Advanced functions to Configure and Customize for Windows 10 and Windows 11 speed
In this article, the methods discussed will primarily be applicable to Windows 10 Enterprise and Education editions. If your environment also includes the Professional edition, you will find that some recommended settings do not work or apply as expected. Microsoft maintains an index of settings that apply only to Windows 10 Enterprise and Education editions; consult it to learn more. You should note that these are subject to change from release to release.
In this article, we will learn about the following:
- Windows as a service methodology
- Windows image configuration and customization options available to enterprise administrators
- New technologies that come with Windows 10 and enrich the user experience (for example, Cortana)
- Security configuration
- Windows Store management
Introducing Windows as a service
Microsoft has shifted design principles of Windows image configuration significantly between Windows 7 and Windows 10. Windows 10 and Server 2016 herald a new way of doing business for Microsoft, Windows as a service (WaaS). This is now the way Windows is being designed, implemented, and serviced throughout the world. In light of this, to help enterprise environments keep up, Microsoft appears to be making significant investments in tools and process development focused on deployment. This is likely to assist with the historically lengthy process of migrating and imaging machines. There is probably no better example than the availability of the Windows Configuration Designer in the Microsoft Store, as shown in the following screenshot:
While the tool changed, the idea of configuring and tweaking an image without having to go through time-consuming task sequence steps and rigorous, methodical tweaking of settings is certainly a boon for the enterprise administrator (and perhaps a bane for the deployment-focused IT professional). It's my firm belief that IT is heading down a path where imaging (as we now know it) will be a thing of the past, where a Windows 10 machine can be plugged into a network, joined to Active Directory or Azure Active Directory (Azure AD), and policies are pushed down to configure the user experience. I further suspect that eventually, a container-like technology will take hold where the user profile is just a container to load at login. Given the preponderance of badly applied folder redirection and roaming profile group policies in enterprise environments, this is probably a good thing, as many administrators contend with difficult or conflicting guidance on deployment, or even outsource their imaging work due to its complex nature.
One aspect of WaaS that a lot of IT professionals might not anticipate (yet) is that things are more than likely going to change underneath you from build to build of Windows. I'm not simply describing a user experience (UX) change, or stability, or anything like that. I'm speaking about the core of what Windows has been for enterprises for some time now.
Typically, enterprises are used to modifying the operating system to suit their needs. Need software to run an ATM? Great, Windows Embedded was always the answer. Want to launch missiles, view medical images, process payrolls, or any of the other of myriad tasks workers in businesses, government organizations, and even homes do? Great, Microsoft Windows is for you!
What I am saying is that the deep customization knobs we are used to from the Windows XP and Windows 7 days are in some ways gone. That is not to say that edge cases are no longer welcome in Windows land, not at all. It means that corner cases, rather than forcing the square peg into the round hole, may be better served by using the appropriate tool available. For example, if you need Windows to be a kiosk, the use of assigned access is far preferable to hacking the registry in ways that may cause unintended issues later on.
Microsoft is actively taking feedback on the changes they make from build to build and modifying their roadmaps as a result of that feedback. Edge cases will still have a home in Windows, but it may be a different home than the old one.
So while user profile customization seems to be headed down a new and exciting path, image customization is still available and can be necessary and worth the effort. The tools for this are the Microsoft Deployment Toolkit (MDT) and Windows System Image Manager (Windows SIM) from the Windows Assessment and Deployment Kit (Windows ADK).
Cortana
One of the new features of Windows 10 is Cortana. A familiar entity to those who played the Halo game series, Cortana is more than a pretty face in Windows 10. It is deeply embedded into the operating system, and application developers can very easily integrate with Cortana's voice controls to launch or manage their applications. Two examples of Cortana at work are shown in the following screenshots:
For enterprise environments, Azure AD is leveraged to manage some of Cortana's behaviors, and therefore enterprises using Azure AD should really investigate its capabilities. Strong integration with Office 365 and Power BI are two compelling use cases Microsoft supports now. The addition of the Microsoft Bot Framework SDK and the Cortana Skills Kit makes this a customizable platform that enterprises can leverage for their own internal applications.
We're not simply talking to a computer, although that is part of what Cortana does for users. Imagine integration with Cortana Analytics on Azure, Power BI dashboards, and Excel pivot tables all integrated together and results available via a simple-to-use interface built into Windows 10. That's more a fit for what the vision and capabilities are here. Also look for more integration stunts with Microsoft's Office suite and other products and services coming in the future.
Security mitigation
To appreciate the significance of Windows 10's security focus, one simply needs to look at the news. It seems that every day another story emerges of a company or organization that has had ransomware installed and then been blackmailed into paying for an encryption key to regain access to its own data. A review of the work needed to protect against these types of attacks is worth the time.
One company, Third Tier, even has a kit they offer to help prevent this sort of intrusion on your network. From the Third Tier ransomware prevention kit site, http://www.thirdtier.net/ransomware-prevention-kit/, you can see that the package makes many modifications and recommendations, including group policies, WMI filtering, software restriction policies, blocking of known attack vectors, backups, recovery methods, and even training materials to teach users to be more security aware.
Even if you choose not to use it, it is a great "have I thought of..." checklist when it comes to risk mitigation. In an age where antivirus products cannot protect against everything, especially social engineering attacks on end users, it behooves administrators to protect users from themselves in the best interest of the company.
Additionally, software products working in tandem with antivirus solutions, such as data loss prevention (DLP) software or even intrusion detection software/systems (IDS) can be used to protect organizations and their data from accidental or even intentional theft by third parties or rogue employees. The typical goal of an organization is to prevent their data from ending up on Wikileaks, so any steps that can be taken toward that end are a good target for the enterprise administrator.
While prevention is all well and good, what about the aftermath of a detected intrusion? Are you prepared for that scenario? More so, is your security team prepared? Forensics tools, Windows log configuration, and subsequent auditing can go a long way toward answering the questions of what happened, how it happened, and what we lost. With Windows 10, suffice it to say that Microsoft has made many improvements in preventing attacks from occurring.
Image customization
In an enterprise environment with many legacy applications and department configurations, deploying an image preconfigured and set up for the user makes a lot of sense. Standing up an MDT environment in an enterprise is a relatively easy task (usually it takes more time in change control/security procedures than in actual install/setup) that can be completed in an afternoon in most cases. Customizing the image is best done with reproducible tooling, and MDT will help with that, as you can modify the default user profile.
That is, until all your applications are migrated to the Universal Windows Platform (UWP). Once this happens, your user profile/default application scenarios become a bit easier to plan and deploy.
This is Microsoft's long-term vision for all applications. If your organization hasn't started taking a look, it might make sense to help drive that adoption as a long-term goal for your company. There are many security and stability benefits to moving in this direction, and the link provided at the beginning of this paragraph will provide ample data points to argue the case.
Imaging process
Once your image is baked, you can take it and deploy it with SCCM or MDT, or even give it to an Original Equipment Manufacturer (OEM) to have it placed on the computers you purchase from them before you receive them. The process for baking an image is generally this:
1. An environment is created that is off the production network. This is usually a virtualized environment and can even be all on a single host. A standalone Dynamic Host Configuration Protocol (DHCP) server and an artificial subnet with a NAT rule for the MDT host are preferred.
2. A virtual machine is created to host the MDT server; 4 GB of RAM and a few processors are typically sufficient for image-creation purposes. A server OS is preferred for MDT, but it can run on a client OS in a pinch.
3. A virtual machine is created for Windows Server Update Services (WSUS) to pull down appropriate patches and handle their approval/gatekeeping.
4. Another virtual machine is created to serve as your reference image container. It should be set up with 4 GB RAM and two processors, which is generally sufficient for this purpose. This machine just needs to connect to the WSUS and MDT hosts and mount an ISO produced by the MDT server process.
5. MDT is used to build a reference image from the Windows 10 Enterprise ISO; a boot ISO is used to boot the reference virtual machine and run the task sequence that captures the completed WIM for later deployment.
6. Later deployment can be through any generally available deployment mechanism: MDT, System Center Configuration Manager (SCCM) via OSD, or even Windows Deployment Services (WDS) are all possible.
It's notable that two of these options are free (MDT is a solution accelerator that is free to customers, and WDS is a role in Windows Server).
There are some considerations to this process that need to be reviewed:
- How often are you going to patch/capture your image? If you don't, eventually the image will be in a state where it deploys to hardware, then runs Windows updates for over 30 minutes before the system is usable for the end user. Generally, organizations image to speed deployment, and if you don't service the golden image with frequent updates, you'll end up not meeting your original goal.
- Are you going to do Zero-Touch or Light-Touch deployment?
- Zero-Touch is done via SCCM OSD or a third-party product and involves (usually) MAC address reservation for a specific image, or perhaps a user runs through a script that determines the appropriate image to lay down on hardware.
- Light-Touch is done when some prodding is needed to spur the deployment on. This is not as automated but works for most use cases. It is achieved with SCCM OSD/MDT/WDS or any of the other third-party tools available commercially.
Customizing the image
Customization in Windows 10 can be a mix of PowerShell scripts, group policies/group policy preferences, and registry key tweaks. The following screenshot shows, via a filter, all the group policy objects that can be tweaked on Windows 10:
It is important to note with any customization effort that eventually, the administrator will run into a setting that cannot be edited or tweaked for all users by default. The Windows product group has determined that some settings are not for enterprises or admins to tweak but are instead user-only settings that are part of their personalization efforts.
Group Policy is a somewhat fluid configuration option and has been for a while now. A great place to keep abreast of new changes coming to group policy processing is http://www.grouppolicy.biz/news/. This site also has tutorials, guides, best practices, and other resources that are a boon for the Windows administrator. Certainly, one could also consider attending a talk by Jeremy Moskowitz over at www.gpanswers.com. He is an MVP in Group Policy management and design, and his talks are pretty good (speaking from firsthand experience).
But what if group policy or GPP cannot be used to achieve your desired outcome? Process Monitor logging while you configure the UI as desired may give a hint of a registry key that you need to modify (which can usually be added by group policy or REG ADD commands) to make the tweak happen.
This is a frowned-upon practice, however, primarily because those registry keys may change location (or just not work) on a build-to-build basis of Windows 10. So if you use group policy objects to handle tweaking, you are on a much more solid, supported path for your image and user experience than hacking the registry for undocumented setting tweaks.
Upgrade expectations
Historically, when Windows upgraded, it carried all its baggage with it from the previous install (for better or for worse). Windows 10, however, seems to have deviated from this. Now, if an application is deemed incompatible with the build being upgraded to, the application will simply not be present in the post-upgrade operating system. Windows should warn the user of this prior to the upgrade and, if the warning is ignored, record in a report file named miglog.xml at C:\Windows\Panther that the application was not migrated forward.
When first faced with this news, it is logical to assume that this is a complete disaster and poor choice. However, consider the upgrade process as a guardian of sorts. After the upgrade, Microsoft would like you to be able to log in to the system and actually use it to do work. If an application is going to break the installation, why migrate it? Also note that I did not state the data would not be migrated. No, it is kept (if it is stored appropriately) in the user profile.
This makes the maneuvering of application compatibility between the OS and third-party software both problematic and somewhat pragmatic: problematic in that a slow software developer of a key enterprise application can demonstrably keep an upgrade from moving forward without significant application shims or other tricks; pragmatic because either the software works and is therefore migrated during the upgrade process, or it doesn't work and won't be there to create a fuss later on for the user.
It is also worth noting that some older applications used to get away with hiding settings (or even data in the form of binary blobs, and so on) in the registry. This practice was never really a good one to follow, and now it comes with a penalty. Areas of the registry managed by the OS tend not to keep custom key entries when the OS install is upgraded. Generally speaking, there is no guarantee that the oddball registry hacks from legacy or internal applications are going to migrate for you if they are in registry areas reserved for the operating system. Your mileage may vary.
Internet Explorer 11 Enterprise Mode configuration
Windows can manage Internet Explorer 11's compatibility settings centrally. This allows enterprises that have internal web applications with known compatibility issues in Edge or Internet Explorer 11 to adjust the compatibility and security settings as needed to make that specific site work. These settings are managed in a central XML file that is pushed via GPO or local policy.
There is a sample XML structure provided to follow for configuring this which is nice, but recently Microsoft released an Enterprise Mode Site List Manager tool and also an Enterprise Mode Site List Portal on GitHub. The tool is designed for relatively small implementations and the portal requires some infrastructure such as SQL and Active Directory to manage properly.
Windows 10 Start and taskbar layout
In Windows 8 there was a lot of difficulty with Start menu configurations. These problems are somewhat cleared up in Windows 10 after build 1607. There is now a PowerShell cmdlet to export and import Start menu layouts. Typically, this is done as part of a deployment task sequence using SCCM or MDT to ease the automation of the process. Group Policy and Mobile Device Management (MDM) policies can be used to do some of this as well.
Some thought needs to be put into this ahead of time. Take the existing mechanics into account:
If you apply a taskbar layout to a clean installation of Windows 10:
- The default configuration is merged somewhat with your configuration. Only applications that are in your configuration and default applications that are not specifically removed will be pinned to the taskbar.
If you apply a taskbar layout to an upgraded Windows 10 installation, things get messy, as you can see here:
- If the application was pinned to the taskbar by the user prior to upgrade, those pinned applications remain and new applications will be added to the right of the existing ones
- If the application was pinned during installation or by policy (not by the user) and the application is not in your XML configuration file, the application will be removed from the taskbar
- If the application was pinned during installation or by policy (not by the user) and the application is in your XML configuration file, the application will be added to the right of the existing applications
- New applications specified in your XML configuration file are pinned to the right of the user's pinned applications
Now, with all of that taken into account, no matter whether you apply a taskbar configuration to a clean install or an upgraded one, users can still pin additional applications, change the order of the pins, or even unpin them. To define and export the desired Start menu layout, use the following steps:
1. Set up the desired layout of the Start menu/screen on an existing Windows 10 machine.
2. Make a directory called C:\temp.
3. Run PowerShell in Administrator mode.
4. Run the following command in the PowerShell console:
Export-StartLayout -Path C:\temp\customstartscreenlayout.xml -Verbose
5. To then import the customized layout into a mounted WIM (where $env:SystemDrive, the PowerShell form of %systemdrive%, is the path to the mounted WIM), run the following command in an elevated PowerShell console:
Import-StartLayout -LayoutPath C:\temp\customstartscreenlayout.xml -MountPath $env:SystemDrive
This mechanism should provide relief for some administration tasks in the customization area.
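The export/import procedure above, carried through end to end as an added PowerShell example (this is not code from the original article): it exports the layout, checks that the file is a usable layout template before baking it into an image, and then imports it into an offline WIM with the DISM cmdlets rather than the running system. The paths C:\temp, C:\images\install.wim, C:\mount and the image index are assumptions; adjust them for your environment.

```powershell
# Added example, not from the original article. Assumed paths: the layout is
# written to C:\temp, the image lives at C:\images\install.wim and is mounted
# at C:\mount. Run from an elevated PowerShell on a reference Windows 10 box.
$LayoutPath = 'C:\temp\customstartscreenlayout.xml'
$WimPath    = 'C:\images\install.wim'
$MountPath  = 'C:\mount'
$ImageIndex = 1   # assumption: check Get-WindowsImage output for the Enterprise index

New-Item -ItemType Directory -Path (Split-Path $LayoutPath), $MountPath -Force | Out-Null

# 1. Capture the Start layout of the currently logged-on reference user.
Export-StartLayout -Path $LayoutPath -Verbose

# 2. Sanity-check the file before it goes into an image: it must parse as XML and
#    have the LayoutModificationTemplate root that Import-StartLayout expects.
[xml]$layout = Get-Content -Path $LayoutPath -Raw
if ($layout.DocumentElement.LocalName -ne 'LayoutModificationTemplate') {
    throw "Unexpected root element '$($layout.DocumentElement.LocalName)' in $LayoutPath"
}

# 3. Mount the offline image, import the layout, and commit the change.
Get-WindowsImage -ImagePath $WimPath | Format-Table ImageIndex, ImageName -AutoSize
Mount-WindowsImage -ImagePath $WimPath -Index $ImageIndex -Path $MountPath | Out-Null
try {
    Import-StartLayout -LayoutPath $LayoutPath -MountPath $MountPath

    # Import-StartLayout drops the template into the Default profile; confirm
    # it landed, because a missing file silently yields the stock Start menu.
    $Applied = Join-Path $MountPath 'Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml'
    if (-not (Test-Path $Applied)) { throw "Layout was not written to $Applied" }
}
finally {
    # -Save commits the import; omit it to discard the changes on failure.
    Dismount-WindowsImage -Path $MountPath -Save | Out-Null
}
```

Export-StartLayout captures the Start tiles only; taskbar pins follow the merge rules listed earlier and are added by hand-editing a CustomTaskbarLayoutCollection element into the exported file before the import.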
Audit mode
Audit mode is another method of customizing the default user profile (administrator) for a system. It is a tried and true method of manual customization when automation will not fit the situation. One important item of note is that while it is still supported and fine to use, audit mode is not intended or supported as a method of customizing or tweaking the build from upgrade to upgrade. Again, fall back to group policies/group policy preferences and you'll be fine here.
Tips
Microsoft has been paying attention to how people use Windows. One of the reasons the Start Menu (as known in the days of XP) is gone is because people were spending a lot of time doing mouse movements and clicks just to launch a program. So when you look at the ease of use, clicking and moving the mouse (sometimes subtly depending on your monitor resolution) in an exact fashion just to write a Word document was not very efficient.
Windows + X is one of the best examples of the work Microsoft has done to optimize the user experience and make it more efficient:
Look at the options available. Most administrative tools can be opened with a simple key combination and a click. This is great!
Windows action center is another great resource that is an example of Microsoft thinking ahead for productivity and efficiency. If enterprise environments could customize this experience, it would be even more awesome.
One thing we haven't discussed so far is the use of Microsoft Intune to help organize and patch devices. Some of the things people want to modify are now managed via MDM. Microsoft Intune is a great way to push MDM settings to enterprise devices, and it also integrates with on-site SCCM environments.
Virtual Desktop Infrastructure
In virtual desktop configurations (where many guest Windows installations reside on a virtualization stack and users connect to them via thin clients or RDP protocol apps), administrators are likely familiar with the variety of scripts used to tweak Windows 7 to make it a performant guest in a Virtual Desktop Infrastructure (VDI). The scripts were designed to reduce the unnecessary IO load on the disk subsystem of the VDI host(s) as well as reduce CPU usage (except when needed of course). These scripts made significant changes to the operating system and were supported to varying degrees by vendors, OEMs, and Microsoft.
In Windows 10, I think people are finding that this method of modifying the system wholesale is causing problems along with the solution. Either parts of the script do not work as intended (or at all), or, in some cases, the steps followed in the script cause the SYSPREP utility to outright fail to generalize the Windows instance for later capture.
User Experience Virtualization (UE-V) is an offering Microsoft has to help with this. Essentially, the desired outcome of all this configuration is that users have an expected configuration of Windows at login. Great! UE-V can have some of the user-based settings roam instead of forcing them all to be baked into the image, where they are now causing problems. Those who are still going down the old path for Windows 10 will find that WaaS changes are causing them issues. Using Windows 10 in the enterprise is a change of mindset.
Layering technologies
If one is set on the VDI route, I would suggest exploring layering technology as a fit to bridge the gap of need/capability in Windows. Unidesk's technology (now owned by Citrix) is a great example of this capability. These technologies treat the OS image as a layer upon which registry changes, applications, documents, and so on can all be layered into the image before it is presented to the end user.
This thins the data that is relevant to the user considerably when we consider things such as backups, data integrity, and so forth. It also allows enterprises the agility to modify or remove/add applications quickly to a user or group of users with little of the traditional imaging overhead common to VDI.
Security Compliance Manager
For those concerned with security, Microsoft has had the Security Compliance Manager (SCM) for some time. It takes security baselines published by Microsoft and others and turns them into group policies that you can import into your environment. Generally speaking, using this tool to securely configure your environment is preferable to going off into the woods on your own. The reasons for this are:
- The guidelines are created by expert security entities and professionals.
- When you have trouble and have to get support, is it better to say "we followed the SCM template for secure desktops" or "we did a bunch of tweaks to the registry and security settings and now it doesn't work"?
AppLocker
AppLocker is an extension of the native group policy software restriction policies. It can be used to block applications wholesale or can be granular, where it will only allow applications to run when they are a particular version or signed with an accepted digital signature/certificate.
Setting up AppLocker is a fairly simple exercise in the Group Policy management console. You can even put all your allowed programs into a reference folder and let AppLocker inventory the folder and develop a policy based on those binaries. This is an exercise well worth the effort for the administrator looking to prevent malware in their environment.
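The reference-folder approach described above, as an added PowerShell example (not the article's own code): it inventories a folder of approved binaries, generates publisher rules for signed files and hash rules for the rest, deploys the policy in audit-only mode so nothing is blocked yet, and dry-runs a file against it. The folder C:\AppLockerRef, the output path and the test file are assumptions.

```powershell
# Added example, not from the original article. Assumed paths: approved programs
# copied into C:\AppLockerRef, the generated policy written to C:\temp.
# Requires the AppLocker module (Windows 10 Enterprise/Education) and elevation.
$ReferenceDir = 'C:\AppLockerRef'
$PolicyPath   = 'C:\temp\applocker-audit.xml'
$TestFile     = 'C:\Windows\System32\notepad.exe'   # any file you want to dry-run

New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# 1. Inventory the reference folder. Signed binaries yield Publisher rules
#    (version-tolerant), unsigned ones fall back to Hash rules (exact file).
#    -Optimize merges rules that share a publisher; -User Everyone is S-1-1-0.
$fileInfo = Get-AppLockerFileInformation -Directory $ReferenceDir -Recurse `
                -FileType Exe, Dll, Script, WindowsInstaller
[xml]$policy = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 2. Start every rule collection in AuditOnly: would-be blocks are logged under
#    Applications and Services Logs\Microsoft\Windows\AppLocker instead of
#    enforced. Switch to 'Enabled' once the audit log stays quiet for a full
#    business cycle (month-end, patch Tuesday, and so on).
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($PolicyPath)

# 3. Dry-run: how would this file fare for an ordinary user under the new policy?
$verdict = Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $TestFile -User Everyone
$verdict | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Apply to the local machine (-Merge keeps rules that already exist). For a
#    domain, point -Ldap at the GPO instead of applying locally.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# Enforcement only happens while the Application Identity service is running,
# so confirm it is started on the machines receiving the policy.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType
```

Anything launched from outside the reference folder that is signed by a publisher already present in the folder will still be allowed by the merged publisher rule, which is exactly the kind of result the audit log and the dry-run should surface before enforcement.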
Microsoft Windows Store for Business, also known as Private Store
The Microsoft Windows Store for Business, also known as Private Store, is a new feature in build 1607 that allows enterprise administrators to publish only certain approved applications for use. Furthermore, the general Windows Store can be disabled via policy, so that only the Windows Store for Business is allowed to install UWP apps. Conceptually, the Windows Store for Business offering is akin to SCCM's application library offering.
There are some prerequisites to enable this functionality for the enterprise. The IT administrator needs Azure AD and Windows 10 to do the initial signup, administration, distribution of apps, and license management. For the full experience though, the employees themselves need Azure AD accounts as well. The requirements are listed and explained here: https://technet.microsoft.com/en-us/itpro/windows/manage/prerequisites-windows-store-for-business. But generally, they are:
- Employees need Azure AD accounts when they access Store for Business content from Windows-based devices
- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account
Blocking access to the Windows Store outright can be achieved using AppLocker, MDM, or the "Turn off the Store application" Group Policy setting.
Microsoft telemetry
The advent of forced telemetry in Windows 10 caused a stir in the IT Pro and Enterprise administration space. For those unaware of this, Windows 10 keeps logs of many activities performed on it and ships those (anonymized) data points back to Microsoft for advanced analytics. Before you panic, let's explore what is collected and why.
What is collected?
- Type of hardware being used
- Applications installed and usage details
- Reliability information on device drivers
Why is it collected?
Microsoft gives many reasons for collecting this data. The general takeaway here should be that Microsoft uses telemetry to improve the functionality of future versions and to spend its resources fixing problems in real-world priority order. For example, in the past, if 10,000,000 crashes occurred in Explorer.exe daily across the world and they all had the same debugging call stack, Microsoft might not have really been aware of the issue until either many calls were made by end users at home or enterprise customers called in with some frequency about it.
With Windows 10, Microsoft is listening to the stability metrics of the code they write. Given the same 10,000,000-crashes-a-day scenario in Windows 10, you can rest assured that Microsoft would dedicate resources to address the problem with all due haste. So there is a benefit here for home users, enterprise users, and everyone in between.
Now given all this, can you opt-out? If you are a home user, not really, no.
If you are an enterprise or school and are using the appropriate license/SKU, then yes, you can. But should you? Does the potential loss of important data to Microsoft or third-parties outweigh the benefits to all users (including your organization) having a better experience? For some organizations, this is an easy decision tree. For others, certainly, it may be a more complicated scenario.
There are different levels of telemetry collected as well. They go from a baseline of security collections only up to a full-blown delivery of application usage patterns at the highest level. Given the changing nature of the WaaS model, I encourage you to review the whole concept of telemetry as it exists during your implementation process.
Windows Spotlight
Windows Spotlight is a new feature in Windows 10 that allows you to have more than just an image for your lock screen. Instead of just a static page, now you can tweak (as a user or as an enterprise administrator) two items:
- What image(s) can appear as lock screens?
- Does Windows also display random tips and tricks to you on your lock screen?
Most organizations configure the lock screen to be a corporate logo or corporate-approved art pack to avoid HR issues from occurring and also to create uniformity in the office.
The tips most people can take or leave. I find most enterprises turn them off just in case a tip directs the user to do something the company doesn't want them doing (such as trying to self-resolve an issue rather than contacting the help desk for assistance).
Group Policy can manage the settings for this capability in the enterprise, and that is the recommended method of managing it.
Mandatory user profiles
Mandatory user profiles have been around for some time now, since Windows XP, in fact. For those who aren't familiar with this venerable Windows mechanism, mandatory user profiles are roaming profiles that have been configured with specific settings that are typically not able to be modified by the end user logging on to the Windows machine. Further, any changes to the profile that do get made (for example, malware) are not saved back to the mandatory profile. They are a one-way street of configuration.
These are great for education machines: testing centers, writing labs, and also kiosks sometimes fit a mandatory profile requirement.
When a server hosting the mandatory profile is unavailable (network issues, remote host away from the corporate LAN, and so on), a locally cached copy is loaded (if it exists, this is configurable). If the profile is not cached locally, a temporary profile can be served or the login can be rejected (via Group Policy).
Mandatory user profiles are, by and large, normal user profiles; the NTuser.dat file has simply been renamed with a .man extension (for mandatory), which marks the profile read-only.
The process is documented in detail on TechNet so we won't repeat it here (and it is, in theory, subject to change anyway from build to build in the WaaS model).
One concern of mandatory profiles is login times. If you thought copying a profile across the network from a central host (even DFS or other replication) would make the user wait, you are in fact correct. It does. And a poorly configured mandatory profile (or even roaming profiles that aren't mandatory) can be a huge cause of Slow Boot Slow Login (SBSL) problems in the enterprise. Microsoft has provided this policy grid to demonstrate what policy functions to use depending on the version of Windows:
Assigned Access, also known as kiosk mode
I've mentioned kiosk functionality a few times; as it turns out, Windows 10 comes with a feature that will turn your Enterprise build into a kiosk serving a single application. So to do this manually, go to Settings | Accounts | Other people | Set up assigned access.
From here, it is as simple as assigning an account and an application that the account runs (essentially as its shell):
Once this is assigned an account and an application, when the account logs in, it opens that application. If the application closes, the user logs out.
For enterprise management, however, doing this configuration individually just won't scale. So there are guides on Technet on how to use PowerShell to configure this as well as MDM policies or even the Windows ICD.
Bring Your Own Device scenarios
For Bring Your Own Device (BYOD) scenarios, Intune is the recommended vehicle for management. The suite will utilize integrated MDM policies to manage what happens to the corporate data on a device when you determine the employee is no longer an employee, or if the device was stolen/missing and you needed to wipe it. Microsoft Intune is worth a book unto itself and is beyond the scope of this. Just be aware that if BYOD is part of your endpoint strategy, you should be looking at Intune or a competing offering to manage this properly.
If you are put into a situation where you must implement BYOD without an MDM solution, be sure to consider the software licensing aspects of your implementation. Are you legally allowed to install the software on a machine that isn't actually yours? Do you really want to do that? It's interesting licensing and support boundary talk that needs to be ironed out, even with MDM. Not having a proper solution to manage it makes it very muddy indeed.
Windows libraries
Windows libraries have come a long way since their inception. We're at the point now where they can easily include features such as federated search, indexing, and searching for media that is on servers or home computers.
There is a lot of flexibility here for the enterprise to present corporate data assets in logical methods other than "My data is on G:" and so forth. You can even implement folder redirection for known folders in libraries.
It's important to tread carefully here though, as slow performance can be encountered with folder redirection implemented badly. The capability of a central rollout of library configuration is done with a library description file and is managed in an XML schema file.
There are still some restrictions in place: no files hosted in Microsoft Exchange or Microsoft SharePoint, no files on NAS devices, and no DFS hosted files.
User Experience Virtualization
UE-V is the Microsoft solution from the Microsoft Desktop Optimization Pack (MDOP) that captures some custom settings and tweaks and stores them in a container. A lot of the functionality around UE-V is in application settings. So when users modify the default settings of, say, Microsoft Word, UE-V will capture that and make sure the changes follow the user.
It's pretty nifty and has come a long way. There were some concerns about the potential performance impact of the UE-V agent (especially in VDI environments), but those have largely been addressed in successive iterations of the product. The subject of UE-V could fill a book, but suffice it to say that UE-V is a settings container agent for end users.
Admittedly, this configuration has some overhead associated with it. It is not a setup-and-go sort of install. Some thought needs to go into how it is used, and what it is going to capture, especially when the enterprise looks to capture custom application settings with the UE-V agent.
MBAM (Microsoft BitLocker Administration and Monitoring) is another tool that helps with storing BitLocker recovery keys in Active Directory or other escrow areas.
Summary
As you can see, Windows 10, and particularly build 1703, brings a lot to bear for enterprise administrators. But it is, again, a paradigm shift from the old Windows 7 image-crafting days. Carefully evaluate the capabilities at your disposal prior to starting your migration and adoption of this new technology, if possible.