Windows 10

App & Browser Control Warning in Windows 10 2004

The setting to block potentially unwanted apps is turned off. Your device may be vulnerable

After upgrading to Windows 10 2004, I noticed an alert in Windows Defender. It was alerting that something needed to be turned on, and I wondered what, as I needed to do this in Group Policy for the entire organisation.

Clicking the area around the ‘turn on’ button takes you to the App & browser control – containing another ‘Turn on’.

Go into the ‘Reputation-based protection settings’ link and there’s more info:

Aha! An option that’s not on – Block downloads. This is actually a Microsoft Edge setting which you can toggle, and will at the same time tick ‘Block downloads’:

I couldn’t find where this was set in Group Policy, so used Procmon to work out what was changing with that toggle. I ended up working out it was in the registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled and setting the default value to 1:

Great, now I knew what was changing, I could work backwards. Using GPSearch I looked for “SmartScreenPuaEnabled” and came back with

Configure Microsoft Defender SmartScreen to block potentially unwanted apps – User Configuration\Administrative Templates\Microsoft Edge\SmartScreen settings\

I didn’t have this Group Policy setting, so checked I had the latest ADMX files loaded for Windows 10 2004 – which I did, and they include templates for the Chromium based Microsoft Edge.

What I then discovered (or remembered!) was that there were separate ADMX files to get for Microsoft Edge, updated with each release. Downloading and loading these into my central repository brought in the “Configure Microsoft Defender SmartScreen to block potentially unwanted apps” setting I wanted. Enabling that, running a gpupdate set the value to what I wanted, and cleared the Microsoft Defender alert.
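To confirm on a client which mechanism is actually supplying the value after a gpupdate, the check below reads both the per-user toggle found with Procmon and the Edge policy keys. It is an added example, not part of the original post; the two `SOFTWARE\Policies\Microsoft\Edge` locations and the function name `Get-EdgePuaState` are assumptions and do not appear above.

```powershell
# Added example: report where Edge's PUA-blocking state comes from, so a value
# delivered by Group Policy can be told apart from the per-user toggle.
function Get-EdgePuaState {
    # Assumption: the usual Edge policy keys for machine and user scope.
    $policyKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
                  'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
    # Location observed with Procmon in the post (the key's default value).
    $prefKey = 'HKCU:\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled'

    $rows = foreach ($key in $policyKeys) {
        $value = $null
        if (Test-Path -Path $key) {
            $value = (Get-Item -Path $key).GetValue('SmartScreenPuaEnabled')
        }
        [pscustomobject]@{ Source = 'Policy'; Key = $key; Value = $value }
    }

    $pref = $null
    if (Test-Path -Path $prefKey) {
        $pref = (Get-Item -Path $prefKey).GetValue('')   # '' reads the (Default) value
    }
    $rows = @($rows) + [pscustomobject]@{ Source = 'UserToggle'; Key = $prefKey; Value = $pref }

    $rows | Format-Table -AutoSize | Out-Host

    # Report the first configured value, checking policy keys before the user toggle.
    $effective = $rows | Where-Object { $null -ne $_.Value } | Select-Object -First 1

    if ($null -eq $effective) {
        Write-Warning 'SmartScreenPuaEnabled is not set in any checked location.'
    } elseif ("$($effective.Value)" -ne '1') {
        Write-Warning "PUA blocking is disabled by $($effective.Source) at $($effective.Key)."
    } else {
        Write-Output "PUA blocking is enabled by $($effective.Source) at $($effective.Key)."
    }
}

Get-EdgePuaState
```

A value that only shows up under `UserToggle` means the user flipped the switch themselves and the ADMX-backed policy has not applied to that machine.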

Long story short – if you’re still using Group Policy like me, you may want to get into the habit of updating your ADMX files for Microsoft Edge more frequently than your Windows 10 builds – Microsoft releases major versions of Edge every 6 weeks.

What is Microsoft Editor?

Microsoft Editor is a new tool from Microsoft, which I’d never heard of before.

Funnily enough, I found out that Microsoft Editor existed after upgrading to Windows 10 2004. One of the fifteen tips when you ‘See what else is new in this update’ after upgrading is this tip below. I couldn’t really understand what application the tip was referring to – the home tab, in Word, in browser mode via Edge?

Although I then found other tips that seemed purely Office 365 related (like PowerPoint and Excel tips) which is strange to advertise as part of a Windows 10 upgrade, the button on this tip takes you to a page that does a much better job of explaining what it is:

Microsoft Editor checks grammar and more in documents, mail, and the web

Here it explains that Microsoft Editor (the full name wasn’t mentioned in the tip!) is an optional add-in available for Microsoft Edge and Google Chrome. It’s also coming to Word and Outlook. Also, if you log into it with an account that has a Microsoft 365 subscription, you’ll get advanced grammar and style refinements.

There’s a bit more info about the Microsoft Editor browser extension here, with direct links for the Chrome and Edge add-ons.

Once installed, you’ll have this little icon in the top bar of the relevant browser:

Clicking it will ask you to sign in:

and you can sign in with a free consumer Microsoft account, or a Work account. After signing in, the icon will turn blue, and you can click it again to see your options.

Note that it uses English (United States) as the default language, which you can change by clicking on the current language which takes you to the options:

‘Show synonyms for spelling suggestions’ is also off by default, so I’ve turned that on.

Here’s a spelling correction and a grammar correction while writing this blog post:

Spelling correction
Grammar correction

I’ll have to use it more to see how good it is, but I am happy to see hopefully a useful tool to help everyone write better. If it’s being added into Word and Outlook, there’ll be extremely elevated expectations of this solution doing its job well!

Enabling Dictation in Windows 10

Dictation is a pretty cool feature in Windows 10. Press Winkey + H, and up comes a small prompt in the middle of your screen telling you it’s listening – you can start talking, and your words start appearing wherever your cursor is.

Not only that, but you can give commands like a light version of Dragon NaturallySpeaking such as ‘delete test’ to delete the last word ‘test’. Or ‘Select the next three words’ to highlight them – basic cursor management you’d normally need a mouse for.

A managed Windows 10 computer, however, may not have all the components required to use Dictation, and a user may not have the access to download the speech packs themselves.

I hit a problem where Dictation would say ‘Download a Speech package for dictation’, but clicking that link would take me to settings and show that it was already installed. An admin of the PC doing this however, would somehow trigger a component to install and Dictation would work fine.

Under the user context, going to the Speech settings would show all the options as greyed out and blank:

After raising this with Microsoft Support, this was the method we found to make it all work:

These are the components that I required for Dictation:

• Language Basic component
• Language Text-to-speech component
• Language Speech component

These components are available to download via the “Windows 10 Features on Demand Pack 1” which you can find in your MSDN My Visual Studio downloads (the latest being version 2004). You’ll probably need a subscription for this.

Features On Demand are also available via Windows Update but this may not help you if you have a WSUS server.

The resulting ISO, e.g. en_windows_10_features_on_demand_part_1_version_2004_x64_dvd_7669fc91.iso will contain a separate .cab file for each feature. From this, it’s then a matter of using the DISM tool to inject each feature into Windows 10:

Dism /Online /Add-Package /PackagePath:F:\Microsoft-Windows-LanguageFeatures-Basic-en-au-Package~31bf3856ad364e35~amd64~~.cab 

Note you can add multiple packages to the above command, so could do all three with a single line. If you want to know what packages are already installed on a Windows 10 device:

Dism /Online /Get-Packages 
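The two DISM commands above can be combined into one elevated script that skips components already present and adds the rest in a single call. This is an added example, not from the original post; the drive letter, the language tag parameter and the TextToSpeech and Speech cab names (which assume the same naming pattern as the Basic cab shown above) are assumptions.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
param(
    [string]$FodDrive = 'F:',     # assumption: drive letter of the mounted FoD ISO
    [string]$Lang     = 'en-au'   # language tag used in the post's example cab
)

# 'Basic' is the cab named in the post; the other two names assume the same pattern.
$features = 'Basic', 'TextToSpeech', 'Speech'

# Package identities already present, parsed from "Dism /Online /Get-Packages".
$installed = & dism.exe /Online /Get-Packages /English |
    Select-String -Pattern '^Package Identity : (.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

$toAdd = @(foreach ($f in $features) {
    $id = "Microsoft-Windows-LanguageFeatures-${f}-${Lang}-Package"
    if ($installed -like "${id}~*") {
        Write-Host "Already installed: $id"
        continue
    }
    $cab = Join-Path $FodDrive "${id}~31bf3856ad364e35~amd64~~.cab"
    if (-not (Test-Path -LiteralPath $cab)) {
        throw "Not found on the Features on Demand media: $cab"
    }
    "/PackagePath:$cab"
})

if ($toAdd.Count -eq 0) {
    Write-Host 'All three language components are already installed.'
    return
}

# One DISM call with a /PackagePath argument per cab, as noted in the post.
& dism.exe /Online /Add-Package @toAdd /NoRestart

switch ($LASTEXITCODE) {
    0       { Write-Host 'Components added.' }
    3010    { Write-Host 'Components added; a restart is required.' }
    default { throw "DISM failed with exit code $LASTEXITCODE" }
}
```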

Privacy

There’s one big other catch with Dictation. You’ll need to enable ‘Online speech recognition’ which leverages Microsoft cloud based services as part of using Dictation.

If you’re running a computer that’s logged on under a Microsoft account, everything you say is being captured. You can view this data here and choose to delete it:

https://account.microsoft.com/privacy/activity-history?view=voice

I’m still clarifying how this works in other scenarios, and will update this blog post if I find out any more information.

If as a company, you’ve decided and accepted this scenario, you can toggle the option on for users using this registry setting:

HKEY_CURRENT_USER\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy

HasAccepted DWORD

0 = Off

1 = On

Maybe you won’t need to do any of the above at all – but it’s worth understanding what’s out there, including the privacy aspect; and if you understand and accept that, then promoting it to your userbase as a potentially big timesaver… especially for those 1 finger keyboard typists!

It’s also worth noting that several Microsoft 365 products include Dictate inside the app, more about that here.

Stopping Skype for Business Autostarting in Windows 10

Should be simple, right?

I installed Skype for Business for Office 365 on my home PC. I had Office 365 ProPlus, and the version of Skype for Business has to match that.

Worked great, and realising I didn’t want it running all the time on my home PC, I changed the option to ‘Automatically start the app when I log on to Windows’ in the Personal options:

The next day over the weekend, I noticed that Skype for Business had decided to still launch at login. Weird, so I checked what Task Manager had to say:

Skype for Business wasn’t even listed. I started mucking around a bit more, ticking the option to automatically start, pressing OK, turning it off, pressing OK, rebooting – but every time, Skype for Business just turned up, like a strange uncle you never invite to dinner but somehow still finds out and turns up every night.

Maybe it’s in the Startup folder in the Start Menu? Is that still a thing in Windows 10? Yes it is. It’s under C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup – replacing ‘username’ with what you’re thinking you should replace it with. Except, there was nothing there.

I also checked the standard Run locations in the registry, and then even searched for all instances of lync.exe which is still what runs Skype for Business… no hits that make any sense to it running at startup.

Of course, my next step is to complain on Twitter:

Interesting – Skype for Business runs at user login, but it’s not listed in Task Manager > Startup, or in the registry’s Run locations. The app even has ‘run at startup’ turned off. Not in the Start Menu Startup folder either. Don’t understand what’s triggering it…— Adam Fowler (@AdamFowler_IT) April 12, 2020

No winners in the responses – I checked Sysinternals Autoruns as suggested by Neil Clinch, and Guy Leech had a suggestion on how to completely block lync.exe from running ever, but I still wanted to use Skype for Business.

My Googling hadn’t returned any results, and I was getting desperate. I actually took a chance and read some answers.microsoft.com threads (which are usually sfc /scannow or unhelpful answers that didn’t read the question properly) and user Daniel Wherle had responded to a thread with my exact problem.

The answer was a setting called ‘Use my sign-in info to automatically finish setting up my device and reopen my apps after an update or restart’. This is hidden in Windows 10 Settings > Accounts > Sign-in options. It’s down the very bottom:

After I turned this option off and rebooted, Skype for Business no longer launched at startup. I even launched it manually, and restarted while it was running.

I turned the setting back on and rebooted, Skype for Business still didn’t autostart – that is, until I ran it with the option on, exited and rebooted.

It’s worth noting that even after completely exiting Skype for Business, lync.exe still ran in the background. I suspect this is part of the problem, because it also won’t re-open until that task is killed. I don’t have any other Office apps open, and it seems like a common enough problem that others will hit it – maybe with other programs too and this Windows 10 option enabled.

A strange one, but probably as far as I’ll dig on the issue.

How to stop Skype for Business from Autostarting in Windows 10:

To stop Skype for Business from loading at startup:

  1. In Skype for Business – Options go to the Personal option
  2. Untick ‘Automatically start the app when I log on to Windows’

If that doesn’t work:

  3. Go into Windows Settings > Accounts > Sign-in options.
  4. Click Accounts.
  5. In the Sign-in options section, untick ‘Use my sign-in info to automatically finish setting up my device and reopen my apps after an update or restart’

Applies To : Windows 10

Windows Hello for Business – A less forceful rollout option

How to roll out Windows Hello for Business as optional

To roll out Windows Hello for Business optionally:

  1. In Group Policy, enable the ‘Use Windows Hello for Business’ policy
  2. Tick the option ‘Do not start Windows Hello provisioning after sign-in’
  3. Users will then need to click the Windows Security icon to register

Applies To : Windows 10


When I first looked at Windows Hello for Business at launch, I was impressed by it but also concerned. Turning the option on would prompt all users or devices that had the policy on, strongly encouraging them to go through the Windows Hello for Business setup with their fingerprint/face recognition and PIN.

To roll out Windows Hello for Business, follow Microsoft’s documentation which is quite detailed due to the complexities of scenarios and requirements; such as Single-Sign On, MFA of some sort and Public Key Infrastructure.

It was a bit intrusive to have this almost forced registration process as a user might not be in a position to go through the setup and be trying to do something urgent first thing in the morning, but even more of a concern was the style of the userbase I support – anyone expects to be able to log onto any computer anywhere. Windows Hello for Business doesn’t follow the user around for good reason (you’re tying the things you have to a single device), so each new device will go through the prompts.

I also had concerns around desktop users who didn’t have any other method of authentication beyond the PIN, and the perception that a PIN is less secure than a password (again the PIN is tied to a single device, while the password can be used to log onto any device).

Thankfully, a new option turned up in Group Policy under the ‘Use Windows Hello for Business’ policy, located under both the Computers and Users areas at Policies > Administrative Templates > Windows Components > Windows Hello for Business: the tickbox ‘Do not start Windows Hello provisioning after sign-in’. (To be fair, this has now been there for a while and I just wasn’t aware):

This will instead provide a little warning in Windows Security under Account Protection, saying Windows Hello isn’t set up. It doesn’t pop up and alert this, but instead shows a yellow exclamation mark against the shield icon in the taskbar. A user can then click through this at their leisure and set up Windows Hello for Business.

To me, this is a great way of allowing all staff the chance to set it up when they’re ready to do so, and in a staggered fashion without really having to manage it. Each business is different of course, and some will prefer or require the heavy handed approach of Windows Hello for Business on all devices – but I’m glad this more relaxed option exists.

Note that Windows Hello for Business is supported in both Azure AD connected and Hybrid Azure AD devices. For further info, read Microsoft’s documentation: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification