length; Use special characters; Use uppercase letters
    Enforced¹: Yes
    Policy Location: Administrative Templates | Windows Components | Microsoft Passport for Work | PIN complexity
    Applies To: At least Windows 10 Server or Windows 10
    Notes: All passwords, including device PINs, must comply with section 15.2 of the Information Resources Use and Security Policy. Another option is to disable PIN sign-in entirely.

  • DownloadMode
    Enforced¹: Yes
    Policy Location: Preferences | Windows Settings | Registry
    Applies To: All versions of Windows will accept the registry change, but will only be effective on Windows 10
    Notes: This registry policy preference will disable peer-to-peer update sharing and should be created with the name "DownloadMode" as a "Replace" action, in the HKEY_LOCAL_MACHINE hive, at the "SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" key. The value type is "REG_DWORD", and the value data is "0". On the Common tab, the setting "Remove this item when it is no longer applied" should be checked.

1 These requirements will be enforced by GPO for all members of the UTSA Active Directory domain.
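
An added example (not part of the original UTSA guide): a PowerShell audit that reads the registry values behind the enforced settings listed above and reports whether the local machine matches them. Only the DownloadMode key, name and data come from this page; the other registry paths and value names are assumptions about where these policy templates store their state and should be confirmed against your ADMX files. The PIN complexity settings are not checked.

```powershell
# Added example: audit the enforced ("Yes") settings on the local machine.
# Only the DownloadMode entry is taken from the page; every other path/value
# name below is an assumption to verify against the ADMX templates in use.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft'
$checks = @(
    @{ Policy = 'Turn off Application Telemetry'
       Path = "$pol\Windows\AppCompat"; Name = 'AITEnable'; Expected = 0 },
    @{ Policy = 'Allow Telemetry (0 - Off)'
       Path = "$pol\Windows\DataCollection"; Name = 'AllowTelemetry'; Expected = 0 },
    @{ Policy = 'Allow input personalization'
       Path = "$pol\InputPersonalization"; Name = 'AllowInputPersonalization'; Expected = 0 },
    @{ Policy = 'Allow Cortana'
       Path = "$pol\Windows\Windows Search"; Name = 'AllowCortana'; Expected = 0 },
    @{ Policy = 'Turn off picture password sign-in'
       Path = "$pol\Windows\System"; Name = 'BlockDomainPicturePassword'; Expected = 1 },
    @{ Policy = 'Accounts: Block Microsoft Accounts'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'NoConnectedUser'; Expected = 3 },
    @{ Policy = 'DownloadMode (peer-to-peer updates off)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'
       Name = 'DownloadMode'; Expected = 0 }
)

$results = foreach ($c in $checks) {
    # A missing key or value means the setting was never applied.
    $actual = $null
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $actual = $item.($c.Name) }

    [pscustomobject]@{
        Policy    = $c.Policy
        Expected  = $c.Expected
        Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
        Compliant = ($null -ne $actual -and $actual -eq $c.Expected)
    }
}

$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) enforced setting(s) are missing or differ from the guide."
}
```

A value reported as "(not set)" is treated as non-compliant, because an absent policy value leaves the Windows 10 default in effect.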

 

 

Self-Managed Devices:

Use Group Policy or Local Policy as needed to make the following changes.    This guide assumes that the operating system is already installed.   All of these settings may also be configured during installation if "Customise settings" is chosen during the "Get going fast" stage of installation.

 

Follow the instructions to make the following changes:

Requirement: Disable "Getting to know you"
Instructions:
  • From the Start menu, click on "Settings"
  • Click on "Privacy"
  • Click on "Speech, inking, & typing"
  • Click on the button "Stop getting to know me"
  • Click on "Turn off" in the confirmation dialog

Requirement: Disable sending diagnostic and usage data to Microsoft (i.e. telemetry)
Instructions:
  • From the Start menu, click on "Settings"
  • Click on "Privacy"
  • Click on "Feedback & diagnostics"
  • Select "Basic" under "Diagnostic and usage data"

NOTE: With this setting, Windows 10 will still send some telemetry data to Microsoft. In Enterprise editions of Windows, telemetry can be completely disabled, but only via (local or group) policy. Contact your IT support staff for assistance with this if desired.

Requirement: Disable receiving/sharing Windows updates with the Internet (desktops) or both the Internet and local networks (mobile devices)
Instructions:
  • From the Start menu, click on "Settings"
  • Click on "Update & security"
  • Under "Windows Update" click on "Advanced options"
  • Click on "Choose how updates are delivered"
  • For mobile devices, click the toggle to turn distributed updates off entirely.
  • For desktops, ensure that "PCs on my local network" is selected (or turn off distributed updates entirely via the toggle).

Requirement: Do not use a Microsoft account to sign in
Instructions: If you have already set up a Microsoft Account for authentication, you can switch to a local account by doing the following:
  • From the Start menu, click on "Settings"
  • Click on "Accounts"
  • Click on "Sign in with a local account instead"

Requirement: Do not use a picture password to sign in. PINs must meet password policy complexity requirements.
Instructions: Section 15.2 of the Information Resources Use and Security Policy (IRUSP) mandates the use of strong passwords for user authentication.


Non-Compliance and Exceptions:

 

If any of the configuration requirements contained within this document cannot be met, an Exception Process must be initiated that includes reporting the non-compliance to the UTSA Information Security Office, along with a plan for risk assessment and management.   (See Security Exception Report.)  Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Office of Internal Audit.

University of Texas at San Antonio employees are required to comply with both institutional rules and regulations and applicable UT System rules and regulations.  In addition to university and System rules and regulations, University of Texas at San Antonio employees are required to comply with state laws and regulations.
 

Related UTSA Policies, Procedures, and Best Practices:

 

The policies and practices listed here inform the system hardening procedures described in this document, and you should be familiar with them.  (This is not an all-inclusive list of policies and procedures that affect information technology resources.)

 

Information Resources User

Acceptable Use

Minimum Security For Computer Systems

UTSA Data Classification Standard

UTSA Information Security Exception Process


 

​Helpful Links:  

How Do I Access VPN Using Windows 10?

Why Use VPN?

Standard For Minimum Security For Computer Systems