[This article has been extensively revised and edited to reflect changes in Windows 10. The most recent revision was published in June 2020.]
Full version upgrades to a Windows PC used to be rare: Most people only had to deal with an upgrade once every three to five years, and then typically as part of the process of buying a new PC.
Now, in the "Windows as a service" era, you can expect a feature update (essentially a full version upgrade) roughly every six months. And although you can skip a feature update or even two, you can't wait longer than about 18 months.
If you're setting up a new PC or doing a clean install of Windows 10 on older hardware, follow the instructions in How to set up a new Windows 10 PC perfectly in one hour or less.
For upgrades, the process is considerably simpler. After about an hour (more or less, depending on the underlying hardware), you should be back at work, with most apps and settings migrated successfully.
In either case, clean install or upgrade, use this checklist to make sure you've covered some important bases that aren't part of Windows Setup. Note: All of these steps have been tested with the Windows 10 May 2019 Update (version 1903) and the Windows 10 October 2019 Update (version 1909).
Sure, your Windows 10 installation is working fine now, but if it ever fails to start properly, you'll be grateful you have a recovery drive handy. Booting from this specially formatted USB flash drive gives you access to the Windows Recovery Environment (WinRE), which you can use to fix most common startup problems.
You need a USB flash drive. It should be at least 512 MB in size for a bare recovery drive and at least 8 GB if you also want to include Windows installation files.
You'll find a shortcut to the Recovery Drive desktop app on Start, under the Windows Administrative Tools heading, or you can search for it. In either case, you'll need to provide an administrator's credentials to run the tool.
Full instructions for using this utility and adding the current Windows 10 installation files to the recovery drive are here: Windows 10 tip: Create a recovery drive.
If you use a local account, your sign-in credentials are stored locally, and there's no way to provide a second factor for authentication.
By contrast, signing in with a Microsoft account or an Azure Active Directory account (such as the account you use for an Office 365 Business or Enterprise subscription) means you can set up two-factor authentication (2FA) that requires external confirmation from an app on your trusted mobile device.
Both types of accounts are free. If you're worried about privacy, set up a new Microsoft account for use exclusively for this purpose, and don't associate the @outlook.com address with any other service.
To set up 2FA for a Microsoft account, sign in at https://account.live.com/proofs. That page displays the options shown here: You can turn on two-step verification, configure a mobile authenticator app, and manage trusted devices, among other tasks.
(That's just one of several handy shortcuts for managing a Microsoft account. For more, see Windows 10 tip: Take control of Microsoft account security and privacy settings.)
To manage security settings for an Azure AD account, go to https://portal.office.com/account, select Manage Security and Privacy, and follow the links under the Additional Security Verification heading. (To bookmark that page, use this link: https://account.activedirectory.windowsazure.com/Proofup.aspx.)
Finally, if you have the hardware to support it, turn on Windows Hello. The options for facial recognition and fingerprint identification are available under Settings > Accounts > Sign-in Options.
Encrypting every drive that contains personal data is a crucial security step. Without encryption, anyone who steals that device can mount the drive in an operating system of their choosing and siphon the data away with ease. With encryption, getting to your data requires an encryption key that is effectively uncrackable.
Full-strength BitLocker encryption requires a Trusted Platform Module (TPM) chip and a business edition of Windows. On modern portable PCs running Windows 10 Home, you can enable device encryption if you're signed in with a Microsoft account. This option protects the contents of the system drive but does not allow encryption of any secondary drives.
For step-by-step instructions that explain how to turn on BitLocker Drive Encryption, see: Windows 10 tip: Use BitLocker to encrypt your system drive. And make sure you save a copy (or two) of your BitLocker recovery key.
If your PC is currently running Windows 10 Home, you might be able to upgrade to Windows 10 Pro without having to pay the upgrade fee,. For instructions, see "How to upgrade from Windows 10 Home to Pro for free."
The good news is Windows 10 includes automatic, cumulative updates that ensure you're always running the most recent security patches. The bad news is those updates can arrive when you're not expecting them, with a small but non-zero chance that an update will break an app or feature you rely on for daily productivity.
If you'd rather let the rest of the world test each month's security and reliability updates before you OK the install, you should be running Windows 10 Pro or Enterprise, not Home. With those business editions, you can defer updates by up to 30 days.
After you complete a Windows 10 upgrade, the first thing you should do is go to Settings > Update & Security > Windows Update and click Check for updates. Install any available updates, including updated drivers.
Next, on the Windows Update page in Settings, click Change active hours to specify your normal work hours (a window of up to 18 hours), when you don't want to be interrupted by updates.
The next step depends on which Windows 10 version you're running.
For version 1909 or earlier, click Advanced options and set your deferral periods for monthly quality updates. Note that you must be signed in as an administrator to see the options shown here, and these options are not available if you are running a Windows 10 Insider preview build.
For version 2004 or later, those options are available only by adjusting Group Policy settings. Open Local Group Policy Manager (Gpedit.exe) and navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business, and then enable one or both of these policies:
I recommend setting a reminder in your calendar program for the second Tuesday of each month, the day on which Microsoft releases security updates for Windows. When you receive that reminder, you can choose to manually install the updates, or snooze the reminder and perform the task a few days later. Automatic updates won't download and install until the deferral period you specify has passed.
(I also recommend that you open the Store app and click the three dots in the upper right corner, then click Downloads and updates to install any available app updates. Windows 10 will update those apps automatically, but you can speed up the process by checking manually.)
By default, Microsoft collects a substantial amount of diagnostics information as you use Windows 10. That information is, according to Microsoft's privacy policies, used exclusively for personalizing your experience with Windows and "to help [Microsoft] provide a secure and reliable experience."
(For a full discussion of the privacy issues, see Microsoft defends (and explains) its Windows 10 privacy settings.)
You can't turn off the telemetry feature completely, but you can choose to send only a limited amount of data on your Windows 10 usage. To do so, go to Settings > Privacy > Diagnostics & Feedback and change the setting under the Diagnostic Data heading from Full to Basic. (Here, too, you must be running as an administrator, and this option is set to Full and can't be changed if you're running an Insider preview release.)
You can also make two other changes here. Turn off the Tailored experiences option and then, under Feedback frequency, change the setting to Never to tell Microsoft you prefer to not be asked for feedback as you use Windows 10.
The Microsoft account or Azure AD credentials that you use to sign in to Windows allow you to connect to apps using the same credentials. That makes it especially easy to get your email and schedule using the built in Mail & Calendar app.
If you have additional accounts (especially Office 365 and Gmail accounts), now is a good time to add them to Windows so that they're available for use within apps as well. If you need to use two-factor authentication for those accounts, you can do it once here and avoid hassles later. Connecting your Office 365 account, for example, allows you to add that account to Microsoft Outlook and configure OneDrive for Business without having to enter a password or supply a 2FA prompt.
To add accounts, go to Settings > Accounts > Email & Accounts and click Add an account. Note that your options here include specific choices for Office 365, Google, Yahoo, and iCloud accounts.
One of the signature features in Windows 10 is the Action Center, a pane that appears on the right side of the display when you swipe in from the right on a touchscreen or click the notifications icon at the far right of the taskbar.
For a portable PC, I recommend customizing the Quick Action buttons at the bottom of the Action Center pane. Hide any buttons you don't use, and make sure the four buttons you use most often are available in the top row so that you can get to them when the full set of buttons is collapsed to a single row. For instructions, see Windows 10 tip: Customize and rearrange the Quick Actions buttons.
Next, go through the list of apps that are permitted to interrupt you with notifications and silence those you never want to hear from. The settings here allow you to control pop-up messages and sounds or turn off notifications completely. See Windows 10 tip: Disable annoying app notifications for details.