Workstation Setup for Windows 10

This is a best-practice guide for setting up and hardening a new workstation from scratch. It covers every step in preparing a workstation for use with IPFusion, but it does not cover how to download and install IPFusion. The guide has 9 steps:

  1. Windows 10 IoT Install
  2. Drivers and Updates
  3. Basic Configuration
  4. Group Policy Editor
  5. Control Panel Configuration
  6. Windows 10 IoT Settings Menu
  7. Services
  8. Windows Media Player
  9. Project Specific Tasks

A bootable USB with a Windows 10 IoT image on it will be required.

1. Windows 10 IoT Install

Check and install the latest system BIOS

Install the latest Windows 10 IoT Enterprise from USB, following these steps:

  1. Choose the following Settings:
    • Language to Install: English (United States)
    • Time and Currency Format: English (United States)
    • Keyboard or input method: US

      Click Next.

  2. Click Install now, and then install Windows 10 Enterprise.
  3. Accept the user agreement.
  4. Choose Custom Install.
  5. Delete all existing partitions (if present).
  6. Select Drive 0 Unallocated Space and press Next.
  7. Windows will now install. The computer may restart during this process.
  8. Choose Region: select the current location.
  9. Keyboard Layout: US and skip second keyboard layout.
  10. If not connected to a network, follow the next three steps. In the Let's connect you to a network screen, press Shift+F10 to launch Command Prompt.
  11. Type in the following command: OOBE\BYPASSNRO
  12. After successful execution, the system will restart the OOBE session box. When you reach the Let's connect you to a network screen, click I don't have Internet, continue to click limited setup, accept the license agreement and continue to create a local user account.
  13. Select Domain join instead.
  14. Default User: Operator; Default Password: Operator
  15. Make Cortana your personal assistant: No (if present).
  16. Choose security questions.
  17. Privacy:
    • Location: No
    • Find my device: No
    • Diagnostics: Required only
    • Improve inking & typing: No
    • Tailored Experiences with diagnostic Data: No
    • Advertising ID: No

Set Time Zone according to your location

Note: If the computer is not connected to internet, continue with the Drivers and Updates Guide and return to set up the time zone after the internet is connected.

Select 'Private Type' network

In the Windows search bar, type in Network Status. Click on Properties and select Private under Network Profile.

2. Drivers and Updates

Obtain the Latest Drivers from the Manufacturer Website

Download drivers for:
  • Motherboard
  • Graphics card (if present)
    Note: If the computer does not have internet, use a separate computer that is connected to the internet and transfer over the drivers using a USB drive.

Download and Install Drivers into their Respective Folders as Follows:

  1. C:\Drivers\Audio
  2. C:\Drivers\Chipset
  3. C:\Drivers\LAN
  4. C:\Drivers\Video
  5. Any other categories

Install Drivers in the Following Order Restarting the Computer After Each Install:

  1. Chipset
  2. Video
  3. Any other drivers
    Note: Installation of drivers out of order can result in significant performance and stability issues.

Check the Device Manager for any Driver-Related Issues

Install Windows Updates

Warning: Do not install driver updates delivered through Windows Update.

3. Basic Configuration

Create a C:\IPFusion folder. Enable sharing and disable Read Only

Right click the IPFusion folder and click Properties. Find the Sharing tab and select Operator under Name and click Share. Afterwards, under the General tab find Attributes and click Read Only to disable it.

  1. Inside the folder create a folder named Installs and place a copy of all installed software.
  2. Inside the folder create a folder named Tools and place the desktop background image.

Delete any Windows Desktop shortcuts, but keep Recycle Bin

Depending on the graphics card brand, find out how to disable any graphics card hot keys, such as screen rotation

Unpin Microsoft Edge and Microsoft Store from the Taskbar

Right click on the Taskbar and select Taskbar settings.

Taskbar settings:
  • Uncheck Show Touch Keyboard button from the Taskbar
  • Uncheck Show Task View button from the Taskbar

  • Set Cortana → Show Search Box to Hidden

In the BIOS, set after power failure: Restore Last State

Install Notepad++

  1. Install Notepad++
  2. In the application, go to Settings and then Preferences
    • Backup → Uncheck Remember current session for next launch
    • MISC. → Uncheck Enable Notepad++ auto-updater
  3. Go to Plugins and click on Plugins Admin
    • Install the XML Tools Plug-In
    • Install the Compare Plug-In

Uninstall the following Programs (if present):

  • 3D Builder
  • Camera
  • Get Office
  • Get Skype
  • Get Started
  • Groove Music
  • Maps
  • Money
  • Movies & TV
  • News
  • OneNote
  • People
  • Companion
  • Photos
  • Store
  • Sports
  • Solitaire Collection
  • Voice Recorder
  • Weather
  • Xbox
  • Xbox Live
    Note: Use the following PowerShell command to uninstall native Windows feature tiles:
    • Get-AppxPackage *AppName* | Remove-AppxPackage
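
The single command above, extended to the whole list as an added example (not part of the original guide). The mapping from tile names to Appx package name patterns is an assumption to confirm with Get-AppxPackage on the target image, and $DryRun is a name introduced here.

```powershell
# Added example: tile name -> Appx package name pattern (assumed mapping).
$patterns = [ordered]@{
    '3D Builder' = '*3DBuilder*';       'Camera'       = '*WindowsCamera*'
    'Get Office' = '*MicrosoftOfficeHub*'; 'Get Skype' = '*SkypeApp*'
    'Get Started' = '*Getstarted*';     'Groove Music' = '*ZuneMusic*'
    'Maps'       = '*WindowsMaps*';     'Money'        = '*BingFinance*'
    'Movies & TV' = '*ZuneVideo*';      'News'         = '*BingNews*'
    'OneNote'    = '*Office.OneNote*';  'People'       = '*Microsoft.People*'
    'Companion'  = '*WindowsPhone*';    'Photos'       = '*Windows.Photos*'
    'Store'      = '*WindowsStore*';    'Sports'       = '*BingSports*'
    'Solitaire Collection' = '*SolitaireCollection*'
    'Voice Recorder' = '*WindowsSoundRecorder*'
    'Weather'    = '*BingWeather*';     'Xbox / Xbox Live' = '*Xbox*'
}

$DryRun = $true   # review the report first, then set to $false to remove

$report = foreach ($tile in $patterns.Keys) {
    $pkgs = @(Get-AppxPackage -Name $patterns[$tile])
    if ($pkgs.Count -eq 0) {
        [pscustomobject]@{ Tile = $tile; Package = '(not installed)'; Action = 'skipped' }
        continue
    }
    foreach ($pkg in $pkgs) {
        $action = 'would remove'
        if (-not $DryRun) {
            try {
                Remove-AppxPackage -Package $pkg.PackageFullName -ErrorAction Stop
                $action = 'removed'
            } catch {
                # Some system packages cannot be removed; record the reason.
                $action = "failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{ Tile = $tile; Package = $pkg.Name; Action = $action }
    }
}
$report | Format-Table -AutoSize -Wrap
```

Remove-AppxPackage acts on the current user's packages, so run it while signed in as the account the workstation will use.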

4. Group Policy Editor

→ Start → Search → gpedit.msc

OneDrive

  1. Computer Configuration → Administrative Templates → Windows Components → OneDrive
  2. Prevent the usage of OneDrive for File Storage
    • Set it to Enabled
    • Also open Task Manager → Startup, select OneDrive and set it to Disabled

Microsoft Store

The following steps will prevent users from opening and using Windows Store.

  1. Computer Configuration → Windows Settings → Security Settings → Software restriction policies
    • Right click → New Software Restriction Policy
  2. Additional Rules
    • Right click → New Path Rule

    • Enter the Microsoft Store path: %programfiles%\WindowsApps\Microsoft.WindowsStore*

      Note: Be sure to include the * wildcard at the end of the path.

5. Control Panel Configuration

The following configuration is all done through the control panel. Each subsection heading is an option that can be selected in the control panel. Set control panel to → View by: Small Icons

Power Options

Set these options based on the desired use of the computer. The following is recommended:

First ensure that hibernate is completely disabled.
  1. Click Start, and then type cmd in the Start Search box.
  2. In the search results list, right-click Command Prompt, and then click Run as Administrator.
  3. When you are prompted by User Account Control, click Continue.
  4. At the command prompt, type powercfg.exe /hibernate off, and then press Enter.
  5. Type powercfg /a to see all available power states.
  6. Type exit, and then press Enter to close the Command Prompt window.
  7. Reboot the computer. Then return to the control panel Power Options.
  8. Click Show additional plans, set the Power Plan to High performance, then select Change Plan Settings and then click Change advanced power settings (Make sure High performance is selected from the drop-down).
    • Turn off all power saving
    • Set turn off Display to Never
    • Set the Hard Disk to Never
    • Set the USB selective suspend settings to Disabled
    • Set Hibernate to Never (if present)
    • Set Sleep button to Do Nothing (if present)
    • Set the Lid Close action to Do Nothing (if present)

Start → Turn Windows features on or off

  1. Turn Windows features on or off
    • Remove any unnecessary bundled Windows software (Games, Windows DVD Maker, etc.)
    • Turn ON Media Features (Required for IPFusion to play sound)
    • Turn ON the Telnet Client
    • Turn ON the Telnet (if the project is going to use Windows Backup Images)

Security and Maintenance

  1. Type in Security and Maintenance and then click on Change Security and Maintenance settings
    • Uncheck everything under Security messages and Maintenance messages
  2. Next, go back to Security and Maintenance and click on Change User Account Control settings
    • Set to Never Notify and disable messages about User Account Control
  3. In the Security and Maintenance page expand the Security tab
    • Turn off all messages about Windows Firewall, Spyware, Smart Screen, Virus Protection, Windows Update, Windows Backup, etc.
  4. In the Security and Maintenance page expand the Maintenance tab
    • Turn off messages about Check for Solution to Problem Reports

Sound

Sound → under Advanced → More Sound Settings → select the device and click Properties → Advanced tab
  • Switch Enable audio enhancements to Off

System

Type in Remote Desktop Settings in the search bar
  • Click Allow Remote Connections to this computer

Windows Firewall

Turn Windows Firewall On or Off
  • Turn off Windows Firewall for all networks

6. Windows 10 Settings Menu

The following configuration is all done through the → Start → Settings menu. Each subsection heading is a selectable option in the settings menu.

System

Set these options based on the desired use of the computer. The following is recommended:

  1. Personalization → Taskbar
    • Set all to Off, except possibly volume or other icons useful to the project.
  2. Notifications
    • Set all Notifications to Off
      1. Notifications
        • Uncheck all boxes under Additional Settings.

Multitasking

  • Set all Snap settings to OFF

Network & Internet

Ethernet → Network and Sharing Center, then select Change Advanced Sharing Settings
  • Set Make this PC discoverable to On. This will set it to a private network.
    Note: these options are only available when connected to a network.

Settings → Personalization

Start settings:
  • Show recently added apps: Off
  • Show most used apps: Off
  • Occasionally show suggestions in start: Off (if present)
  • Show recently opened Jump Lists: Off
  • Show recommendation for tips: Off (if present)
  • Show account related notifications: Off

Privacy & Security

  1. General
    • Set these privacy settings all to Off
  2. Diagnostics & Feedback
    • Set Feedback frequency to Never

Windows Update

  1. Windows Update
    • Select Check for updates
    • Install updates and reboot until there are no more updates
  2. Windows Update → Advanced Options
    • Change updates to Show a notification when your PC requires a restart to finish updating
  3. Virus & threat protection settings
    • Turn Off the Real-time protection, turn Off the Cloud-delivered Protection, and turn Off the Automatic sample submission

7. Services

Services

  1. Device Setup Manager service should be stopped and disabled because it will try and fail to connect to the internet.
  2. The Windows Time service should be either enabled or disabled, depending on whether Windows time sync or an external time sync program will be used for this project.
  3. Windows Update service should be stopped and disabled after all updates are complete because it will try and fail to connect to the internet.
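
A read-only check of the state this guide configures, as an added example that is not part of the original guide; its output can be kept with the build record. The service short names (DsmSvc, wuauserv, W32Time) and registry values are the standard Windows ones and do not appear on this page; Add-Check is a helper introduced here.

```powershell
# Added example: read-only check of settings from sections 1, 5, 6 and 7.
# Run from an elevated PowerShell 5.1 session on the workstation being built.
$rows = New-Object System.Collections.Generic.List[object]
function Add-Check($Setting, $Expected, $Actual) {
    $rows.Add([pscustomobject]@{
        Setting = $Setting; Expected = "$Expected"; Actual = "$Actual"
        Match   = ("$Actual" -eq "$Expected")
    })
}

# Section 1: every connected network should use the Private profile.
foreach ($p in @(Get-NetConnectionProfile -ErrorAction SilentlyContinue)) {
    Add-Check "Network profile ($($p.InterfaceAlias))" 'Private' $p.NetworkCategory
}

# Section 5: powercfg.exe /hibernate off is expected to leave HibernateEnabled = 0.
# A missing value shows as an empty Actual and a failed match.
$power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
Add-Check 'Hibernate (HibernateEnabled)' 0 $power.HibernateEnabled

# Section 5: UAC slider at Never Notify.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Add-Check 'UAC ConsentPromptBehaviorAdmin' 0 $uac.ConsentPromptBehaviorAdmin
Add-Check 'UAC PromptOnSecureDesktop' 0 $uac.PromptOnSecureDesktop

# Section 5: Remote Desktop allowed, firewall off for all profiles.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Add-Check 'Remote Desktop (fDenyTSConnections)' 0 $ts.fDenyTSConnections
foreach ($f in Get-NetFirewallProfile) {
    Add-Check "Firewall profile $($f.Name)" 'False' $f.Enabled
}

# Section 6: Defender real-time protection off.
Add-Check 'Defender real-time protection' 'False' (Get-MpComputerStatus).RealTimeProtectionEnabled

# Section 7: Device Setup Manager and Windows Update stopped and disabled.
foreach ($name in 'DsmSvc', 'wuauserv') {
    $svc = Get-Service -Name $name
    Add-Check "$name start type" 'Disabled' $svc.StartType
    Add-Check "$name status" 'Stopped' $svc.Status
}

$rows | Format-Table -AutoSize
# Windows Time is a per-project decision, so it is reported without an expected value.
Get-Service -Name W32Time | Select-Object Name, Status, StartType
```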

8. Windows Media Player

Windows Media Player

Windows Media Player is required to be installed for IPFusion to play sound. Start WMP to configure the first-time run settings:
  • Choose Custom Settings
  • Uncheck all options and then select the option to make WMP the default player

9. Project Specific Tasks

Install Touchscreen Drivers

  • Get the latest touchscreen drivers from the internet and install.
    Note: At this point, complete any other tasks or configurations required for the specific project.