Windows 10

What is Microsoft Editor?

Microsoft Editor is a new tool from Microsoft, which I’d never heard of before.

Funnily enough, I found out that Microsoft Editor existed after upgrading to Windows 10 2004. One of the fifteen tips when you ‘See what else is new in this update’ after upgrading is this tip below. I couldn’t really understand what application the tip was referring to – the home tab, in Word, in browser mode via Edge?

Although I then found other tips that seemed purely Office 365 related (like PowerPoint and Excel tips) which is strange to advertise as part of a Windows 10 upgrade, the button on this tip takes you to a page that does a much better job of explaining what it is:

Microsoft Editor checks grammar and more in documents, mail, and the web

Here it explains that Microsoft Editor (which the full name wasn’t mentioned in the tip!) is an optional add-in available for Microsoft Edge and Google Chrome. It’s also coming to Word and Outlook. Also, if you log into it with an account that has a Microsoft 365 subscription, you’ll get advanced grammar and style refinements.

There’s a bit more info about the Microsoft Editor browser extension here, with direct links for the Chrome and Edge add-ons.

Once installed, you’ll have this little icon in the top bar of the relevant browser:

Clicking it will ask you to sign in:

and you can sign in with a free consumer Microsoft account, or a Work account. After signing in, the icon will turn blue, and you can click it again to see your options.

Note that it uses English (United States) as the default language, which you can change by clicking on the current language which takes you to the options:

‘Show synonyms for spelling suggestions’ is also off by default, so I’ve turned that on.

Here’s a spelling correction and a grammar correction while writing this blog post:

Spelling correction
Grammar correction

I’ll have to use it more to see how good it is, but I am happy to see hopefully a useful tool to help everyone write better. If it’s being added into Word and Outlook, there’ll be extremely elevated expectations of this solution doing its job well!

Enabling Dictation in Windows 10

Dictation is a pretty cool feature in Windows 10. Press Winkey + H, and up comes a small prompt in the middle of your screen telling you it’s listening – you can start talking, and your words start appearing wherever your cursor is.

Not only that, but you can give commands like a light version of Dragon NaturallySpeaking such as ‘delete test’ to delete the last word ‘test’. Or ‘Select the next three words‘ to highlight them – basic cursor management you’d normally need a mouse for.

A managed Windows 10 computer however, may not have all the components required to use Dictation, and a user may not have the access to download the speech packs themselves.

I hit a problem where Dictation would say ‘Download a Speech package for dictation’, but clicking that link would take me to settings and show that it was already installed. An admin of the PC doing this however, would somehow trigger a component to install and Dictation would work fine.

An admin of the PC doing this however, would somehow trigger a component to install and Dictation would work fine.

Under the user context, going to the Speech settings would show all the options as greyed out and blank:

After raising this with Microsoft Support, this was the method we found to make it all work:

These are the components that I required for Dictation:

• Language Basic component
• Language Text-to-speech component
• Language Speech component

These components are available to download via the “Windows 10 Features on Demand Pack 1” which you can find in your MSDN My Visual Studio downloads (the latest being version 2004). You’ll probably need a subscription for this.

Features On Demand are also available via Windows Update but this may not help you if you have a WSUS server.

The resulting ISO, e.g. en_windows_10_features_on_demand_part_1_version_2004_x64_dvd_7669fc91.iso will contain a separate .cab file for each feature. From this, it’s then a matter of using the DISM tool to inject each feature into Windows 10:

Dism /Online /Add-Package /PackagePath:F:\Microsoft-Windows-LanguageFeatures-Basic-en-au-Package~31bf3856ad364e35~amd64~~.cab 

Note you can add multiple packages to the above command, so could do all three with a single line. If you want to know what packages are already installed on a Windows 10 device:

Dism /Online /Get-Packages 

Privacy

There’s one big other catch with Dictation. You’ll need to enable ‘Online speech recognition’ which leverages Microsoft cloud based services as part of using Dictation.

If you’re running a computer that’s logged on under a Microsoft account, everything you say is being captured. You can view this data here and choose to delete it:

https://account.microsoft.com/privacy/activity-history?view=voice

I’m still clarifying how this works in other scenarios, and will update this blog post if I find out any more information.

If as a company, you’ve decided and accepted this scenario, you can toggle the option on for users using this registry setting:

HKEY_CURRENT_USER\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy

HasAccepted DWORD

0 = Off

1 = On

Maybe you won’t need to do any of the above at all – but it’s worth understanding what’s out there, and if you understand and accept the privacy aspect; and if you do, then promoting it to your userbase as a potentially big timesaver… especially for those 1 finger keyboard typists!

It’s also worth nothing that several Microsoft 365 products include Dictate inside the app, more about that here.

Stopping Skype for Business Autostarting in Windows 10

Should be simple, right?

I installed Skype for Business for Office 365 on my home PC. I had Office 365 ProPlus, and the version of Skype for Business has to match that.

Worked great, and realising I didn’t want it running all the time on my home PC, I changed the option to ‘Automatically start the app when I log on to Windows’ in the Personal options:

The next day over the weekend, I noticed that Skype for Business had decided to still launch at login. Weird, so I checked what Task Manager had to say:

Skype for Business wasn’t even listed. I started mucking around a bit more, ticking the option to automatically start, pressing OK, turning it off, pressing OK, rebooting – but every time, Skype for Business just turned up, like a strange uncle you never invite to dinner but somehow still finds out and turns up every night.

Maybe it’s in the Startup folder in the Start Menu? Is that still a thing in Windows 10? Yes it is. It’s under C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup – replacing ‘username’ with what you’re thinking you should replace it with. Except, there was nothing there.

I also checked the standard Run locations in the registry, and then even searched for all instances of lync.exe which is still what runs Skype for Business… no hits that make any sense to it running at startup.

Of course, my next step is to complain on Twitter:

Interesting – Skype for Business runs at user login, but it’s not listed in Task Manager > Startup, or in the registry’s Run locations. The app even has ‘run at startup’ turned off. Not in the Start Menu Startup folder either. Don’t understand what’s triggering it…— Adam Fowler (@AdamFowler_IT) April 12, 2020

No winners in the responses – I checked sysinternaltools autoruns as suggested by Neil Clinch, and Guy Leech had a suggestion on how to completely block lync.exe from running ever, but I still wanted to use Skype for Business.

My Googling hadn’t fared any results, and I was getting desperate. I actually took a chance and read some answers.microsoft.com threads (which are usually sfc /scannow or unhelpful answers that didn’t read the question properly) and user Daniel Wherle had responded to a thread with my exact problem.

The answer was a setting called ‘Use my sign-in info to automatically finish setting up my device and reopen my apps after an update or restart’. This is hidden in Windows 10 Settings > Accounts > Sign-in options. It’s down the very bottom:

After I turned this option off and rebooted, Skype for Business no longer launched at startup. I even launched it manually, and restarted while it was running.

I turned the setting back on and rebooted, Skype for Business still didn’t autostart – that is, until I ran it with the option on, exited and rebooted.

It’s worth noting that even after completely exiting Skype for Business, lync.exe still ran in the background. I suspect this is part of the problem, because it also won’t re-open until that task is killed. I don’t have any other Office apps open, and it seems like a common enough problem that others will hit it – maybe with other programs too and this Windows 10 option enabled.

A strange one, but probably as far as I’ll dig on the issue.

How to stop Skype for Busines from Autostarting in Windows 10:

To stop Skype for Business from loading at startup:

  1. In Skype for Business – Options go to the Personal option
  2. Untick ‘Automatically start the app when I log on to Windows’

  3. If that doesn’t work:

  4. Go into Windows Settings > Accounts > Sign-in options.
  5. Click Accounts.
  6. In the Sign-in options section, untick ‘Use my sign-in info to automatically finish setting up my device and reopen my apps after an update or restart’

Applies To : Windows 10

Windows Hello for Business – A less forceful rollout option

How to roll out Windows Hello for Business as optional

To roll out Windows Hello for Business optionally:

  1. In Group Policy, enable the ‘Use Windows Hello for Business’ policy
  2. Tick the option ‘Do not start Windows Hello provisioning after sign-in’
  3. Users will then need to click the Windows Security icon to register

Applies To : Windows 10


When I first looked at Windows Hello for Business at launch, I was impressed by it but also concerned. Turning the option on would prompt all users or devices that had the policy on, strongly encouraging them to go through the Windows Hello for Business setup with their fingerprint/face recognition and PIN.

To roll out Windows Hello for Business, follow Microsoft’s documentation which is quite detailed due to the complexities of scenarios and requirements; such as Single-Sign On, MFA of some sort and Public Key Infrastructure.

It was a bit intrusive to have this almost forced registration process as a user might not be in a position to go through the setup and be trying to do something urgent first thing in the morning, but even more of a concern was the style of the userbase I support – anyone expects to be able to log onto any computer anywhere. Windows Hello for Business doesn’t follow the user around for good reason (you’re tying the things you have to a single device), so each new device will go through the prompts.

I also had concerns around desktop users who didn’t have any other method of authentication beyond the PIN, and the perception than a PIN is less secure than a password (again the PIN is tied to a single device, while the password can be used to log onto any device).

Thankfully, a new option turned in Group Policy under the ‘Use Windows Hello for Business’ policy, located under both the Computers and Users areas Policies > Administrative Templates > Windows Components > Windows Hello for Business. The tickbox ‘Do not start Windows Hello provisioning after sign-in’. (To be fair, this has now been there for a while and I just wasn’t aware):

This will instead provide a little warning in Windows Security under Account Protection, saying Windows Hello isn’t set up. It doesn’t pop up and alert this, but instead shows a yellow exclamation mark against the shield icon in the taskbar. A user can then click through this at their leisure and set up Windows Hello for Business.

To me, this is a great way of allowing all staff the chance to set it up when they’re ready to do so, and in a staggered fashion without really having to manage it. Each business is different of course, and some will prefer or require the heavy handed approach of Windows Hello for Business on all devices – but I’m glad this more relaxed option exists.

Note that Windows Hello for Business is supported in both Azure AD connected and Hybrid Azure AD devices. For further info, read Microsoft’s documentation: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification

Passwordless Sign-In with FIDO2 Security Key and Microsoft

We all know passwords are bad. Microsoft’s leading answer to this is Windows Hello – or Windows Hello for Business. Using a PIN or biometrics (fingerprint reader or facial recognition) is trying to move towards a passwordless world. We’ve still got a long way to go, but we’re off to a solid start with viable alternatives.

Source: Microsoft

FIDO2 Security Keys support true passwordless login, and supported devices can be used for both consumer Office 365, and Azure AD. eWBM makes these keys, and by the claim on their website are “world’s first and currently only FIDO2 Level 2 certified security keys”. They offered to send these out to Microsoft MVPs free of charge, so I took the opportunity to accept one, test it and write about my experience.

The eWBM key isn’t very large – on the smaller side of your standard USB flash drive. It’s designed to be plugged in (and comes in both USB-C and USB type A flavours) and then verified with a touch on the fingerprint reader.

To set up a key on Azure AD, it’s a matter of adding it as a sign in method, just like you would with other methods such as SMS or the Authenticator app. eWBM have a quick video on how to do this:

Once set up, using the key is pretty simple too. If you’re logging onto a site using your Azure AD account, instead of entering a password, you choose the ‘Sign in with a security key’ option, plug in and scan your fingerprint on the key, and you’re on.

If you’re wondering why you don’t even need to type the password, where you would with an SMS code – that’s because you’ve got two different authentication methods already built into the USB. Your unique fingerprint, and the unique USB key. Your fingerprint is tied to just that key, it won’t work anywhere else unless you configure another device separately. Combine that with needing to know which username those are tied to makes it a secure combination.

Source: Microsoft

The example above and what I’ve also tested, is a web login. There’s also a PC login option, but that’s currently in beta and you’ll need to be running a insider’s build of Windows 10 to try it.

I can see this working as an actual ‘password replacement’ solution because it provides less of an inconvenience than first logging in with a password, then using something else (SMS/Email/Code/Authenticator App). Instead it’s a single thing to do – plug in your USB key and put your fingerprint on it. The process of doing this is very quick, with the added benefit of being able to do it from any computer – web based sign ins will work from any PC.

A USB-C variant is also available and on it’s way to me, so you can pick from those two standards as to which is more fitting for your requirements.

eWBM sell the keys on their website and there should be more key makers on the way.

Update 28/02/2020

I’ve now received the USB-C version of the eWBM Goldengate Security Key – G320, pictured below against the G310.