So a colleague just bought a new PC and it came pre-installed with “Windows 10 in S mode”. This is a locked-down version of Windows where you can only install apps from the app store. Regular .exe files and the like are blocked.
Luckily you can disable the locked-down mode rather easily. However, as of today, there’s no way to re-enable it afterwards, so keep that in mind. Your 85 y/o grandma might be better off having it enabled, as it’s a good way to block potential viruses.
The annoying thing is that in order to disable S mode, you actually have to “download” or run an app from the app store, and this requires a Microsoft account. So those of us who like to use a local user account instead of logging on with a Microsoft account still have to log in to run the app from the Microsoft Store.
Steps for disabling Windows 10 S mode:
1. Open Settings.
2. Go to Update & Security.
3. Open the Activation tab.
You will see that your current Windows edition is set to “Windows 10 X in S mode” (where X is probably Home or Pro).
4. Click on the Go to the Store button. This will open the necessary “app” you need to run in order to unlock the regular Windows mode.
5. Run the app. Log in with your Microsoft account when prompted (or create a throwaway account). Your PC is now unlocked.
It’s actually really simple, but you’ll need administrator access on the domain controller in order to read the security event log, so you might have to consult upper sysadmins.
Event Viewer doesn’t seem to want to filter/sort by username though, so if you’re managing a huge enterprise with thousands of users this could be a bit tedious. On the other hand, if that’s the case I suppose you already have better tools for the job.
Anyway, all invalid login attempts are logged as event ID 4776 (Credential Validation).
1. Open Event Viewer and connect to the domain controller.
2. Go to Windows Logs -> Security.
3. Click on Filter Current Log... in the right navigation menu.
4. Enter 4776 into the input field which says <All Event IDs>.
5. Browse through the invalid login attempts till you find the one which belongs to your user, and look in the description text field where it says “Source Workstation: hostname”.
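The same lookup can be scripted, which also gets around the missing username filter in Event Viewer. The PowerShell below is an added example, not part of the original post; the function names, `DC01`, `jdoe` and `WS-042` are hypothetical, and the sample event is constructed.

```powershell
# Added example. Function names, DC01, jdoe and WS-042 are hypothetical.

# Turn one event 4776 (as XML) into an object with the fields we care about.
function ConvertFrom-Event4776 {
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $EventXml.Event.System.TimeCreated.SystemTime
        User        = $data['TargetUserName']
        Workstation = $data['Workstation']   # "Source Workstation" in Event Viewer
        Status      = $data['Status']        # 0x0 = credentials accepted
    }
}

# Query a domain controller's Security log for one user's failed validations.
function Get-FailedLogonSource {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # Restrict the characters so the name cannot break out of the XPath literal.
        [Parameter(Mandatory)][ValidatePattern('^[\w.\-]+$')][string]$UserName
    )
    $xpath = "*[System[(EventID=4776)] and " +
             "EventData[Data[@Name='TargetUserName']='$UserName']]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath |
        ForEach-Object { ConvertFrom-Event4776 -EventXml $_.ToXml() } |
        Where-Object { $_.Status -ne '0x0' }   # keep only rejected credentials
}

# Constructed sample event so the parser can be tried without a domain controller.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4776</EventID><TimeCreated SystemTime="2024-01-15T08:30:00Z"/></System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="Workstation">WS-042</Data>
    <Data Name="Status">0xc000006a</Data>
  </EventData>
</Event>
'@
ConvertFrom-Event4776 -EventXml $sample

# On a real network (run elevated, with rights to read the DC's Security log):
# Get-FailedLogonSource -ComputerName DC01 -UserName jdoe |
#     Group-Object Workstation | Sort-Object Count -Descending
```

Grouping by `Workstation` shows at a glance which machine is generating the failures for that account.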