20 April 2017

Windows 10 Creators Edition 1703


Updates for Windows 10 are streamlined into monthly cumulative features and fixes, a smaller version of just fixes, and periodic new builds.  These new builds are similar to new versions of Windows, and come out about as often as new versions of popular Linux distros; they don't appear in the Catalog, but are provided as new OS installers instead.


Installing Build 1703

 

Since the GWX offer, we’ve become more comfortable with installing new versions of Windows over existing installations, something we’d have usually avoided in the past.  It’s still a brittle process, sometimes leaving the system tied up behind a black screen for hours on end when things go wrong.

If yours is one of those systems that gets lost in “do not switch off your computer” or black-screen space, then it’s best to install the upgrade more formally.

First, use the Media Creation Tool to create an .iso of the new Windows 10 installation disc for your system’s edition of Windows.  Do not click the in-your-face “Update now” button; scroll down to “Using the tool to create installation media…”, as what you want is the .iso to build a bootable DVD.

The tool is a small download, which will do the real work when you run it.  It will default to building an installer for your system, so if you want something different, UNcheck the relevant check box and then choose your edition and bits to taste.  The same installer will work for both Home and Pro editions, but if you have Single Language (i.e. you’d GWX’d from Windows 8.x SL) then you will need to select the specific edition for that, else your Activation key won’t work.

The tool will take ages to first download the material, then build it into the .iso, then clean up afterwards.  As downloaders go, it’s not slow; it’s just a lot of material!  Once downloaded, you can copy the contents of the .iso (either directly via 7-Zip, or after making the disc) to a permanent “source” subtree on the system to be upgraded.  You can also add the most recent Cumulative update from the Catalog web site (the link should open to April 2017 Cumulative; navigate from there if reading this in later months).

Second, clean up your C: partition via Disk Cleanup, and make a partition image backup of this as your Undo, should things go pear-shaped.  If your hard drive is set up as “one big doomed NTFS C:” then this will be a capacity challenge, as will GPT partitioning, which reduces your choice of tools and undermines confidence that a “restore” will work.  I use Boot It New Generation (BING), an old free product from these guys; their newer Boot It Bare Metal is a lot naggier and less useful in free form, but does work with GPT partitioning.  It’s also a good idea to exclude malware and do other cleanups before you make this “undo” partition image.

Third, get off the Internet and all networks, stay off the Internet throughout the installation process, and when you see “check for updates” during the setup process, UNcheck that.  This will limit the installation to what is in your pre-downloaded source material, avoiding update-of-the-week surprises and the tar-pit effect of flaky Internet access and performance.

Fourth, run the Setup.exe for the new build, from an always-available location, e.g. local hard drive volume other than C:, that can be a long head-travel away but is always present.  That way, any future references to the installation source can properly resolve.

Fifth, after the new build is installed, run the pre-downloaded Cumulative if you have that, then check settings etc. before going online for the first time, and doing online updates.

Checking for Lost Settings

 

After a successful “feature” update, there are likely to be new features set up with unsafe duhfault settings, so you need to check Settings in general, and Privacy in particular.  Expect to see new additions allowed to use the camera, mic, and run as background processes; fix to taste.

However, there are some unexpected lost settings, especially as Microsoft pushed their OneDrive cloud storage service.  What’s better than having your code on users’ systems that can snoop their stuff?  Having users spend their communications dime on sending you their stuff so you can play with it unseen on your servers… hence so many vendors pushing cloud storage offers.

This article shows the new install-time privacy summary options, but what this doesn’t tell you is that you’ll not only see this when updating an existing Windows 10 installation (at least as done by running the .iso file set’s Setup.exe from within Windows), but the settings will ignore what you’d previously set, and start off with “everything on” duhfaults.  So, watch that screen and make sure you scroll it down to check all settings anew.

Windows 10 may turn off System Protection by default, and installing the new Build 1703 disabled this although I’d previously enabled the setting.  My systems use MBR partitioning with shell folders relocated off NTFS C: to FAT32 logical volumes on an extended partition, and maybe this influences how Windows 10 treats this setting; the same may apply to mobile systems with puny flash storage that have to use mSD cards to extend “internal” storage in a similar way.  With System Protection disabled, you’ll lose not only Previous Versions of files stored on C:, but also System Restore.

If you’d turned off Live Tiles, you will find all of them turned back on after installing Build 1703.  You should also check the registry setting to kill Live Tiles (i.e. stop external sources from squirting content directly into “your” desktop UI), in case that was cleared:

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications]
"NoTileApplicationNotification"=dword:00000001

Settings to curb OneDrive are likely to be lost, so check those, as well as adding a setting to reduce UI spam that pushes the cloud storage service.  Expect unwanted UI popups to “just” set up OneDrive, some days after the 1703 upgrade; a fairly common vendor tactic that aims to catch the user after their tech has walked away after doing the upgrade.

[HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}]
"System.IsPinnedToNameSpaceTree"=dword:00000000

[HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}]
"System.IsPinnedToNameSpaceTree"=dword:00000000

Yep, both of the above settings were enabled, after 1703, which re-enabled OneDrive integration into the shell.  If that’s not what you want, you need to re-assert those settings.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.Explorer.Notification.{B2E2D052-B051-D751-3E74-F8D4290BD1BC}]
"Enabled"=dword:00000000

The above setting blocks OneDrive spam delivered as a “sync notification”, and is worth asserting, though you’ll prolly get ongoing UI pressure to “just” sign up a Microsoft online account and/or use OneDrive.  While you’re there, you may want to check these…

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings]
"NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK"=dword:00000000
"NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay]
"Enabled"=dword:00000000

…which reduce info exposure on the locked side of the “lock” screen, and reduce AutoPlay risks when arbitrary external storage is detected by the shell.  For the latter “hello, Stuxnet” malware risk, I still use…

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000df
"NoDriveAutoRun"=hex:ff,ff,ff,03

…to disable AutoRun and AutoPlay on basis of both device type and drive letter.  The latter setting is a bit field for drive letters, and you can edit to enable particular letters only.
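The bit-field layout described above, worked through as an added example (not code from the original post): it decodes the two values shown and builds a NoDriveAutoRun value that leaves chosen drive letters enabled. The function names are illustrative, and the "DE" letter choice is hypothetical.

```python
import string

# NoDriveTypeAutoRun: bit n matches GetDriveType() result n; 0x80 is reserved.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no-root-dir", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "cd-rom", 0x40: "ram-disk", 0x80: "reserved",
}
ALL_LETTERS = (1 << 26) - 1          # bits 0..25 = A: .. Z:

def decode_drive_types(value):
    """Drive types for which a NoDriveTypeAutoRun value disables AutoRun."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]

def parse_reg_hex(data):
    """'hex:ff,ff,ff,03' -> int; the bytes in a .reg file are little-endian."""
    raw = bytes(int(b, 16) for b in data.split(":", 1)[1].split(","))
    return int.from_bytes(raw, "little")

def decode_drive_letters(mask):
    """Drive letters on which a NoDriveAutoRun mask disables AutoRun."""
    return [c for i, c in enumerate(string.ascii_uppercase) if (mask >> i) & 1]

def build_no_drive_autorun(allow=""):
    """.reg data that disables AutoRun on every letter except those in `allow`."""
    mask = ALL_LETTERS
    for letter in allow.upper():
        if letter not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {letter!r}")
        mask &= ~(1 << (ord(letter) - ord("A")))
    return "hex:" + ",".join(f"{b:02x}" for b in mask.to_bytes(4, "little"))

if __name__ == "__main__":
    print(decode_drive_types(0xDF))                       # value from the page
    print(decode_drive_letters(parse_reg_hex("hex:ff,ff,ff,03")))
    print(build_no_drive_autorun(allow="DE"))             # hypothetical choice
```

Decoding `0xdf` shows every drive type covered except CD-ROM (bit `0x20`), so with these two values optical drives are blocked by the drive-letter mask rather than by type.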

If you prefer to disable Windows Script Host, you may find some of the settings will have been lost after Build 1703, so check these…

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"EnableRemoteLaunch"="N"
"EnableRemoteConnect"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"ActiveDebugging"="1"
"UseWINSAFER"="1"
"Enabled"="0"
"IgnoreUserSettings"="0"

…as I found the last two were lost after 1703.
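A way to catch the lost settings listed in this section, as an added example that is not part of the original post: it parses .reg text and reports every baseline value that is missing or different in a post-upgrade export. The function names are illustrative, and the AFTER text is a constructed sample standing in for regedit or `reg export` output that has already been decoded to text.

```python
import re

def parse_reg(text):
    """Parse .reg text into {(key, value_name): data}; names are case-folded."""
    values, key = {}, None
    text = re.sub(r"\\\r?\n[ \t]*", "", text)   # join backslash-continued hex data
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()             # registry key names ignore case
            continue
        m = re.match(r'("(?:[^"\\]|\\.)*"|@)=(.*)$', line)
        if not m or key is None:
            continue                             # header, blank line or ';' comment
        data = m.group(2).strip()                # hex digits compare case-insensitively
        data = data.lower() if data.startswith(("dword:", "hex")) else data
        values[(key, m.group(1).strip('"').lower())] = data
    return values

def drift(baseline, current):
    """Baseline values that are missing or different in the current export."""
    want, have = parse_reg(baseline), parse_reg(current)
    return [(k, n, v, have.get((k, n)))
            for (k, n), v in want.items() if have.get((k, n)) != v]

# Some of the page's own settings, used as the baseline.
BASELINE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications]
"NoTileApplicationNotification"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000df
"NoDriveAutoRun"=hex:ff,ff,ff,03
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"UseWINSAFER"="1"
"Enabled"="0"
"IgnoreUserSettings"="0"
"""
# Constructed sample of a post-upgrade export (not real output).
AFTER = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000DF
"NoDriveAutoRun"=hex:ff,ff,\
  ff,03
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"UseWINSAFER"="1"
"""

if __name__ == "__main__":
    for key, name, want, found in drift(BASELINE, AFTER):
        print(f"{key}\\{name}: want {want}, found {found}")
```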

There’s prolly more side-effects and collateral damage that I’ve missed; feel free to add such tips via Comments!