Best practices for managing Windows 10 in the enterprise

Windows and the enterprise market have gone together like peas and carrots since computers entered the mainstream, and that relationship is still going strong. Managing a fleet of Windows 10 computers in an enterprise setting is easier than ever, but there are still some things to consider when setting up your environment.

A small bit of backstory on me: my day job involves configuring, tracking and managing Windows laptops and desktops for a ~500-person non-profit. The tips below are what I've picked up since starting the job seven months ago.

Use SCCM


System Center Configuration Manager, or SCCM, is Microsoft's own suite for deploying and managing Windows in an enterprise setting. Administrators can use SCCM to image machines, remotely control them, manage updates and patches, and even manage iOS and Android devices. SCCM is licensed per managed device, and that cost is what keeps my company from using it. Do some research and find out whether SCCM is worth the cost for your company.

Have one installation image

In the past, a Windows installation image had to be customized with specific drivers for each hardware model. One of my favorite parts of Windows 10 is that the base image ships with in-box drivers for networking, display output, audio and other key components. That means I only need one installation image for all of my machines, which makes it far easier to ensure every machine is set up and patched the same way. The one catch is that a single image is only as current as the last time you serviced it, so refresh it with the latest cumulative update before each round of deployments rather than relying on every new machine to catch up on its own.
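As an added example (not from the article), here is how that single image can be kept current with the DISM PowerShell module before a deployment round: mount the WIM, inject the latest cumulative update and any vendor driver packs Windows Update does not cover, verify, and commit. The WIM path, image index, update file name and driver folder are assumptions; download the actual update package from the Microsoft Update Catalog.

```powershell
# Added example, not from the article: refresh a single install.wim offline with the
# latest cumulative update (and any vendor driver packs) so every machine imaged from it
# starts fully patched. Paths, index and package file names are assumptions.
# Requires an elevated PowerShell session and the DISM module that ships with Windows/ADK.
param(
    [string]$Wim        = 'D:\Deploy\install.wim',
    [int]   $Index      = 3,                        # e.g. the Enterprise edition; check with Get-WindowsImage
    [string]$Mount      = 'C:\Mount\win10',
    [string]$LcuPackage = 'D:\Updates\windows10.0-kb-cumulative.msu',  # placeholder name; from the Update Catalog
    [string]$DriverDir  = 'D:\Drivers'              # vendor .inf driver packs, optional
)

$ErrorActionPreference = 'Stop'

# 1. Show which editions the WIM holds so the right index is patched.
Get-WindowsImage -ImagePath $Wim | Select-Object ImageIndex, ImageName, ImageSize

# 2. Mount the chosen index read/write.
New-Item -ItemType Directory -Path $Mount -Force | Out-Null
Mount-WindowsImage -ImagePath $Wim -Index $Index -Path $Mount

try {
    # 3. Inject the cumulative update. If a Servicing Stack Update is also required, add it first.
    Add-WindowsPackage -Path $Mount -PackagePath $LcuPackage

    # 4. Inject INF-based drivers only for hardware Windows Update does not cover.
    if (Test-Path $DriverDir) {
        Add-WindowsDriver -Path $Mount -Driver $DriverDir -Recurse
    }

    # 5. Verify the package landed before committing the image.
    Get-WindowsPackage -Path $Mount |
        Where-Object PackageState -eq 'Installed' |
        Sort-Object InstallTime -Descending |
        Select-Object -First 5 PackageName, InstallTime

    Dismount-WindowsImage -Path $Mount -Save
}
catch {
    # Never save a half-serviced image; discard the mount and surface the error.
    Dismount-WindowsImage -Path $Mount -Discard
    throw
}
```

Run it once per release of the cumulative update and redistribute the resulting WIM to whatever deploys it (MDT, WDS or USB media); machines imaged from it then only need the deltas since that update rather than months of patches on first boot.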

Rely on Windows Update

The other piece that lets me get away with one installation image is how good Windows Update has become over the years. On Windows 10 it detects the hardware in each machine and delivers matching driver and firmware updates automatically, covering networking, display, audio, trackpads, firmware updates (for Surface devices) and more.

Windows Update isn't entirely foolproof, though in my experience it covers the large majority of components. For the rest, you may need to check for updates in Device Manager or download an update utility from the computer's manufacturer.

Speaking of Windows Update, it's worth taking the time to set up an internal update server (Windows Server Update Services, or WSUS) for your company. This lets you approve and test updates on a pilot group before rolling them out to every client. Almost as important, it reduces Internet costs and bandwidth use: if everything is configured correctly, your clients pull the update files from your internal WSUS server, rather than dozens or hundreds of computers all pulling the same update from Microsoft's servers.
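The two halves of that setup, as an added example that is not part of the article: on the client, the Windows Update policy keys that point machines at the internal server (the same values the Group Policy templates write), and on the WSUS server, approving needed security updates for a pilot group before production. Server name, port and group names are assumptions. One caveat worth insisting on: publish WSUS over HTTPS. With plain HTTP, anything that can intercept client traffic on the local network can answer the client's update check itself, and the client will run what it is handed.

```powershell
# Added example, not from the article. (a) point a client at the internal WSUS server over
# HTTPS via the Windows Update policy registry keys; (b) on the WSUS server, approve needed
# security updates for a pilot group only. Server name, port and group names are assumptions.

# ---- (a) client side: the keys Group Policy writes under
#      Computer Configuration > Administrative Templates > Windows Components > Windows Update
$wsusUrl = 'https://wsus.corp.example:8531'   # 8531 is the default WSUS TLS port; 8530 is plain HTTP
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'
New-Item -Path $au -Force | Out-Null
Set-ItemProperty -Path $wu -Name WUServer       -Value $wsusUrl -Type String
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $wsusUrl -Type String
Set-ItemProperty -Path $au -Name UseWUServer    -Value 1        -Type DWord
Set-ItemProperty -Path $au -Name NoAutoUpdate   -Value 0        -Type DWord   # keep automatic updates on
Set-ItemProperty -Path $au -Name AUOptions      -Value 4        -Type DWord   # 4 = auto download and schedule install
Restart-Service wuauserv

# Sanity check: if UseWUServer is missing or 0 the client silently uses Microsoft's servers instead.
Get-ItemProperty -Path $wu, $au | Format-List WUServer, WUStatusServer, UseWUServer, AUOptions

# ---- (b) server side: run on the WSUS server, which ships the UpdateServices module
Import-Module UpdateServices
$wsus = Get-WsusServer
Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Unapproved -Status Needed |
    Approve-WsusUpdate -Action Install -TargetGroupName 'Pilot'
# Once the Pilot group reports Installed without regressions, repeat with -TargetGroupName 'Production'.
```

In practice you would deploy section (a) through a GPO linked to the computer OU rather than by hand, but the registry view is useful when a machine is not picking up the policy and you need to see what it actually has.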

Install as few programs as possible

Until every program is available in the Windows Store, each program you install brings its own update service and its own connection to the Internet. Each of those update services is a potential attack vector for the machine and your network, so only install the essentials for each user. For us, that's Google Chrome (more on that later), Chrome Remote Desktop, ESET Anti-Virus, FortiClient VPN, Parallels Client and 8x8 Virtual Office. Within Chrome, we only allow a few extensions (Chrome Remote Desktop, LastPass, Adblock Plus), because browser extensions are also an attack vector.
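An added example (not from the article) of enforcing the "only a few extensions" rule rather than asking users to follow it: Chrome reads its enterprise policies from the registry, so a blocklist of `*` plus an allowlist of specific extension IDs turns the allowed set into the only installable set. The extension IDs are the 32-letter string at the end of each Chrome Web Store URL; the three below are given as examples to confirm against the store before deploying, and the policy names assume a Chrome build recent enough to use `ExtensionInstallAllowlist`/`ExtensionInstallBlocklist`.

```powershell
# Added example, not from the article: deny every Chrome extension except an explicit allowlist,
# using the registry-backed Chrome enterprise policies (the same values the Google ADMX templates set).
# Extension IDs below are examples to verify against each extension's Chrome Web Store URL.
$allowed = @(
    'inomeogfingihgjfjlpeplalcfajhgai',  # Chrome Remote Desktop (verify)
    'hdokiejnpimakedhajhdlcegeplioahd',  # LastPass (verify)
    'cfhdojbkjhnklbpkdaibdccddilifddb'   # Adblock Plus (verify)
)
$base  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$block = Join-Path $base 'ExtensionInstallBlocklist'
$allow = Join-Path $base 'ExtensionInstallAllowlist'

# Rebuild both lists from scratch so a stale entry from an earlier run cannot survive.
Remove-Item -Path $block, $allow -Recurse -ErrorAction SilentlyContinue
New-Item -Path $block -Force | Out-Null
New-Item -Path $allow -Force | Out-Null

# A blocklist entry of "*" denies every extension; the allowlist then punches holes for the approved ones.
Set-ItemProperty -Path $block -Name '1' -Value '*' -Type String
$i = 1
foreach ($id in $allowed) {
    # Chrome extension IDs are exactly 32 characters drawn from a-p; reject anything else before it reaches policy.
    if ($id -notmatch '^[a-p]{32}$') { throw "Not a valid Chrome extension ID: $id" }
    Set-ItemProperty -Path $allow -Name ([string]$i) -Value $id -Type String
    $i++
}

# Show the resulting list; chrome://policy on the client reflects it after Chrome restarts.
Get-ItemProperty -Path $allow | Select-Object -Property * -ExcludeProperty PS*
```

The same pattern applies to the installed-programs rule in the paragraph above: an allowlist enforced by policy beats a list in a document, because it still holds when the user, or something running as the user, tries to add one more thing.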

Document everything and have a plan when things go bad

This is something I need to get better at. Even though I have my initial setup process for desktops and laptops down to a T, I still need to actually write it down. There will be a day when I'm on vacation or no longer working for my company, and someone else will need to set up a Windows computer. If you're an IT admin, write down the process for everything you do. Even if the end product isn't pretty, it's better than nothing.

Also, know that you're going to have bad days. You're going to have times when your bosses demand a fix for that thing they heard about on the news, and the only answer you can give them is, "We have to wait for updates." It happens. Know it's going to happen, so you're not blindsided.

Consider other operating systems

Truth be told, most people don't need everything Windows does. I mentioned Google Chrome earlier because the vast majority of our users are on Chromebooks and Chromeboxes. It may sound counterintuitive in an article about managing Windows, but if your users need nothing more than a web browser, a Chromebook is a good option. Chromebooks are criticized for not running the same software Windows computers do, but that limitation has a big benefit: malware written for Windows simply doesn't run on a Chromebook.

What say you?

Do you manage Windows computers for your company? What advice do you have? Let us know down below!

Tom Westrick
12 Comments
  • Quick question pls. The company I work for uses Windows 10. I have my work account and personal account logged in. The company blocked/doesn't allow OneDrive sync, but sometimes photos and messages from my phone (Lumia 950) make it through the "firewall". It's not reliable, but sometimes some updates make it through, like photos, Gmail and Yahoo, phone texts and chats. Anything I can tweak to get these notifications and updates to be more reliable?
  • SCCM is a great tool, but it does require a lot to maintain and isn't suitable for all. For many smaller companies, Microsoft Autopilot is an excellent option, provided that you only use Windows 10 (1703 or later) and have Intune and Azure AD Premium P1 or P2. You can order a new PC, have it delivered straight from the manufacturer to the end user and still control the setup experience, deploy applications and policies, and join the computer to the local Active Directory. It can even show the intended user's logon name at startup, so the user only needs to enter his/her password, preferably with some form of MFA.
  • Here's another odd one. Our district started to roll out new machines with Win 10 but is keeping old ones as they are. Prior to this, I created one of those 365 for Education accounts that MS gives .edu/.org addresses. When I got my new Win 10 machine, I logged in with that account, but somehow it created a new personal account with the same email address instead of using the 365 for Education account I wanted it to use. So for some time now, I've had to specify when logging into MS websites which account I wanted to use, personal or 365 for Education. First of all, I can't fathom how a company can do this. Why would MS allow two different accounts with the exact same email address?? (Which, for what it's worth, is a Gmail address, since our district is all in on Google crap, but it's all tied together; our passwords for our Windows machines are the same as the Chromebooks.) THEN, to make matters worse, now when I try to access the 365 for Education account it says it doesn't exist, and when I log into other Windows 10 machines and start using Office products it says I'm logged into a completely different account with a different suffix than our email addresses, since we are normally .org and this is .edu. Furthermore, if I try to log into an MS website with this strange new .edu address it says the account doesn't exist either. What the heck is going on at MS with accounts!!!??? I bet you didn't count on doing tech support on this article, lol, but seriously, who do I even talk to about this? Our district doesn't really have a clue about the MS accounts, as again they are all Google-eyed, and MS wants me to pay for support.
  • This article is aimed at users with a Microsoft account (personal) and an Office 365 account (work or school) with the same logon name: https://support.microsoft.com/en-us/help/11545/microsoft-account-rename-your-personal-account
  • Thanks for the article! Sadly, I simply don't want a personal account other than the one I use for my own stuff, which has nothing to do with my work email, and since I'm established on my own personal account, creating a new alias to move it to really doesn't seem worthwhile. I just can't understand how this issue occurred in the first place. An email address should be the unique identifier, and thus it shouldn't be possible to make both personal and work accounts from it.
  • I use SCCM; it's OK. The remote control tool does not work with display scaling, and it will drive you mad. I have to keep VNC or LogMeIn on all PCs for when AD or SCCM have issues.
  • Windows Update sucks. They take too long to install. Also, I'm struggling with the best settings for a company that uses all laptops. There's no good time to force these updates on people.
  • From my experience in IT, Windows 10 is the worst to manage ever. Reason: feature updates. Every 6 months or so, a new version of Windows 10 is released. The fact that feature updates are released isn't bad, what is bad is how they are installed. Installing a feature update resets a number of settings to defaults. Many of these settings can be managed by GPOs, but not all. This means that after every feature update (every 6 months), I need to go to every computer at my company and change these few settings back to what they should be. It is a real pain.
  • There's a couple of things I would say, mostly that your approach will depend on the size of your company and the number of legacy applications you need to support. SCCM is great, but it is overly complex if you only have a few PCs, and as for cost, I would be looking at Intune these days, as it offers more flexibility if you have a lot of field staff. Same with WSUS: great for on-premises deployment (you can integrate it into SCCM), but unless you make it Internet-facing, you may be better off with Windows Update for Business should you have a high proportion of field workers (this also integrates well with Intune). Both should be combined with Windows Store for Business and, to complete the experience, Office 365. Windows Analytics (a free Azure service, but it may require an AAD P1/P2 subscription for some functionality) is also your friend for keeping track of your upgrades, updates and device health. All in all, the cloud is the way to go if you've a truckload of bandwidth or a large number of field workers. On-premises is mainly for larger desk-bound organisations. YMMV.
  • SCCM is actually the Society of Critical Care Medicine; Microsoft expects us to say ConfigMgr as the shorthand version. A couple of things: for small-scale deployments in an enterprise, Microsoft Deployment Toolkit (MDT) along with the Windows Assessment and Deployment Kit (Windows ADK) should be an option. This offers you the ability to have OS deployment via task sequences à la ConfigMgr, yet as a free offering. This can then leverage Windows Deployment Services (WDS) from Windows Server to allow PXE booting to build remote PCs, or create offline USB media. ConfigMgr is not a complicated beast; as long as your implementation is good and your collection/folder structure is great and simple, you shouldn't then need documentation to follow the linkages. Also surprised that there was no mention of App-V, which is one of the core benefits of deploying Windows 10 Enterprise over Windows 10 Professional now. Like UWP apps, it containerizes the applications, which can then be either streamed or run locally through ConfigMgr or through the App-V server-side software as part of the Microsoft Desktop Optimization Pack (MDOP) or Windows 10/EMS E3/E5 licencing (EMS is about $9 max per device/user, which includes Intune, ConfigMgr and Azure AD Premium P1 as well as many other great services).
  • Can you centrally manage Chromebooks with Microsoft Active Directory and management tools?
  • "Managing Windows 10" -> "Consider other operating systems". This is what I love about the "lost in concept" concept at Windows Central.