
Microsoft Official Course

MD-100T00
Windows 10

Disclaimer

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in 
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
 
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
 
The names of manufacturers, products, or URLs are provided for informational purposes only and   
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is
not responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained  
therein.
 
© 2019 Microsoft Corporation. All rights reserved.
 
Microsoft and the trademarks listed at http://www.microsoft.com/trademarks are trademarks of the
Microsoft group of companies. All other trademarks are property of their respective owners.

EULA

MICROSOFT LICENSE TERMS


MICROSOFT INSTRUCTOR-LED COURSEWARE
These license terms are an agreement between Microsoft Corporation (or based on where you live, one
of its affiliates) and you. Please read them. They apply to your use of the content accompanying this
agreement which includes the media on which you received it, if any. These license terms also apply to
Trainer Content and any updates and supplements for the Licensed Content unless other terms accompany
those items. If so, those terms apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
1. “Authorized Learning Center” means a Microsoft Imagine Academy (MSIA) Program Member,
Microsoft Learning Competency Member, or such other entity as Microsoft may designate from
time to time.
2. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
3. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center
owns or controls that is located at an Authorized Learning Center’s training facilities that meets or
exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.
4. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training
Session or Private Training Session, (ii) an employee of an MPN Member (defined below), or (iii) a
Microsoft full-time employee, a Microsoft Imagine Academy (MSIA) Program Member, or a
Microsoft Learn for Educators – Validated Educator.
5. “Licensed Content” means the content accompanying this agreement which may include the
Microsoft Instructor-Led Courseware or Trainer Content.
6. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training
session to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently
certified as a Microsoft Certified Trainer under the Microsoft Certification Program.
7. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course
that educates IT professionals, developers, students at an academic institution, and other learners
on Microsoft technologies. A Microsoft Instructor-Led Courseware title may be branded as MOC,
Microsoft Dynamics, or Microsoft Business Group courseware.
8. “Microsoft Imagine Academy (MSIA) Program Member” means an active member of the Microsoft
Imagine Academy Program.
9. “Microsoft Learn for Educators – Validated Educator” means an educator who has been validated
through the Microsoft Learn for Educators program as an active educator at a college, university,
community college, polytechnic or K-12 institution.
10. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner
Network program in good standing that currently holds the Learning Competency status.
11. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as
Microsoft Official Course that educates IT professionals, developers, students at an academic
institution, and other learners on Microsoft technologies.
12. “MPN Member” means an active Microsoft Partner Network program member in good standing.
13. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic
device that you personally own or control that meets or exceeds the hardware level specified for
the particular Microsoft Instructor-Led Courseware.
14. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led
Courseware. These classes are not advertised or promoted to the general public and class attendance
is restricted to individuals employed by or contracted by the corporate customer.
15. “Trainer” means (i) an academically accredited educator engaged by a Microsoft Imagine Academy
Program Member to teach an Authorized Training Session, (ii) an academically accredited educator
validated as a Microsoft Learn for Educators – Validated Educator, and/or (iii) an MCT.
16. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and
additional supplemental content designated solely for Trainers’ use to teach a training session
using the Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint
presentations, trainer preparation guide, train the trainer materials, Microsoft One Note packs,
classroom setup guide and Pre-release course feedback form. To clarify, Trainer Content does not
include any software, virtual hard disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed, not sold. The Licensed Content is licensed on a one
copy per user basis, such that you must acquire a license for each individual that accesses or uses the
Licensed Content.
2.1 Below are five separate sets of use rights. Only one set of rights applies to you.
1. If you are a Microsoft Imagine Academy (MSIA) Program Member:
1. Each license acquired on behalf of yourself may only be used to review one (1) copy of the
Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led
Courseware is in digital format, you may install one (1) copy on up to three (3)
Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device
you do not own or control.
2. For each license you acquire on behalf of an End User or Trainer, you may either:

1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User who is enrolled in the Authorized Training Session, and only immediately
prior to the commencement of the Authorized Training Session that is the subject matter
of the Microsoft Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they
can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content.
3. For each license you acquire, you must comply with the following:

1. you will only provide access to the Licensed Content to those individuals who have
acquired a valid license to the Licensed Content,
2. you will ensure each End User attending an Authorized Training Session has their own
valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the
Authorized Training Session,
3. you will ensure that each End User provided with the hard-copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led
Courseware. Each individual will be required to denote their acceptance of this agreement
in a manner that is enforceable under local law prior to their accessing the Microsoft
Instructor-Led Courseware,
4. you will ensure that each Trainer teaching an Authorized Training Session has their own
valid licensed copy of the Trainer Content that is the subject of the Authorized Training
Session,
5. you will only use qualified Trainers who have in-depth knowledge of and experience with
the Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware
being taught for all your Authorized Training Sessions,
6. you will only deliver a maximum of 15 hours of training per week for each Authorized
Training Session that uses a MOC title, and
7. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer
resources for the Microsoft Instructor-Led Courseware.
2. If you are a Microsoft Learning Competency Member:
1. Each license acquired may only be used to review one (1) copy of the Microsoft Instructor-Led
Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware
is in digital format, you may install one (1) copy on up to three (3) Personal Devices.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or
control.
2. For each license you acquire on behalf of an End User or MCT, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User attending the Authorized Training Session and only immediately prior to
the commencement of the Authorized Training Session that is the subject matter of the
Microsoft Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) MCT with the unique redemption code and instructions on how
they can access one (1) Trainer Content.
3. For each license you acquire, you must comply with the following:
1. you will only provide access to the Licensed Content to those individuals who have
acquired a valid license to the Licensed Content,
2. you will ensure that each End User attending an Authorized Training Session has their
own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of
the Authorized Training Session,
3. you will ensure that each End User provided with a hard-copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led
Courseware. Each individual will be required to denote their acceptance of this agreement
in a manner that is enforceable under local law prior to their accessing the Microsoft
Instructor-Led Courseware,
4. you will ensure that each MCT teaching an Authorized Training Session has their own
valid licensed copy of the Trainer Content that is the subject of the Authorized Training
Session,
5. you will only use qualified MCTs who also hold the applicable Microsoft Certification
credential that is the subject of the MOC title being taught for all your Authorized
Training Sessions using MOC,
6. you will only provide access to the Microsoft Instructor-Led Courseware to End Users,
and
7. you will only provide access to the Trainer Content to MCTs.
3. If you are an MPN Member:
1. Each license acquired on behalf of yourself may only be used to review one (1) copy of the
Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led
Courseware is in digital format, you may install one (1) copy on up to three (3)
Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device
you do not own or control.
2. For each license you acquire on behalf of an End User or Trainer, you may either:

1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User attending the Private Training Session, and only immediately prior to the
commencement of the Private Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the
unique redemption code and instructions on how they can access one (1) Trainer
Content.
3. For each license you acquire, you must comply with the following:

1. you will only provide access to the Licensed Content to those individuals who have
acquired a valid license to the Licensed Content,
2. you will ensure that each End User attending a Private Training Session has their own
valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the
Private Training Session,
3. you will ensure that each End User provided with a hard copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led
Courseware. Each individual will be required to denote their acceptance of this agreement
in a manner that is enforceable under local law prior to their accessing the Microsoft
Instructor-Led Courseware,
4. you will ensure that each Trainer teaching a Private Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Private Training Session,
5. you will only use qualified Trainers who hold the applicable Microsoft Certification
credential that is the subject of the Microsoft Instructor-Led Courseware being taught
for all your Private Training Sessions,
6. you will only use qualified MCTs who hold the applicable Microsoft Certification credential
that is the subject of the MOC title being taught for all your Private Training Sessions
using MOC,
7. you will only provide access to the Microsoft Instructor-Led Courseware to End Users,
and
8. you will only provide access to the Trainer Content to Trainers.
4. If you are an End User:
For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for
your personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you
may access the Microsoft Instructor-Led Courseware online using the unique redemption code
provided to you by the training provider and install and use one (1) copy of the Microsoft
Instructor-Led Courseware on up to three (3) Personal Devices. You may also print one (1) copy
of the Microsoft Instructor-Led Courseware. You may not install the Microsoft Instructor-Led
Courseware on a device you do not own or control.
5. If you are a Trainer:
1. For each license you acquire, you may install and use one (1) copy of the Trainer Content in
the form provided to you on one (1) Personal Device solely to prepare and deliver an
Authorized Training Session or Private Training Session, and install one (1) additional copy
on another Personal Device as a backup copy, which may be used only to reinstall the
Trainer Content. You may not install or use a copy of the Trainer Content on a device you do
not own or control. You may also print one (1) copy of the Trainer Content solely to prepare
for and deliver an Authorized Training Session or Private Training Session.
2. If you are an MCT, you may customize the written portions of the Trainer Content that are
logically associated with instruction of a training session in accordance with the most recent
version of the MCT agreement.
3. If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private
Training Sessions, and (ii) all customizations will comply with this agreement. For clarity, any
use of “customize” refers only to changing the order of slides and content, and/or not using
all the slides or content, it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you
may not separate their components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights
above, you may not distribute any Licensed Content or any portion thereof (including any permitted
modifications) to any third parties without the express written permission of Microsoft.
2.4 Third Party Notices. The Licensed Content may include third party code that Microsoft,
not the third party, licenses to you under this agreement. Notices, if any, for the third party
code are included for your information only.
2.5 Additional Terms. Some Licensed Content may contain components with additional
terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions
and licenses also apply to your use of that respective component and supplement the terms
described in this agreement.
3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject
matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to
the other provisions in this agreement, these terms also apply:
1. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release
version of the Microsoft technology. The technology may not work the way a final version of the
technology will and we may change the technology for the final version. We also may not release a
final version. Licensed Content based on the final version of the technology may not contain the
same information as the Licensed Content based on the Pre-release version. Microsoft is under no
obligation to provide you with any further content, including any Licensed Content based on the
final version of the technology.
2. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly
or through its third party designee, you give to Microsoft without charge, the right to use, share
and commercialize your feedback in any way and for any purpose. You also give to third parties,
without charge, any patent rights needed for their products, technologies and services to use or
interface with any specific parts of a Microsoft technology, Microsoft product, or service that
includes the feedback. You will not give feedback that is subject to a license that requires Microsoft
to license its technology, technologies, or products to third parties because we include your
feedback in them. These rights survive this agreement.
3. Pre-release Term. If you are a Microsoft Imagine Academy Program Member, Microsoft Learning
Competency Member, MPN Member, Microsoft Learn for Educators – Validated Educator, or
Trainer, you will cease using all copies of the Licensed Content on the Pre-release technology upon
(i) the date which Microsoft informs you is the end date for using the Licensed Content on the
Pre-release technology, or (ii) sixty (60) days after the commercial release of the technology that is
the subject of the Licensed Content, whichever is earliest (“Pre-release term”). Upon expiration or
termination of the Pre-release term, you will irretrievably delete and destroy all copies of the
Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in
this agreement. In doing so, you must comply with any technical limitations in the Licensed Content
that only allow you to use it in certain ways. Except as expressly permitted in this agreement, you
may not:
● access or allow any individual to access the Licensed Content if they have not acquired a valid
license for the Licensed Content,
● alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
● modify or create a derivative work of any Licensed Content,
● publicly display, or make the Licensed Content available for others to access or use,
● copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
● work around any technical limitations in the Licensed Content, or
● reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property
laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property
rights in the Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to
the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is provided “as is”, we are not obligated to
provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of this agreement. Upon termination of this agreement
for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed
Content in your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible
for the contents of any third party sites, any links contained in third party sites, or any changes or
updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any third party sites. Microsoft is providing these links to third party sites to
you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft
of the third party site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW.
1. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
2. Outside the United States. If you acquired the Licensed Content in any other country, the laws of
that country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS AVAILABLE."
YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVE NO
EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER
RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILIATES
EXCLUDE ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO
US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST
PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
● anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
● claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion
or limitation of incidental, consequential, or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
Note (translated from the French): As this Licensed Content is distributed in Quebec, Canada, some of the
clauses in this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is provided "as is". Any use of this
Licensed Content is at your sole risk. Microsoft gives no other express warranty. You may have additional
rights under local consumer protection law, which this agreement cannot change. Where permitted by local
law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are
excluded.
LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can recover from Microsoft and its
suppliers compensation for direct damages only, up to US$5.00. You cannot recover any other damages,
including special, indirect or incidental damages and lost profits.
This limitation applies to:
● anything related to the Licensed Content, services or content (including code) on third-party Internet
sites or in third-party programs; and
● claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent
permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the
above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change the rights conferred on you by the laws of your country if
those laws do not permit it to do so.
Revised April 2019
Contents

■■ Module 0 Welcome to Windows 10  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  1


Welcome to Windows 10  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  1
■■ Module 1 Installing Windows  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
Introducing Windows 10  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
Windows 10 Editions and Requirements  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  14
Installation Methods  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  22
Upgrading and Migrating to Windows 10  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  30
Deployment Methods  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  39
Practice Labs and Module Review  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  54
■■ Module 2 Configuring Authorization and Authentication  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  57
Authentication  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  57
Managing Users and Groups  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  71
Configuring User Account Control  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  76
Implementing Device Registration  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  82
Practice Labs and Module Review  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  90
■■ Module 3 Post-Installation Configuration and Personalization  . . . . . . . . . . . . . . . . . . . . . . . . . . .  93
Configure and Customize the Windows Start Menu  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  93
Common Configuration Options  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  97
Advanced Configuration Methods  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  106
Managing Drivers and Device Peripherals  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  117
Practice Labs and Module Review  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  128
■■ Module 4 Updating Windows  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  131
Windows Servicing Model  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  131
Updating Windows  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  137
Practice Labs and Module Review  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  146
■■ Module 5 Configuring Networking  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  149
Configure IP Network Connectivity  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  149
Implement Name Resolution  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  166
Implement Wireless Network Connectivity  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  173
Remote Access Overview  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  180
Remote Management  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  185
Practice Labs and Module Review  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  191
■■ Module 6 Configuring Storage  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  195
Managing Storage  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  195
Maintaining Disks and Volumes  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  211
Managing Storage Spaces  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  217
Practice Labs and Module Review  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  220
■■ Module 7 Configuring Data Access and Usage  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  223
Overview of File Systems  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  223
Configuring and Managing File Access  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  228
Configuring and Managing Shared Folders  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  240
Managing User Files  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  247
Practice Labs and Module Review  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  254
■■ Module 8 Managing Apps in Windows 10  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  259
Providing Apps to Users  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  259
Managing Universal Windows Apps  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  268
Web Browsers in Windows 10  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  275
Practice Labs and Module Review  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  290
■■ Module 9 Configuring Threat Protection  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  293
Malware and Threat Protection  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  293
Microsoft Defender  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  298
Connection Security Rules  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  309
Advanced Protection Methods  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  316
Practice Labs and Module Review  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  327
■■ Module 10 Supporting the Windows 10 Environment  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  331
Windows Architecture  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  331
Support and Diagnostic Tools  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  339
Monitoring and Troubleshooting Performance  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  360
Practice Labs and Module Review  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  371
■■ Module 11 Troubleshooting Files and Apps  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  375
File Recovery in Windows 10  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  375
Application Troubleshooting  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  384
Practice Labs and Module Review  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  393
■■ Module 12 Troubleshooting the OS  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  395
Troubleshooting Windows Startup  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  395
Troubleshooting Operating System Service Issues  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  409
Practice Labs and Module Review  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  415
■■ Module 13 Troubleshooting Hardware and Drivers  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  417
Troubleshooting Device Driver Failures  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  417
Overview of Hardware Troubleshooting  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  427
Troubleshooting Physical Failures  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  436
Practice Labs and Module Review  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  445
Module 0 Welcome to Windows 10

Welcome to Windows 10
Course Introduction
Welcome to MD-100 - Windows 10!

Windows 10 is Microsoft's latest version of its OS and the most widely-adopted version in use today.
Unlike previous Windows OS versions, Windows 10 is continuously updated with new features and
capabilities, and offers new methods of deployment, management, and integration with today's cloud
technologies.
In this course, students will learn the tasks needed to install, configure, protect, and maintain the Windows
10 desktop. The tasks and information covered are designed for IT professionals supporting clients
and devices within an organization.
In this series, you will learn how to:
●● Install, personalize and update Windows 10
●● Configure networking and storage
●● Install and manage applications
●● Configure authentication and permissions
●● Protect the OS and data
●● Support and troubleshoot common issues
This course contains the following modules:
●● Installing Windows
●● Configuring Authorization and Authentication
●● Post-Installation Configuration and Personalization
●● Updating Windows
●● Configuring Networking
●● Configuring Storage
●● Configuring Data Access and Usage
●● Managing Apps in Windows 10
●● Configuring Threat Protection and Advanced Security
●● Supporting the Windows 10 Environment
●● Troubleshooting Files and Applications
●● Troubleshooting the Windows OS
●● Troubleshooting Hardware and Drivers
At the end of each module, there will be practice labs and review questions that you can use to test your
understanding of the concepts covered.
Students taking this course should already have the following skills:
●● Basic understanding of computer networks and hardware concepts.
●● Basic understanding of OS and Application concepts.
●● Experience with using the Windows OS.
The course helps prepare for exam MD-100. This course is the first of two courses supporting the Microsoft
365 Certified: Modern Desktop Administrator Associate certification. It is recommended that students
complete this course prior to taking course MD-101 - Managing Modern Desktops.

Lab Introduction
Throughout the course you will be provided with the opportunity of completing a series of hands-on labs
that will test your ability to perform tasks in the software. Practice labs appear embedded throughout the
course near where you learned a skill. These labs allow you to practice what you just learned through a
hosted virtual software environment accessed through a web-browser.
The lab environment consists of VMs configured as follows:
●● SEA-DC1 - Windows Server 2016 domain controller for the adatum.com domain
●● SEA-CL1 - Windows 10 client joined to the adatum.com domain
●● LON-CL2 - Windows 10 client joined to the adatum.com domain
●● LON-CL3 - Windows 10 client, WORKGROUP member
●● LON-CL4 - Windows 10 client, WORKGROUP member
●● LON-HOST1 - Windows Server 2016 Hyper-V host
●● LON-CL5 - Windows 10 client, nested virtual machine on LON-HOST1
●● LON-CL6 - Windows 7 client, WORKGROUP member
Note: Some VMs not listed above may be visible in the environment, but are not used for this course.
The password for all accounts (unless otherwise noted) is Pa55w.rd; this includes the local and domain
Administrator accounts.
The labs are located at the end of each module; however, your instructor may choose to perform them at
different points during the course. The student manual includes a high-level summary and lab scenario.
Lab steps are either located in the lab environment itself or provided by the instructor. Your instructor will
provide instructions for how to connect to the lab environment.
While the lab environment is intended as a tool for practicing, keep in mind that the lab environment is
persistent throughout the course. Should the labs need to be reset, consult the instructor before doing so.
Note that resetting the labs in the middle of the course may require repeating steps from previous labs.
While most exercises are independent, a small number depend on steps of another lab being complete.
These dependencies are noted in the content.
WARNING – Be prepared for UI changes
Given the dynamic nature of Microsoft cloud tools, you may experience user interface (UI) changes that
were made following the development of this training content. This will manifest itself in UI changes that
do not match up with the detailed instructions presented in this lab manual. The Microsoft World-Wide
Learning team will update this training course as soon as any such changes are brought to our attention.
However, given the dynamic nature of cloud updates, you may run into UI changes before this training
content is updated. If this occurs, you will have to adapt to the changes and work through them in the lab
exercises as needed.
Module 1 Installing Windows

Introducing Windows 10
Lesson Introduction
Windows 10 operates across a wide range of devices, including desktop computers, laptops, tablets, and
other touch-enabled devices and phones. To optimize your users’ experience, you can choose between
several Windows 10 editions, each of which has slightly different features. This lesson describes the new
features in Windows 10 and provides guidance with respect to navigating and customizing the user
interface.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe Windows 10.
●● Explain the new features available in Windows 10.
●● Explain the benefits of using Windows 10 for small and medium-sized organizations.
●● Discuss managing Windows 10 in an enterprise environment.
●● Describe the elements of the new Windows 10 user interface.

Overview of the Windows Client


Windows has been around for more than three decades, and the Windows operating system is widely
adopted within organizations around the world. It is a stable and trusted platform that runs on server
computers, desktop computers, laptops, and other computing devices.
Historically, Microsoft created a new version of its client operating system every few years, each
capitalizing on ongoing changes in computer hardware technology and acknowledging changes in the way
users wish to work with their computing devices. These architectural updates often incorporated
user-interface changes. Between versions, devices were kept up to date through the Windows Update
service; however, these updates were typically maintenance related, focused on enhancing security and
performance and on minor feature improvements.
With Windows 10, Microsoft has shifted from releasing a new version every few years to releasing new
capabilities at regular intervals. Instead of replacing or upgrading the previous OS with a new version,
new capabilities and features are delivered similarly to how OS updates are delivered. This is also known
as Windows as a service, which is covered more in-depth later in this course.
In recent years, Microsoft sought to expand the range of devices that its client operating system supports.
Windows 8 introduced a touch-centric interface that enabled users to utilize the operating system on
handheld devices, such as tablets, as well as on more traditional computing platforms, such as desktop
computers and laptops. At the same time, modifications to the operating system's architecture enabled
support for devices with non-Intel processors, including devices with ARM processors.
Note: ARM provides a lightweight form factor with excellent battery life, which makes it well suited to
mobile devices. Windows RT, the 32-bit ARM edition of Windows 8, cannot be upgraded to Windows 10;
however, Windows 10 does run on 64-bit ARM devices (Windows 10 on ARM).
Windows 8 also supported touch-enabled versions of Microsoft apps, including Microsoft Office. Addi-
tionally, the operating system allowed users to install small, more task-focused apps from an online store,
similar to what users might do with their other computing devices, such as Android phones and tablets,
or the Apple iPhone.
Windows 10 is the latest version of Microsoft’s client operating system. It offers many improvements over
Windows 7 and provides numerous important enhancements and functional improvements over Win-
dows 8.1. You can install and run it on a variety of hardware platforms, ranging from traditional desktop
and laptop computers to tablets, phones, and other devices, such as the Xbox.
The release of Windows 10 incorporates feedback that Microsoft received from Windows 8.1 users
regarding interacting with the user interface when users installed the operating system on desktop
computers. The operating system now senses its own environment. When it discovers a desktop comput-
er, Windows 10 runs in desktop mode. In this mode, apps are resizable, and a more familiar, although
enhanced, Start menu is available to navigate the operating system. When running on a tablet, Windows
10 runs in the tablet mode with apps defaulting to a full-screen layout, and the Start menu becomes a
full-screen app. These subtle changes greatly increase the usability of the operating system.
What's New in Windows 10


The differences that you notice in Windows 10 depend on the operating system from which you are
transitioning. If you were using Windows 7 previously, Windows 10 is radically different in both function-
ality, and in look and feel. If you are using Windows 8.1 currently, you will notice more nuanced changes
in Windows 10.
This topic highlights some of the important features that are new or improved in Windows 10 since
Windows 7.
●● Start screen and Start menu improvements. The Start screen represents a significant change in the
way users find and interact with apps and information in Windows 10. The Start screen is tile-based,
and its configurable tiles can display live information and provide an interactive hub experience for
users. It has a touch-friendly layout and is significantly different from the Windows 7 Start button
interface. However, for users with desktop devices, it displays a more traditional Start menu. This, too,
is tile-based and similarly configurable, but more practical for non-touch devices.
●● Cloud integration. Windows 10 provides increased integration with cloud-based services and
information. Users signing in to a Windows 10 device can connect instantly to the information and
settings that are important to them. Windows 10 ensures a consistent user experience across devices,
regardless of a specific device’s location.
Recovery tools
●● Reset this PC. By using the Reset this PC feature, you can return a device to its initial state, or recover
Windows 10 from corrupted operating system files and other errors. When you launch Reset this PC,
you can choose to:
●● Keep my files. This option retains your personal files, but removes apps and settings, and reinstalls
Windows.
●● Remove everything. This option removes all personal data, apps, and settings from the device, and
reinstalls Windows.
●● Advanced start-up options. These recovery features enable you to recover Windows 10 from
common errors. Options include:
●● Use a device. Enables you to recover Windows by using a universal serial bus (USB) drive, network
connection, or recovery disk.
●● Troubleshoot. Enables you to access Advanced options, including System Restore, System Image
Recovery, Startup Repair, Command Prompt, and Unified Extensible Firmware Interface (UEFI)
settings.

Virtualization
●● Client Hyper-V on Windows 10 provides a flexible and high-performing client virtualization environ-
ment. You can use it on a single device to test applications and IT scenarios in multiple operating
system configurations. Because Client Hyper-V virtual machines are compatible with Windows Server
Hyper-V, IT departments can provide a consolidated and efficient virtual environment.
●● Windows Sandbox provides a lightweight desktop environment for temporarily running applications
in an isolated environment. Launching Sandbox creates a pristine installation of Windows, isolated
from the host and without the need to download or create a separate VHD. When the application is
closed, everything is discarded.
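The following PowerShell script is an added example and is not part of the course material or a Microsoft script. It shows how to enable Client Hyper-V and Windows Sandbox on a Windows 10 Pro, Enterprise, or Education device (version 2004 or later, with hardware virtualization enabled in firmware), and how to write a Windows Sandbox configuration (.wsb) file that maps a folder read-only and disables networking, clipboard redirection, and the virtual GPU, so that an untrusted file can be opened in an environment that is discarded when the window closes. The folder path C:\Samples and the file name detonate.wsb are assumptions made for this example. Run it from an elevated PowerShell session, and restart after the features are enabled before starting Sandbox for the first time.

```powershell
# Added example for this course page; not Microsoft's own script.
# Assumes Windows 10 Pro/Enterprise/Education 2004 or later, an elevated
# PowerShell session, and hardware virtualization available in firmware.
# C:\Samples and detonate.wsb are placeholder names chosen for this example.
#Requires -RunAsAdministrator

# 1. Check that the host can run a hypervisor. When Hyper-V is already running,
#    Get-ComputerInfo reports HyperVisorPresent = True and leaves the
#    HyperVRequirement* properties empty, so test that case first.
$ci = Get-ComputerInfo -Property HyperVisorPresent,
                                 HyperVRequirementVirtualizationFirmwareEnabled,
                                 HyperVRequirementSecondLevelAddressTranslation
if (-not $ci.HyperVisorPresent -and
    -not ($ci.HyperVRequirementVirtualizationFirmwareEnabled -and
          $ci.HyperVRequirementSecondLevelAddressTranslation)) {
    throw 'Hardware virtualization (VT-x/AMD-V with SLAT) is not enabled in firmware.'
}

# 2. Enable Client Hyper-V and Windows Sandbox if they are not already enabled.
#    A restart is required before either feature can be used.
$features = @{
    'Microsoft-Hyper-V-All'         = 'Client Hyper-V'
    'Containers-DisposableClientVM' = 'Windows Sandbox'
}
foreach ($name in $features.Keys) {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $name).State
    if ($state -ne 'Enabled') {
        Write-Host "Enabling $($features[$name]) ($name)..."
        Enable-WindowsOptionalFeature -Online -FeatureName $name -All -NoRestart | Out-Null
    }
}

# 3. Write a locked-down Sandbox configuration for examining an untrusted file:
#    no network, no clipboard, no vGPU, the sample folder mapped read-only, and
#    the Sandbox session running as a protected (AppContainer) client.
$sampleDir = 'C:\Samples'                        # placeholder folder holding the sample
$wsbPath   = Join-Path $env:TEMP 'detonate.wsb'  # placeholder configuration file name
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null

$config = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MemoryInMB>4096</MemoryInMB>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$sampleDir</HostFolder>
      <SandboxFolder>C:\Samples</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Samples</Command>
  </LogonCommand>
</Configuration>
"@
Set-Content -Path $wsbPath -Value $config -Encoding UTF8

# 4. Start the Sandbox from the configuration file. Everything the sample does
#    inside the Sandbox is discarded when the window is closed, and because the
#    mapped folder is read-only it cannot modify the original file on the host.
Start-Process -FilePath $wsbPath
```

Networking is disabled deliberately: a sample that needs to reach a command-and-control server or download a second stage cannot do so, and it cannot scan the host's network from inside the Sandbox. If the test requires connectivity, re-enable it on purpose rather than by default.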

Mobility Improvements
●● Support for multiple device types. Windows 10 runs on desktop and laptop computers, tablets and
similar devices, phones, the Xbox platform, and Microsoft HoloLens, thereby providing users with very
extensive access to the Windows 10 environment.
●● Bring Your Own Device support. Many users have their own personal computing devices, and they
might wish to connect these devices to their corporate networks so that they can access apps and
services, and work with data files. Bring Your Own Device (BYOD) is the ability to connect users’
personal devices to a corporate network. Windows 10 introduces a number of features that improve
the support of users who wish to bring their own devices.
●● Mobile broadband. Windows 10 provides support for embedded wireless radio. This support helps
to improve power efficiency and reduce the size of some devices.
●● Broadband tethering. You can turn your Windows 10 device into a Wi-Fi hotspot.
●● Auto-triggered VPN. If an app requires access to your company’s intranet, Windows 10 can auto-
matically trigger a virtual private network (VPN) connection.
Security Enhancements
●● Remote Business Data Removal. With Windows 10 and Windows Server, you can use Remote
Business Data Removal to classify and flag corporate files, and to differentiate between these files and
user files. With this classification, the remote wipe of a Windows 10 device will not remove us-
er-owned data when securing or removing corporate data on the device.
●● Improved biometrics. Windows 10 provides a number of improvements in the area of biometrics,
including biometric Windows sign-in, remote access, and User Account Control (UAC) prompts. Further-
more, you can configure biometric authentication for Windows Store access.
●● Pervasive device encryption. On Microsoft Surface devices and other devices that meet the hardware
requirements, device encryption is enabled by default, and you can configure additional BitLocker Drive
Encryption protection. You can also enable additional BitLocker management capabilities on the Windows
10 Pro and Enterprise editions.
●● Malware resistance. Windows Defender Antivirus includes behavior monitoring and network inspection
that help to detect and prevent the execution of known and unknown malware.
●● Device lockdown. The Assigned Access feature enables you to restrict the Windows Store app
experience on a device to a specific subset of apps, or even to a single app. This could be a line-of-
business (LOB) app in a kiosk scenario, or a set of educational apps for children in a school setting.
●● Virtual secure mode. This is a secure process-execution environment that Windows 10 introduces. It
uses the Hyper-V hypervisor to run selected system processes, known as trustlets (for example, the
isolated LSA process that Credential Guard uses to protect domain credentials), in a separate virtual trust
level that is isolated from the rest of the operating system. Because even the Windows kernel does not
have access to this environment, processes and data within it are protected from malware running in the
operating system.
●● Nearby Sharing. Nearby Sharing lets you instantly share your videos, photos, documents, and
websites with people and devices near you over Bluetooth or Wi-Fi.
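To confirm that the protections described in this list are actually active on a device, rather than merely available, the following PowerShell function is an added example (not part of the course and not a Microsoft script) that reports the state of virtual secure mode, BitLocker on the operating system drive, Windows Defender Antivirus, and Assigned Access. It assumes Windows 10 Pro, Enterprise, or Education, an elevated session, and the BitLocker, Defender, and AssignedAccess PowerShell modules that ship with those editions; the three-day signature-age threshold is this example's own choice.

```powershell
# Added example for this course page; not Microsoft's own script.
# Assumes Windows 10 Pro/Enterprise/Education and an elevated PowerShell session.
# The 3-day signature-age threshold is an assumption made for this example.
#Requires -RunAsAdministrator

function Get-DeviceSecurityPosture {
    $findings = [ordered]@{}

    # Virtual secure mode (virtualization-based security). Win32_DeviceGuard reports
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running,
    # 2 = running. SecurityServicesRunning lists 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $findings['VBS running']              = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $findings['Credential Guard running'] = ($dg.SecurityServicesRunning -contains 1)
    $findings['HVCI (memory integrity)']  = ($dg.SecurityServicesRunning -contains 2)

    # Pervasive device encryption: the OS volume should be fully encrypted, with
    # protection turned on and the key sealed to the TPM (not only a password).
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $findings['OS drive fully encrypted'] = ($os.VolumeStatus -eq 'FullyEncrypted' -and
                                             $os.ProtectionStatus -eq 'On')
    $findings['TPM-based key protector']  = [bool]($os.KeyProtector |
                                             Where-Object { $_.KeyProtectorType -like 'Tpm*' })

    # Malware resistance: real-time and behavior monitoring on, signatures current.
    $mp = Get-MpComputerStatus
    $findings['Defender real-time protection']     = $mp.RealTimeProtectionEnabled
    $findings['Defender behavior monitoring']      = $mp.BehaviorMonitorEnabled
    $findings['Signatures updated in last 3 days'] = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays -lt 3

    # Device lockdown: Get-AssignedAccess returns nothing when no kiosk account is
    # configured. This is informational; only kiosk devices are expected to have it.
    $findings['Assigned Access configured'] = [bool](Get-AssignedAccess)

    [pscustomobject]$findings
}

# Print the report, then warn about anything (other than Assigned Access) that is off.
$posture = Get-DeviceSecurityPosture
$posture | Format-List
$gaps = $posture.PSObject.Properties |
    Where-Object { $_.Name -ne 'Assigned Access configured' -and $_.Value -ne $true } |
    Select-Object -ExpandProperty Name
if ($gaps) { Write-Warning "Not enabled: $($gaps -join ', ')" }
```

A device can have BitLocker turned on with protection suspended, or virtualization-based security enabled in policy but not running because the firmware lacks the prerequisites; the function checks the running state in each case rather than the configured one.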

Windows as a Service
Windows 10 uses a new method of delivering new features and functional changes, known as Windows as
a Service. This is a major change from the past, when new Windows versions arrived approximately every
three years. The closest precedent is the Windows 8.1 update, which arrived one year after the Windows 8
release.
With Windows 10, you can expect shorter release cycles, with larger feature updates released on a regular
cadence (semi-annual for most of Windows 10's lifetime) rather than as a new product. Updates are no
longer limited to the second Tuesday of each month. On Windows 10 Home, security, quality, and driver
updates download and install automatically as soon as they become available. Windows 10 Pro, Enterprise,
and Education can defer feature and quality updates for a configurable period, and pause them
temporarily, by using Windows Update for Business policies.
For more information about the new features in Windows 10, refer to What's new in Windows 10 at:
http://aka.ms/sfakvk
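The following PowerShell script is an added example (not part of the course and not a Microsoft script). It reads which Windows 10 release and build a device is running and whether Windows Update for Business deferral or pause policies are in effect, and shows how a quality-update deferral is set on the editions that honor it. The registry paths are the documented policy locations; the seven-day deferral value is an assumption made for this example.

```powershell
# Added example for this course page; not Microsoft's own script.
# Reads the installed Windows 10 release and the Windows Update for Business
# deferral policy, and shows how a deferral is set on editions that support it.
# The 7-day quality-update deferral is an assumption made for this example.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WindowsServicingState {
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # DisplayVersion (for example "20H2") replaced ReleaseId ("2009") in later releases.
    $release = if ($ver.DisplayVersion) { $ver.DisplayVersion } else { $ver.ReleaseId }

    # Policy values are absent when no deferral is configured, which means the device
    # installs feature and quality updates as soon as Windows Update offers them.
    $wu = Get-ItemProperty $policyKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Edition                = $ver.EditionID
        Release                = $release
        Build                  = "$($ver.CurrentBuild).$($ver.UBR)"
        FeatureUpdateDeferDays = if ($wu.DeferFeatureUpdates -eq 1) { $wu.DeferFeatureUpdatesPeriodInDays } else { 0 }
        QualityUpdateDeferDays = if ($wu.DeferQualityUpdates -eq 1) { $wu.DeferQualityUpdatesPeriodInDays } else { 0 }
        FeatureUpdatesPaused   = [bool]$wu.PauseFeatureUpdatesStartTime
        QualityUpdatesPaused   = [bool]$wu.PauseQualityUpdatesStartTime
    }
}

# Defers quality (monthly security) updates by the given number of days so that a
# pilot ring can validate them first. Windows 10 Home ignores these policies;
# Pro, Enterprise and Education honor them (0-30 days for quality updates).
function Set-QualityUpdateDeferral {
    param([ValidateRange(0, 30)][int]$Days)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name DeferQualityUpdates -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name DeferQualityUpdatesPeriodInDays -Value $Days -PropertyType DWord -Force | Out-Null
}

Get-WindowsServicingState
# Set-QualityUpdateDeferral -Days 7   # run from an elevated session to apply
```

Deferring security updates buys testing time at the cost of a longer exposure window, so keep quality-update deferrals short and reserve longer periods for feature updates.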

Benefits of Windows 10 for Small and Medium-Sized Organizations
In most organizations, the typical lifetime of a desktop or laptop computer is three to four years. During
that time, the computer might receive hardware upgrades, such as additional memory or replacement
disks. However, the operating system deployed to most workstations remains constant for the device's
lifetime, apart from updates, patches, and fixes.
The current generation of hardware devices often employs touch as one of the input mechanisms, and
sometimes it is the only input mechanism. Additionally, many users have access to multiple devices, and
it is common for a user to utilize a laptop, a tablet, and a phone regularly, and often simultaneously.
Furthermore, many of these devices might belong to the users themselves, and they might desire to
connect to their corporate network from these devices.
Despite the investment required, both in terms of software licenses, as well as increasing employees’
knowledge and skills with new hardware, there are compelling reasons for small and medium organiza-
tions to update to Windows 10 from Windows 7, including:
●● Easier to use. Windows 10 is easier to use, which means fewer calls to your support desk. The features
that make Windows 10 more easy to use include:
●● Support for touch. Using a touch device is intuitive. For example, working with images and
navigating an operating system is easier when you are using touch rather than a mouse and
keyboard, especially if the user is not in a traditional office environment. Windows 10 supports
touch-enabled devices and optimizes itself for this environment, while continuing to support more
traditional input methods where required. An intuitive, user-friendly interface helps to reduce calls
for support.
●● A consistent user interface. If your users are using phones, tablets, and computers, they can work
more effectively and efficiently if you provide a consistent interface and access to Windows
Universal apps that they can use on any device.
●● Performance improvements. Windows 10 starts up more quickly, and due to improvements in
the architecture, navigating the operating system is faster, as well.
●● Continuous updates. Microsoft plans to provide updates on a continuous basis. This means that
rather than periodic upgrades, such as from Windows 7 to Windows 10, there will be a constant
process of smaller updates. Therefore, you will not have to perform wipe-and-load upgrades when a
new Windows version arrives. This reduces support efforts and costs.
●● Improved device management. You can choose to manage your Windows 10 devices by using
Configuration Manager or Microsoft Intune, which are part of Microsoft Endpoint Manager platform.
The method that you choose depends on your needs, the number of devices you have, and the
complexity of your environment. For example, with Microsoft Intune, you can provide for cloud-based
management of mobile devices, apps, and PCs. You can provide your users with access to your
corporate apps, data, and resources from virtually anywhere and on almost any device.
●● Distribution of apps by using the Windows Store. Microsoft will provide organizations with the
ability to acquire Windows Store apps, and then by using a web portal, make those apps available to
their users. Additionally, Microsoft will allow organizations to create an organizational private app
repository within Windows Store for Business. These changes will allow you to deploy and manage
apps within your organization more easily.
●● More secure. Several new and improved security features make Windows 10 more secure than
Windows 7. Keeping users' devices safe and secure helps reduce support costs.

Managing Desktops in an Enterprise Environment
Enterprise environments provide a substantial number of challenges when it comes to managing desktop
computers. Although the size of an enterprise environment varies, most typically include hundreds and
sometimes tens of thousands of computers.
Because of the large number of computers in enterprise environments, the ability to centrally manage
these computers is essential. For example, using one solution to install software updates across large
numbers of computers is much more efficient than installing a software update manually on each
computer in the organization.
If users manage their own computers, the following problems can occur:
●● Software update problems. Many users are unaware of the need to keep operating system and
application software up-to-date with security and operating system patches. Without centralized
update management, some users will not maintain software updates.
●● Anti-malware problems. Unless managed centrally, many users do not ensure that anti-malware
software is enabled and up-to-date.
●● Application management. Without centrally managed “locked down” configurations, users could
install unauthorized software. Users often install unauthorized applications as an alternative to going
through cumbersome organizational processes for requisitioning software.
●● Hardware support. When enterprises purchase hardware, they often sign contracts for extended
support. Should hardware fail, it is often relatively straightforward to obtain replacement parts, even
entire replacement computers, within the support period. When users purchase their own hardware,
they often are left to determine how best to repair the hardware should a failure occur.
To manage a large fleet of computers more efficiently, enterprises often use one or more standard
operating environments (SOEs). An SOE is a defined combination of operating system, application, and
hardware configuration. SOEs have the following benefits:
●● Simplified deployment of new and replacement computers. Should new computers be required,
deploying an SOE is more straightforward than building a configuration from scratch. You often can
deploy an SOE from images using products such as Windows Deployment Services or Microsoft
Endpoint Configuration Manager.
●● Consistent applications and hardware across the organization. Should a failure occur, information
technology (IT) employees can replace the computer more quickly, enabling the user to remain
productive. The replacement computer will have the same applications as the original computer,
thereby ensuring that the user will have fewer adjustments to make to the replacement system.
●● Simplified inventory. Organizations must keep track of hardware and software assets. It is far simpler
to track hardware and software assets when all employees are using similarly configured computers,
than it is to track hardware and software assets when each person has a uniquely configured comput-
er, operating system, and application suite.
●● Simplified updating. SOEs make the process of managing operating system and application updates
simpler as the updates only need to be tested against a limited set of configurations.
●● Simpler software deployment. Products such as Intune or Configuration Manager help simplify the
process for deploying new or updated applications to computers.

Windows 10 User Interface


If you are currently using Windows 7, then the changes in the user interface of Windows 10 are signifi-
cant. If you have used Windows 8.1, then the changes are not as significant and represent more of an
on-going interface evolution.

Using touch actions


The most significant change from Windows 7 is the support for touch. Before examining the user inter-
face in more detail, it is worth discussing the terminology for touch actions within the operating system.
You are doubtless familiar with the concept of using a mouse to navigate the Windows operating system.
For example, you click an item to select it, double-click an item to open it, and right-click an item to
access a context menu. These actions remain the same for Windows 10 when you use a mouse to
navigate. However, when you use touch, you must use gestures to complete the same tasks. Therefore, to
select an item, you tap it. To open an item, use double-tap. To access an item's context menu, use tap and
hold.

Changes to the user interface


This section describes the new interface and highlights the most significant changes, which include:
●● Sign in. You can sign in to Windows 10 by swiping up from the bottom of your tablet's display to
access the sign-in page. Tap the Username box, and the virtual keyboard appears. Enter your username
and password, and then tap the right arrow. If you want to sign in with a different account, tap
Other user in the lower left of your display.
●● Windows 10 also supports sign-in by using a personal identification number (PIN), as well as biometric
and multi-factor authentication options enabled by Windows Hello.
Note: If you are using a device with a keyboard, you can press Esc to access the sign-in page.
●● Start. The device type and orientation controls the behavior of Start:
●● Non-touch. If you sign in by using a device that does not support touch, Windows starts in
Desktop mode. This means that a Start menu represents the Start screen, and this menu is accessible
when you select Start in the lower left of the taskbar.
●● Touch-enabled. If you sign in by using a device that is touch-enabled, or is a convertible device,
like a Microsoft Surface tablet, and which is placed as a tablet (that is, the keyboard is detached or
folded out of the way), Windows starts in the Tablet mode. In this scenario, Windows presents Start
as a full-screen app.
Note: You can force Windows manually to switch between Desktop and Tablet modes by using the Tablet
mode tile in the Action Center to toggle between settings.
Start consists of a list on the left side of the display of your Most used apps and shortcuts for File Explorer,
Settings, Power, and All apps. The right side of Start has tiles that you can use to launch apps. You can
configure which tiles display and how, and you can group the tiles into meaningful collections. Apps
using tiles also can track what displays on the tile when a user selects it, in order to provide context
within the app, when opened.

Action Center
The Action Center consolidates notifications from the operating system with shortcut tiles that enable
you to perform common or frequently accessed tasks. To access the Action Center, select the Notifications
icon in the notification area in the Desktop mode, or swipe from the right in the Tablet mode.
Available tiles include:
●● Tablet mode. Switches between Desktop and Tablet modes. In the Tablet mode, all apps run full
screen, and Start displays as a full-screen app. The Desktop mode runs apps in resizable windows, with
Start appearing as a menu.
●● Rotation lock. Enables you to lock the display in either portrait or landscape modes.
●● Connect. Searches for and allows you to connect to wireless display and audio devices in the local
area.
●● Note. Opens a new note in Microsoft OneNote.
●● All settings. Launches the Settings app, which provides access to options for the device's configuration
and settings.
●● Battery saver. Toggles into battery saver mode. This reduces power consumption by reducing display
brightness and configuring other power-intensive operating-system components. Note: You can
configure Battery saver settings by using All settings, accessing System, and then Battery saver.
●● VPN. Enables you to configure and connect to a VPN.
●● Bluetooth. Enables you to toggle the Bluetooth radio on or off.
●● Brightness. Use this tile to step up or down the brightness range.
●● WiFi. Enables you to toggle the Wi-Fi radio on or off.
●● Flight mode. Enables you to disable all radios so that your device can safely be used onboard an
aircraft.
●● Quiet hours. Toggles into a setting that reduces the notifications that you receive.
●● Location. Toggles the location setting. Many apps use location to customize behavior and to provide
geographically pertinent information to the user.
●● Settings. You can access Settings from the All settings tile in the Action Center or by tapping Settings
in Start. You can configure almost all device settings within the Settings app.
Note: The specific tiles that you see vary depending upon the type of device that you are using. For
example, a desktop computer does not display the Rotation lock tile.
Windows 10 Editions and Requirements


Lesson Introduction
You can use Windows 10 on a variety of computing devices, from traditional platforms to the latest tablet,
phone, and gaming platforms. This lesson introduces the different editions of Windows 10, the features
of each, and describes why and when you might select a specific Windows edition. This lesson also covers
methods for installations.

Lesson Objectives
After completing this lesson, you will be able to:
●● Explain the differences between the different editions of Windows 10.
●● Select the most suitable Windows 10 device for your needs.
●● Describe the minimum recommended hardware requirements for installing Windows 10.

Windows 10 Editions and Capabilities


Before you can install Windows 10, you must select the most suitable edition for your organization. The
different editions of Windows 10 address the needs of consumers ranging from individuals to large
enterprises. This topic describes the different features of each edition and the differences between the
32-bit and 64-bit editions of Windows 10.

Edition                         | Audience                                                                                 | Availability
--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------
Windows 10 Home                 | Individual home use                                                                      | Everyone
Windows 10 Pro                  | Small and mid-sized businesses, advanced users                                           | Everyone
Windows 10 Pro for Workstations | Users with advanced performance and storage requirements                                 | Everyone
Windows 10 Enterprise           | Large enterprise organizations                                                           | Available to Volume License customers
Windows 10 Enterprise LTSC      | Large enterprise organizations with restrictive change requirements                      | Available to Volume License customers
Windows 10 Pro Education        | Comparable to Windows 10 Pro for school staff, administrators, teachers, and students    | Available to academic Volume License customers
Windows 10 Education            | Comparable to Windows 10 Enterprise for school staff, administrators, teachers, and students | Available to academic Volume License customers

Windows 10 Home
Windows 10 Home is the consumer-oriented desktop edition of Windows 10. It offers the familiar
Windows experience for PCs, tablets, and the new hybrid laptop/tablets. Windows 10 Home includes
several new features:
●● Cortana, the new personal digital assistant
●● Microsoft Edge, the new web browser
●● Continuum tablet mode for touch-capable devices
●● Windows Hello biometric sign-in
●● Virtual Desktops
●● Photos, Maps, Mail, Calendar, Music and Video, and other built-in universal Windows apps
●● New updates and features received automatically
●● Support for Windows Information Protection through Mobile Application Management (MAM).

Windows 10 Pro
Windows 10 Pro builds on the features of Windows 10 Home, with many extra features to meet the needs
of small and medium-sized businesses. Windows 10 Pro is also suitable for advanced consumers who are
looking for features such as BitLocker and virtualization.
Some of the features Windows 10 Pro provides:
●● Windows Autopilot. Leverages an existing Windows 10 installation to transform or reset the device to
a “business-ready” state, applying settings, policies, apps, and edition changes, without the need to
re-image.
●● Windows Update for Business. Manage Windows Update deployments for domain and non-domain
joined clients using tools such as Group Policy, an MDM, or Configuration Manager.
●● Domain Join. Computers that support domain join can be joined to an Active Directory domain.
●● Ability to join Azure Active Directory. This enables them to perform single sign-on (SSO) to
cloud-hosted apps.
●● Group Policy Management. Computers that support the Group Policy Management feature can be
managed using Group Policy when they are joined to an Active Directory domain.
●● BitLocker. BitLocker functions as a full volume encryption and boot environment protection solution.
●● Enterprise Mode Internet Explorer. A compatibility mode for Microsoft Internet Explorer enables
Internet Explorer 11 to emulate Internet Explorer 7 or Internet Explorer 8.
●● Assigned Access. This feature enables administrators to restrict a specific user account to use of a
single, specific Windows Store app. This feature is useful in kiosk scenarios where you want to allow
use of only a single app rather than all possible apps that are available to the computer or user.
●● Remote Desktop. This feature enables Remote Desktop connections from compatible Remote Desktop
Connection clients.
●● Client Hyper-V. Client Hyper-V enables you to host virtual machines on a client computer that has
sufficient hardware resources.
●● Windows Store for Business. Using Windows 10 Enterprise, you can use a special Windows Store for the
organization in addition to the normal Windows Store for apps.
●● Windows Update for Business. A cloud-based Windows Update solution that includes the ability to
configure distribution rings, maintenance windows, peer-to-peer delivery, and integration with
existing tools such as Microsoft System Center and Intune.
●● Enterprise Data Protection. This new Windows 10 feature enables organizations to control which
applications can access sensitive data.
●● Granular UX Control. This feature enables administrators to lock the user interface so that users can
perform specific tasks only. This feature is useful when deploying Windows 10 as a kiosk.
Note: Group Policy settings that affect features found in the Enterprise edition, but not in the Pro edition,
will have no effect on devices running Windows 10 Pro.

Windows 10 Pro for Workstations


Windows 10 Pro for Workstations offers the same features as Windows 10 Pro. It includes additional
features intended for workloads that require higher performance and resilience.
●● ReFS (Resilient File System). ReFS provides cloud-grade resiliency for data on fault-tolerant storage
spaces and manages very large volumes.
●● Persistent memory. Support for non-volatile memory modules (NVDIMM-N), where data and files in
memory persist when the workstation is turned off.
●● SMB Direct. Supports network adapters that have Remote Direct Memory Access capability. This offers
improved performance when transferring large amounts of data on remote SMB file shares.
●● Expanded Hardware Support. Takes full advantage of high-performance hardware such as server-grade
Intel Xeon and AMD Opteron processors, with support for up to 4 CPUs and 6TB of memory.

Windows 10 Enterprise
Windows 10 Enterprise builds on the features of Windows 10 Pro, with additional features that meet the
needs of large enterprises. Windows 10 Enterprise is available to Volume Licensing customers only. They
can choose the pace at which they adopt new technology, including the option to use the new Windows
Update for Business.
Windows 10 Enterprise also supports a broad range of options for operating system deployment and
device and app management.
Some of the features Windows 10 Enterprise provides:
●● DirectAccess. DirectAccess is a computer authenticated persistent virtual private network (VPN)
connection using IPSec. It allows remote computers to access internal network resources. It also allows
remote management of client computers. Note: Always On VPN, which was introduced in the Windows 10
Anniversary Update and offers a similar experience to DirectAccess, is supported by Windows 10 Home,
Professional and Enterprise.
●● Windows To Go Creator. The Windows To Go Creator enables you to create a bootable installation of
Windows 10 on a supported USB storage device.
●● AppLocker. AppLocker is a feature of Windows 10 that enables administrators to control which
applications can act on a computer, including limiting access so that only specific versions of an
application can run.
●● Start Screen Control with Group Policy. This feature enables you to use Group Policy to customize the
appearance and content of the start menu or start screen.
●● Windows Defender Credential Guard. Virtualization based security isolates secrets so only privileged
users can access them.
●● Windows Defender Application Control. Controls what applications run within your environment to
help block against malware and untrusted apps.
●● Windows Defender Application Guard. Opens untrusted websites in a Hyper-V container to isolate in
case the site is malicious.
●● Microsoft Application Virtualization (App-V). Enables organizations to deliver Win32 applications to
users as virtual applications.
●● Microsoft User Experience Virtualization (UE-V). Capture user-customized Windows and application
settings and store them on a centrally managed network.
●● License rights for virtual desktops and edition step-up from Windows 10 Pro using cloud activation.

Windows 10 Enterprise LTSC


Windows 10 Enterprise Long Term Servicing Channel (LTSC) is a special edition of Windows 10 Enterprise
that Microsoft will not update with any new features. Windows 10 Enterprise LTSC only gets security
updates and other important updates. You can install Windows 10 Enterprise LTSC to devices that run in a
known environment that does not change. The differences between Windows 10 Enterprise LTSC and the
normal Windows 10 Enterprise are the following:
●● Does not receive feature upgrades
●● No Microsoft Edge browser
●● No Windows Store client
●● No Cortana
●● Many built-in universal Windows apps are missing
Windows 10 Enterprise 2019 LTSC is the current release of Windows 10, and includes the cumulative
updates provided up to and including version 1809.
Note: The Long Term Servicing Channel edition was previously called the Long Term Servicing Branch
(LTSB).

Windows 10 Pro Education and Windows 10 Education


Windows 10 Pro Education and Windows 10 Education offer the same features as Windows 10 Pro and
Enterprise respectively, except for Long Term Servicing Channel. These editions of Windows 10 have
configurations more suitable for school staff, administrators, teachers, and students. Windows 10 Pro
Education and Windows 10 Education are only available through academic Volume Licensing.

Selecting a Windows 10 Edition


Windows 10 runs on several different types of devices or form factors. However, not all editions of
Windows 10 can run on all device types. This discussion will help you to decide which form factor and
edition of Windows 10 to choose in different scenarios.

Form factors
Prior to Windows 8, Microsoft had three types of devices: traditional PCs, mobile phones, and Xbox. The
release of Windows 8 saw new device types emerge, including tablets and other touch-enabled devices.
With Windows 10, Microsoft introduces two new types of devices: Microsoft Surface Hub and Microsoft
HoloLens. Here is a list of the different form factors and their typical use in a work environment:
●● Desktop PC. The desktop PC is the form factor of choice in businesses where the need for high
performance is predominant, such as computer-aided design (CAD).
●● Laptop. Traditionally, travelling users were the primary users of laptops. However, recently laptop sales
have surpassed desktop PC sales, perhaps due to increasing workforce mobility and superior laptop
performance. When a consumer uses a laptop as an office computer, the addition of an external
keyboard, mouse, and monitor can remedy the lack of workplace ergonomics.
●● Tablet. Tablets are popular for reading emails, doing presentations, or as entertainment devices. The
latest developments bring improved performance, but still lack in expansion possibilities.
●● Hybrid. The popularity of the tablet has led to the innovation of a hybrid device that converts from a
normal laptop to a tablet. Hybrid devices are more popular than tablets among users whose work
involves more typing. These devices also offer better performance than typical tablets.
●● Xbox. The Xbox is a device that is most popular for gaming and entertainment.
●● HoloLens. The HoloLens is one of the first holographic computers. It has many uses in education,
design, and construction businesses.
●● Surface Hub. The Surface Hub is a large-format, touch-friendly monitor used in meetings.

Choosing between 32-bit and 64-bit editions for installation


All desktop editions of Windows 10 are available in both 32-bit and 64-bit versions. Most devices in use
today capable of running Windows 10 have 64-bit architectures. You should install the 64-bit version of
Windows to take advantage of the increased performance, memory, and security capabilities available
with 64-bit hardware. When choosing 32-bit or 64-bit editions, consider:
●● You can install 64-bit editions of Windows 10 only on computers with 64-bit processor architecture.
●● You can install 32-bit editions of Windows 10 on computers with 32-bit or 64-bit processor architecture.
When you install a 32-bit edition of Windows 10 on a 64-bit processor architecture, the operating
system does not take advantage of any 64-bit processor architecture features or functionality.
Most notable is that 32-bit editions of Windows cannot address more than 4MB of memory.
●● 32-bit drivers will not work in 64-bit editions of Windows 10. If you have hardware for which only
32-bit drivers are available, you must use a 32-bit edition of Windows 10, regardless of the computer’s
processor architecture.
●● The 64-bit edition of Windows 10 supports running native 32-bit and 64-bit applications. 64-bit
applications cannot run on the 32-bit edition of Windows 10. 16-bit applications will not run natively
on Windows 10 64-bit editions.
32-bit editions of Windows should only be installed on legacy hardware with drivers that only support
32-bit architectures, or when 16-bit Windows applications are still used in the organization. Given the
significant trade-offs of not leveraging 64-bit, organizations should consider solutions such as virtualization
to support legacy apps as an alternative.

Scenarios
●● Scenario 1. Contoso Pharmaceuticals considers purchasing new computers to control and supervise its
production lines. The production lines require special hardware with sensors in the computers that
employees will use to perform the supervision. The production line software is sensitive to major
changes in the operating system. Which edition of Windows 10 would you recommend for purchase
by Contoso Pharmaceuticals for supervision of its production lines?
●● Scenario 2. Samuel is an independent contractor. He travels often with his laptop, which contains
sensitive customer financial data. He is concerned about the impact to his business if his laptop is lost
or stolen. Which edition of Windows 10 would be best suited to protect his data?
●● Scenario 3. Contoso Pharmaceuticals is trying to secure their information technology (IT) infrastructure
by limiting the apps that users can run. Some employees install unauthorized apps on their devices.
Contoso wants to limit users to apps that are on the company’s list of approved apps. Which edition
of Windows 10 would you recommend that Contoso Pharmaceuticals use?
Scenario Answers
●● Scenario 1: Windows 10 Enterprise LTSC. As it does not receive feature updates, this minimizes changes to
the OS that may impact the sensitive application.
●● Scenario 2: Windows 10 Pro. While he can leverage any edition of Windows to take advantage of
features such as OneDrive to minimize losing data, or Windows Hello for biometric authentication,
features like BitLocker found in Windows Pro can protect his data from being accessed in the event his
device is stolen.
●● Scenario 3: Windows 10 Enterprise. With Enterprise edition, AppLocker can be used to limit users to run
only authorized apps.

Windows 10 Hardware Requirements


Windows 10 is capable of running on similar hardware as Windows 7 and 8. Many computers in enterprises
today easily meet the minimum hardware requirements for Windows 10.

OS requirements
The following section lists the minimum recommended hardware requirements for Windows 10. Windows
10 will install if some of these requirements are not met. However, user experience and operating system
performance might be compromised if the computer does not meet or exceed the following specifications:
●● Processor: 1 gigahertz (GHz) or faster processor, or system on a chip (SOC)
●● RAM: 1 GB for 32-bit or 2 GB for 64-bit
●● Hard disk space: 16 GB for 32-bit or 20 GB for 64-bit
●● Graphics card: DirectX 9 or newer with Windows Display Driver Model (WDDM) 1.0 driver
●● Display: 800x600 pixels

Feature-specific requirements
Windows 10 offers additional features if the correct hardware is present. The following are some of the
hardware and software requirements for various additional features:
●● Windows Hello requires a specialized illuminated infrared camera for facial recognition or iris detection,
or a fingerprint reader that supports the Windows Biometric Framework.
●● Two factor authentication requires the use of a PIN, fingerprint reader, or illuminated infrared camera,
or a phone with Wi-Fi or Bluetooth capabilities.
●● Depending on the resolution of the monitor, the number of simultaneously snapped applications
might be limited.
●● Touch requires a tablet or a monitor that supports multi-touch for full functionality.
●● Secure boot requires firmware that supports Unified Extensible Firmware Interface (UEFI) and has the
Microsoft Windows Certification Authority in the UEFI signature database. The secure boot process
takes advantage of UEFI to prevent the launching of unknown or potentially unwanted operating-system
boot loaders between the system’s BIOS start and the Windows 10 operating system start. While
the secure boot process is not mandatory for Windows 10, it greatly increases the integrity of the
boot process.
●● Some applications might require a graphics card that is compatible with DirectX 10 or newer versions
for optimal performance.
●● BitLocker requires either Trusted Platform Module (TPM) or a USB flash drive (Windows 10 Pro,
Windows 10 Enterprise, and Windows 10 Education).
●● Client Hyper-V requires a 64-bit system with second level address translation capabilities and an
additional 2 GB of RAM (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education).
Second level address translation reduces the overhead incurred during the virtual-to-physical address
mapping process performed for virtual machines.
●● Miracast requires a display adapter that supports WDDM, and a Wi-Fi adapter that supports Wi-Fi
Direct.
●● Wi-Fi Direct Printing requires a Wi-Fi adapter that supports Wi-Fi Direct and a device that supports
Wi-Fi Direct Printing.
●● InstantGo works only with computers designed for connected standby. InstantGo allows network
connectivity in standby mode and allows for receiving updates, mail, and Skype calls with the screen
turned off.
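As an added example that is not part of the course text, the following PowerShell function checks a machine against the minimum figures listed under OS requirements and against two of the feature-specific prerequisites above (a TPM for BitLocker and UEFI Secure Boot). It assumes an elevated session on Windows 8 or later and that C: is the system drive; Confirm-SecureBootUEFI raises an error on non-UEFI firmware, which the function reports as a result rather than crashing.

```powershell
# Added example (not from the course): report whether this machine meets the
# Windows 10 minimum requirements given in the text and whether the hardware
# needed for BitLocker (TPM) and Secure Boot (UEFI) is present.
# Assumptions: elevated PowerShell on Windows 8 or later, C: is the system drive.

function Test-Win10Readiness {
    [CmdletBinding()]
    param(
        # Drive letter that would hold the Windows installation (assumption: C)
        [string]$SystemDrive = 'C'
    )

    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $sys  = Get-CimInstance -ClassName Win32_ComputerSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='${SystemDrive}:'"
    $gpu  = Get-CimInstance -ClassName Win32_VideoController | Select-Object -First 1

    # The thresholds differ between 32-bit and 64-bit editions, so pick the set
    # that applies from the architecture of the OS currently running.
    $is64      = $os.OSArchitecture -like '64*'
    $minRamGB  = if ($is64) { 2 } else { 1 }
    $minDiskGB = if ($is64) { 20 } else { 16 }

    # Firmware reserves a little RAM, so round to one decimal before comparing
    # (a nominal 2 GB machine reports slightly under 2 GB).
    $ramGB  = [math]::Round($sys.TotalPhysicalMemory / 1GB, 1)
    $diskGB = [math]::Round($disk.Size / 1GB, 1)
    $cpuGHz = [math]::Round($cpu.MaxClockSpeed / 1000, 2)   # MaxClockSpeed is in MHz
    $resX   = $gpu.CurrentHorizontalResolution
    $resY   = $gpu.CurrentVerticalResolution

    # TPM: BitLocker needs a TPM (or, failing that, a USB startup key).
    try {
        $tpm      = Get-Tpm -ErrorAction Stop
        $tpmValue = "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
        $tpmPass  = [bool]$tpm.TpmPresent
    } catch {
        $tpmValue = 'Get-Tpm unavailable or failed'
        $tpmPass  = $false
    }

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS firmware.
    try {
        $sbValue = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
        $sbPass  = ($sbValue -eq 'Enabled')
    } catch {
        $sbValue = 'Not a UEFI system'
        $sbPass  = $false
    }

    $checks = @(
        [pscustomobject]@{ Check = 'Processor >= 1 GHz';     Value = "$cpuGHz GHz";     Pass = ($cpu.MaxClockSpeed -ge 1000) }
        [pscustomobject]@{ Check = "RAM >= $minRamGB GB";     Value = "$ramGB GB";       Pass = ($ramGB -ge $minRamGB) }
        [pscustomobject]@{ Check = "Disk >= $minDiskGB GB";   Value = "$diskGB GB";      Pass = ($diskGB -ge $minDiskGB) }
        [pscustomobject]@{ Check = 'Display >= 800x600';      Value = "${resX}x${resY}"; Pass = ($resX -ge 800 -and $resY -ge 600) }
        [pscustomobject]@{ Check = 'TPM present (BitLocker)'; Value = $tpmValue;         Pass = $tpmPass }
        [pscustomobject]@{ Check = 'Secure Boot (UEFI)';      Value = $sbValue;          Pass = $sbPass }
    )

    [pscustomobject]@{
        Architecture = $os.OSArchitecture
        # Only the first four checks are minimum requirements; TPM and Secure
        # Boot are feature-specific and reported separately.
        MeetsMinimum = -not ($checks[0..3] | Where-Object { -not $_.Pass })
        Checks       = $checks
    }
}

# Usage: list every check and its result, then the overall verdict.
$result = Test-Win10Readiness
$result.Checks | Format-Table Check, Value, Pass -AutoSize
"Meets Windows 10 minimum requirements ($($result.Architecture)): $($result.MeetsMinimum)"
```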

Device drivers
Windows will detect most hardware and install the appropriate driver needed to support the device.
Many companies producing hardware have their drivers tested and certified at the Windows Hardware
Quality Labs and are delivered through Windows update.
However, you might not be able to find a built-in driver for a specific piece of hardware. Depending on
your deployment method, there may be a need to deploy the driver as part of the OS installation. The
best way to find drivers for hardware is to search the manufacturer’s website.

Check for Hyper-V Compatibility


To verify compatibility, open a PowerShell window or a command prompt and run systeminfo.exe. If all
listed Hyper-V requirements have a value of Yes, your system can run the Hyper-V role. Below you can
see that the hardware requirements highlighted above are checked when systeminfo.exe is run.

If Hyper-V is already enabled on the system, you will see the following message from systeminfo.exe:
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
For more information on Hyper-V compatibility, you can see: https://aka.ms/AA5u9xd
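The following PowerShell function is an added example, not part of the course text: it parses the Hyper-V Requirements block that systeminfo.exe prints, reports which requirements (including Second Level Address Translation) show No, and treats the "A hypervisor has been detected" message above as its own result. It assumes English-language systeminfo output (the labels are localized) and is demonstrated on a constructed sample rather than live output.

```powershell
# Added example (not from the course): parse the "Hyper-V Requirements" block
# of systeminfo.exe output and report which requirements are not met.
# Assumes English-language systeminfo output; the labels are localized.

function Get-HyperVRequirementStatus {
    [CmdletBinding()]
    param(
        # Pass saved systeminfo output to parse a report collected elsewhere;
        # omit it to run systeminfo.exe on this machine.
        [string[]]$SystemInfoOutput
    )

    if (-not $SystemInfoOutput) { $SystemInfoOutput = & systeminfo.exe }

    $requirements = [ordered]@{}
    $inSection = $false
    foreach ($line in $SystemInfoOutput) {
        if ($line -match '^Hyper-V Requirements:\s*(.*)$') {
            $inSection = $true
            $rest = $Matches[1]
            # With Hyper-V already enabled, systeminfo prints this message
            # instead of the Yes/No lines.
            if ($rest -match 'hypervisor has been detected') {
                return [pscustomobject]@{
                    Status = 'HypervisorAlreadyRunning'; Capable = $true
                    Missing = @(); Requirements = $requirements
                }
            }
            # The first requirement shares the line with the section label.
            if ($rest -match '^(.+?):\s*(Yes|No)\s*$') { $requirements[$Matches[1]] = $Matches[2] }
            continue
        }
        if ($inSection) {
            if ($line -match '^\s+(.+?):\s*(Yes|No)\s*$') { $requirements[$Matches[1]] = $Matches[2] }
            elseif ($line.Trim()) { break }   # a non-indented line ends the section
        }
    }

    if ($requirements.Count -eq 0) {
        return [pscustomobject]@{
            Status = 'SectionNotFound'; Capable = $false
            Missing = @(); Requirements = $requirements
        }
    }

    # Every listed requirement must read "Yes" for the Hyper-V role to run.
    $missing = @($requirements.Keys | Where-Object { $requirements[$_] -ne 'Yes' })
    [pscustomobject]@{
        Status       = if ($missing.Count -eq 0) { 'Capable' } else { 'NotCapable' }
        Capable      = ($missing.Count -eq 0)
        Missing      = $missing
        Requirements = $requirements
    }
}

# Constructed sample (not captured from a real machine) in the layout
# systeminfo.exe uses: one requirement per line, indented under the label.
$sample = @(
    'System Type:               x64-based PC',
    'Hyper-V Requirements:      VM Monitor Mode Extensions: Yes',
    '                           Virtualization Enabled In Firmware: No',
    '                           Second Level Address Translation: Yes',
    '                           Data Execution Prevention Available: Yes'
)
$parsed = Get-HyperVRequirementStatus -SystemInfoOutput $sample
"Status: $($parsed.Status); missing: $($parsed.Missing -join ', ')"

# Live check on this machine:
# Get-HyperVRequirementStatus | Format-List Status, Missing
```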
Installation Methods
Lesson Introduction
Windows has several different methods of installation. Scenarios such as whether you are deploying for a
new or existing user, replacing a machine, or upgrading the OS are some of the factors that can determine
the installation method.
In this lesson, you will also learn about the different methods for installing Windows 10 and describe the
process of installing Windows 10.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the options available for installing and deploying Windows 10.
●● Understand the process of installing Windows 10.
●● Describe the methods of activation for Windows 10.
●● Describe the factors to consider in a new machine deployment.

Overview of Windows 10 Installation Methods


Deploying a new version of Windows requires proper planning for organizations. Using a traditional wipe
and load process requires creating a custom Windows image for the organization, identifying and
obtaining all the needed drivers and apps for reinstallation, and significant engineering effort to implement
the process. The good news is that if you have a process that works for Windows 7, Windows 8, or
Windows 8.1, upgrading the process to support Windows 10 is straightforward.
From a compatibility perspective, our testing has shown that virtually all devices running Windows 7,
Windows 8, or Windows 8.1 can run Windows 10.
With new capabilities in Windows 10 to help with the configuration of new computers, in-place upgrades
have become the recommended method for upgrading from a previous version, avoiding the need for
wiping or reimaging. Tools for determining application compatibility were updated, such as Microsoft
Deployment Toolkit (MDT), and the User State Migration Tool (USMT). Windows 10 also introduces new
methods of achieving a “clean install” without having to wipe and reload.
For desktop apps, compatibility is also very good, with greater than ninety percent of apps that “just
work” on the new OS. For existing Windows Store apps, including modern line-of-business apps, these
should also just work.
Many customers identify web application compatibility as a significant cost to upgrading, as web apps
may have to be tested and upgraded before adopting a new browser. Enterprise Mode for Internet
Explorer 11 and Microsoft Edge provides improved Internet Explorer 8 compatibility for all editions of
Windows 7 and Windows 8.1, and can be helpful for customers that want to upgrade to the latest version
of Internet Explorer but have experienced compatibility issues. Internet Explorer 11 and the new Microsoft
Edge browser are both included in Windows 10.
Enterprise Mode is available as an update to all Internet Explorer 11 customers, but is turned off by
default. Consumers and commercial customers won’t see Enterprise Mode unless it is turned on by using
Group Policy or registry keys.
Note: To learn more about Enterprise Mode for Internet Explorer 11, go to the Internet Explorer TechNet
site https://aka.ms/O5vyk5
Installation Methods for Windows 10


You can install Windows 10 in a number of different ways, including the following:

In-place upgrade
Perform an upgrade, which also is known as an in-place upgrade, when you want to replace an existing
version of Windows 7 or Windows 8.1 with Windows 10, and you wish to retain all user applications, files,
and settings. For the home or small business user, you can run Setup.exe from a product media or from a
network share. During an in-place upgrade, the Windows 10 installation program automatically retains all
user settings, data, hardware device settings, apps, and other configuration information. We recommend
this method for existing Windows 7 and 8.1 devices. An in-place upgrade has four phases:
●● Checking the system
●● Installing Windows 10 with the Windows Preinstallation Environment (PE)
●● The first startup
●● Installing the Windows operating system and the second startup
You can stop and roll back an installation during any of these four phases. However, we recommend that
you always back up any important data, whether performing an upgrade, or as a periodic maintenance
function.

New deployments
A new deployment of Windows 10 involves performing a clean installation. With Windows 10, there are a
few different approaches to this.
●● Install Media. To perform a clean installation on a computer without an operating system (also
known as a “bare-metal” installation), start the computer directly from the media. If the computer
already has an operating system, run Setup.exe to start the installation. You can run Setup.exe from
either a DVD, USB, or network share.
●● System Image. This is typically a file that contains a “snapshot” of a generic computer with the OS
installed, including configurations and even apps already installed, that is essentially copied to the
target system’s hard drive. There are various tools available for creating and deploying images. Imaging
has traditionally been the preferred method used in medium and large organizations, as deployment
is faster than installing with media, and typically automated.
●● Windows Autopilot. If the computer already has Windows 10, Windows Autopilot can be used to
achieve the same state as a new deployment. It leverages the existing Windows 10 installation to
restore the machine to a “first-run” experience, but allows administrators to apply organization-specific
configurations and even some types of apps. As most new computers come with Windows pre-installed,
this enables organizations to achieve the same result as re-imaging for some scenarios, without the
need to deploy an entire image over a network, and reduces the number of custom images.
Note: If you perform a clean installation on a hard disk partition that contains a Windows operating
system, existing Windows files are moved to a \Windows.old directory. This includes files in the Users and
Program Files folders and the Windows directory.

Migration
You perform a migration when you have a computer that is running Windows 7, Windows 8, or Windows
8.1, and you need to move files and settings from that operating system (the source computer) to the
Windows 10 computer (the destination computer). Perform a migration by doing the following:
●● Back up user settings and data.
●● Perform a clean installation.
●● Reinstall the apps.
●● Restore user settings and data.
There are two migration scenarios, side-by-side and wipe-and-load. In side-by-side migration, the source
computer and the destination computer are two different computers. In wipe-and-load migration, the
target computer and the source computer are the same. In a wipe and load migration, migration data is
captured and moved to a location off the computer, usually a network shared folder. After this, the
source operating system is wiped from the host. The destination operating system replaces the source
operating system and the migration data then is restored from the safe location.

Provisioning
Using the Windows Configuration Designer tool, you can create provisioning packages with specific
configurations and settings. This package can be applied to a target Windows 10 device quickly, without
the need for installing a new image. Provisioning can be useful in small to mid-size organizations and
BYOD scenarios.
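The following script is an added example and is not part of the course text. It applies a provisioning package created with Windows Configuration Designer from PowerShell, but only after checking the package's SHA-256 hash against a value recorded when the package was built. The package path, the expected hash and the log folder are placeholders for this illustration; the Provisioning module cmdlets it calls ship with Windows 10.

```powershell
# Added example (not from the MD-100 course text): verify, then apply, a
# provisioning package (.ppkg) built with Windows Configuration Designer.
#Requires -RunAsAdministrator

param(
    [string]$PackagePath  = 'C:\Deploy\Contoso-Baseline.ppkg',   # assumed location of the package
    [string]$ExpectedHash = '0000000000000000000000000000000000000000000000000000000000000000',  # assumed: hash recorded at build time
    [string]$LogDirectory = 'C:\Deploy\Logs'
)

function Test-PackageIntegrity {
    param([string]$Path, [string]$Expected)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Provisioning package not found: $Path"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $Expected.ToUpperInvariant()) {
        throw "Hash mismatch for ${Path}: expected $Expected, got $actual. Refusing to apply."
    }
    return $true
}

# A package that is applied by mistake, or swapped on a file share, can join the device
# to a tenant, enroll it in MDM, or create local accounts, so treat the file like an
# installer: verify it before applying it.
Test-PackageIntegrity -Path $PackagePath -Expected $ExpectedHash | Out-Null

New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null

# -QuietInstall suppresses the consent prompt that an interactive user would otherwise see.
Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall -LogsDirectoryPath $LogDirectory

# Confirm the package is now recorded on the device.
Get-ProvisioningPackage -AllInstalledPackages | Format-List
```

Keeping the expected hash in the deployment script (or in a signed manifest) rather than next to the package on the share is the point of the check: an attacker who can replace the .ppkg on the share should not also be able to replace the value it is compared against.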

Refresh
When a Windows 10 device begins having problems such as not responding, frequent errors, or simply
running slowly, refreshing the OS can often be easier than spending significant time trying to troubleshoot
the root cause. Windows 10 offers two different methods of easily refreshing the OS:
●● Reset the PC. This method essentially reverts the machine to the original state of the image that
was used to install Windows, which can include third-party software if it was included in the image.
While technically not a deployment, as the PC uses the existing Windows installation, this option can
be an alternative to the traditional method of wiping and reloading the OS.
●● Fresh Start. This option installs a clean version of Windows 10. This removes any pre-installed
manufacturer apps, Microsoft apps such as Office, support apps, and third-party drivers, leaving only
 Installation Methods  25

what is included with a standard installation of Windows 10 and any Microsoft Store apps that the
manufacturer may have installed. Apps that are removed must be reinstalled. This may also cause the loss
of digital licenses and entitlements associated with the PC. Fresh Start is only available on Windows
10 Home and Pro.
Both options can keep user data. However, the Reset PC option also offers the option to remove everything,
making it an effective option for retiring the device or transferring ownership. When resetting for that
purpose, choose the option that cleans the drive rather than the one that only removes files, so that the
previous owner's data cannot be recovered from free space.
You can perform an automated installation when you use any of the above installation methods in
combination with an automation tool to make the installation more seamless or to remove repetitive
tasks from the installation process. Automated installations can take many forms, including pushing
pre-made images to computers by using an enterprise-level tool such as the Microsoft Deployment
Toolkit (MDT), Windows Deployment Services (WDS), and System Center Configuration Manager, or even by
creating an answer file manually to provide information directly to the installation process.

The Process of Installing Windows 10


The process of deploying a Windows operating system is simpler today than it has been in the past. The
person who performs the deployment has fewer decisions to make. However, those decisions are critical
to the success of the deployment.

A typical manual installation of Windows 10 involves performing the following procedure:


1. Connect to the installation source. Options for this include:
●● Insert a DVD or USB Media containing the Windows 10 installation files, and boot from the DVD.
26  Module 1 Installing Windows  

●● Perform a PXE boot, and connect to a Windows Deployment Services server.


2. On the first page of the Windows Setup Wizard, select the following:
●● Language to install
●● Time and currency format
●● Keyboard or input method
3. On the second page of the Windows Setup Wizard, select Install now. You also can use this page to
select Repair Your Computer. You use this option in the event that an installation has become
corrupt, and you are no longer able to boot into Windows 10.
4. On the License Terms page, review the terms of the operating system license. You must choose to
accept the license terms before you can proceed with the installation process.
5. On the Which Type Of Installation Do You Want page, you have the following options:
●● Upgrade. Select this option if you have an existing installation of Windows that you want to
upgrade to Windows 10. You should launch upgrades from within the previous version of Windows
rather than booting from the installation source.
●● Custom. Select this option if you want to perform a new installation.
6. On the Where do you want to install Windows page, choose an available disk on which to install
Windows 10. You can also choose to repartition and reformat disks from this page. If you want to do
this from the command line, you can press Shift+F10 to open a command prompt. Be aware that this
prompt runs with SYSTEM privileges and is available to anyone with physical access to the device while
Setup, or a later feature update, is running; for in-place upgrades and feature updates it can be disabled
by creating an empty file named DisableCMDRequest.tag in %WINDIR%\Setup\Scripts. When you select
Next, the installation process copies files and restarts the computer several times.
7. On the Set up for you, so you can get going fast page, select Use Express settings.
8. If the computer does not have Internet access, you might see a page telling you something went
wrong. Select Skip to continue the installation. The installation will then skip to number 12 in this list,
Create an account for this PC.
9. On the Who owns this PC? page, select This device belongs to my company, and then select Next.
Depending on your choice in this step, the installation will take two different directions. If you indicate
that this is a private computer, the setup program asks you to sign in with your Microsoft account or
create a new one or a local account. If you indicate that this is a company computer, the setup
program asks you to sign in with your Microsoft 365 account or create a local account. Depending on
which edition of Windows 10 you install, you may or may not see this page.
10. On the Heads up page, select Continue.
11. On the Let’s get you signed in page, select Skip this step.
12. On the Create an account for this PC page, type the username you want to use together with a pass-
word and a password hint, and then select Next.
13. This concludes the installation of Windows 10. You have signed in and you have installed the built-in
universal apps. It will take a few minutes before you see the desktop.
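As an added example for step 6 above (this script is not part of the course text), the following PowerShell wrapper writes and runs a diskpart script that creates the partition layout Microsoft documents for UEFI systems: an EFI system partition, the Microsoft Reserved partition, the Windows partition and a recovery partition. It assumes that PowerShell is available in the boot environment (the WinPE-PowerShell optional component in a custom boot image, or a full Windows session targeting a secondary disk) and that the disk number was checked beforehand with diskpart's list disk. The script is destructive: it erases the selected disk, which is why it asks for the disk number to be confirmed.

```powershell
# Added example (not from the MD-100 course text): apply the documented UEFI/GPT
# layout to a target disk via diskpart, with an explicit confirmation step.

param(
    [int]$DiskNumber = 0,     # assumed: the disk that Windows will be installed on
    [int]$RecoveryMB = 500    # space held back for the recovery tools partition
)

function New-UefiLayoutScript {
    param([int]$Disk, [int]$RecoveryMB)
    # The GUID below is the partition type for Windows recovery tools; the GPT attribute
    # 0x8000000000000001 marks the partition as required so the OS does not offer to delete it.
    @"
select disk $Disk
clean
convert gpt
rem == 1. System (EFI) partition ==
create partition efi size=100
format quick fs=fat32 label="System"
assign letter="S"
rem == 2. Microsoft Reserved partition ==
create partition msr size=16
rem == 3. Windows partition (shrunk to leave room for recovery) ==
create partition primary
shrink minimum=$RecoveryMB
format quick fs=ntfs label="Windows"
assign letter="W"
rem == 4. Recovery tools partition ==
create partition primary
format quick fs=ntfs label="Recovery"
assign letter="R"
set id="de94bba4-06d1-4d40-a16a-bfd50179d6ac"
gpt attributes=0x8000000000000001
list volume
exit
"@
}

$scriptPath = Join-Path $env:TEMP "CreatePartitions-UEFI-disk$DiskNumber.txt"
New-UefiLayoutScript -Disk $DiskNumber -RecoveryMB $RecoveryMB |
    Set-Content -Path $scriptPath -Encoding ASCII

# Refuse to proceed unless the operator types the disk number back; "clean" is irreversible.
$answer = Read-Host "This will erase disk $DiskNumber. Type the disk number to confirm"
if ($answer -ne "$DiskNumber") { Write-Warning 'Aborted; no changes were made.'; return }

& diskpart.exe /s $scriptPath
if ($LASTEXITCODE -ne 0) {
    throw "diskpart returned $LASTEXITCODE; review its output and re-check 'list disk' before retrying."
}
```

After the script finishes, return to the Where do you want to install Windows page, select Refresh, and choose the partition labelled Windows. Leaving the recovery partition as the last partition on the disk is what allows later feature updates to grow it when the recovery tools need more space.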

Activating Windows 10
All editions of Windows 10 require activation. Activation confirms the licensing status of a Windows
product and ensures that the product key has not been compromised. The activation process links the
software’s product key to a particular installation of that software on a device. If the device hardware
changes considerably, you need to activate the software again. Activation assures software integrity and
provides you with access to Microsoft support and a full range of updates. Activation is also necessary if
you want to comply with licensing requirements. Depending on the license type, you may find that the
license is locked to that particular hardware. In this case, you may not install Windows 10 on another
computer with the same license.
Unlike Windows 7, Windows 10 does not have a grace period. You must activate Windows 10 immediately
upon installation. Failure to activate a Windows operating system will prevent users from completing
customization. In older versions of the Windows operating system, activation and validation with the
Windows Genuine Advantage tool occurred separately. This caused confusion for users who thought the
terms were interchangeable. In Windows 10, activation and validation occur at the same time. If you wish
to evaluate Windows 10, Microsoft provides a separate evaluation edition that is available as an .iso
image file to Microsoft Developer Network (MSDN) subscribers and Microsoft partners.

Activation methods
There are three main methods for activation:
●● Retail. Any Windows 10 product purchased at a retail store comes with one unique product key that
you type in during product installation. Use the product key to complete activation after installing the
operating system.
●● OEM. OEM system builders typically sell computer systems that include a customized build of Windows
10. You can perform OEM activation by associating the operating system with the computer
system.
●● Microsoft Volume Licensing (volume activation). Microsoft Volume Licensing is a series of software
licensing programs that are tailored to the size and purchasing methods of your organization. Volume
customers set up volume licensing agreements with Microsoft. These agreements include Windows
upgrade benefits and other benefits related to value-added software and services. Microsoft Volume
Licensing customers use Volume Activation Services to assist in activation tasks, which consist of
Active Directory–based activation, Key Management Service (KMS), and multiple activation key (MAK)
models.
You can view the Windows 10 activation status on the System properties page or by running the
following command:
cscript C:\windows\system32\slmgr.vbs -dli

Activation troubleshooter
You can use the Activation troubleshooter in the Settings app to fix problems related to licensing and
version conflicts, and hardware changes that can affect your device’s activation status. To open the
Activation troubleshooter, perform the following steps:
1. Select Start, and then select Settings.
2. In the Settings app, select Updates and Security, and then select Activation.
3. On the Activation page, select Troubleshoot to begin.
Note: You must have Administrator privileges to use the troubleshooter.
Key Management Service (KMS) Overview


KMS is a client-server model, conceptually similar to DHCP: where a DHCP server hands out IP addresses
to clients on request, a KMS host hands out activations. KMS is also a renewal model, with the clients
attempting to reactivate on a regular interval. There are two roles: the KMS host and the KMS client.
●● The KMS host runs the activation service and enables activation in the environment. The KMS host is
the system on which you install a key (the KMS host key from the Volume Licensing Service Center
(VLSC)) and then activate the service. The host operating systems listed in the original edition of this
material (Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008, and Windows Server
2008 R2) predate Windows 10; a host that activates Windows 10 clients must run a currently supported
Windows release with a KMS host key that covers Windows 10.
●● The KMS client is the Windows operating system that is deployed in the environment and needs to
activate. KMS clients can be running any edition of Windows that uses Volume Activation, that is, the
editions available to volume license customers (the original list here, Windows 7, Windows Vista,
Windows Server 2008 R2, and Windows Server 2008, is likewise dated). KMS clients come with a key
preinstalled, called the Generic Volume License Key (GVLK) or KMS Client Setup Key. The presence of the
GVLK is what makes a system a KMS client. KMS clients find the KMS host via a DNS SRV record
(_vlmcs._tcp) and then automatically attempt to discover and use this service to activate themselves.
When in the 30-day out-of-box grace period, they try to activate every 2 hours. Once activated, the
KMS clients attempt a renewal every 7 days; each successful activation is valid for 180 days, so a client
that cannot reach a host within that window falls out of activation. Because discovery relies on DNS,
a stale or planted _vlmcs record can point clients at a host you do not control, so the discovered host
should be checked against the one you actually sanctioned.
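The following script is an added example, not part of the course text, covering both the activation status check above (the slmgr.vbs -dli command) and the KMS discovery described in this topic. It reads the same licensing data slmgr uses through the SoftwareLicensingProduct WMI class, then resolves the _vlmcs._tcp SRV record and flags any host that is not on the organization's sanctioned list. The domain name and the sanctioned host name are placeholders.

```powershell
# Added example (not from the MD-100 course text): report Windows activation state
# and verify that the KMS host clients discover through DNS is the sanctioned one.

$SanctionedKmsHosts = @('kms01.contoso.com')   # assumed: the only host that should answer
$ActivationDomain   = 'contoso.com'            # assumed: DNS zone holding the _vlmcs record

# ApplicationID of the Windows product family; the PartialProductKey filter keeps only the
# edition that actually has a key installed (the class holds one row per known edition).
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

$licenseStatusText = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'Initial grace (OOB)'; 3 = 'Additional grace (OOT)'
    4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace'
}

function Get-WindowsActivationState {
    $lic = Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "ApplicationID='$WindowsAppId' AND PartialProductKey IS NOT NULL" |
        Select-Object -First 1
    [pscustomobject]@{
        Edition        = $lic.Name
        Channel        = $lic.ProductKeyChannel     # 'Volume:GVLK' on a KMS client, 'Retail', 'OEM:DM', ...
        Status         = $licenseStatusText[[int]$lic.LicenseStatus]
        GraceRemaining = [TimeSpan]::FromMinutes($lic.GracePeriodRemaining)
        KmsHostUsed    = $lic.DiscoveredKeyManagementServiceMachineName
        KmsPort        = $lic.DiscoveredKeyManagementServiceMachinePort
    }
}

function Test-KmsHostIsSanctioned {
    param([string]$Domain, [string[]]$Sanctioned)
    # Clients pick a host from the _vlmcs._tcp SRV records; anything not on the sanctioned
    # list is either a stale record from a decommissioned host or a rogue host.
    $records = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    foreach ($r in $records) {
        [pscustomobject]@{
            Host       = $r.NameTarget
            Port       = $r.Port
            Sanctioned = ($Sanctioned -contains $r.NameTarget.TrimEnd('.'))
        }
    }
}

Get-WindowsActivationState | Format-List
Test-KmsHostIsSanctioned -Domain $ActivationDomain -Sanctioned $SanctionedKmsHosts | Format-Table -AutoSize

# Once the discovered host checks out, a client can be told to renew immediately:
#   cscript //nologo C:\Windows\System32\slmgr.vbs /ato
# and the detailed view, including the KMS host and the renewal interval, comes from:
#   cscript //nologo C:\Windows\System32\slmgr.vbs /dlv
```

A client that reports Status as Licensed but KmsHostUsed as a name that is not sanctioned has activated against something other than your infrastructure; that is worth an incident ticket, not a shrug, because whoever runs that host controls when those clients stop being activated.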

Considerations for New Deployments


You can use different strategies to deploy an operating system on a new computer. The strategy that best
fits your needs depends on different factors, such as the number of devices to which you must deploy the
operating system, deployment scenarios, user needs, and deployment tools that are available in your
organization.
You can follow the guidelines below to identify the best strategy for your needs, including that you
should:
●● Identify the deployment scenario or scenarios. The scenario that you face determines the need for
restoring user state data. Most organizations face two basic deployment scenarios:
●● New device. You need to install an operating system on a new device that your organization has
not used. In this scenario, if you deploy a device for a new user, there might be no user state data
to migrate. This also can include existing devices that you treat as new, where you do not need to
retain any of the device’s data.
●● Replacement device. You use a new device as a replacement for an existing device. Therefore, you
have to transfer the existing device’s user state data to the new device.
●● Identify the operating system architectures to use. Your environment might still contain 32-bit and
64-bit devices. By identifying the available architectures, you can determine the minimum number of
images that you must create.
●● Identify the necessary device drivers. Different hardware requires different drivers. Make sure that you
identify and secure the necessary drivers for each hardware device that you use from a particular
manufacturer. Do this for all applicable manufacturers.
●● Identify storage and network resources that you can use during deployment. You must store images,
installation files, device drivers, and user state data, and then copy this data to the device that is
undergoing deployment. Ensure that you identify available file servers, and estimate the amount of
space that you need for each item that you must store and copy.
●● Identify operating system features and settings that each deployment requires. You can automate
most settings to apply during deployment. Most organizations enable BitLocker Drive Encryption on
their Windows-based mobile devices. You can customize your deployment process to enable BitLocker
after deployment.
●● Identify how you will handle licensing and activation. Smaller organizations usually have an individual
product key per device, while larger organizations might use Active Directory-based activation, Key
Management Service (KMS), or multiple activation keys (MAKs).
●● Identify critical apps that you must maintain post-deployment. You need to ensure that apps are
compatible with new operating systems or that you can mitigate any incompatibilities. You will learn
how to handle application compatibility issues in a later module.
●● Document your environment and choose the appropriate strategy based on the identified information.
Upgrading and Migrating to Windows 10


Lesson Introduction
The decision to upgrade or migrate from a previous Windows version can involve several factors. You
must also decide how to perform the upgrade or migration. A large number of parameters can contribute
to the upgrade decision. However, at the end of the process, the goal is always the same. You want to
have your computer running the newest operating system, while retaining settings or data that existed in
the Windows operating system prior to installing Windows 10.
This lesson examines the upgrade and migration processes, identifies different methods that you can use
for upgrading and migrating your operating system, and considerations when choosing which method
best suits the scenario.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the process of upgrading Windows 10.
●● Describe the factors to consider when deciding to upgrade to Windows 10.
●● Describe the process of migrating to Windows 10.
●● Understand the considerations when choosing between the upgrade and migration processes.
●● Upgrade a device to Windows 10.

The Process of Upgrading to Windows 10


An in-place upgrade replaces the operating system on your computer while retaining all programs,
program settings, user-related settings, and user data. Performing an in-place upgrade from Windows 7
with Service Pack 1 (SP1) or Windows 8.1 Update is the easiest way to upgrade to Windows 10. The
process for upgrading to Windows 10 includes the following steps:
Evaluate
Before starting the upgrade, you must evaluate whether your computer meets the requirements needed
to run Windows 10. If you are upgrading more than one computer, you should consider using the
Application Compatibility Toolkit (ACT) and Microsoft Assessment and Planning Toolkit (MAP) to assess
your organization's readiness. You must determine whether any installed applications will have
compatibility problems while running on Windows 10. ACT, which is a part of the Windows ADK for
Windows 10, provides several tools that can assist with evaluating potential compatibility problems.
Back up
To prevent data loss during the upgrade process, back up any data and personal settings before starting
the upgrade. You can back up data to any appropriate media, such as tape, removable storage, writable
disc media, or a network shared folder.
Upgrade
After evaluating your computer requirements, and backing up your data and personal settings, you are
ready to perform the actual upgrade. To perform the upgrade, run the Windows 10 installation program
(setup.exe) from the product DVD, removable media, or a network share. If your computer supports an
in-place upgrade to Windows 10, you can select Upgrade during the installation process. The installation
program prevents you from selecting the upgrade option if an in-place upgrade is not possible. This
might occur for several reasons, such as your computer lacking sufficient disk space, or your current
Windows edition not supporting a direct upgrade to the Windows 10 edition that you want to install. In
this case, stop the upgrade process and resolve the indicated problem before attempting the upgrade
again.
Note: We recommend that you disable antivirus programs before attempting an upgrade, and re-enable
them as soon as the upgrade completes and you have verified that the computer starts correctly.
Verify
When the upgrade completes, sign in to your computer, and verify that all of the applications and
hardware devices function correctly.
Update
Finally, determine whether there are any relevant updates to the Windows 10 operating system, and
apply them to your computer. It is important to keep the operating system up to date to protect against
security threats. You also can check for updates during the upgrade process. Dynamic Update is a feature
of Windows 10 Setup that downloads any critical fixes and drivers that the setup process requires. With
Windows as a Service, it is more important than ever to make sure your Windows-based computer is up
to date, because you may also receive new functionality via Windows Update.
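The Evaluate and Upgrade steps above can be rehearsed without touching the existing installation. The script below is an added example, not part of the course text, that runs Windows 10 Setup in compatibility-scan-only mode and translates the documented exit codes, so the cases in which Setup would refuse the Upgrade option (insufficient disk space, an unsupported edition or architecture, a hard application block) are found before a technician or user is sent the media. It assumes the installation media is mounted or extracted at the path in $SetupRoot.

```powershell
# Added example (not from the MD-100 course text): run setup.exe /Compat ScanOnly
# and report the result without performing the upgrade.
#Requires -RunAsAdministrator

param(
    [string]$SetupRoot = 'D:\',               # assumed: mounted Windows 10 ISO or extracted media
    [string]$LogDir    = 'C:\Upgrade\ScanLogs'
)

# Exit codes documented for setup.exe /Compat ScanOnly (Windows Setup command-line options).
$ScanResult = @{
    'C1900210' = 'No compatibility issues found; upgrade can proceed'
    'C1900208' = 'Hard compatibility block (app or driver); see the CompatData XML in the logs'
    'C1900204' = 'Upgrade path not available (edition, architecture or language mismatch)'
    'C1900200' = 'Device does not meet the minimum system requirements'
    'C190020E' = 'Insufficient free disk space'
}

function Invoke-SetupCompatScan {
    param([string]$Root, [string]$Logs)
    $setup = Join-Path $Root 'setup.exe'
    if (-not (Test-Path -LiteralPath $setup)) { throw "setup.exe not found under $Root" }
    New-Item -ItemType Directory -Path $Logs -Force | Out-Null

    # /DynamicUpdate Disable keeps the scan offline and repeatable; drop it to let Setup
    # download current compatibility data first, which is what a real upgrade does.
    $setupArgs = '/Auto Upgrade /Quiet /NoReboot /DynamicUpdate Disable /Compat ScanOnly ' +
                 "/CopyLogs `"$Logs`""
    $p = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru -NoNewWindow

    # ExitCode is a signed Int32; formatting it as 8 hex digits gives the documented value.
    $hex = '{0:X8}' -f $p.ExitCode
    [pscustomobject]@{
        ExitCodeHex = $hex
        Meaning     = if ($ScanResult.ContainsKey($hex)) { $ScanResult[$hex] } else { 'Unknown; inspect setupact.log' }
        CanUpgrade  = ($hex -eq 'C1900210')
        LogFolder   = $Logs
    }
}

Invoke-SetupCompatScan -Root $SetupRoot -Logs $LogDir | Format-List
```

Run across a pilot group, the CanUpgrade column is what decides which devices get an in-place upgrade and which need the migration path described in the next topics.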

Supported Upgrade Paths


Performing an in-place upgrade to Windows 10 can save time and enable you to retain user settings and
computer settings from a previous Windows version. However, the Windows version from which you are
upgrading will dictate the options that are available for the upgrade process.

Upgrade paths for Windows editions


You cannot upgrade previous Windows versions that do not have the same feature set as the edition of
Windows 10 that you are installing. The following table lists upgrade possibilities based on Windows
editions.

Previous Windows edition      Windows 10 Home   Windows 10 Pro   Windows 10 Enterprise
Windows 8/8.1                 X
Windows 8/8.1 Pro                               X
Windows 8/8.1 Enterprise                                         X
Windows RT                    (no upgrade path)
Windows 7 Starter             X
Windows 7 Home Basic          X
Windows 7 Home Premium        X
Windows 7 Professional                          X
Windows 7 Ultimate                              X
Windows 7 Enterprise                                             X
If your computer has the latest updates and service packs and you are running Windows 8.1 Pro,
Windows 7 Home Basic, Windows 7 Home Premium, or Windows 7 Professional, you will receive the update
to Windows 10 from Windows Update. If you do not have the latest updates, you can still upgrade to
Windows 10, but you will have to perform the upgrade from media, such as a DVD.

Previous Windows edition   Media (.iso file)   Windows Update
Windows 8.1 Update         X                   X
Windows 8.1 RTM            X
Windows 8                  X
Windows RT                 (no upgrade path)
Windows 7 SP1              X                   X
Windows 7 RTM              X

Deprecated features
When you upgrade to Windows 10, there may be some features in your old operating system that will no
longer be available. The following list details the deprecated features that are not a part of Windows 10:
●● If you are running Windows 8.1 Pro with Media Center, Windows 8 Pro with Media Center, Windows 7
Home Premium, Windows 7 Professional, or Windows 7 Ultimate, Windows Media Center will no
longer be available.
●● You require separate software to play DVDs.
●● Windows 7 desktop gadgets will no longer be available when you install Windows 10.
●● Windows 10 Home users will have updates from Windows Update automatically available.
●● Solitaire, Minesweeper, and Hearts Games that come preinstalled on Windows 7 will no longer be
available when you upgrade to Windows 10. Microsoft has released universal apps called the Microsoft
Solitaire Collection and Microsoft Minesweeper.
●● If you have a USB floppy drive, you can download the latest driver from Windows Update or the
manufacturer's website.
●● If you have Windows Live Essentials installed, the installation of Windows 10 will replace the Microsoft
OneDrive application with the inbox version of OneDrive.

The Process of Migrating to Windows 10


If you cannot, or prefer not to, perform an in-place upgrade, you can perform a clean installation of
Windows 10, and then migrate the user-related files and settings. The process for migrating to Windows
10 includes the following steps:
1. Back up
2. Install Windows 10
3. Update
4. Install applications
5. Restore
Back up
Before installing the new operating system, you must back up all user-related settings and program
settings with USMT. Additionally, you should consider backing up the user data. Although the Windows
10 installation will not erase user data by default, it is a good practice to back up your data to protect
against accidental loss or damage during installation.
Note: Before the installation begins, you can choose to repartition or reformat the hard disk. If you
choose one of these actions, all user data will be deleted from the hard disk.
Note: When you do a clean installation of Windows 10 without reformatting the hard disk, the existing
Windows installation will be moved to a windows.old directory containing the Windows, Program Files,
and Users directories. All remaining directories and files stay in place.
Install Windows 10
Run the Windows 10 installation program (setup.exe) from the product DVD, removable media, or a
network share, and perform a clean installation by selecting Custom (advanced) during the installation
process. Then follow the on-screen instructions to complete the installation.
Update
If you chose not to check for updates during the installation process, it is important to do so after
verifying the installation. Keep your computer protected by ensuring that you have the most current
updates installed.
Install applications
Performing an upgrade by using a clean installation and migration process does not migrate the installed
applications. When you complete the Windows 10 installation, you must reinstall all applications.
Windows 10 may block the installation of any incompatible programs. To install any of these programs,
contact the software vendor for an updated version that is compatible with Windows 10.
Restore
After installing your applications, application settings and user-related settings must be migrated to the
new device.
●● The User State Migration Tool (USMT) can be used to migrate application and user settings from one
Windows 10 device to another. USMT is covered in more detail later in this course.
●● OneDrive can be used to synchronize user files and settings between devices. OneDrive is also
covered later in this course.
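The five-step migration process above, and the wipe-and-load scenario described in the earlier Migration topic, both come down to a capture before the clean installation and a restore after the applications are back. The script below is an added example, not part of the course text, of that capture and restore with USMT's ScanState and LoadState, with the store encrypted so the user data is not sitting in clear text on a file share while the device is reimaged. The ADK path, the share, the key file and the domain name are placeholders.

```powershell
# Added example (not from the MD-100 course text): wipe-and-load capture and restore
# with USMT, writing an encrypted migration store to a network share.
#Requires -RunAsAdministrator

param(
    [string]$UsmtPath = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool\amd64',  # assumed ADK install path
    [string]$Store    = '\\fileserver\MigData$\' + $env:COMPUTERNAME,   # assumed share, one store per device
    [string]$KeyFile  = 'C:\Deploy\usmt.key',   # assumed: key material kept off the share itself
    [string]$LogDir   = 'C:\Deploy\Logs'
)

function Invoke-Usmt {
    param([string]$Tool, [string[]]$Arguments)
    $exe = Join-Path $UsmtPath $Tool
    if (-not (Test-Path -LiteralPath $exe)) { throw "$Tool not found in $UsmtPath" }
    # Working directory is the USMT folder so the /i:MigApp.xml and /i:MigDocs.xml paths resolve.
    $p = Start-Process -FilePath $exe -ArgumentList $Arguments -WorkingDirectory $UsmtPath -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "$Tool failed with exit code $($p.ExitCode); see the log in $LogDir" }
    $p.ExitCode
}

function Save-UserState {
    # Capture on the source computer, before the wipe. /o overwrites an existing store,
    # /c continues past non-fatal errors, /ue:*\* with /ui:CONTOSO\* migrates only domain
    # accounts (the /ui rule takes precedence), /encrypt protects the store with the key file.
    Invoke-Usmt 'ScanState.exe' @(
        "`"$Store`"",
        '/i:MigApp.xml', '/i:MigDocs.xml',
        '/o', '/c', '/v:13',
        '/ue:*\*', '/ui:CONTOSO\*',                      # assumed domain name
        '/encrypt', "/keyfile:`"$KeyFile`"",
        "/l:`"$LogDir\scanstate.log`""
    )
}

function Restore-UserState {
    # Restore on the destination, after Windows 10 and the applications are installed.
    Invoke-Usmt 'LoadState.exe' @(
        "`"$Store`"",
        '/i:MigApp.xml', '/i:MigDocs.xml',
        '/c', '/v:13',
        '/decrypt', "/keyfile:`"$KeyFile`"",
        "/l:`"$LogDir\loadstate.log`""
    )
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
# On the source, before wiping:             Save-UserState
# On the destination, after installing apps: Restore-UserState
```

Two points a practitioner would check before trusting this in production: the share permissions should give each technician account write access only to that device's store, and the key file must be distributed separately from the share, otherwise the encryption adds nothing.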

Considerations for Choosing Between Upgrade


and Migration
When you decide to upgrade to Windows 10, you can use two different methods. You can do an in-place
upgrade if you want to keep all applications, settings, and files. This is the preferred method of upgrading
to Windows 10. The other method is to migrate. You use this method primarily when the users receive a
new computer with Windows 10 and you want to preserve the users’ files and settings.
In-place upgrade
The in-place upgrade is now the recommended way to move from an existing Windows operating system
to Windows 10. You perform an in-place upgrade when you want to replace an existing Windows version
with Windows 10, and you need to retain all user applications, files, and settings. To perform an in-place
upgrade to Windows 10, run the Windows 10 installation program (setup.exe), and select Upgrade. You
can run setup.exe from the product media or from a shared folder on the network. During an in-place
upgrade, the Windows 10 installation program retains all user settings, data, hardware device settings,
applications, and other configuration information automatically.
Best Practice: Always back up all of your important data before performing an upgrade.

Migration
You perform a migration when you have a computer already running the Windows operating system, and
you need to move files and settings from your old operating system (source computer) to the Windows
10–based computer (destination computer). Perform a migration by doing the following:
●● Back up the user’s settings and data
●● Perform a clean installation
●● Reinstall the applications
●● Restore the user’s settings and data
There are two migration scenarios: side-by-side, and wipe-and-load. In side-by-side migration, the source
computer and the destination computer are two different computers. In wipe-and-load migration, the
destination computer and the source computer are the same. To perform wipe-and-load migration, you
perform a clean installation of Windows 10 on a computer that already has an operating system, by
running the Windows 10 installation program, and then selecting Custom (advanced).
Note: Previously, migration was the recommended way to do upgrades, but now the in-place upgrade is
preferable.
In the previous topic, you learned about the difference between an in-place upgrade and a migration.
Each upgrade project is different, with circumstances that might support one over the other.
Considering in-place upgrade
In any potential upgrade scenario, there may be certain circumstances that favor an in-place upgrade.
However, there are also disadvantages to this process. The following table outlines the advantages and
disadvantages of in-place upgrades.

Advantages:
●● Retains user settings, application settings, and files with no additional effort.
●● Preserves installed applications, and typically does not require reinstallation of applications.
●● Does not require additional storage space for migration files.
●● Affects user productivity minimally, and preserves user settings and data just as in the source
computer.
●● Provides a simpler setup process.
●● Rollback is available in case of a problem.
Disadvantages:
●● Does not take advantage of the opportunity to start fresh with standardized reference configurations.
●● Preserved applications may not work correctly after upgrading from an older Windows version.
●● Remnant files or settings from the in-place upgrade may contribute to performance and security issues.
●● Does not allow for edition changes.
●● Is only available on supported operating systems.
●● The computer has to meet the minimum hardware requirements.
Considering migration
As an alternative, you might consider using the migration process. The following table outlines the
advantages and disadvantages of migrations.

Advantages:
●● Offers a fresh start with the opportunity to clean up existing computers and create more stable and
secure desktop environments, a significant advantage when creating a managed environment.
●● Allows for installation of any edition regardless of what edition was running previously on the
computers.
●● Provides the opportunity to reconfigure hardware-level settings, such as disk partitioning, before
installation.
●● Viruses, spyware, and other malicious software do not migrate to the new installation of Windows.
Disadvantages:
●● Requires the use of migration tools, such as USMT, to capture and restore user settings and data.
●● Requires reinstallation of applications.
●● Requires storage space for user settings and files to be migrated.
●● May have an impact on user productivity because of the reconfiguration of applications and settings.

Common Upgrade and Migration Scenarios


Because in-place upgrades are the preferred upgrade method, you should select the migration scenario
only when an in-place upgrade would not work. You need to look for any deciding factor that would
cause you to choose one over the other. Read the scenarios and choose between:
●● In-place upgrade
●● Side-by-side migration
●● Wipe and load migration
Scenario 1
Contoso Pharmaceuticals owns 100 workstations on which Windows 7 was manually installed. They want
to upgrade these workstations to Windows 10, and switch to a more standardized and managed
deployment. What is the best upgrade method for Contoso?
Scenario 2
Litware, Inc. has only 25 computers of different models. They do not employ any IT staff. Their users are
all local administrators who are skilled in managing their own computers. All their computers run
Windows 7 or Windows 8.1. They want to upgrade to Windows 10. What is the best upgrade method for
Litware?
Scenario 3
A. Datum Corporation has 5000 client computers running Windows 8.1 in a managed environment. All
computers have the same set of applications installed. They want to upgrade to Windows 10. What is the
best upgrade method for A. Datum?
Scenario 4
Contoso Pharmaceuticals discovers that not all computers will have hardware drivers for Windows 10.
They will need to purchase 50 new computers. What is the best upgrade method for the 50 users who are
getting new computers?
Deployment Methods
Lesson Introduction
While a manual installation might be suitable for a small organization with a few devices to support, this
quickly becomes tedious with many devices, not to mention, difficult to maintain.
Fortunately, Windows supports several different methods of automating the deployment process and
managing a large number of devices at scale. There are also various different tools for performing these
tasks.
Given the breadth of methods and tools for automating and performing large scale deployments, training
for these skills goes beyond the scope of this course. They are covered in further detail in the Managing
Modern Desktops course, MD-101. However, this lesson will provide an overview of what those tools and
processes are, as it's important for any IT professional supporting Windows 10 to be aware of these
methods and tools.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the different methods of automated desktop deployments.
●● Describe common tools used to perform automated steps.
●● Describe how to leverage virtualization in Windows 10.
●● Configure a Hyper-V virtual machine.

Deployment Options for Windows


When deploying Windows 10, there are several different tools and methods that can be used, depending
on the existing infrastructure and desired future state. These can be essentially grouped into three
categories.
Modern
Modern refers to the recommended method of deploying Windows 10. What is notable about modern
methods is that upgrades, migrations, and new deployments can occur without the need to reinstall the
OS or reimage the device. These methods include:
●● Windows Autopilot. Re-configure a Windows 10 device, effectively achieving a customized new
install with apps and settings already configured.
●● In-place upgrade. Use Windows Setup to update your OS and migrate apps and settings.
These methods are supported by existing tools such as the Microsoft Deployment Toolkit (MDT) and
Configuration Manager.
Dynamic
Like the modern methods, dynamic methods handle deployment scenarios that historically required a
reinstallation of Windows but no longer do. Dynamic deployment methods enable you to
configure applications and settings for specific use cases. Some examples are:
●● Subscription activation. Switch from Windows 10 Pro to Enterprise when a subscribed user signs in.
Organizations upgrading from Pro to Enterprise can instantly step up without having to reinstall
Windows.
●● Azure Active Directory (AAD), and mobile device management (MDM). You can automatically
join a device to AAD and enroll it in your management solution with no additional user interaction.
●● Provisioning packages. Using the Windows Imaging and Configuration Designer tool, create provi-
sioning packages, the collection of apps and settings customized for your deployment, to apply to
devices.
Traditional
Sometimes, deployment cannot be achieved through modern or dynamic methods. An organization's
existing infrastructure or configuration requirements may require deploying operating system images.
You will employ one of these methods:
●● Bare metal - Deploy to a new device with no operating system or wipe the existing device and deploy
with a fresh image.
●● Refresh - Also called wipe and load, redeploy a device by saving the user state, wiping the disk, then
restoring the user state.
●● Replace - Replace an existing device with a new one by moving the user state from the old device
and to the new device.

Client Virtualization
Most modern computers now include hardware to support virtualization. Virtualization (in the desktop
context) is the ability to install an OS and applications into a logical device (as opposed to a physical
machine). The most common use of this technology is to run multiple “instances” of computers on a
single computer and it is extensively used in server deployments. However, Windows 10 includes features
that allow clients to take advantage of virtualization as well.

Client Hyper-V
Client Hyper-V is the virtualization technology built into Windows 10 and Windows 8.x. It is the same
virtualization technology previously available only in Windows Server. Client Hyper-V enables you to run
one or more 32-bit or 64-bit x86 operating systems at the same time on the same host computer.
Instead of working directly with the computer’s hardware, the guest operating systems run inside a virtual
machine (VM). A virtual machine is a computing environment that is implemented in software and that
abstracts the hardware resources of the physical computer so that multiple operating systems can run
simultaneously on a single computer. Each operating system runs in its own virtual machine and is
allocated logical instances of the computer’s processors, hard disks, network cards, and other hardware
resources. An operating system that is running in a virtual machine is unaware that it is executing in a
virtual environment and behaves as if it exclusively controls the underlying physical computer’s hardware.
When discussing virtualization, the term Hypervisors is often used. A hypervisor is a virtualization platform
(like Hyper-V) that enables you to run multiple operating systems on a single physical computer called
the host computer. The main function of the hypervisor is to provide isolated execution environments for
each virtual machine and to manage access between the guest operating systems running in virtual
machines and the underlying hardware resources on the physical computer.
Windows 10 and applications can be deployed to virtual machines running on a hypervisor host just as
they are in a traditional installation. Client Hyper-V is useful for scenarios such as running an app that
requires a different OS or version than the primary OS, or scenarios that require an isolated environment,
such as driver testing or application compatibility testing.
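The following PowerShell is an added example, not part of the course text, of building an isolated Generation 2 test VM with Client Hyper-V for the driver-testing scenario just described. It assumes an elevated session on Windows 10 Pro, Enterprise or Education; the VM name, disk and ISO paths, sizes and switch name are placeholders.

```powershell
# Added example (not from the course): create an isolated Generation 2 VM with
# Client Hyper-V for driver or application-compatibility testing.
# Run from an elevated PowerShell session. VM name, paths, sizes and switch
# name below are assumptions.
$VMName     = 'W10-DriverTest'
$VhdPath    = "C:\Hyper-V\$VMName.vhdx"
$IsoPath    = 'C:\ISO\Win10.iso'          # installation media (assumed location)
$SwitchName = 'Isolated-Internal'

# 1. Hyper-V must be enabled (and the host rebooted) before the VM cmdlets exist.
$hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
if ($hv.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
    Write-Warning 'Hyper-V enabled. Restart the host, then run this script again.'
    return
}

# 2. An Internal switch gives the guest a path to the host only, not to the LAN.
#    Use -SwitchType Private if the guest must have no network path at all.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
}

# 3. Create the VM with a new dynamically expanding disk. Memory is left static
#    because nested virtualization (step 5) does not support Dynamic Memory.
New-VM -Name $VMName -Generation 2 -MemoryStartupBytes 4GB `
       -NewVHDPath $VhdPath -NewVHDSizeBytes 60GB -SwitchName $SwitchName | Out-Null
Set-VMProcessor -VMName $VMName -Count 2
Set-VMMemory    -VMName $VMName -DynamicMemoryEnabled $false

# 4. Guest security posture: UEFI Secure Boot with the Windows template and a
#    virtual TPM, so BitLocker, Credential Guard and Windows Hello can be tested.
Set-VMFirmware     -VMName $VMName -EnableSecureBoot On -SecureBootTemplate MicrosoftWindows
Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
Enable-VMTPM       -VMName $VMName

# 5. Expose virtualization extensions so Windows Sandbox or Hyper-V can run
#    inside this guest (VM must be off); MAC spoofing lets nested guests reach the switch.
Set-VMProcessor       -VMName $VMName -ExposeVirtualizationExtensions $true
Set-VMNetworkAdapter  -VMName $VMName -MacAddressSpoofing On

# 6. Attach the installation media, boot from it first, and start the VM.
Add-VMDvdDrive -VMName $VMName -Path $IsoPath
Set-VMFirmware -VMName $VMName -FirstBootDevice (Get-VMDvdDrive -VMName $VMName)
Start-VM -Name $VMName

Get-VM -Name $VMName | Select-Object Name, State, Generation, ProcessorCount, MemoryStartup
```

Once the guest OS is installed, `Checkpoint-VM -Name $VMName -SnapshotName 'Clean'` gives a known-good state to roll back to after each driver or application test.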

Windows Sandbox
Windows Sandbox is a feature introduced in Windows 10 version 1903 that lets a Windows client start an
isolated environment without configuring Hyper-V, creating a Windows 10 VM, or preparing a VHD. This
enables the user to quickly start an isolated, pristine Windows 10 environment for temporary-use scenarios
such as launching a downloaded executable that you do not fully trust.
Windows Sandbox has the following characteristics:
●● Included with Windows 10 Pro and Enterprise.
●● Pristine. Every time Windows Sandbox runs, it is as clean as a brand-new installation of Windows.
●● Disposable. Nothing persists on the device. When Sandbox is closed, everything is discarded.
●● Secure. Uses hardware-based virtualization for kernel isolation, relying on Microsoft's hypervisor to
run a separate kernel that isolates Windows Sandbox from the host.
●● Efficient. Uses the integrated kernel scheduler, smart memory management, and a virtual GPU.
To use Windows Sandbox, virtualization must be enabled on the physical hardware. If you are using a
virtual machine, nested virtualization must be enabled. Windows Sandbox must also be enabled in
Windows Features.
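The following PowerShell is an added example, not course material, of enabling the feature and then launching Sandbox from a .wsb configuration file that turns networking off and maps a single host folder read-only, which is the setup you want when the goal is to open a download you do not trust. The folder and file paths are assumptions, and the <SandboxFolder> element is not honored on the earliest Sandbox builds, where mapped folders always appear on the sandbox desktop.

```powershell
# Added example (not from the course): enable Windows Sandbox and launch it from
# a configuration that removes network access and exposes one host folder read-only.
# Paths are assumptions. Step 1 needs an elevated session and a restart.

# 1. Enable the optional feature (this is the feature name Windows uses for Sandbox).
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All -NoRestart
    Write-Warning 'Windows Sandbox enabled; restart the host, then run this script again.'
    return
}

# 2. Stage the untrusted file in a dedicated host folder. Mapping it read-only
#    means nothing that runs in the sandbox can modify or encrypt host data.
$HostFolder = 'C:\SandboxDrop'
New-Item -ItemType Directory -Path $HostFolder -Force | Out-Null

# 3. Write the .wsb file. <Networking>Disable</Networking> stops the sample from
#    phoning home; <VGpu>Disable</VGpu> removes the GPU sharing attack surface.
#    The only user inside the sandbox is WDAGUtilityAccount.
$wsb = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$HostFolder</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Drop</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\Drop</Command>
  </LogonCommand>
</Configuration>
"@
$ConfigPath = Join-Path $env:TEMP 'UntrustedDownload.wsb'
Set-Content -Path $ConfigPath -Value $wsb -Encoding UTF8

# 4. Launch. Everything created inside the sandbox is discarded when it closes.
Start-Process -FilePath 'WindowsSandbox.exe' -ArgumentList "`"$ConfigPath`""
```

Keep the read-only mapping even when networking is enabled for a test: the sandbox protects the host kernel, but a writable mapped folder is a deliberate hole in that isolation.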

Deployment Strategies
You can use a number of different methods to install Windows 10. However, regardless of the method,
the image-based nature of the installation process and the desired result—a properly functioning
Windows 10 device—remain consistent. Determining which method to use and how to best implement
that method are important parts of the planning process for a Windows 10 installation.
In this topic, you will learn to analyze the reasons for using certain installation methods and implement
those methods. You will also learn about the new provisioning method in Windows 10 that you can use
to customize an existing Windows 10 installation with a provisioning package.

High-touch Deployment
The high-touch with retail media deployment strategy is suitable for small organizations that do not have
information technology (IT) staff, or have IT staff members without deployment experience. Such organi-
zations typically have fewer than 100 client computers. This strategy is the simplest way to deploy
Windows 10. Insert the Windows 10 media and run the setup program. It is a manual installation that
requires you to answer each prompt in the setup program.
Organizations with 100-200 client computers should consider high-touch with a standard image. This
strategy involves the creation of a standard image, by using the available tools in the Windows ADK,
which you can customize. It requires an IT professional with imaging knowledge and is ideal for small or
distributed networks with minimal configuration requirements.

Lite-touch Deployment
The Lite-touch Installation (LTI) deployment strategy is suitable for medium-sized organizations with
200–500 client computers. This strategy uses management tools such as Microsoft Deployment Toolkit
(MDT) or Microsoft Intune. It is an easier deployment strategy, because Administrators use a centrally
managed console to automate the delivery of the OS, configurations, and applications. MDT also requires
minimal infrastructure and Intune is a cloud-based solution.

Zero-touch Deployment
The Zero-touch Installation (ZTI) deployment strategy is suitable for large organizations that typically
have more than 500 client computers. This deployment strategy uses MDT and/or Intune together with
Microsoft System Center Configuration Manager to deliver a more streamlined, fully automated deploy-
ment that does not require user interaction.

Bring Your Own Device


Bring Your Own Device (BYOD) deployment refers to deploying configurations and applications to
devices that the organization does not own, typically user-owned devices. Using a smartphone to access
work e-mail is the most common example. As the mobile workforce becomes more common, employees
working on their home computers and students using their personal laptops at school have increased
the need for IT to support BYOD on a variety of devices.
Mobile device management (MDM) solutions such as Microsoft Intune can be used to manage personally
owned devices such as phones, tablets, and computers. Intune enables users to enroll their devices,
access applications, and meet compliance requirements without giving up administrative control of their
own device. Like Configuration Manager, Intune can also manage organization-owned devices, and the
two can be used together to create a unified endpoint management solution.

Imaging and Autopilot


When deploying an operating system in any organization with more than 100 computers, manual
deployment of operating systems becomes impractical. Organizations employ methods such as Imaging
and Autopilot to automate and streamline this process.

What is Imaging?
Imaging is the process of creating a “snapshot” of a reference computer with the desired OS, configura-
tions, and apps pre-installed, and then deploying that snapshot to multiple computers. When the image
is deployed, it essentially copies the reference computer's configuration to the target computer. This has
been the preferred method in medium and large organizations for years.
Benefits of Imaging
●● Eliminates the manual process of installing the OS and configuring the device (and included apps) on
each target device.
●● Ensures devices have a consistent configuration. This reduces the chance of human error during
deployment and helps ensure devices are compliant and secure.
●● Imaging, along with a management tool such as MDT or Configuration Manager can make the
deployment process completely automated, with little to no action needed by IT or the end user, once
the device is plugged in.
Disadvantages of Imaging
●● Creating and managing images takes effort. Scenarios such as different requirements within the
organization, updates to apps and the operating system, and hardware architecture, can be contribut-
ing factors to the number of images needed. More images increase the overhead needed to maintain
the images.
●● Creating and deploying images is more complex than manual deployment and requires advanced
tools to manage the process.
●● Deploying images can consume considerable bandwidth during the process, and additional consider-
ations are required when target clients have limited bandwidth and connectivity.

Autopilot
Autopilot is a new feature in Windows 10. The concept behind Autopilot is to reduce the need to
reimage machines. Typically, when a new device is purchased, Windows is pre-installed on it by the
hardware vendor, with the vendor's preferred configuration. Autopilot reconfigures the device to a clean
Windows install, providing an out-of-box experience while applying the organization's desired configura-
tion and applications. Configuring a device using Autopilot is typically easier than creating and managing
images.
In addition to deployments, Autopilot can also help with refresh and troubleshooting scenarios.
Support staff dealing with a troublesome device will frequently opt to wipe and reimage the device.
Autopilot Reset enables a similar result, reverting to a clean install of Windows 10 with configurations
applied and applications reinstalled.
Beginning with Windows 10 version 1809, customers can use System Center Configuration Manager
version 1806 or later to convert existing Windows 7 and Windows 8.1 devices to Windows 10 devices
using Windows Autopilot.

Deployment Tools
Microsoft provides several tools for facilitating deployments and managing devices when using imaging
to deploy an OS. To successfully deploy the Windows 10 operating system and applications for your
organization, it is essential that you know about the available tools to help with the process. In this
topic, you will learn about the most commonly used tools for Windows 10 deployment.

Windows Assessment and Deployment Kit


Windows Assessment and Deployment Kit (ADK) for Windows 10 is a collection of tools that you can use
to automate the deployment of Windows operating systems and mitigate application compatibility
issues. Previously, Windows ADK was called the Windows Automated Installation Kit (for Windows 7). SQL
Server 2012 Express is also included here for the tools that require a connection to a SQL Server.
Windows ADK contains core assessment and deployment tools and technologies, including Deployment
Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD),
Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation
Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment
Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL
Server 2012 Express.

Deployment Image Servicing and Management (DISM)


DISM is a command-line tool that enables you to create and manage images. You can use it to capture a
“reference” device with a desired configuration. The desired configuration might be the choice of OS
edition, Windows settings, pre-installed drivers, applications, and files. Once the image is captured, you
can use it to deploy the pre-configured OS install to multiple devices. Once images are created, you can
also use DISM to change the image or keep it up to date. This can include applying updates, drivers, and
language packs to the Windows image, offline or online.
For example, booted into Windows PE, to capture the Windows partition (C:) to an image on a USB
storage drive (D:), the command line might look like this:
Dism /Capture-Image /ImageFile:"D:\Images\Fabrikam.wim" /CaptureDir:C:\ /Name:Fabrikam

DISM Offline Servicing


DISM can be used to modify images while they are not in use. To edit an existing image, mount the
image, make the desired changes, and then dismount the image.
For example, if you need to add a driver to an existing image, you first mount the image (specifying
which image index in the WIM to mount), add the driver, and then unmount the image, committing the
changes:
DISM /Mount-Image /ImageFile:C:\test\images\install.wim /Index:1 /MountDir:C:\test\offline
DISM /Image:C:\test\offline /Add-Driver /Driver:C:\drivers\mydriver.inf
DISM /Unmount-Image /MountDir:C:\test\offline /Commit
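The same offline-servicing sequence, written with the DISM PowerShell module, as an added example that is not part of the course. Two things the bare DISM commands above do not do are worth building in: refuse to inject a driver whose files are not validly signed (a driver in a golden image is a supply-chain component), and discard the mount on any error so the WIM is never left half-edited. Image, mount, driver and update paths and the edition name are assumptions.

```powershell
# Added example (not from the course): offline-service install.wim with the DISM
# module, checking driver signatures first and discarding the mount on failure.
# All paths and the edition name are assumptions.
$ImageFile = 'C:\test\images\install.wim'
$MountDir  = 'C:\test\offline'
$DriverDir = 'C:\drivers\nic'
$UpdateDir = 'C:\updates'

# 1. Select the edition to service by name instead of guessing an index.
Get-WindowsImage -ImagePath $ImageFile | Format-Table ImageIndex, ImageName -AutoSize
$Index = (Get-WindowsImage -ImagePath $ImageFile |
          Where-Object ImageName -eq 'Windows 10 Enterprise').ImageIndex
if (-not $Index) { throw 'Requested edition not found in the WIM.' }

# 2. Refuse unsigned or tampered driver binaries. .inf files are signed through
#    the .cat catalog, so check the .sys/.dll/.cat files. Needing /ForceUnsigned
#    is a warning sign, not a convenience.
$bad = Get-ChildItem -Path $DriverDir -Recurse -Include *.sys, *.dll, *.cat |
       Get-AuthenticodeSignature | Where-Object Status -ne 'Valid'
if ($bad) {
    $bad | Select-Object Path, Status | Format-Table -AutoSize
    throw 'Driver files failed signature validation; aborting offline servicing.'
}

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $ImageFile -Index $Index -Path $MountDir | Out-Null
try {
    # 3. Inject the driver set and any cumulative updates staged as .msu files.
    Add-WindowsDriver -Path $MountDir -Driver $DriverDir -Recurse | Out-Null
    Get-ChildItem -Path "$UpdateDir\*.msu" -ErrorAction SilentlyContinue |
        ForEach-Object { Add-WindowsPackage -Path $MountDir -PackagePath $_.FullName | Out-Null }

    # 4. Show the third-party drivers now present in the image, then commit.
    Get-WindowsDriver -Path $MountDir | Select-Object Driver, ProviderName, ClassName, Version
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
catch {
    Write-Error $_
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null   # leave the WIM untouched
    throw
}

# 5. Record the hash of the serviced image so deployment media can be verified later.
Get-FileHash -Path $ImageFile -Algorithm SHA256 | Select-Object Hash, Path
```

Store the hash alongside the image in your deployment share; comparing it before each deployment is a cheap check that the golden image has not been modified since it was serviced.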

Application Compatibility Toolkit (ACT)


The ACT is a graphical tool that can evaluate and mitigate application compatibility issues before deploy-
ing a new version of Windows. ACT requires access to a database. The database must be Microsoft SQL
Server 2008 (or SQL Server 2008 Express Edition) or a newer version. You can install SQL Server or use an
existing installation. Generally, all modern applications are compatible with Windows 10, and this is
primarily used for legacy applications that might still be in use.

Windows Imaging and Configuration Designer

Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the
creation of provisioning packages that can be used to dynamically configure a Windows device (PCs,
tablets, and phones). This is particularly useful for setting up new devices, without the need for re-imag-
ing the device with a custom image.

The WICD Start Page.

Windows System Image Manager (Windows SIM)


Windows System Image Manager (Windows SIM) is a graphical tool that you can use to create unattend-
ed installation answer files (Unattend.xml) and distribution shares, or modify the files that a configuration
set contains. When using MDT and/or Configuration Manager, you don’t need Windows SIM very often
because those systems automatically update the Unattend.xml file during the deployment, greatly
simplifying the process overall.

Windows answer file opened in Windows SIM.

Volume Activation Management Tool (VAMT)


VAMT is a graphical tool that you can use to automate and manage activation of Windows, Windows
Server, and Microsoft Office. If you do not use Key Management Service (KMS) activation, you can still
manage your Multiple Activation Keys (MAKs) centrally with VAMT. With this tool, you can install and
manage product keys throughout the organization. VAMT can also activate on behalf of clients without
Internet access, acting as a MAK proxy.

The Volume Activation Management Tool.

VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based
activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell
(instead of the old command-line tool). For example, if you want to get information from the VAMT
database, you can type:
Get-VamtProduct

Windows Preinstallation Environment (Windows PE)

Windows PE is a minimal 32-bit or 64-bit operating system with limited services, built on the Windows 10
kernel. Windows PE replaces the DOS or Linux boot disks that were once used. Use Windows PE during
Windows installation and deployment to boot the computer and start the setup program. Windows PE
provides read and write access to Windows file systems, and supports a range of hardware drivers,
including network connectivity, which makes it useful for troubleshooting and system recovery. You can
run Windows PE from the CD/DVD, USB flash drive, or a network, by using the Pre-Boot Execution
Environment (PXE). The Windows ADK includes the tools to build and configure Windows PE. The key
thing to know about Windows PE is that, like the operating system, it needs drivers for at least network
and storage devices in each PC. Luckily Windows PE includes the same drivers as the full Windows 10
operating system, which means much of your hardware will work out of the box.
Starting with the Windows ADK for Windows 10, version 1809, Windows PE is no longer part of the ADK
install and is a separate add-on download, available at
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/download-winpe--windows-pe

A machine booted with the Windows ADK default Windows PE boot image.

Microsoft Assessment and Planning Toolkit


The Microsoft Assessment and Planning Toolkit (MAP) is an agentless, automated, multi-product planning
and assessment tool for quicker and easier desktop, server and cloud migrations. MAP provides detailed
readiness assessment reports with extensive hardware and software information, and actionable recom-
mendations to help organizations accelerate their IT infrastructure planning process. It can be download-
ed separately, as it is not part of the ADK tools.
The MAP Toolkit is no longer being updated, in favor of Azure Migrate, which is used to plan the
migration of server workloads to the cloud. However, MAP can still be used to gather Windows client
configurations when an agentless solution is desired.

Windows Deployment Services (WDS)


WDS enables the deployment of Windows operating systems. You can use WDS to set up new clients
with a network-based installation without requiring administrators to visit each computer or install
directly from CD or DVD media. Images are added to a server running WDS, which transmits them to
clients using multicast functionality.


Windows Deployment Services using multicast to deploy three machines.

WDS requires AD DS, DHCP, and DNS. WDS can be managed using the WDSUTIL command-line tool,
Windows PowerShell, or an MMC snap-in. WDS also has the capability to manage drivers; however, driver
management through MDT and Configuration Manager is more suitable for deployment due to the
flexibility offered by both solutions, so you will use them instead.

Microsoft Deployment Toolkit


MDT is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and
tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core
deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical
features for an enterprise-ready deployment solution.
MDT has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is
Zero Touch, which is an extension to System Center 2012 R2 Configuration Manager.
Note: Lite Touch and Zero Touch are names for the two solutions that MDT supports, and the naming has
nothing to do with automation. You can fully automate the stand-alone MDT solution (Lite Touch), and
you can configure the solution integration with Configuration Manager to prompt for information.

The Deployment Workbench, showing a task sequence.

Desktop Deployment Center

The Desktop Deployment Center is a consolidated collection of resources for deploying Windows 10 and
Microsoft 365 Apps. It provides step-by-step planning guidance, videos tutorials on processes and
concepts, links to deployment tools, best-practices and more.
The Desktop Deployment Center is located at
https://docs.microsoft.com/en-us/microsoft-365/enterprise/desktop-deployment-center-home

User State Migration Tool


The User State Migration Tool (USMT) is a command-line tool used to streamline and simplify user state
migration during large deployments of Windows operating systems. USMT captures user accounts, user
files, operating system settings, and application settings of an existing machine. It stores and then
migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh
migrations.
USMT enables you to do the following:
●● Configure your migration according to your business needs by using the migration rule (.xml) files to
control exactly which files and settings are migrated and how they are migrated.
●● Fit your customized migration into your automated deployment process by using the ScanState and
LoadState tools, which control collecting and restoring the user files and settings.
●● Perform offline migrations. You can run migrations offline by using the ScanState command in
Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installa-
tions of Windows contained in Windows.old directories.

Identifying which components to migrate


When planning your migration, it is important to identify which components you need to migrate to the
new operating system platform. These components may include:
●● User accounts. Workstations may have settings related to both domain and local user accounts. You
must determine if you need to migrate local user accounts.
●● Application settings. You must determine and locate the application settings that you want to migrate.
You can acquire this information when you are testing the new applications for compatibility with the
new operating system.
●● Operating-system settings. Operating-system settings include appearance, mouse actions such as
select or double-click, keyboard settings, internet settings, email-account settings, VPN connections,
accessibility settings, and fonts.
●● File types, files, folders, and settings. When you plan your migration, identify the file types, files,
folders, and settings to migrate. For example, you need to determine and locate the standard file
locations on each computer, such as the My Documents folder and company-specified locations. You
also must determine and locate the non-standard file locations.

Using USMT
The components of USMT include:
●● ScanState.exe. The ScanState tool scans the source computer, collects the files and settings, and then
creates a store.
●● LoadState.exe. The LoadState tool migrates the files and settings, one at a time, from the store to a
temporary location on the destination computer.
Specify MigApp.xml, MigUser.xml, and MigDocs.xml with both the ScanState and LoadState commands
to migrate application settings, user profile data, and user folders and files, respectively, to computers
that are running Windows 10. Note that Microsoft recommends not using MigUser.xml and MigDocs.xml
in the same migration, because their rules overlap.
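The two halves of a PC-replace migration, ScanState on the source and LoadState on the destination, as an added PowerShell example that is not part of the course. It encrypts the store, since a migration store on a file share is a copy of every user's documents and application settings, and it uses the include/exclude switches so that stale local accounts are not carried to the new machine. The share path, key-file location and CONTOSO domain are assumptions, and USMT is assumed to be installed at the ADK's default location; the key file must be carried to the destination PC by the administrator, not placed on the share.

```powershell
# Added example (not from the course): ScanState on the source PC and LoadState
# on the replacement PC, with the store encrypted under a key file.
#   .\Migrate.ps1 -Phase Scan    (run on the source computer)
#   .\Migrate.ps1 -Phase Load    (run on the destination computer)
# Share path, key-file path, domain name and the USMT location are assumptions.
param(
    [Parameter(Mandatory)][ValidateSet('Scan', 'Load')][string]$Phase
)
$Usmt    = "${env:ProgramFiles(x86)}\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool\amd64"
$Store   = '\\SEA-SVR2\MigrationStore\Computer1'
$KeyFile = 'C:\Secure\usmt.key'     # treat like a password; never store it on the share
$Log     = 'C:\Windows\Temp'

if ($Phase -eq 'Scan') {
    # Generate a random key once; ScanState and LoadState must use the same key.
    if (-not (Test-Path $KeyFile)) {
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        New-Item -ItemType Directory -Path (Split-Path $KeyFile) -Force | Out-Null
        Set-Content -Path $KeyFile -Value ([Convert]::ToBase64String($bytes)) -NoNewline -Encoding Ascii
    }
    # /ue:*\*  excludes every account; /ui:CONTOSO\* then includes only domain users,
    #          so forgotten local accounts do not travel to the new machine.
    # /encrypt:AES_256 protects the store at rest on the file share.
    # /c continues past non-fatal errors (logged, not fatal); /o overwrites an old store.
    & "$Usmt\ScanState.exe" $Store "/i:$Usmt\MigApp.xml" "/i:$Usmt\MigDocs.xml" `
        '/ue:*\*' '/ui:CONTOSO\*' /encrypt:AES_256 "/keyfile:$KeyFile" /o /c `
        "/l:$Log\scanstate.log" /v:5
    if ($LASTEXITCODE -ne 0) { throw "ScanState failed with exit code $LASTEXITCODE" }
}
else {
    # The same XML rule files must be supplied again: the store does not carry them.
    & "$Usmt\LoadState.exe" $Store "/i:$Usmt\MigApp.xml" "/i:$Usmt\MigDocs.xml" `
        /decrypt:AES_256 "/keyfile:$KeyFile" /c `
        "/l:$Log\loadstate.log" /v:5
    if ($LASTEXITCODE -ne 0) { throw "LoadState failed with exit code $LASTEXITCODE" }
    Remove-Item -Path $KeyFile -Force   # the store stays encrypted; the key is no longer needed
}
```

Check the ScanState log for "Locked file" entries before wiping the source machine: with /c those are warnings, and a user whose Outlook was open during capture will otherwise discover the omission only after the old disk is gone.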

Practice Labs and Module Review


Module 1 Practice Labs
Lab 0101: Deploying Windows using Windows ADK tools

Summary
In this lab, you will identify the tools included in the Windows ADK, create bootable Windows PE media,
prepare a Windows 10 computer to be imaged, capture a reference Windows 10 image, and deploy a
captured Windows 10 image.

Scenario
As part of the Desktop Administration team at Contoso, you have been tasked with creating and testing a
Windows 10 image to be used for a future Windows 10 desktop deployment project. You have already
used Hyper-V to create a virtual machine named GoldImage1 and installed Windows 10 to be used as the
reference image. You now need to capture GoldImage1 and validate that the image can be deployed to a
new computer.

Lab 0102: Migrating user state using USMT

Summary
In this lab you will learn how to migrate user state from one computer to another using the User State
Migration Tool (USMT).

Scenario
You have deployed a new Windows 10 computer named Computer1. You need to migrate the user state
from a source computer named Win81Source to Computer1. The best way to do so is using the User
State Migration Tool (USMT). The USMT install files are located at \\SEA-SVR2\Labfiles\Install\USMT. A
location to store migration data has been provided at \\SEA-SVR2\Labfiles\Install\MigrationStore. For this
lab, you will use the IP address 10.10.0.10 to reference SEA-SVR2.

Module Review
Check Your Knowledge
1. You are the IT Support professional for your organization. Your organization needs to deploy a set of
computers for an isolated office that will not be managed for at least six months. Which edition would
be best to deploy?
A. Windows 10 Pro
B. Windows 10 Enterprise
C. Windows 10 Home
D. Windows 10 Enterprise LTSB
E. Windows 10 Education
F. Windows 10 Mobile
2. The process for upgrading to Windows 10 includes which steps?
A. Evaluate, Back up, Upgrade, Verify, Update
B. Back up, Upgrade, Verify, Update
C. Back up, Upgrade, Update
D. Evaluate, Back up, Upgrade, Update
3. You support a group of software developers in your organization. The developers need to be able to
run Linux and Windows virtual machines on their client computers. Which Windows 10 editions will
allow them to do this?
A. Windows 10 Home
B. Windows 10 Pro
C. Windows 10 Enterprise
D. Windows 10 Education edition
E. Windows 10 IoT
F. Windows 10 Hyper-V edition
4. Your organization is in the process of migrating users to Office 365 E3. You have a mix of Windows 10
editions deployed. You are required to provide conditional access and SSO from anywhere for the
Office 365 E3 users using Domain Join with Azure Active Directory. Which of the following will support
this?
A. Windows 10 Home
B. Windows 10 Pro
C. Windows 10 Enterprise
D. None mentioned
Answers: 1) D 2) A 3) B, C, D 4) B, C
Module 2 Configuring Authorization and Authentication

Authentication
Lesson Introduction
In this lesson you will learn about the differences between authentication and authorization. You will learn
about the different logon and service accounts and how to configure these accounts. You will also learn
how Credential Manager can be used to manage and store credentials for users. Lastly, you will be
introduced to Windows Hello, which is used to simplify the user logon process.

Lesson Objectives
After completing this lesson, you will be able to:
●● Configure a service account.
●● Set up a local account.
●● Use Credential Manager to manage credentials.
●● Describe and configure Windows Hello.

What Are Authentication and Authorization


Windows 10 provides several security technologies for devices, including authentication and authoriza-
tion. Authentication is a process that confirms a user’s identity when he or she accesses a computer
system or a system resource. In private and public computer networks, including the Internet, the most
common authentication method that controls access to resources is the verification of a user’s creden-
tials, which typically is their user name and password.
However, password authentication is inherently weak when you use it for certain critical transactions, such
as payment processing. Passwords can be stolen or revealed inadvertently. Therefore, most Internet
businesses implement digital certificates that a certification authority (CA) issues and verifies. Logically,
authentication comes before authorization, through which an operating system can determine whether an
authenticated user has the required permissions to access and update secured system resources.
Authorized permissions include access to files and folders, hours of access, amount of allocated storage
space, and other specifications. Authorization has two facets:
●● A system administrator defines permissions for system resources initially.
●● A system or application verifies users’ permission values when users attempt to access or update a
system resource.
You can provide authorization and access without implementing authentication, such as when granting
permissions for anonymous users that have not been authenticated. However, these permissions typically
are limited.

Windows authentication methods


Users must authenticate to verify their identity when they access files over a network, and authentication
occurs during the network logon process. The Windows 10 operating system supports the following
authentication methods for network logons:
●● Kerberos version 5 protocol. Windows-based clients and servers use this as the main sign-in authenti-
cation method. It provides authentication for user and computer accounts.
●● NTLM. This method provides backward compatibility with pre-Windows 2000 operating systems and
some applications. However, it is less flexible, less efficient, and not as secure as the Kerberos proto-
col.
●● Certificate mapping. Typically, users utilize this method in conjunction with smart cards. The certificate
that a smart card stores can link to a user account. Users utilize a smart card reader, which scans the
card’s chip to authenticate a user.
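Because NTLM is still negotiated silently when Kerberos cannot be used (an IP address instead of a host name, a non-domain client, a broken SPN), the practical question on a Windows 10 client is how often it is actually happening. The following PowerShell is an added example, not course material, that reads successful logon events (Security event 4624) and groups them by the authentication package Windows recorded, which is also the quickest way to find NTLMv1 before restricting NTLM through Group Policy. It needs an elevated session to read the Security log; the look-back window is an assumption.

```powershell
# Added example (not from the course): which authentication package did recent
# logons on this client use? Security event 4624 records Kerberos vs NTLM and,
# for NTLM, whether it was V1 or V2. Requires an elevated session.
function Get-LogonAuthPackages {
    param([int]$Hours = 24)     # look-back window (assumption)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624                          # An account was successfully logged on
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Each <Data Name="..."> element becomes a hashtable entry.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Skip machine accounts (trailing $) and SYSTEM; we care about user credentials.
        if ($d.TargetUserName -match '\$$' -or $d.TargetUserSid -eq 'S-1-5-18') { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = [int]$d.LogonType            # 2 interactive, 3 network, 7 unlock, 10 RDP
            AuthPackage = $d.AuthenticationPackageName # Kerberos, NTLM or Negotiate
            LmPackage   = $d.LmPackageName             # 'NTLM V1' / 'NTLM V2' when NTLM was used
            Source      = $d.IpAddress
            Workstation = $d.WorkstationName
        }
    }
}

$logons = Get-LogonAuthPackages -Hours 24

# Summary: for domain users anything other than Kerberos deserves a look,
# and 'NTLM V1' anywhere is a finding.
$logons | Group-Object AuthPackage, LmPackage | Sort-Object Count -Descending |
    Select-Object Count, Name

# Detail of the NTLM logons so the source systems can be fixed or restricted.
$logons | Where-Object { $_.AuthPackage -eq 'NTLM' } |
    Select-Object Time, User, LogonType, LmPackage, Source, Workstation | Format-Table -AutoSize
```

On a client that only ever sees Kerberos for domain users and NTLM for the occasional local-account logon, the Group-Object output is two lines; a long tail of NTLM V2 network logons from other hosts usually points at services addressed by IP or at missing SPNs rather than at the client itself.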

User Account Types


There are three primary types of accounts used to log on to a Windows 10 PC:
●● Local Account
●● Microsoft Account
●● Domain Account
When installing or starting up Windows 10 for the first time, you will make a choice between the use of a
domain, local, or Microsoft Account.

Local accounts

A local user account resides on the local device only. It does not allow a user to access resources on other
Windows 10 computers. Typically, you use local user accounts for workgroup environments in which you
have networked only a few computers, and in which users typically work with resources attached to their
own devices.

Microsoft accounts

A Microsoft Account (formerly Windows Live ID) will enable you to have easier access to Microsoft’s
services. If you have ever used services such as Xbox Live, Hotmail, Outlook.com, OneDrive or Windows
Messenger, you already have a Microsoft Account. Microsoft has simply combined all of their services
together allowing you to access them with a single account. Just one email address and password is used
for all these purposes.

Domain accounts

Domains are used in organizations. Domain accounts enable users to access resources that are also in the
domain, such as other clients, servers, and printers, by using a directory service called Active Directory.
One major benefit of domain accounts is that they are centrally managed. Instead of creating accounts
and setting passwords and permissions for each user on each device, a single user (or computer) domain
account is created and used to grant access.

Which Account Type Should You Choose?

Organizations typically use Active Directory, and thus Active Directory or Azure AD accounts would be
used. For home or personal use, a Microsoft Account offers many features that a local account does not.
However, if you do not need Windows Store apps, or you have only one computer and do not need
access to your data anywhere else, then a local account will be sufficient. A local account will log in to
Windows and provide the user with their own space on the PC. If you are interested in the new features
that Windows 10 has to offer, though, users need a Microsoft Account to take full advantage of them.

Managing local users


Local user accounts are stored locally on the client. Choose a local account if you are not connecting to a
network domain. You will be able to log in, change your settings, install software, and keep your user area
separate from others on the system. However, local users will not be able to access features made
possible by Microsoft Accounts. Typically each user has their own account, which governs what
permissions they have but also defines which user profile is loaded, which contains various settings and
personalization choices.
Local user accounts are typically used only in scenarios such as home use, and only when there are
specific reasons not to use a Microsoft Account. However, it is important to understand the fundamentals
of local accounts and the default local user accounts that are part of Windows 10.

Default local user accounts


Default local user accounts are used to manage access to the local client's resources based on the rights
and permissions that are assigned to the account. The default local user accounts are built-in accounts
that are created automatically when you install Windows. The default local user accounts cannot be
removed or deleted. In addition, default local user accounts do not provide access to network resources.

Administrator account

The default local Administrator account is a user account for the system administrator. The Administrator
account has full control of the files, directories, services, and other resources on the local computer. The
Administrator account can create other local users, assign user rights, and assign permissions. The
Administrator account can take control of local resources at any time simply by changing the user rights
and permissions.
The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled.
Because the Administrator account is known to exist on many versions of the Windows operating system,
it is a best practice to disable the Administrator account when possible to make it more difficult for
malicious users to gain access to the server or client computer.

In a typical install, Windows disables the built-in Administrator account and creates another local account
that is a member of the Administrators group. Members of the Administrators group can run apps with
elevated permissions without using the Run as Administrator option. As a security best practice, use a
non-administrator account to sign in and then use Run as administrator to accomplish tasks that require
a higher level of rights than a standard user account. Do not use the Administrator account to sign in to
your computer unless it is entirely necessary.

Guest account
The Guest account is disabled by default on installation. The Guest account lets occasional or one-time
users, who do not have an account on the computer, temporarily sign in to the local server or client
computer with limited user rights. By default, the Guest account has a blank password. Because the Guest
account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave
the Guest account disabled, unless its use is entirely necessary.

Default Account
The DefaultAccount is a built-in account. It is a user-neutral account that can be used to run processes
that are either multi-user aware or user-agnostic, such as apps that launch, but have the option to
sign in. This account should be left in its default disabled state (which does not prevent the account from
serving its purpose).

Default local system accounts


There are many services and processes in the Windows operating system that need the capability to sign
in internally, such as during a Windows installation. The SYSTEM account was designed to be used by the
operating system and by services that run under Windows. It is an internal account that does not show up
in User Manager, and it cannot be added to any groups.

The NETWORK SERVICE and LOCAL SERVICE accounts are also predefined local accounts. Unlike the
SYSTEM account, these accounts have minimum privileges, and are used by Windows to perform services
that do not need full permissions. Using least-privilege accounts is part of a defense-in-depth security
strategy that helps limit malicious damage in the event a particular service is compromised.

Managing users and using account groups


Local accounts can be managed in the Accounts option of the Settings app. Here, users can be created or
removed, as well as changed between a Standard user, which has limited permissions, and an Administra-
tor with full permissions.
To create a local account, on Windows 10 Home and Windows 10 Professional editions:
1. Select the Start button, then select Settings > Accounts > Family & other people > Add someone
else to this PC.
2. Enter a user name, password, password hint, and then select Next.
On Windows 10 Enterprise edition:
1. Select the Start button, then select Settings > Accounts > Other people > Add someone else to
this PC.
2. At the bottom of the page, select I don’t have this person’s sign-in information, and at the bottom
of the next page, select Add a user without a Microsoft account.
3. Enter a user name, password, password hint, and then select Next.
The Settings app does not display default accounts or account groups. To manage these, use the local
Computer Management Microsoft Management Console (MMC).
1. Right-click on Start and select Computer Management.
2. Under System Tools, expand the Local Users and Groups option and select either Users or Groups to
show the respective accounts objects.
You can also manage local users in a command prompt using NET.EXE, or by using a variety of PowerShell
cmdlets.

Using Groups
Within the settings app, you can switch an account type between Standard User and Administrator, which
adds or removes the user from the Administrators group.
Alternatively, you can use Local Users and Groups to assign rights and permissions on a more granular
level. Windows comes with several built-in groups that grant various permissions to resources and
services. Some examples of these built-in groups include:
●● Administrators
●● Users
●● Guests
●● Device Owners
●● Event Log Readers
●● Hyper-V Administrators
●● Network Configuration Operators
●● Remote Desktop Users
By using these groups, administrators are able to grant privileges to what the user needs access to,
without granting privileges to services they don't need. One of the main reasons for doing this, is to limit
the damage in the event a device is compromised by a threat such as malware. The malware, which
typically might run at the user level, is not capable of leveraging services the user doesn't have permis-
sion to use.
For example, Elyssa works for a company that has a policy where users do not have administrative
privileges on their computer. In her position, however, she needs to frequently change the network
settings on her device. As a standard user, she would not be able to do this. By making her a member of
the Network Configuration Operators group, she now has the ability to change her network settings,
without IT having to grant her full administrative privileges to the device. If her account or device is
compromised, her credentials cannot be used to perform malicious attacks such as logging onto the
device remotely.
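The Elyssa scenario carried out with the built-in local-account cmdlets, plus an audit of the default accounts described earlier. This is an added example, not part of the course; it assumes the Microsoft.PowerShell.LocalAccounts module that ships with Windows 10, an elevated session, and a placeholder password you supply at the prompt.

```powershell
# Added example (not from the course): create a standard local user with only
# the role she needs, then audit the default local accounts. Uses the
# Microsoft.PowerShell.LocalAccounts cmdlets that ship with Windows 10; run
# from an elevated session. "Elyssa" is the user from the scenario above.

function Get-UserGroupMembership {
    param([Parameter(Mandatory)] [string] $Name)
    # Local group members are reported as COMPUTERNAME\user
    $qualified = "$env:COMPUTERNAME\$Name"
    Get-LocalGroup | Where-Object {
        (Get-LocalGroupMember -Group $_.Name -ErrorAction SilentlyContinue).Name -contains $qualified
    } | Select-Object -ExpandProperty Name
}

function New-StandardUserWithRole {
    param(
        [Parameter(Mandatory)] [string]       $Name,
        [Parameter(Mandatory)] [securestring] $Password,
        [string[]] $Roles = @()
    )
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Name -Password $Password -Description 'Standard user' | Out-Null
    }
    # New-LocalUser does not add the account to any group; a standard user
    # belongs in Users (and never in Administrators).
    Add-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue
    foreach ($role in $Roles) {
        # e.g. 'Network Configuration Operators' grants only network settings changes
        Add-LocalGroupMember -Group $role -Member $Name -ErrorAction SilentlyContinue
    }
    Get-UserGroupMembership -Name $Name
}

function Test-DefaultAccountState {
    # The built-in accounts keep their well-known RIDs even if renamed:
    # 500 = Administrator, 501 = Guest, 503 = DefaultAccount.
    $builtIn = @{ '500' = 'Administrator'; '501' = 'Guest'; '503' = 'DefaultAccount' }
    foreach ($u in Get-LocalUser) {
        $rid = $u.SID.Value.Split('-')[-1]
        if ($builtIn.ContainsKey($rid)) {
            [pscustomobject]@{
                BuiltIn     = $builtIn[$rid]
                CurrentName = $u.Name
                Enabled     = $u.Enabled
                Finding     = if ($u.Enabled) { 'Enabled: disable unless required' } else { 'Disabled (OK)' }
            }
        }
    }
}

# Usage (placeholder password entered at the prompt):
# $pw = Read-Host -AsSecureString -Prompt 'Password for Elyssa'
# New-StandardUserWithRole -Name 'Elyssa' -Password $pw -Roles 'Network Configuration Operators'
# Test-DefaultAccountState | Format-Table
# Get-LocalGroupMember -Group 'Administrators'   # confirm Elyssa is not listed
```

Matching the built-in accounts on their RID rather than their name means the check still finds the Administrator account after it has been renamed.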

Domains and Workgroups


Domains and workgroups provide a method for sharing and accessing resources on a network, such as
access to files and printers on other devices in the network.
What is a Workgroup?
When installed, Windows 10 creates a workgroup named “WORKGROUP” by default. A workgroup can
share files, network storage, printers and any connected resource. There is no centralization of user
accounts and related security policies and settings. It is a peer-to-peer network, in which each device has
its own set of user and group accounts, its own security policy, and its own resources that you can share
with others.
The workgroup name can be changed by opening the Control Panel, selecting System and Security,
then System and selecting Change settings.
Workgroups include the following attributes:
●● All computers have equal rights.
●● Cannot be password protected.
●● Has a limit of 20 computers.
●● All computers must be on the same local network.
●● Works on all Windows versions.
●● Works on both IP versions: IPv4 and IPv6.
●● Every computer must have the same workgroup name to communicate.
●● Requires security and sharing permissions to be set.
You must set up user accounts on each computer. This step is necessary because there is no centraliza-
tion of user accounts in a workgroup. When users map a network drive to a folder that you have shared
on your computer, they must provide credentials to connect to the resource; the sharing computer stores
these credentials.

What is a Domain?
Active Directory and Azure Active Directory Domain Services domains are also a collection of
resource-sharing computers with the following characteristics:
●● A domain is an administrative boundary. All domains host an Administrator user account that has full
administrative capabilities over all objects within the domain. Although the administrator can delegate
administration on objects within the domain, the account retains full administrative control of all
objects within the domain.
●● A domain is a replication boundary. In the case of AD DS, it consists of three elements, or partitions:
the schema, the configuration partition, and the domain partition. Generally, it is only the domain
partition that changes frequently. The domain partition contains objects that are likely to be updated
often; these include users, computers, groups, and organizational units (OUs). AD DS replication
updates objects and synchronizes information between domain controllers.
In the case of Azure AD, it is hosted in the cloud. Replicas of the Azure AD architecture are synchro-
nized between Microsoft Datacenters, which is transparent to the customer. When using AD DS and
Azure AD together, Azure AD Connect synchronizes information between the two environments.
●● A domain is an authentication boundary. Domain controllers from each domain or the Azure AD
service can authenticate each user account in that domain. Domains in an AD DS forest trust one
another, and it is these trusts that enable a user from one domain to access resources held in another
domain.
You can add a computer by joining it to a domain. The computer can belong to one domain only. A
computer can belong to a domain or a workgroup, but not both.
The most significant benefit of adding a computer to an AD DS domain is that users can enjoy access to
resources throughout the AD DS forest, assuming that they have the necessary permissions. They can do
this without needing to remember multiple user accounts and passwords. The major benefit for the
administrator is that the domain provides a single store for user and group accounts, a domain-wide
security policy, and the ability to configure and manage domain-joined computers from a single point.
Note: Before you can add a computer to a domain, the computer must be able to locate a domain
controller or be connected to the internet to access the Azure AD service. This requires proper
configuration of the computer’s name resolution settings.

Credential Manager
Windows 10 includes Credential Manager, which helps manage and maintain passwords. The Credential
Manager utility is built into the Windows 10 Control Panel. Credential Manager saves credentials users enter
when accessing other computers and resources on local networks, and it can also be used to back up and
restore these credentials.
Consider a scenario where you access another computer in a workgroup every day. It would be time
consuming to continually enter your credentials when you access that other computer. Credential
Manager can save those credentials so that you are not prompted each time you access other computers
or websites. Credential Manager is enabled by default on non-domain computers. Web Credentials is the
web component of Credential Manager and it remembers web login passwords.

How to use Credential Manager


1. Open the Windows 10 Control Panel. Select User Accounts.
2. Choose to manage either Web Credentials or Windows Credentials.
3. Select the expansion next to a credential.
4. You can Edit or Remove the credential.
You can select Back up Credentials to back up your saved credentials to another file. Restore is just the
opposite of that process. You can add Windows Credentials as you see here by typing in an internet or
network address, username and password. You can also add generic credentials such as this Microsoft
user account.

Windows Hello
Windows Hello is a more personal way to sign in to your Windows 10 devices with just a look or a touch.
You get enterprise-grade security without having to type in a password.
Windows Hello introduces system support for biometric authentication – using your face, iris, or
fingerprint to unlock your devices – with technology that is much safer than traditional passwords. You –
uniquely you – plus your device are the keys to your Windows experience, apps, data and even websites
and services – not a random assortment of letters and numbers that are easily forgotten, hacked, or
written down and pinned to a bulletin board. Modern sensors recognize your unique personal
characteristics to sign you in on a supporting Windows 10 device.

Using Windows Hello


In order to use Windows Hello you must already have a PIN set up for your login. On your PC select the
Start button, then select Settings > Accounts > Sign-in options to set up Windows Hello. Under
Windows Hello, you’ll see options for face, fingerprint, or iris if your PC has a fingerprint reader or a
camera that supports it. Once you’re set up, you will be able to sign in with a quick swipe on your
fingerprint reader or a glance at your camera.
Windows Hello addresses the following problems with passwords:
●● Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
●● Server breaches can expose symmetric network credentials (passwords).
●● Passwords are subject to replay attacks [1].
●● Users can inadvertently expose their passwords due to phishing attacks [2].
NOTE: Windows Hello features will only appear if your computer includes hardware to support it.

[1] https://go.microsoft.com/fwlink/p/?LinkId=615673
[2] https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/phishing
Windows Hello for Business


In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on
PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a
device and uses a biometric or PIN.
Unlike Windows Hello, Windows Hello for Business is configured by Group Policy or mobile device
management (MDM) policy and uses key-based or certificate-based authentication. As an administrator
in an enterprise or educational organization, you can create policies to manage Windows Hello for
Business use on Windows 10-based devices that connect to your organization.
Windows Hello for Business lets users authenticate to:
●● a Microsoft account
●● an Active Directory account
●● a Microsoft Azure Active Directory (Azure AD) account
●● Identity Provider Services or Relying Party Services that support Fast ID Online (FIDO) v2.0 authentica-
tion (in progress)
After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's
device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a
PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenti-
cate users.
Note: When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked
together to provide multi-factor authentication. Windows Hello for Business combines these technolo-
gies.

Configuring Password Policies and User Properties


In a corporate environment, password policies define the configuration of user passwords. AD DS stores
user accounts, which are managed by network administrators or other support staff, such as help-desk
employees.
Using Group Policy to configure password policies


Although domain administrators configure password policies, you should know the available pass-
word-policy options so that you recognize when they affect the user’s ability to sign in. You configure
password policies by using Group Policy, which contains settings for account lockout. When you enable
account lockout, a user who attempts to sign in by using an incorrect password is locked out after the
number of attempts that you configure. Remember that account lockouts can occur based on sign-in
attempts to any system that authenticates users to AD DS. The most common scenario is users signing in
at workstations, but account lockout also applies to applications such as Microsoft Outlook Web App.
The following table lists important Group Policy settings that can affect the user sign-in process. These
settings are located at Computer Configuration\Windows Settings\Security Settings\Account Policies.

Setting | Description | Default setting
--- | --- | ---
Password Policy\Enforce password history | When you turn on enforce password history, users cannot reuse passwords. | By default, Group Policy remembers 24 passwords.
Password Policy\Maximum password age | Maximum password age is the longest span of time that a password can exist before a user must change it. | By default, users must change their password every 42 days.
Password Policy\Minimum password age | Minimum password age is the minimum amount of time that a user must keep a password. | By default, a user must keep a password for one day. This prevents users from cycling quickly through a list of passwords and defeating the password history requirement.
Password Policy\Minimum password length | Minimum password length is the minimum number of characters required for a password that domain users create. | By default, a minimum length of seven characters is required.
Password Policy\Passwords must meet complexity requirements | If you turn on this setting, passwords must meet specific complexity requirements. Users must create complex passwords by using specific elements, including uppercase and lowercase characters, numbers, and symbols. | Three of the four complexity elements must be present. This is enabled by default.
Account Lockout Policy\Account lockout threshold | This defines the number of invalid sign-in attempts that users can make before Windows locks their account. When you enable Account lockout threshold, you can define the period within which the invalid attempts must occur, and how long the account remains locked. | The default value is 0, which means accounts never lock.
User account settings that can affect the sign-in process
Each user account has settings that are relevant to the sign-in process. You need to be aware of these
settings so that you can identify them as potential sources of sign-in issues, and then escalate the issue
to the appropriate group in your organization.

Setting | Description
--- | ---
User logon name | This is the user name that users should use when signing in.
Unlock account | If a user locks an account because of invalid sign-in attempts, use this check box to unlock the account.
User must change password at next logon | When you enable this setting, the user must change their password during the next sign-in. If the user does not change their password, he or she might not be able to sign in.
User cannot change password | If you enable this setting, the user cannot change their password. This setting overrides any requirements to change a password in the domain password policy. You typically use this setting only for service accounts.
Password never expires | When you enable this setting, users are not required to change their password. This setting overrides any requirements to change a password in the domain password policy. You typically use this setting for service accounts, and you also might use it for users who are exempt from changing passwords.
Account is disabled | Enabling this setting prevents users from signing in and using this account. You typically use this setting when an employee is out of the office for a long period, or when your organization terminates an employee.
Smart card is required for interactive logon | When you enable this setting, a user is required to use a smart card to sign in. Requiring a smart card enhances security in environments with infrastructure to support smart card-based sign-ins.
Account expires | This setting allows configuration of a date after which an account is disabled. You typically use this setting only for contract employees or other temporary staff.
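A help-desk triage script that reads the two groups of settings from the tables above: it compares the domain password and lockout policy against the listed defaults, then reports which per-user settings could be blocking a sign-in. This is an added example, not course material; it assumes the RSAT ActiveDirectory module, read access to the user object, and uses "elyssa" as a placeholder account name.

```powershell
# Added example (not from the course): help-desk triage for the settings in the
# two tables above. Assumes the RSAT ActiveDirectory module and read access to
# the user object; "elyssa" is a placeholder account name.
Import-Module ActiveDirectory

function Test-PasswordPolicyAgainstDefaults {
    # Compares the domain-wide policy with the defaults listed in the first
    # table and flags any setting that is weaker than that default.
    $p = Get-ADDefaultDomainPasswordPolicy
    $issues = @()
    if ($p.PasswordHistoryCount -lt 24) { $issues += "History remembers only $($p.PasswordHistoryCount) passwords (default 24)" }
    if ($p.MinPasswordAge -le [TimeSpan]::Zero) { $issues += 'Minimum password age is 0: users can cycle through the history list' }
    if ($p.MinPasswordLength -lt 7) { $issues += "Minimum password length is $($p.MinPasswordLength) (default 7)" }
    if (-not $p.ComplexityEnabled) { $issues += 'Complexity requirements are disabled' }
    if ($p.LockoutThreshold -eq 0) { $issues += 'Account lockout threshold is 0: accounts never lock' }
    [pscustomobject]@{ Policy = $p; Issues = $issues }
}

function Test-SignInBlockers {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties Enabled, LockedOut,
        PasswordExpired, PasswordNeverExpires, CannotChangePassword,
        SmartcardLogonRequired, AccountExpirationDate, PasswordLastSet,
        BadLogonCount, LastBadPasswordAttempt

    # A fine-grained password policy (PSO) overrides the domain default.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

    $findings = @()

    # "Account is disabled"
    if (-not $user.Enabled) { $findings += 'Account is disabled' }

    # "Unlock account": only possible when the lockout threshold is non-zero
    if ($user.LockedOut) {
        $findings += "Locked out after $($user.BadLogonCount) bad attempts " +
                     "(threshold $($policy.LockoutThreshold), unlocks after $($policy.LockoutDuration))"
    }

    # "Account expires"
    if ($user.AccountExpirationDate -and $user.AccountExpirationDate -lt (Get-Date)) {
        $findings += "Account expired on $($user.AccountExpirationDate)"
    }

    # PasswordExpired is true both when the maximum age has passed and when
    # "User must change password at next logon" is set (pwdLastSet = 0).
    if ($user.PasswordExpired) {
        $findings += 'Password expired or must be changed at next logon'
        if ($user.CannotChangePassword) {
            $findings += '"User cannot change password" is also set: the user cannot resolve this alone'
        }
    } elseif (-not $user.PasswordNeverExpires -and $user.PasswordLastSet -and
              $policy.MaxPasswordAge -gt [TimeSpan]::Zero) {
        # "Password never expires" overrides the maximum password age
        $expires = $user.PasswordLastSet + $policy.MaxPasswordAge
        if ($expires -lt (Get-Date).AddDays(7)) {
            $findings += "Password expires on $expires (maximum age $($policy.MaxPasswordAge.Days) days)"
        }
    }

    # "Smart card is required for interactive logon"
    if ($user.SmartcardLogonRequired) { $findings += 'Smart card is required for interactive logon' }

    [pscustomobject]@{
        User     = $user.SamAccountName
        Findings = if ($findings) { $findings } else { @('No blocking settings found') }
    }
}

# Usage (placeholder account name):
# Test-PasswordPolicyAgainstDefaults
# Test-SignInBlockers -SamAccountName 'elyssa'
```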

User Profiles and Their Contents


A user profile is a collection of user-specific settings in Windows 10. Each user has a folder in C:\Users
that contains the user’s profile. Windows names the profile folders in C:\Users to align with the user
account. For example, if the user account is Adam, the profile folder is C:\Users\Adam. In some cases, you
can append the domain’s name to the profile, if the account name conflicts with an existing local user. An
example of this is C:\Users\Administrator.Adatum.
A user profile contains:


●● The user part of the registry. User profiles contain a file called NTuser.dat. This file is the user part of
the registry. When the user signs in, the Windows operating system loads it, and maps it to the
HKEY_CURRENT_USER registry subtree. NTuser.dat contains user settings, such as desktop-back-
ground and screen-saver settings.
●● A set of folders. For each user who signs in, Windows creates a separate subfolder with the user’s
name in the Users folder. This folder is a container for applications, user settings, and data that are
organized into several subfolders, including:
    ●● Application configuration files, which are in the AppData folder
    ●● Desktop
    ●● Favorites
    ●● Documents
    ●● Downloads
    ●● Music, Pictures, Videos
    ●● Other folders that specific applications create
Windows 10 also has a public profile that it stores in C:\Users\Public. All user profiles include this public
profile’s contents when a user logs on. For example, if you create a file in C:\Users\Public\Public Desktop,
it displays on the desktop of all users who sign in to that computer. For this reason, some applications
store system-wide configuration information in the public profile.
Note: Although the C:\Users\Public folder is visible, by default Windows hides the Public Desktop
subfolder.
Managing Users and Groups


Active Directory Overview
Active Directory (AD) is a group of services responsible for identity-related management. It uses a
structured data store as the basis for a logical, hierarchical organization of directory information, repre-
sented as objects. Active Directory stores information about objects on the network and makes this
information easy to find and use. AD services also facilitate authorization and managing permissions to
the services and data those objects represent.

Active Directory Domain Services


Active Directory Domain Services (AD DS) is the service responsible for storing directory data and making
this data available to network users and administrators. These objects typically include shared resources
such as servers, volumes, printers, and the network user and computer accounts. AD DS stores informa-
tion about user accounts, such as names, passwords, phone numbers, or information about a computer,
such as the device name or the last user logged on.
AD DS is installed on one or more Windows Servers with the domain controller role. Administrators manage
AD DS objects using a console app, such as Active Directory Administrative Center on Windows Server.
The information can be viewed or changed in an object’s properties, such as a user’s phone number. But
the objects can also be used to apply configurations or policies using Group Policy Objects. The immedi-
ate benefit of this is being able to manage devices at scale.
Computers that are managed by Active Directory are commonly referred to as domain-joined. User
accounts that are managed by AD are often referred to by their domain username or LDAP username.

Azure Active Directory


Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service.
It is designed to provide the same functions as AD DS. However, unlike AD DS, there is no physical
infrastructure to set up. Administrators can sign up for Azure AD and immediately begin configuring the
directory and joining devices to the domain.
One significant benefit of Azure AD is the ability to more easily provide identity and authentication services
to external resources, such as Microsoft 365, Microsoft Azure, Microsoft Dynamics CRM Online, other
non-Microsoft cloud services, and BYOD scenarios.
Many organizations will have both AD DS and Azure AD environments. Administrators can (and often do)
synchronize these services together using the AD Connect tool. This enables IT to take advantage of the
benefits each service has to offer.

Using Active Directory Users and Groups


There are two forms of common security principals in Active Directory: user accounts and computer
accounts. These accounts represent a physical entity (a person or a computer).
As with local accounts, domain user accounts are created for each user in most cases. This account
contains their username and password, as well as information about the user, such as their name, loca-
tion, department, etc. However, unlike a local account, domain accounts can be used to sign in using
other devices on the network (with the correct permissions). The obvious benefit of this is that administrators
can centrally manage user accounts across an organization instead of on each individual device.
Like local accounts, domain user accounts can also be used as dedicated service accounts for applications
or services.

Active Directory groups


Groups are used to collect user accounts, computer accounts, and other groups into manageable units.
Using groups allows administrators to manage activities like permissions at scale. With users entering,
leaving, or changing positions within the company, it's best to define groups - which could represent a
role as well as a group - and assign permissions to the group. Users can be added and removed from
groups, instead of having to determine permissions every time a personnel change occurs.
There are two types of groups in Active Directory:
●● Distribution groups: Used to create email distribution lists. Distribution groups can be used only with
email applications (such as Exchange Server) to send email to collections of users. Distribution groups
are not security enabled, which means that they cannot be listed in discretionary access control lists
(DACLs).
●● Security groups: Used to assign rights and permissions.
    ●● User rights are assigned to a security group to determine what members of that group can do
    within the scope of a domain or forest. User rights define a person’s administrative role in the
    domain. For example, a user who is added to the Backup Operators group in Active Directory has
    the ability to back up and restore files and directories that are located on each domain controller
    in the domain. This is possible because, by default, the user rights Backup files and directories
    and Restore files and directories are automatically assigned to the Backup Operators group.
    Therefore, members of this group inherit the user rights that are assigned to that group. You can use
    Group Policy to assign user rights to security groups to delegate specific tasks.
    ●● Permissions are different from user rights. Permissions are assigned to the security group for the
    shared resource. Permissions determine who can access the resource and the level of access, such
    as Full Control. Security groups are listed in DACLs that define permissions on resources and
    objects such as file shares or printers.
Note: Both distribution groups and security groups can be used as an email entity.

Active Directory default security groups

There are several built-in groups that are created by default when Active Directory is installed. The follow-
ing list is some of the commonly used groups:
●● DnsAdmins - Members of this group have administrative access to the DNS Server service.
●● Domain Admins - Designated administrators of the domain; Domain Admins is a member of every
domain-joined computer's local Administrators group and receives rights and permissions granted to
the local Administrators group, in addition to the domain's Administrators group.
●● Domain Computers - All workstations and servers that are joined to the domain are by default
members of this group.
●● Domain Users - All users in the domain.
●● Enterprise Admins - Enterprise Admins are like Domain Admins, but have permissions to change
forest-wide configuration settings; Enterprise Admins is a member of every domain's Administrators
group and receives rights and permissions granted to that group.
●● IIS_IUSRS - Built-in group used by Internet Information Services.
●● Print Operators - Members of this group can administer domain printers.
●● Remote Desktop Users - Members of this group are granted the right to log on remotely using RDP.
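Because membership in the privileged default groups above (directly or through nested groups) is what actually grants those rights, a periodic report of the effective membership is a basic control. This is an added example, not course material; it assumes the RSAT ActiveDirectory module and a single-domain forest, so that Enterprise Admins lives in the domain the session is joined to.

```powershell
# Added example (not from the course): list the effective (nested) membership
# of the privileged default groups above and surface members whose password
# never expires. Assumes the RSAT ActiveDirectory module and a single-domain
# forest (Enterprise Admins exists only in the forest root domain).
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param([string[]] $Groups = @('Domain Admins', 'Enterprise Admins', 'DnsAdmins'))

    foreach ($group in $Groups) {
        # -Recursive expands nested groups, so indirect members are included
        $members = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName `
                -Properties Enabled, PasswordNeverExpires, PasswordLastSet
            [pscustomobject]@{
                Group                = $group
                User                 = $u.SamAccountName
                Enabled              = $u.Enabled
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordLastSet      = $u.PasswordLastSet
            }
        }
    }
}

# Usage: privileged accounts exempt from the domain password policy
# Get-PrivilegedGroupReport | Where-Object PasswordNeverExpires | Format-Table
```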

Using Azure Active Directory


You could view Azure AD simply as the cloud-based counterpart of AD DS; however, while Azure AD and
AD DS share some common characteristics, there are several significant differences between them.

Characteristics of AD DS
AD DS is the traditional deployment of Windows Server-based Active Directory on a physical or virtual
server. Although AD DS is commonly considered to be primarily a directory service, it’s only one compo-
nent of the Windows Active Directory suite of technologies, which also includes Active Directory Certifi-
cate Services (AD CS), Active Directory Lightweight Directory Services (AD LDS), Active Directory Federa-
tion Services (AD FS), and Active Directory Rights Management Services (AD RMS).
When comparing AD DS with Azure AD, it’s important to note the following characteristics of AD DS:
●● AD DS is a true directory service, with a hierarchical X.500-based structure.
●● AD DS uses Domain Name System (DNS) for locating resources such as domain controllers.
●● You can query and manage AD DS by using Lightweight Directory Access Protocol (LDAP) calls.
●● AD DS primarily uses the Kerberos protocol for authentication.
●● AD DS uses OUs and GPOs for management.
●● AD DS includes computer objects, representing computers that join an Active Directory domain.
●● AD DS uses trusts between domains for delegated management.
You can deploy AD DS on an Azure virtual machine to enable scalability and availability for an
on-premises AD DS. However, deploying AD DS on an Azure virtual machine does not make any use of Azure AD.
Note that deploying AD DS on an Azure virtual machine requires one or more additional Azure data
disks, because you should not use drive C for AD DS storage. These disks are needed to store the AD DS
database, logs, and SYSVOL. The Host Cache Preference setting for these disks must be set to None.

Characteristics of Azure AD
Although Azure AD has many similarities to AD DS, there are also many differences. It’s important to
realize that using Azure AD isn’t the same as deploying an Active Directory domain controller on an
Azure virtual machine and adding it to your on-premises domain.
When comparing Azure AD with AD DS, it’s important to note the following characteristics of Azure AD:
●● Azure AD is primarily an identity solution, and it’s designed for internet-based applications by using
HTTP (port 80) and HTTPS (port 443) communications.
●● Azure AD is a multi-tenant directory service.
●● Azure AD users and groups are created in a flat structure, and there are no OUs or GPOs.
74  Module 2 Configuring Authorization and Authentication  

●● You cannot query Azure AD by using LDAP; instead, Azure AD uses the REST API over HTTP and
HTTPS.
●● Azure AD does not use Kerberos authentication; instead, it uses HTTP and HTTPS protocols such as
SAML, WS-Federation, and OpenID Connect for authentication, and uses OAuth for authorization.
●● Azure AD includes federation services, and many third-party services such as Facebook are federated
with and trust Azure AD.

Signing in to a Domain
When a user signs in with a domain account, they are typically authenticating to either Active Directory
Domain Services (AD DS) or Azure Active Directory (Azure AD).

Active Directory Domain Services (AD DS) Authentication


The sign-in process authenticates both the computer and user accounts. In an AD DS environment,
domain controllers perform authentication for computer accounts during the startup process and for user
accounts when the user signs in.
At startup, a computer queries the configured Domain Name System (DNS) server to discover domain
controllers that are available to perform authentication. If you configure your AD DS sites properly, a
computer performs authentication by using domain controllers that are in the local physical location. This
authentication process is much faster than authenticating to a domain controller that is in a different
location.
If you do not configure the list of DNS servers on a Windows 10 computer appropriately, it cannot obtain
a list of domain controllers. This could result in the following issues:
●● Authentication fails. The user is unable to access the local computer or network resources.
●● Windows 10 uses cached credentials. The user is able to access the local computer and might be able
to access some network resources.
●● Authentication is very slow but successful. This occurs when a suitable domain controller is on the
local subnet, and the client computer can locate it only by using NetBIOS broadcasts.
Note: NetBIOS is a legacy session-management protocol that Windows 10 does not require.
During the sign-in process, Windows assigns a security token to both the computer and user accounts.
The security token contains a list of groups of which the computer or user account is a member. Windows
uses this list of groups to identify permissions when the computer or user attempts to access resources. If
you add a computer or user account to a group, you must ensure that you reauthenticate the account to
update the security token with group membership.
Note: To reauthenticate a computer, you must restart the computer. To reauthenticate the user account,
the user must sign out and then sign in again.
Typical reasons why AD DS authentication might fail are:
●● Domain controller unreachable. Due to a service failure, there is no available domain controller.
●● Name resolution issues. The Windows 10 computer cannot locate a domain controller in DNS, either
because of configuration issues, or because of DNS unavailability.
●● Physical network issues. If the client cannot connect to the network, then authentication fails.

Azure AD Authentication
When users try to access cloud-based services, such as Microsoft 365, authentication must occur as it
does in an on-premises AD DS environment. However, the process is different because the services that
provide the authentication are not located locally. Therefore, the client computer must locate where the
authentication services reside by using DNS.
Once the client computer locates the authentication services, the user typically receives a prompt to sign
in by providing a user name and password that the client computer securely exchanges with the
authentication service.
Obviously, if users provide incorrect sign-in information, authentication fails. Other reasons for failure
include:
●● Name-resolution issues. These issues occur if Windows 10 cannot determine where the authentication
service resides. This can occur because of a configuration error or local DNS service failure on your
site, or with the Internet service provider (ISP) that provides your Internet service.
●● Internet connectivity is not available. Without an Internet connection, your computer cannot locate
the authentication services, and it cannot connect to Microsoft 365 or any other cloud-based
applications.
●● Synchronization issues between on-premises AD DS and Azure AD. In environments that use both
cloud-based and on-premises directories, it is necessary to synchronize accounts between both
platforms. Occasionally, it is possible for the two directories to be out of synchronization, which can
lead to sign-in issues.
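The following PowerShell script is an added example, not part of the course material. It checks a Windows 10 client for the AD DS and Azure AD failure causes listed in this section; it assumes the in-box DnsClient and NetTCPIP cmdlets, the standard AD DS locator SRV record names, and the public Azure AD sign-in endpoint login.microsoftonline.com.

```powershell
# Added example (not from the course): checks a Windows 10 client for the
# domain and cloud sign-in failure causes described in this lesson.

function Test-DomainSignInPrerequisites {
    $domain = (Get-CimInstance Win32_ComputerSystem).Domain
    $result = [ordered]@{ Domain = $domain }

    # 1. Name resolution. A client discovers domain controllers through the
    #    _ldap._tcp.dc._msdcs.<domain> SRV record; without it there is no DC list.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    $result['DomainControllers'] = @($srv | ForEach-Object { $_.NameTarget })

    # 2. Site-aware lookup. With AD DS sites configured, the client prefers the
    #    domain controllers registered under its own site (local, faster).
    try {
        $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
        $siteSrv = Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' }
        $result['Site'] = $site
        $result['SiteDomainControllers'] = @($siteSrv | ForEach-Object { $_.NameTarget })
    } catch {
        $result['Site'] = $null   # not domain-joined, or no domain controller reachable
    }

    # 3. Domain controller reachable. Kerberos (TCP 88) and LDAP (TCP 389) must answer;
    #    a DC found in DNS but not reachable points at a network or service failure.
    $reachable = @()
    foreach ($dc in $result['DomainControllers']) {
        $ok = (Test-NetConnection -ComputerName $dc -Port 88 -WarningAction SilentlyContinue).TcpTestSucceeded -and
              (Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
        if ($ok) { $reachable += $dc }
    }
    $result['ReachableDomainControllers'] = $reachable

    # 4. Cached credentials. When Windows signs the user in from the credential
    #    cache, LOGONSERVER names the local computer instead of a domain controller.
    $result['UsedCachedCredentials'] = ($env:LOGONSERVER -eq "\\$env:COMPUTERNAME")

    [pscustomobject]$result
}

function Test-AzureAdSignInPrerequisites {
    # Azure AD is located through public DNS and reached over HTTPS (port 443).
    $endpoint = 'login.microsoftonline.com'
    $resolved = Resolve-DnsName -Name $endpoint -ErrorAction SilentlyContinue
    $https    = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Endpoint       = $endpoint
        NameResolves   = [bool]$resolved
        HttpsReachable = $https.TcpTestSucceeded
    }
}

Test-DomainSignInPrerequisites | Format-List
Test-AzureAdSignInPrerequisites | Format-List
```

An empty DomainControllers list points at the DNS server list on the client; a populated list with no reachable entries points at network connectivity or a domain controller service failure.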

Configuring User Account Control


Lesson Introduction
Many users sign in to their computers with a user account that has more rights than are necessary to run
their applications and access their data files. Using an administrative user account for day-to-day user
tasks poses significant security risks. In older versions of the Windows operating system, administrators
were encouraged to use an ordinary user account for most tasks, and to use the Run As account to enact
tasks that required additional rights.
Windows 10 provides UAC to simplify and help secure the process of elevating your account rights.
However, unless you know how UAC works, and how it can affect your users, you might have problems
when you attempt to carry out typical end-user support tasks. This lesson introduces how UAC works and
how you can use UAC-related desktop features.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe User Account Control (UAC).
●● Explain how UAC works.
●● Explain how to configure UAC notification settings.

What is UAC
UAC is a security feature that provides a way for users to elevate their status from a standard user
account to an administrator account, without having to sign out or switch user profiles. UAC is a collection
of features rather than just a prompt. These features, which include File and Registry Redirection,
Installer Detection, the UAC prompt, the ActiveX Installer Service, and more, allow Windows users to
operate with user accounts that are not members of the Administrators group. These accounts, typically
referred to as standard users, are broadly described as operating with least privilege. The most important
fact is that when users sign in with standard user accounts, the experience typically is much more secure
and reliable.
In Windows 10, the number of operating system applications and tasks that require elevation is fewer
when compared to older operating systems. This allows standard users to do more while experiencing
fewer elevation prompts, and this improves interaction with UAC while upholding high security standards.
When you need to make changes to your computer that require administrator-level permissions, UAC
notifies you as follows:
●● If you are an administrator, select Yes to continue.
●● If you are not an administrator, someone with an administrator account on the computer will have to
enter his or her password for you to continue.
If you are a standard user, providing administrative credentials gives you administrator rights to complete
the task. When you complete the task, permissions will revert to those that a standard user has. This
ensures that even if you are using an administrator account, no one can make changes to your computer
without your knowledge. This helps prevent malicious users from installing malware and spyware on, or
making changes to, your computer.

How UAC works


There are two general types of user groups in Windows 10: standard users and administrative users. UAC
simplifies users’ ability to operate as standard users and perform all necessary daily tasks. Administrative
users also benefit from UAC, because administrative permissions are available only after UAC requests
permission from the user for that instance.

Standard users
In previous versions of the Windows operating system, many users were configured to use administrative
permissions rather than standard user permissions. This was because previous Windows versions required
that users have administrator permissions to perform basic system tasks, such as adding a printer or
configuring a time zone. In Windows 10, many of these tasks no longer require administrative
permissions.
When users have administrative permissions on their computers, they can install additional software.
Despite organizational policies against installing unauthorized software, many users still do it, which can
make their systems less stable and drive up support costs. When you enable UAC, and a user needs to
perform a task that requires administrative permissions, UAC prompts the user for administrative
credentials. In an enterprise environment, the help desk can give a user temporary credentials that have local
administrative permissions to complete a task. The default UAC setting allows a standard user to perform
the following tasks without receiving a UAC prompt:
●● Install updates from Windows Update.
●● Install drivers from Windows Update or those that are included with the operating system.
●● View Windows settings. However, a standard user is prompted for elevated permissions when chang-
ing Windows settings.
●● Pair Bluetooth devices with the computer.
●● Reset the network adapter and perform other network-diagnostic and repair tasks.

Administrative users
Administrative users automatically have:
●● Read/write/enact permissions for all resources.
●● All Windows permissions.
While it might seem obvious that not every user should be able to read, alter, and delete any Windows
resource, many enterprise IT departments that ran older versions of Windows operating systems had no
other option but to assign all of their users to the local Administrators group.
One of the benefits of UAC is that it allows users with administrative permissions to operate as standard
users most of the time. When users with administrative permissions perform a task that requires
administrative permissions, UAC prompts the user for permission to complete the task. When the user grants
permission, the task is performed by using full administrative rights, and then the account reverts to a
lower level of permission.

UAC Elevation Prompts


Many applications require users to be administrators, by default, because they check Administrators
group membership before running an application.

The following list details some of the tasks that a standard user can perform:
●● Establish a local area network (LAN) connection.
●● Establish and configure a wireless connection.
●● Modify display settings.
●● Users cannot defragment the hard drive, but a service does this on their behalf.
●● Play CD/DVD media (configurable with Group Policy).
●● Burn CD/DVD media (configurable with Group Policy).
●● Change the desktop background for the current user.
●● Open Date and Time in Control Panel, and change the time zone.
●● Use Remote Desktop to connect to another computer.
●● Change a user’s own account password.
●● Configure battery power options.
●● Configure accessibility options.
●● Restore a user’s backup files.
●● Set up computer synchronization with a mobile device, including a smartphone, laptop, or personal
digital assistant (PDA).
●● Connect and configure a Bluetooth device.
The following list details some of the tasks that require elevation to an administrator account:
●● Install and uninstall applications.
●● Install a driver for a device, such as a digital camera driver.
●● Install Windows updates.
●● Configure Parental Controls.
●● Install an ActiveX control.
●● Open Windows Defender Firewall in Control Panel.
●● Change a user’s account type.
●● Modify UAC settings in the Security Policy Editor snap-in (Secpol.msc) to the Microsoft Management
Console (MMC).
●● Configure Remote Desktop access.
●● Add or remove a user account.
●● Copy or move files into the Program Files or Windows directory.
●● Schedule Automated Tasks.
●● Restore system backup files.
●● Configure Automatic Updates.
●● Browse to another user’s directory.
When you enable UAC, members of the local Administrators group run with the same access token as
standard users. A process can use an administrator’s full access token only when a member of the local
Administrators group gives approval.

This process is the basis of the Admin Approval Mode principle. Users elevate only to perform tasks that
require an administrator access token. When a standard user attempts to perform an administrative task,
UAC prompts the user to enter valid credentials for an administrator account. This is the default for
standard user-prompt behavior.
The elevation prompt displays contextual information about the executable that is requesting elevation.
The context is different, depending on whether the application is signed by Authenticode technology.
The elevation prompt has two variations that the following table describes: the consent prompt and the
credential prompt.

Elevation prompt - Description
●● Consent prompt - Displayed to administrators in Admin Approval Mode when they attempt to perform an
administrative task. It requests approval from the user to continue.
●● Credential prompt - Displayed to standard users when they attempt to perform an administrative task.
Elevation entry points do not remember that elevation has occurred, such as when you return from a
shielded location or task. As a result, the user must reelevate to enter the task again.
The Windows 10 operating system reduces the number of UAC elevation prompts for a standard user
who performs everyday tasks. However, there are times when it is appropriate for an elevation prompt to
be returned. For example, viewing firewall settings does not require elevation. However, changing the
settings does require elevation because the changes have a system-wide impact.
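The following PowerShell script is an added example, not part of the course material. It shows the Admin Approval Mode behaviour described above by inspecting the process token: run it in a normal PowerShell window and again in one started with Run as administrator. It assumes the in-box whoami tool and the .NET WindowsPrincipal class; the well-known SIDs for BUILTIN\Administrators (S-1-5-32-544) and the integrity labels (S-1-16-*) are standard Windows values.

```powershell
# Added example (not from the course): shows how Admin Approval Mode filters
# the access token of a member of the local Administrators group.

function Get-TokenElevationState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # whoami /groups lists every group in the process token with its attributes.
    # In the filtered (standard-user) token, BUILTIN\Administrators is still
    # present but marked "Group used for deny only", so it grants nothing.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }     # integrity level label

    [pscustomobject]@{
        User                     = $identity.Name
        MemberOfAdministrators   = [bool]$admins
        AdministratorsAttributes = $admins.Attributes
        # Medium Mandatory Level = filtered token; High Mandatory Level = full token
        IntegrityLevel           = $label.'Group Name'
        # IsInRole() is true only when the full (unfiltered) administrator token is in use
        Elevated                 = $principal.IsInRole(
            [System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Invoke-Elevated {
    # Runs a command with the full administrator token, elevating only when needed.
    param([Parameter(Mandatory)][string]$Command)
    if ((Get-TokenElevationState).Elevated) {
        & ([scriptblock]::Create($Command))
    } else {
        # -Verb RunAs raises the UAC prompt: a consent prompt for an administrator
        # in Admin Approval Mode, a credential prompt for a standard user.
        Start-Process -FilePath 'powershell.exe' -Verb RunAs `
            -ArgumentList '-NoProfile', '-Command', $Command
    }
}

Get-TokenElevationState | Format-List
# Invoke-Elevated -Command 'whoami /groups; pause'
```

For an administrator in a non-elevated window the output shows MemberOfAdministrators true, AdministratorsAttributes "Group used for deny only", Medium integrity and Elevated false; the same user in an elevated window shows High integrity and Elevated true.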

Types of elevation prompts


When a permission or password is necessary to complete a task, UAC will notify you with one of three
different types of dialog boxes. The following table describes the different types of dialog boxes that
users will see, and provides guidance on how to respond to them.

Type of elevation prompt - Description
●● A setting or feature that is part of Windows needs your permission to start - This item has a valid
digital signature that verifies that Microsoft is the publisher of this item. If this type of dialog box
displays, it usually is safe to continue. If you are unsure, check the name of the program or function to
decide if it is something that you want to run.
●● A program that is not part of Windows needs your permission to start - This program has a valid
digital signature, which helps to ensure that the program actually is what it claims to be, and it verifies
the identity of the program’s publisher. If this type of dialog box displays, make sure the program is the
one that you want to run and that you trust the publisher.
●● A program with an unknown publisher needs your permission to start - This program does not have a
valid digital signature from its publisher. This does not necessarily indicate danger, because many older,
legitimate apps lack signatures. However, use extra caution, and only allow a program to run if you
obtained it from a trusted source, such as the product CD or a publisher’s website. If you are unsure,
search the Internet for the program’s name to determine if it is a known program or malware.
Most of the time, you should sign in to your computer with a standard user account. You can browse the
Internet, send email, and use a word processor, all without an administrator account. When you want to
perform an administrative task, such as installing a new program or changing a setting that will affect
other users, you do not have to switch to an administrator account. The Windows operating system will
prompt you for permission or an administrator password before performing the task. We also recommend
that you create standard user accounts for all of the people that use your computer.

Configuring UAC Notification Settings


In Windows 10, you can configure UAC to notify you when changes are made to your computer. To do
this, go to the Control Panel, select System and Maintenance, and then under Action Center, select
Change User Account Control settings. Use the slider to determine how Windows will prompt you. The
default is Notify me only when apps try to make changes to my computer.

The following table identifies the four settings that enable customization of the elevation-prompt
experience.

Prompt - Description
●● Never notify me - UAC is off.
●● Notify me only when apps try to make changes to my computer (do not dim my desktop) - When a
program makes a change, a prompt appears, but the desktop does not dim. Otherwise, the user is not
prompted.
●● Notify me only when apps try to make changes to my computer (default) - When a program makes a
change, a prompt appears, and the desktop dims to provide a visual cue that an installation is being
attempted. Otherwise, the user is not prompted.
●● Always notify me - The user always is prompted when changes are made to the computer.
You can configure varying user experiences by using different Group Policy settings. The configuration
choices that you make for your environment affect the prompts and dialog boxes that standard users,
administrators, or both can view.
For example, you might require administrative permissions to change the UAC setting to Always notify
me or Always notify me and wait for my response. When you configure this type of configuration, a
yellow notification appears at the bottom of the User Account Control Settings page, indicating the
requirement.
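The following PowerShell script is an added example, not part of the course material. It reads the registry values that the UAC slider and the corresponding Group Policy settings write, and reports which of the four slider positions they correspond to; the value-to-position mapping used here is assumed from Microsoft's documentation of these values, not from this page.

```powershell
# Added example (not from the course): audits the registry values behind the
# UAC notification slider on the local computer.

function Get-UacNotificationSetting {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    $enableLua = $p.EnableLUA                   # 1 = UAC on, 0 = UAC off (change needs a restart)
    $admin     = $p.ConsentPromptBehaviorAdmin  # prompt behaviour for administrators
    $secure    = $p.PromptOnSecureDesktop       # 1 = prompt on the secure (dimmed) desktop
    $user      = $p.ConsentPromptBehaviorUser   # prompt behaviour for standard users

    # Assumed mapping (Microsoft's documented values for the slider positions)
    $slider = switch ("$admin/$secure") {
        '2/1'   { 'Always notify me' }
        '5/1'   { 'Notify me only when apps try to make changes to my computer (default)' }
        '5/0'   { 'Notify me only when apps try to make changes to my computer (do not dim my desktop)' }
        '0/0'   { 'Never notify me' }
        default { "Custom, set by policy (ConsentPromptBehaviorAdmin=$admin, PromptOnSecureDesktop=$secure)" }
    }
    if ($enableLua -eq 0) { $slider = 'UAC disabled (EnableLUA=0)' }

    [pscustomobject]@{
        SliderPosition             = $slider
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $admin
        ConsentPromptBehaviorUser  = $user
        PromptOnSecureDesktop      = $secure
        # Standard users: 0 = elevation requests are denied automatically,
        # 1 = credential prompt, 3 = credential prompt on the secure desktop (default)
        StandardUsersCanElevate    = ($user -ne 0)
    }
}

Get-UacNotificationSetting | Format-List
```

A ConsentPromptBehaviorAdmin value of 0 with UAC still enabled means administrators are elevated silently, which removes the approval step that Admin Approval Mode relies on.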

Implementing Device Registration


Lesson Introduction
When a device is joined to a domain, users can access company resources without having to enter their
credentials every time they access company resources. Users can have a similar experience from a device
that you enable for Device Registration, but without requiring the device to be a domain member. Device
Registration provides a Single Sign-On (SSO) experience when accessing internal company websites and
company apps. Users with domain accounts can implement Device Registration on their personal devices,
if their company has the appropriate infrastructure in place.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the challenges that BYOD introduces.
●● Describe Device Registration and its uses.
●● Describe how Device Registration works.
●● Describe the infrastructure requirements for Device Registration.
●● Describe how to register and enroll a device.

Challenges to data access for multiple device types
In the past, companies allowed access to company apps and data only to users who logged on or signed
in with a domain account from company-owned and domain member devices. However, this is changing,
and companies are moving from a device-centric approach to a more user-friendly, people-centric
approach. Today, users expect to work from any location using their own devices, running company apps,
and accessing company data on those devices. This evolving user behavior brings new challenges to
company information technology (IT) departments.

Increasingly, users no longer use traditional desktop computers and instead rely on devices. Devices
come in various form factors, such as smartphones and tablets, and they typically are not domain
members. Sometimes devices are not domain members because the company does not own them, and
sometimes because their operating system, such as iOS or Android, cannot be joined to the domain.
However, users who are more familiar with their personal devices want to use them for work purposes.
This is known as the BYOD scenario.
Previously, only domain member computers and domain accounts could access apps and data. Today,
this is no longer the case. Users still have a domain account as proof of their identity, but they now
require access to the same company apps and data from various types of devices with different displays
and that are running on different hardware architecture. Furthermore, these users do not want to provide
credentials each time they need access. In summary, they want the same experience on their personal
devices as they have when working in a domain environment.
Companies typically store data on servers, and users expect to access the data securely from anywhere
and from any device. This presents new challenges for companies because users are accessing and
storing local copies of the data on their personal devices. Administrators must be able to control which
data users can access, and which data can be cached locally. In addition, administrators must know how
to wipe company data remotely if users leave the company or lose their devices. Furthermore,
administrators must have the ability to wipe company data off users’ personal devices without affecting
their personal data.
New challenges to IT departments include:
●● Allowing users to work on devices of their choice, while providing consistent access to corporate
resources.
●● Allowing users to access resources from remote locations, such as when working from home.
●● Unifying the environment and providing unified application and device management of the
company-owned and domain-joined devices along with BYOD devices.
●● Protecting company data, enforcing company policies and compliance requirements, and managing
risks regardless of where data is accessed from, or from which device.

Microsoft Device Strategy Framework


Windows 8.1 introduced the Device Registration feature, which enables users to access internal company
websites and company apps from devices without having to enter user credentials each time. Device
Registration also enables administrators to have some control over the devices, such as controlling the
web apps that users can access from devices that are enabled for Device Registration.
Variations in both the ownership and the management of devices make it necessary to expand the BYOD
scenario to include the four core scenarios shown below. These scenarios comprise the Microsoft Device
Strategy Framework.

The scenarios shown above can be summarized as follows:


●● On your own In this model, employees provide their own devices. There are no security policies in
place, no organizational management of the device, and any device is acceptable. This is a very open
approach, but it presents the highest security risk.
●● Bring your own device This model includes two distinct variations on policy management:
●● Bring your own unmanaged device In this model, employees provide their own devices, but as
part of the company policy, the company does not manage those devices. The employees are
responsible for implementing and managing company policies on their devices. This is a flexible
policy but it presents security risks; some businesses might not have the resources to manage
these risks.
●● Bring your own managed device This is the most traditional format for BYOD. In this model,
employees provide their own devices and the company enforces its policy to allow the devices to
access company data. The device is fully managed by the company.
●● Choose your own device (also called CYOD) In this model, the company provides a mobile device to
employees so those employees can perform their jobs remotely. The company often allows employees
to choose from a list of approved devices that are fully compatible with the company’s apps and
management infrastructure.

●● Here’s your own device In this model, the company has one device approved for the company’s
mobile platform and this device is provided to employees.
The landscape for enterprise mobility extends well beyond BYOD; you cannot assume enterprise mobility
means BYOD only. There are many more elements that must be covered to completely embrace mobility
and enable a mobile workforce. Each scenario has advantages and disadvantages that vary according to
company requirements and goals.
Mobile users today expect to move easily across devices, on their own terms, without having to learn new
tools or interrupt their familiar work practices. We have seen in our enterprise engagements that consumer
and employee expectations are driving these changes and forcing businesses to rethink how they win,
serve, and retain customers and how they enable their mobile and work-at-home employees to stay
productive. Your customers spend a good deal of their time on mobile apps and devices, and they expect
you to meet them there in ways that accommodate their mobile lifestyle. This requires that you anticipate
their needs and engage them at key moments with the right content and services.
Your employees require mobile access to their team members, resources, and core business processes to
stay productive, and they expect you to make that a seamless experience. This requires that you enable
new work processes and understand the expectations that mobile employees bring to the workplace. The
commonality here is the concept of user-centric experiences. Mobile devices are already well-tuned to
personal preferences; the next step is to extend this personalization into business processes. Companies
today are redesigning their operations to accommodate the mobile mindset of both customers and
employees in order to achieve top-line and bottom-line business impact. The combination of engaging,
personalized apps on the front end and a scalable, secure cloud infrastructure on the back end makes
that a reality.
The result will be a transformed enterprise, with opportunities for cost containment, new revenue
streams, and potential new business models.

Overview of Device Registration


Device Registration (previously known as Workplace Join in Windows 8.1) is particularly useful when users
use their own devices to access company data. If you enable Device Registration, you can register and
enroll your devices in the company network. After you enroll a device, the device is associated with your
user account in the company directory, the device object is created in AD DS, and the user certificate is
installed on the device. The device object in AD DS establishes a link between the user and the device.
Further communication with company resources that support claims-based authentication (from a device
enabled for Device Registration) includes information about the device and the user. Once you properly
configure an app to support claims-based authentication, users are not required to enter credentials
again.

After you enable the device for Device Registration, the device is used as a second form of authentication.
If multiple users use the same device, each user can enable the device for Device Registration
independently. Administrators can configure which apps users then can access from the device without
entering credentials, and they can ensure that company policies and security apply to those devices by
configuring a device policy. Be aware that a company Group Policy applies only to domain-joined devices
and not to devices enabled for Device Registration. If a device enabled for Device Registration is
compromised, or if a device owner leaves the company, an administrator can remove the device object
from the domain, and by doing so, the administrator revokes the device’s ability to access domain
resources through SSO.

Scenarios for using Device Registration


Many devices that employees use to access company data are company-owned, and those devices
usually are domain-joined. Users also might access company data by using their own devices from inside
the company network and over the Internet. The company’s IT department can closely monitor and
manage domain-joined computers, but devices that are not domain members can be an issue. Users
typically use devices for accessing virtual desktops, for running company apps, and for accessing other
company resources.
Environments that adopt the BYOD scenario are particularly suitable for the Device Registration feature.
Using this feature, users can access company resources from devices enabled for Device Registration with
SSO, and administrators can control access to resources and control the compliance of local copies of
company data on such devices while a device is not domain-joined.

A device that is enabled for the Device Registration feature is used as a second authentication factor
when accessing claims-based company apps. For such apps, administrators can control who can access
them, from which devices they can be accessed, and whether they can be accessed only from the company
network or from the Internet as well. Devices enabled for Device Registration trust the company
certification authority (CA), which makes it easier to configure them for additional features such as Work
Folders.

How Does Device Registration Work


The main purposes of the Device Registration feature are to provide:
●● Registration in AD DS for non-domain joined devices.
●● SSO for selected applications and resources in a company’s internal network.
Device Registration works by using Device Registration Service and Active Directory Federation Services
(AD FS) with Device Authentication enabled. When a user registers a device through the enrollment
process, Device Registration Service will provision a certificate for the device. This certificate is used to
authenticate the device when it accesses internal resources. In addition, the device becomes associated to
the specific user in AD DS, so administrators can configure access policies to apply to users and their
registered devices.

By implementing the Web Application Proxy component, you also can enable registered devices to access
company resources from external networks such as the Internet. A user can be in a coffee shop or at
home, and if their device is registered, it can access internal applications through Web Application Proxy
and AD FS. If the user is using their registered device in an internal network, it will communicate directly
to AD FS and AD DS to authenticate. For devices that are registered, you also can enable SSO for some
applications. By doing this, the user is not prompted for credentials each time they try to access the
resource.

Infrastructure Requirements to Support Device Registration
Before using the Device Registration feature, you first must configure a company’s infrastructure to allow
Device Registration. Several prerequisites must be in place before you can enable Device Registration on
your devices:
●● Active Directory environment. Device Registration requires that you implement a domain environment.
At least one domain controller must be running Windows Server 2012 or later, and the schema
must be extended to the Windows Server 2012 R2 level.
88  Module 2 Configuring Authorization and Authentication  

●● Public key infrastructure. The Device Registration feature requires that public key infrastructure (PKI) is
deployed and properly configured. Devices must trust the CA, which is true by default for domain-joined
devices, but requires manual configuration on devices that are not domain members.
Certificates must include information on both of the following:
●● Where the list of revoked certificates is available, such as the certificate revocation list (CRL), and
the CRL distribution point (CDP)
●● Where up-to-date certificates for the CA are available, such as authority information access (AIA).
Devices must be able to access the CRL, delta CRL, and AIA before they can use Device Registration. Delta
CRL is published in a file, which by default includes the plus sign (+) in its name. The Internet Information
Services (IIS) Web server (also by default) does not allow access to files with special characters in their
names, and you must enable double escaping to allow it. You can verify that you can access CRL, delta
CRL, and AIA by running Pkiview.msc on the server where Active Directory Certificate Services (AD CS) is
installed.
●● AD FS. A company must set up AD FS before users can use the Device Registration feature on their
devices. You must configure AD FS with a Secure Sockets Layer (SSL) certificate from a trusted CA, and
the SSL certificate must have properly configured Subject Name and Subject Alternative Name
attributes.
●● Device Registration Service. When you perform Device Registration, Device Registration Service
registers the device in AD DS. It also provides the certificate to the user who enables their device for
Device Registration.
●● A DNS record for the host named Enterpriseregistration. The name Enterpriseregistration is mandatory,
and you cannot change it. The DNS server must resolve this name to the IP address of the AD FS
server, and the AD FS server must use it as one of its Subject Alternative Name attributes in the SSL
certificate.
●● Web Application Proxy. This is an optional component that is not required when you enable Device
Registration on devices that are connected to the company network. If you want to enable Device
Registration on devices that are not connected to the company network, but which are connected to
the Internet, you must set up Web Application Proxy.
●● A supported operating system on the device. The device that you want to enable for Device Registration
must be running a supported operating system. Currently, you can enable Device Registration
only on devices that are running Windows 10, Windows RT 8.1, Windows 8.1, and iOS operating
systems.
When users enable Device Registration on their devices, they can access a company’s internal web
applications and company apps without entering credentials again. To use SSO, administrators must
configure claims-based web applications and create a relying party trust between the AD FS server and
the web server on which the web application is running.
Additional Reading: For additional information on Device Registration, visit: http://aka.ms/en89rh

Registering and Enrolling Devices


After all prerequisites are met, you can enable Device Registration on a device. Any user with domain
credentials can enroll a device, and each device can be enrolled multiple times, once per user who uses
that device. To enroll the device, perform the following procedure:
1. Open the Start menu, select the Settings option, and then select Accounts.
2. On the Accounts page, select Work access.
3. On the Work access page, select Connect.


4. Enter the user ID with which you want to register the device. The user ID looks the same as a user’s
email address and is composed of the user’s sign-in name, the at sign (@), and a domain suffix.
Domain administrators refer to the user ID as the user principal name (UPN). When performing a device
registration, the computer tries to resolve the Enterpriseregistration name, and verifies that the SSL
certificate is trusted and still valid.
5. Enter user domain credentials. The device can be a workgroup member, but the user must have a
domain account to enable Device Registration on the device.
6. Once the device is enabled for Device Registration, Device Registration Service creates a domain
object for the joined device in the Registered Devices AD DS container, and the user is provided with
a certificate for client authentication.
A device that you want to enable for Device Registration must have network settings that let it
resolve company server names. You also must configure the device to trust the company CA. If your
company uses a publicly trusted certificate on the server with the Enterpriseregistration address, you
need not configure the device. If your company uses certificates issued by a private CA, you must export
a certificate from your root CA, and then import it into the trusted root store on your device.
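The prerequisites and the enrollment steps above can be checked from the device itself before a user tries to register. The following script is an added example and is not part of the MD-100 course material or any Microsoft tool; it assumes the fictitious UPN suffix contoso.com, an assumed path for the exported root CA file, and the default delta CRL file naming (the base CRL name with a plus sign) that the PKI prerequisite describes. It resolves the Enterpriseregistration name, imports the private root CA on a workgroup device, inspects the SSL certificate that AD FS presents for the required Subject Alternative Name, builds the certificate chain with online revocation checking (which exercises CRL, delta CRL and AIA access), probes the CDP and AIA URLs directly, and finally reads the registration state with dsregcmd after enrollment.

```powershell
# Added example, not part of the MD-100 course material.
# Client-side readiness check for Device Registration; run in an elevated PowerShell prompt
# on the Windows 10 device. Assumptions: the UPN suffix contoso.com, the root CA export path,
# and the default delta CRL naming (<base name>+.crl) described in the prerequisites.
param(
    [string]$DomainSuffix  = 'contoso.com',              # assumed UPN suffix of the enrolling users
    [string]$RootCaCerPath = 'C:\Temp\contoso-root.cer'  # assumed export from the private root CA
)

$drsHost = "enterpriseregistration.$DomainSuffix"   # mandatory host name; it cannot be changed

# 1. Name resolution: the name must point at the AD FS server (or the Web Application Proxy).
$addresses = (Resolve-DnsName -Name $drsHost -Type A -ErrorAction Stop).IPAddress
Write-Host "$drsHost -> $($addresses -join ', ')"

# 2. Workgroup devices do not trust a private CA by default: import the exported root certificate.
if (Test-Path $RootCaCerPath) {
    Import-Certificate -FilePath $RootCaCerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

# 3. Retrieve the SSL certificate AD FS presents. The callback accepts any certificate only so that
#    the chain can be examined explicitly in step 4; it is not used to make a trust decision.
$tcp = New-Object System.Net.Sockets.TcpClient($drsHost, 443)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($drsHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$tcp.Close()

# The Subject Alternative Name (OID 2.5.29.17) must carry the Enterpriseregistration name.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san = if ($sanExt) { $sanExt.Format($false) } else { '' }
if ($san -notmatch [regex]::Escape($drsHost)) { Write-Warning "SAN does not list ${drsHost}: $san" }

# 4. Build the chain with online revocation checking, which needs CRL, delta CRL and AIA access.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if ($chain.Build($cert)) {
    Write-Host "Certificate chain is trusted and not revoked (expires $($cert.NotAfter))"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" }
}

# 5. Probe the CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) URLs in the certificate, plus the delta
#    CRL next to each base CRL. A 404 on the '+' file usually means IIS double escaping is off.
$urls = foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        [regex]::Matches($ext.Format($true), 'https?://[^\s,)]+') | ForEach-Object { $_.Value }
    }
}
$deltaUrls = @($urls) | Where-Object { $_ -like '*.crl' } | ForEach-Object { $_ -replace '\.crl$', '+.crl' }
foreach ($u in (@($urls) + @($deltaUrls))) {
    try   { $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10; Write-Host "OK   $($r.StatusCode) $u" }
    catch { Write-Warning "FAIL $u : $($_.Exception.Message)" }
}

# 6. After enrollment (Settings > Accounts > Work access > Connect), dsregcmd reports the state.
$status = dsregcmd /status
if ($status -match 'WorkplaceJoined\s*:\s*YES') { Write-Host 'Device is registered (WorkplaceJoined : YES)' }
else { Write-Host 'Device is not registered yet' }
```

Steps 1 to 5 are worth running before the first user enrolls, because a failure in any of them surfaces to the user only as a generic enrollment error; the warnings from step 4 name the exact revocation or trust problem, and the per-URL results in step 5 separate a DNS or firewall problem from the IIS double-escaping setting on the CA web server.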
Practice Labs and Module Review


Module 2 Practice Labs
Lab 0201: Managing Local User and Microsoft Account
Authentication

Summary
In this lab you will configure and manage local accounts and assign a Microsoft account to a Windows 10
device.

Scenario
You need to create two new local user accounts on SEA-WS1. User1 will be a local administrator and
User2 will be a standard user. User1 will also assign a Microsoft account to SEA-WS1 and configure
Windows Hello with a PIN.

Lab 0202: Managing Domain Authentication

Summary
In this lab you will join a device to a Windows Active Directory domain.

Scenario
You need to join SEA-WS1 to the Contoso.com domain. This will enable central management of the
device and enable users to sign in using their domain credentials.

Lab 0203: Managing password and account options

Summary
In this lab you will learn how to create and manage domain password policies, account options, and User
Account Control.

Exercise 1: Managing Domain Password Policies

Scenario
You have been delegated the task to configure the domain password policy for Contoso.com. Part of your
task is to implement a new security requirement that specifies a longer password and a 20 minute
account lockout if a user incorrectly enters their password more than twice in succession.
Exercise 2: Testing Password Policy Settings

Scenario
After configuring a stricter set of password policies, you will ask Jane Dow to test the policy
settings.

Exercise 3: Configuring UAC

Scenario
You need to configure UAC so that when the UAC dialog box prompts a standard user, he or she can
enter the credentials of an administrator account to gain elevated privileges. You also need to restrict the
execution of unsigned applications.
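The three exercises of Lab 0203 can be implemented and verified from PowerShell rather than through the GUI. The script below is an added example and is not part of the MD-100 lab files: exercise 1 runs on a Contoso.com domain controller (or any machine with the RSAT ActiveDirectory module), exercise 3 runs on the Windows 10 client as an administrator. The scenario only says "longer password", so the minimum length of 14 is an assumed value; the lockout threshold of 3 and the 20-minute duration follow the scenario text. The SAM account name used for Jane Dow is also an assumption.

```powershell
# Added example, not part of the MD-100 lab files. Applies the Lab 0203 requirements.
# Exercise 1 needs the ActiveDirectory module (domain controller or RSAT); exercise 3 runs
# on the Windows 10 client. MinPasswordLength 14 and the tester's account name are assumptions.

Import-Module ActiveDirectory

# Exercise 1: domain password policy. "More than twice" means the third bad password locks the account.
$policy = @{
    Identity                 = 'contoso.com'
    MinPasswordLength        = 14                            # assumed value; the lab says only "longer"
    ComplexityEnabled        = $true
    LockoutThreshold         = 3                             # locks on the third failed attempt
    LockoutDuration          = (New-TimeSpan -Minutes 20)    # the 20-minute lockout from the scenario
    LockoutObservationWindow = (New-TimeSpan -Minutes 20)    # must not exceed LockoutDuration
}
Set-ADDefaultDomainPasswordPolicy @policy

# Read the policy back to confirm the change took effect.
Get-ADDefaultDomainPasswordPolicy -Identity 'contoso.com' |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Exercise 2 follow-up: a locked-out test account shows up here; unlocking needs no password reset.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut
# Unlock-ADAccount -Identity 'jane.dow'    # assumed SAM account name for the tester

# Exercise 3: UAC. Both values are DWORDs under the Policies\System key on the client.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# ConsentPromptBehaviorUser: 1 = prompt standard users for administrator credentials on the secure
# desktop (0 would deny elevation requests silently, 3 prompts without the secure desktop)
Set-ItemProperty -Path $uac -Name ConsentPromptBehaviorUser -Value 1 -Type DWord
# ValidateAdminCodeSignatures: 1 = only executables that are signed and validated may elevate
Set-ItemProperty -Path $uac -Name ValidateAdminCodeSignatures -Value 1 -Type DWord
# EnableLUA: 1 = UAC stays enabled (the two values above have no effect if this is 0)
Set-ItemProperty -Path $uac -Name EnableLUA -Value 1 -Type DWord

Get-ItemProperty -Path $uac | Select-Object ConsentPromptBehaviorUser, ValidateAdminCodeSignatures, EnableLUA
```

Setting the observation window equal to the lockout duration is deliberate: the window must never be longer than the duration, and keeping the two equal means a user who mistypes twice, waits twenty minutes, and mistypes again is not locked out, which matches the "in succession" wording of the scenario. The UAC values in the registry are the same ones the Local Security Policy console writes, so the change is visible there immediately.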

Lab 0204: Managing Azure AD Authentication

Summary
In this lab you will create a new user and then join a Windows 10 device to an Azure AD tenant.

Scenario
You have a new Windows 10 device that you would like to join to your Azure AD tenant. You will create a
new Azure AD user account for User2 and then join SEA-WS3 to Azure AD.

Module Review
Check Your Knowledge
1. Your organization is going to start allowing employees to work remotely. Employees will also be able
to work from their own devices. The devices will have access to sensitive business information. As the
IT Support professional, which of the following must you be able to do? (select three)
A. Control which data users can access
B. Initiate a remote wipe of a lost or stolen device
C. Setup a VPN
D. Have the ability to wipe business data off users’ personal devices without affecting their personal
data
E. Enable Windows Remote Management Server
F. Access Device Manager on the remote PCs
2. To prevent users from installing unauthorized software, you enabled UAC on all of your Windows 10
computers. However, some of the users are local Administrator on their computers. Which of the
following tasks will generate a UAC prompt for these users? (select three)
A. Configure accessibility options
B. Set up computer synchronization with a mobile device
C. Add or remove a user account
D. Install an application
E. Restore a user’s backup files
F. Install a driver for a device
3. Which variation of the UAC elevation prompt is displayed to standard users when they attempt to perform
an administrative task?
A. Consent prompt
B. Credential prompt
C. Approval prompt
D. Admin prompt
4. Your organization requires control over the web apps that users can access from devices. You deploy
Device Registration. Which of the following will take place after you register and enroll a device?
(select three)
A. The device is associated with a user account in the company directory
B. A device object is created in AD DS
C. An email is sent to the user.
D. A user certificate is installed on the device
E. The user will be able to register any other devices on the network.
5. As an IT Support professional, you are helping to configure the company’s infrastructure to allow
Device Registration. Which of the following must be taken into account when configuring the environment?
(select four)
A. A DNS record for the host named Enterpriseregistration.
B. At least one domain controller must be running Windows Server 2012 or later.
C. The machine must be using a 64-bit operating system.
D. A Public key infrastructure trusted by the devices.
E. AD FS must be deployed.
F. A VPN will no longer be able to be used.
G. The type of IP configuration.
6. You are an IT Support professional setting up a new PC with Windows 10. Which of the following is
not a type of account you can use when signing in the first time?
A. Domain Account
B. Local Account
C. Microsoft Account
D. Administrator Account
7. You need to set up an account that will be used to logon to a Windows 10 PC. This account needs to
be able to synchronize files with OneDrive. What type of account do you need to create?
A. Domain Account
B. Local Account
C. Microsoft Account
D. Online Service Account
E. None mentioned
8. A 2) A,B,D 3) B,C,E 4) B 5) A,B,D 6) A,B,D,E 7) D 8) C
Module 3 Post-Installation Configuration and
Personalization

Configure and Customize the Windows Start Menu

Lesson Introduction
In this lesson you will learn how to customize the Windows 10 desktop and configure startup options. We
will also discuss Cortana setup.

Lesson Objectives
After completing this lesson, you will be able to:
●● Use advanced startup options.
●● Customize desktop settings.
●● Configure Cortana in Windows 10.

Customizing the User Interface


You can configure the desktop settings in Windows 10 just as you do in Windows 7, including adding and
removing your own shortcuts, and customizing your color scheme. However, you have the most control
over customization from the Start screen, from where you can:
●● Add tiles. When you add a tile, you are pinning an app to Start. To do this, tap All apps, which is an
icon that appears in Start beneath the Power icon on the left. A list of all installed apps appears. Tap
and hold (or right-click) the desired app, and then tap Pin to Start. The app appears as a tile in Start
in its own unnamed tile group.
●● Remove tiles. When you remove a tile, you are not uninstalling the app. Tap and hold the tile that you
wish to remove from Start, and then tap Unpin from Start.
●● Pin to the taskbar. You also can pin apps to the taskbar, in addition to (or rather than) pinning them to
Start. To do this, tap All apps. When a list of all installed apps appears, tap and hold (or right-click) the
desired app, and then tap Pin to taskbar. The app appears as an icon on the taskbar. Administrators
also can pin apps to a user’s taskbar when configuring the user environment.
Note: The taskbar is visible only in desktop mode.
●● Resize tiles. To resize a tile, tap and hold the tile, tap Resize, and then tap the desired size. You can
resize most tiles as Small, Medium, Wide, and Large.
●● Live tiles. You can make many tiles, such as News and Weather, update automatically. Live tiles display
content relevant to the app, such as continuously updated news in the News tile or weather information
in the Weather tile. To enable live tiles, tap and hold the relevant tile, and then tap Turn live tile
on. To disable a live tile, tap and hold the tile, and then tap Turn live tile off.
●● Grouping tiles. You can group tiles into specific categories. Windows creates two default groups
during installation: Life at a glance, and Play and explore. You can rename groups by tapping the title
bar of the group and entering a new name. To create new groups, drag tiles to a new area on the Start
screen. Windows creates a new, unnamed group for the moved tile. You then can add tiles to the
group, and rename it as applicable.
Note: In Windows 10 Enterprise and Windows 10 Education, a network administrator can use Group
Policy Objects (GPOs) to configure and control the Start screen and other aspects of the user interface.

Synchronizing settings
For users who have more than one Windows device, Windows 10 can synchronize common
settings across multiple devices. This provides a consistent experience for the user, without having to
re-apply personalization settings when they use another device. For example, if a user bookmarks a
website in Microsoft Edge, that bookmark will persist in the Favorites list when moving to another device.
Settings persist by using a Microsoft account, which provides a common identity across devices.
Settings are maintained as part of the Microsoft account's profile data and are applied when signing in to
a device.
Settings that can be synchronized across devices include:
●● Theme: desktop background, user tile, taskbar position, etc.
●● Passwords: Windows credential manager, including Wi-Fi profiles
●● Language Preferences: spelling dictionary, system language settings
●● Ease of Access: narrator, on-screen keyboard, magnifier
●● Microsoft Edge browser setting: Microsoft Edge favorites, reading list, and other settings
●● Internet Explorer Settings: browsing history, typed URLs, favorites, etc.
For a complete list of settings, see https://aka.ms/AA65f81.
Settings can also be synchronized using Enterprise State Roaming and Azure Active Directory. This provides
additional features such as separation of personal and corporate data, enhanced security, and
monitoring capabilities. Azure AD is covered later in this course.

Action Center
The Action Center consolidates notifications from the operating system with shortcut tiles that enable
you to perform common or frequently accessed tasks. You can open the Action Center by selecting its
icon at the bottom right corner of your screen, by using the keyboard shortcut Windows key +
A, by swiping left from the screen edge on touch devices, or by tapping four fingers on the track pad.
There you will see the new, fully customizable quick actions: settings you can change quickly, without
going through the Settings app.
The action center is also your one-stop shop for notifications to see what’s going on with apps and other
programs from across your device. Plus, now you can also get web notifications in your action center via
Microsoft Edge sites. As always, the action center is fully customizable – check out the Settings App, then
System, then Notifications and actions. There, you can enable and disable what notifications you see in
the action center, as well as select which quick actions are available.
On the Notifications & actions tab, you can:
●● Configure Quick actions. This enables you to configure which tiles appear in the Action Center. Select
Add or remove quick actions to configure a particular tile.
●● Get notifications from apps and other senders.
●● Show notifications on the lock screen.
●● Show reminders and incoming VoIP calls on the lock screen.
●● Hide notifications when I’m duplicating my screen.
●● Show me the Windows welcome experience after updates and occasionally when I sign in to highlight
what’s new and suggested.
●● Get tips, tricks, and suggestions as you use Windows.
You can also configure individual apps and how they will notify you. Under the Get notifications from
these senders heading, enable or disable notifications for each listed app.

Focus Assist
While notifications can be helpful in managing the user's day, they can be distracting in scenarios such as
focusing on a particular task or giving a presentation. Focus Assist allows users to suppress these notifications.
Focus Assist can be enabled as needed from the Action Center, or it can be configured to turn on automatically
during certain times. It can also be configured to activate in certain scenarios, such as
activating automatically when the display is duplicated, for presentation scenarios.
You can also configure priority notifications. These notifications will still occur, even if Focus Assist is
enabled. Examples include communications from specific people in your contact list, telephone calls, and
notifications from specific apps.

Configure Cortana
Cortana is a digital agent designed to use natural language voice commands to interact with
Windows 10 so that you can accomplish tasks faster. You can use Cortana to find out information, such as the weather,
or to complete tasks such as setting a reminder.
The buttons in the Cortana UI (the image is not reproduced here):
1. Home
2. Notebook
3. Devices
4. Settings
5. Feedback
Here are some things Cortana can do for you:
●● Give you reminders based on time, places, or people.
●● Track teams, interests, and flights.
●● Send emails and texts.
●● Manage your calendar and keep you up to date.
●● Create and manage lists.
●● Play music, podcasts, and radio stations.
●● Chit chat and play games.
●● Find facts, files, places, and info.
●● Open any app on your system.
To get started, select the Cortana app in the task bar and begin speaking, or optionally, say “Hey, Cortana”
for Cortana to start listening. If you’re not sure what to say, try asking, "What can you do?”. The
more you use Cortana, the more personalized your experience will be.

Manage Cortana Settings


To access Cortana’s settings, select the Settings icon in the Cortana UI. The settings allow you to
configure options such as how Cortana activates, what information Cortana has access to, lock screen
behavior, and language settings. Cortana is part of the Windows 10 experience in the locales where she is
available. For Cortana to work well, she needs to be integrated into the operating system, which means
Cortana can't be entirely turned off. If you wish to hide Cortana, right-click the taskbar and clear the
Show Cortana button option.
Note: Cortana is removed from the Windows 10 Education and Windows 10 Pro Education editions. See
Windows 10 editions for education customers for more info.
Note: As of Windows 10 version 1903, Cortana is no longer coupled with the search box in the taskbar.
Common Configuration Options


Lesson Introduction
Setting a device’s display capabilities and screen effects is an important part of getting the most from
your computing environment. Many users find it important to have a crisp, sharp display that is capable
of vibrant colors and fast movement. However, such displays often result in high power consumption,
which is a disadvantage, especially for those using mobile devices on battery power. As a result, it is
equally important to be able to configure the power consumption options.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the various display settings in Windows 10.
●● Configure display options.
●● Describe how to manage mobile-device settings in Windows 10.
●● Describe power plans.
●● Configure power options.

Using the Settings App


Windows 10 continues to use many of the same computer controls that previous Windows versions have
included, such as the Control Panel. However, in Windows 10, many of the Control Panel functions are
available in the Settings app. The Settings app contains several settings that you can use to configure
your device. These settings appear in nine different categories: System, Devices, Network & Internet,
Personalization, Accounts, Time & Language, Ease of Access, Privacy, and Update & Security. In Windows
8.1, you used the Charms feature to access Settings. Windows 10 does not include the Charms feature.
However, you can use the Start menu or the taskbar to access the Settings app and other features that
were accessible through the Charms feature in Windows 8.1.
Note: One of the key differences between Windows 8.1 and Windows 10 is that the latter features the
return of the Start menu. However, you can retain or reapply the Start screen functionality if you want to.
You can access the Settings app in any of the following ways:
●● Open the Action Center, and in the lower portion, select the All Settings tile.
●● Select the Start menu icon, and then select Settings on the menu.
●● Type Settings in the search box located on the taskbar, and then press the Enter key.
The Settings app page has nine separate icons that represent the main categories that you can configure.
When you select any of these icons, you will access a page with subcategories that appear in a console
tree on the left of the page. Depending on the subcategory that you select, more items and configurable
settings appear in the details pane.
Desktop administrators may wish to restrict users from accessing certain settings within the Settings app.
This can be controlled by Group Policy as either a user or computer policy in the Administrative Templates
> Control Panel > Settings Page Visibility path. The policy can either specify an allow list of the only
settings pages that are shown, or a list of settings pages that are hidden.
Note: Group Policy is covered in more depth in the next lesson.
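On a device outside the scope of domain Group Policy, the same restriction can be applied through the registry value that the Settings Page Visibility policy writes. The following script is an added example, not part of the MD-100 course; the page names are the suffixes of the ms-settings: URIs, and the particular selection of hidden or shown pages is an assumed kiosk-style setup, not a recommendation from the course.

```powershell
# Added example, not part of the MD-100 course. Applies the Settings Page Visibility policy
# locally through the registry value that the Group Policy setting writes.
# The page selection below is an assumed example; page names are ms-settings: URI suffixes.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-SettingsPageVisibility {
    param(
        [ValidateSet('hide', 'showonly')] [string]$Mode,   # hide = deny list, showonly = allow list
        [string[]]$Pages
    )
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $value = '{0}:{1}' -f $Mode, ($Pages -join ';')
    Set-ItemProperty -Path $key -Name SettingsPageVisibility -Value $value -Type String
    return $value
}

# Deny list: everything stays visible except Windows Update and the Developer page.
Set-SettingsPageVisibility -Mode hide -Pages 'windowsupdate', 'developers'

# Allow list alternative: only the Display and Bluetooth pages are shown.
# Set-SettingsPageVisibility -Mode showonly -Pages 'display', 'bluetooth'

# Verify. The value is read when the Settings app starts, so close and reopen Settings to see the effect;
# a hidden page also no longer opens from its URI, e.g. Start-Process 'ms-settings:windowsupdate'.
Get-ItemProperty -Path $key -Name SettingsPageVisibility

# Revert: Remove-ItemProperty -Path $key -Name SettingsPageVisibility
```

An allow list (showonly) is the safer form for a locked-down device because a page added by a future Windows release is hidden by default, whereas with a deny list (hide) it would appear until someone notices.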

Using Control Panel


The Control Panel lets you adjust your computer’s settings. Much of the functionality in the new Settings
app also is present in the Control Panel. The Control Panel has been part of every Windows version since
Windows 2.0. However, in Windows 10, there are significant changes in the Control Panel. The Settings
app replaces many possible configurable actions that were in the Control Panel previously, and it is the
quickest way to make configuration changes. However, the Control Panel allows you to make more
advanced changes that may not be available in the Settings app.
The Control Panel appears as a File Explorer folder. You also can open Control Panel by selecting Start
and typing “Control Panel”. By default, items in the Control Panel appear in the Category view. However, you
also can display items in the Large or Small icon views.

Display Options
Most of the display settings in Windows 10 are new, but some of the settings still use the same configuration
options available in older Windows versions. For many people, changing the display options starts
with right-clicking the desktop, and then selecting the Display settings menu item. This procedure
remains the same in Windows 10. However, by doing so, you open the new Display item in the System
category of the Settings app. Here, you can configure a wide variety of settings. The Display item
contains the following configurable items:
●● Large Display icon. A large rectangle or multiple large rectangles at the top of the Display area
represent your displays. When you have more than one display, you can change the placement of
these display rectangles. For example, you can move one rectangle to the left and the other to the
right. However, if you extend these displays, the mouse cursor will not necessarily move from left to
right across the gap between displays as expected. To fix this issue, you can switch the two display
rectangles–or more if you have them–so that the mouse’s cursor moves between them.
●● Identify. If you have more than one display, each display rectangle will have a number on it, starting
with the number 1. Even if you only have one display, you will see the rectangle with the number 1 on
it. If you select the Identify hyperlink under the rectangle, a large number will appear in a pop-up
window on your screen, corresponding to the displays you have. Therefore, if you have one display,
you will see a pop-up window with a large number 1 on your only display. If you have two displays,
one display will have a large number 1 in a pop-up window, while the other display will have a large
number 2 in a pop-up window.
●● Detect. When you select this hyperlink, it detects other displays that are connected, but which have
not come up in the Display settings. However, any connected displays should show automatically.
●● Change the size of text, apps, and other items. You can use this slider bar to edit the size from 100
percent, on the far left, to 125 percent on the far right.
●● Orientation. Not all Windows 10 devices will have this drop down option. Virtual machines and
desktops normally do not, because this is primarily a mobility function. Tablets and certain laptops will
change automatically from landscape to portrait view based on how users hold them, due to a
gyroscopic sensor in the device. Not every device has such sensors, and the Display settings provide
the orientation drop down to manage this manually.
●● Brightness level. You can move the toggle on this slider bar from left to right to set the brightness
level from 0 to 100 percent. A corresponding number will appear right above the slider toggle as you
move it, to show the brightness percentage.
●● Multiple displays. This drop-down list box is unavailable if you only have one display. The choices
you can make include Duplicate these displays, Extend these displays, Show only on 1, Show only on
2, and more if you have more than two connected displays.
●● Make this my main display. This check box is only available when you have two or more displays.
You must select one of the large rectangular Display icons to make the change. Otherwise, the main
display will be the monitor you are on, and because that is already the main display, it will be grayed
out. The display that you select will be the display on which you sign in and get the first items on the
desktop.
●● Apply. Some of the changes will not take place until you select Apply. When you do so, the changed
display appears with an overlay screen with a Keep these display settings? Reverting to previous
display in x seconds message. The overlay screen also includes two options: Keep changes and Revert.
If you select Keep changes, you will return to the Display Settings page with the new settings applied.
If you select Revert—or wait for the seconds to elapse—the display reverts back to the way it was
before you selected Apply. The Display Settings page appears again.
●● Cancel. Removes any changes you may have made previously.
●● Advanced Display Settings. This hyperlink takes you to another page that is virtually identical to the
Display page but with the Resolution check box described below. The page also has an Apply option
and a Cancel option at the bottom.
●● Resolution. This drop-down box contains all the resolution sizes that are available to the graphics
device and monitor that make up your display(s). Sizes will vary, but the drop down box normally has
several choices, including the recommended choice for a particular display and that setting, such as
1366X768 (Recommended).
Other display settings
At the bottom of the console tree of the Advanced Display Settings page there is an Advanced sizing of
text and other items hyperlink, which you can select to access the Display area in the Control Panel’s
Appearance and Personalization area. The Display area has several more advanced display settings that
you can modify, which are either duplicates of the Windows 10 Settings app or are not available there.
Many of these settings take you back to the appropriate Settings app page for that functionality.
The Personalization category of the Settings app contains several configurable items that affect the
display, such as background, colors, and other functions such as Themes, Lock screen, and Start menu.
Options for Mobile Devices


Computers play an important part in people’s daily lives. The ability to carry out computing tasks at any
time and in any place has become a necessity for many users.
When Windows 10 is installed on a mobile device such as a laptop or tablet, there are several additional
options unique to the mobile user.
You can access and configure mobile computer settings by using the various Settings app category pages
of configuration settings. You can access various settings such as System, including Display, which the
previous topic detailed, and Power, which the next topic covers. The System setting also includes the
tablet mode settings, which allows you to use tablet devices with full touch capabilities and reverts the
Start menu to a Start screen similar to that in Windows 8.

The Action Center can help you manage many of the mobile-device settings with simple tiles referred to
as Quick Actions. To open the Action Center, select the Notifications balloon icon on the taskbar’s
notification area. You can select the Quick Actions tiles, or touch them on a touch capable device. The
Quick Actions tiles let you edit different settings quickly. These tiles are:
●● Tablet mode. Enables you to go into tablet mode with one tap, and back to normal mode by
selecting or touching the tile again. When tablet mode is in effect, this tile is live.
●● Connect. Searches for wireless display and audio devices by using Bluetooth, wireless,
Miracast, or WiGig capable components. In the computing industry, WiGig refers to the Wireless Gigabit
Alliance, Institute of Electrical and Electronics Engineers (IEEE) standard 802.11ah.
●● Note. Brings up Microsoft OneNote for Windows 10.
●● All Settings. Takes you to the Settings app.
●● VPN. Connects a VPN connection, if you have one.
●● Quiet hours. Turns off all Windows notifications during the time that you configure. This means that a
new email or friend’s Skype status will not trigger an audio alarm and a pop-up notification. The
benefit of this Quick Action is that you do not have to turn off all notifications manually, and when
you disable Quiet hours, you then see all your notifications.
●● Location. Turn on or off the location based settings that many apps use.
●● Battery saver. Switches the Battery saver mode on and off, which lowers the screen brightness and
limits background tasks, and adjusts other settings to reduce your device’s power consumption.
●● Airplane mode. Turns airplane mode on or off. Airplane mode turns off wireless, cellular, and Bluetooth
transmissions while keeping the device running for local tasks.
●● WiFi. Turns your wireless adapter on or off.
●● Bluetooth. Turns your Bluetooth adapter on or off.
Note: Not all Quick Actions tiles will be available on your device. Some of these tiles require that your
device has specific hardware or software installed.

Power Plans
Computing devices need electrical power, regardless of whether they are stationary or mobile. One of the
main concerns with mobile devices that use stored electrical power is that the power in the battery is
limited and depletes over time. Another issue for many organizations is the power consumption by all of
the different devices that they may own. Conserving power helps to reduce business expenses and
benefits the environment.
Power plans
You can create power plans in Windows 10 that govern power consumption and operations. By default,
there are three preconfigured power plans: Balanced, Power saver, and High performance. You can adjust
and save any of these power plans, or create your own power plan. The following table provides details
about each plan.

Power plan: Balanced
  Energy usage: Medium
  Screen brightness: Can turn off display after a specified amount of time.
  System activity: Measures ongoing activity, and, when in use, continues to provide full power to all
  system components.
Power plan: Power saver
  Energy usage: Least
  Screen brightness: By default, after five minutes of inactivity, the display will power off.
  System activity: Saves energy by reducing system performance whenever possible.
Power plan: High performance
  Energy usage: Highest
  Screen brightness: Sets the screen at its highest brightness.
  System activity: Keeps the system’s disk drive, memory, and processor continuously supplied with power.
If the computer is a portable device, such as a tablet or laptop, you can use separate settings within each
plan for when the device is on battery or plugged in. Because you can adjust and save each plan, there is
also an option in the plan to restore default settings. You can use this option to return the plan to where
you started.
You can access the power plans by performing the following procedure:
1. Open the Settings app, select the System category, and then select Power & Sleep.
2. Select the Additional power settings hyperlink, or alternatively, type Power Plans in the Ask me
anything text box on the taskbar. This will open up the Control Panel Power Options page.
Note: By default, you will see only the Balanced and Power saver plans in the Preferred plans section. If
you select the down arrow by the Show additional plans section, the High performance plan appears. The
three plans are the Windows 10 default plans. However, any new plans that you create will appear on this
page as well.
Configuration options
There are different options available on the Power & Sleep page in the Settings app’s System category.
The options that are available on your device depend on its hardware configuration. For example,
on a laptop or other mobile device, you will have the following configurable options, each with a
drop-down list box offering various minutes, hours, or never:
●● Screen
●● On battery power, turn off after
●● When plugged in, turn off after
●● Sleep
●● On battery power, PC goes to sleep after
●● When plugged in, PC goes to sleep after
The Additional power settings hyperlink appears below the settings discussed above, and you can select
it to access the Power Options configuration page in the Hardware and Sound section of the Control
Panel. The Power Options configuration page includes many options.
Note: Not all devices will have all of the settings that the following section lists. Several of these settings
apply to particular hardware that may not be present on all devices.
On the left side is a list of settings, including:
●● Require a password on wakeup. Use this setting to access the Define power buttons and turn on
password protection page. On this page, there is a Password protection on wakeup section that allows
you to ensure that when a computer resumes from a hibernated state, the screen is locked until the
user presents credentials. This setting is turned on by default.
●● Choose what the power buttons do. Use this setting to access the Define power buttons and turn
on password protection page. Most devices have a power button, and additionally, many have a sleep
button. For mobile devices with both power and sleep buttons, both buttons include the On battery
and Plugged in columns with four choices: Do nothing, Hibernate, Sleep, and Shut down. Some
devices do not have a Sleep or Hibernate option. Certain devices also have a Shutdown settings
section on the Define power buttons and turn on password protection page, which includes check
boxes for:
●● Turn on fast startup. Allows the Windows operating system to save system information into a file
that it uses to start up when you reapply power.
●● Sleep. Suspends power to the hard drive and display, but continues supplying power to the
processor and memory.
●● Hibernate. Writes all activity in memory to a file and shuts down all power, but allows the file to
reanimate memory with the same values once you supply power.
●● Lock. Locks the screen, and requires the user to reenter credentials before resuming operations.
●● Choose what closing the lid does. Use this setting to access the Define power buttons and turn on
password protection page, and drop-down list boxes for On Battery and Plugged in. You also can
select an option for Choose what closing the lid does, including Do nothing, Sleep, Hibernate, and
Shut down.
●● Create a power plan. When you select this setting, the Create a Power Plan Wizard appears, in which
you choose one of the three default power plans as a starting point and save it under a custom name.
You then change the plan’s default settings on the wizard’s Edit Plan Settings page: Turn off the
display, Put the computer to sleep, and Adjust plan brightness. You select the Turn off the display and
Put the computer to sleep values from a drop-down menu that has options from 1 minute to five hours,
or never. You also can configure the Adjust plan brightness setting from fully dim to the highest
brightness setting by using its slider bar.
●● Choose when to turn off the display. Use this setting to access the Edit Plan Settings page, which is
identical to the one in the Create a Power Plan Wizard.
●● Change when the computer sleeps. This setting is identical to the Choose when to turn off the
display setting.
The Power Options screen also lists the default and custom power plans. When you select the Change
plan settings setting and access a particular power plan, the Change advanced power settings setting
becomes available. This setting opens the Power Options window, with a list of options that you can
expand and individually select. These options include settings for the battery, hard disk, graphics settings,
multimedia settings, and USB, which refers to universal serial bus.
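The Require a password on wakeup setting described above is the one an administrator most often needs to verify on every plan, not just the active one. The following PowerShell script is an added example, not part of the course, that reads that setting for each power plan with the built-in powercfg.exe and, when run with -Fix, enforces it; it assumes English powercfg output (the parsing matches the English labels) and an elevated session.

```powershell
# Added example, not part of the course text: audit (and optionally enforce) the
# "Require a password on wakeup" setting for every power plan on this device.
# powercfg.exe is built into Windows 10; the setting is addressed through its
# aliases SUB_NONE (subgroup) and CONSOLELOCK (setting). English powercfg output
# is assumed because the parsing below matches the English label text.
param([switch]$Fix)   # run with -Fix to set the value on every plan that lacks it

function Get-PowerPlanList {
    # "powercfg /list" prints one line per plan, for example:
    #   Power Scheme GUID: 381b4222-f694-41f0-9685-ff5bb260df2e  (Balanced) *
    # The trailing asterisk marks the active plan.
    foreach ($line in (powercfg /list)) {
        if ($line -match 'GUID:\s+([0-9a-fA-F-]{36})\s+\((.+?)\)\s*(\*)?\s*$') {
            [pscustomobject]@{
                Guid   = $Matches[1]
                Name   = $Matches[2]
                Active = [bool]$Matches[3]
            }
        }
    }
}

function Get-WakeupPasswordSetting {
    param([Parameter(Mandatory)][string]$SchemeGuid)
    # "powercfg /query <scheme> SUB_NONE CONSOLELOCK" includes the lines
    #   Current AC Power Setting Index: 0x00000001
    #   Current DC Power Setting Index: 0x00000001
    # where 1 means a password is required when the device wakes and 0 means not.
    $ac = $dc = $null
    foreach ($line in (powercfg /query $SchemeGuid SUB_NONE CONSOLELOCK)) {
        if ($line -match 'Current AC Power Setting Index:\s+(0x[0-9a-fA-F]+)') { $ac = [int]$Matches[1] }
        if ($line -match 'Current DC Power Setting Index:\s+(0x[0-9a-fA-F]+)') { $dc = [int]$Matches[1] }
    }
    [pscustomobject]@{
        PluggedIn = ($ac -eq 1)   # AC = plugged in
        OnBattery = ($dc -eq 1)   # DC = on battery
    }
}

function Set-WakeupPasswordRequired {
    param([Parameter(Mandatory)][string]$SchemeGuid)
    # Set both the plugged-in (AC) and on-battery (DC) values to 1 = required.
    powercfg /setacvalueindex $SchemeGuid SUB_NONE CONSOLELOCK 1 | Out-Null
    powercfg /setdcvalueindex $SchemeGuid SUB_NONE CONSOLELOCK 1 | Out-Null
}

# Report every plan, flag the active one, and remediate only when -Fix was given.
foreach ($plan in Get-PowerPlanList) {
    $setting = Get-WakeupPasswordSetting -SchemeGuid $plan.Guid
    $label = if ($plan.Active) { "$($plan.Name) (active)" } else { $plan.Name }
    "{0,-32} plugged in: {1,-5} on battery: {2}" -f $label, $setting.PluggedIn, $setting.OnBattery
    if ($Fix -and -not ($setting.PluggedIn -and $setting.OnBattery)) {
        Set-WakeupPasswordRequired -SchemeGuid $plan.Guid
        "  -> password on wakeup now required for $($plan.Name)"
    }
}
```

A plan that reports False on either column lets the device resume to an unlocked desktop, which is the condition the default setting exists to prevent.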

Windows 10 Privacy
Windows 10 introduces a new setup experience for you to choose the settings that are right for you. This
experience, which replaces the previous Express Settings, will look slightly different depending on the
version of Windows you are using. If you are moving from Windows 7 or Windows 8, or doing a fresh install
of Windows 10, the new setup experience will clearly show you simple but important settings, and you will
need to choose your settings before you can move forward with setup.
Privacy settings allow you to control personal information that is used by the OS or apps, or shared with
Microsoft. They also allow users to control which settings and apps have access to certain hardware on
the device, such as the device’s camera.
Privacy controls allow you to configure Windows and app permissions to access:
●● The location of the device
●● The device camera or microphone
●● Access to your account information
●● Access to e-mail, contacts, calendar
●● Phone calls, messages, and history
●● Which apps are allowed to continue running in the background
●● Access to documents, pictures, and video libraries.
You can adjust privacy settings at any time by selecting Start, then Settings, and then Privacy.

Advanced Configuration Methods


Lesson Introduction
When configuring options in Windows for an organization, the ability to configure options at scale
becomes a necessity. The most common methods of configuring devices at scale are applying settings
using a centralized management console or scripting.
Group Policy allows an administrator to create configuration policies that can be applied to a group of
devices using a management console. Windows PowerShell is a powerful tool that you can use to
configure a Windows 10 device using a command-line interface and create reusable scripts.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe Active Directory
●● Describe the benefits of using Group Policy
●● Configure and apply a Group Policy Object
●● Describe Windows PowerShell
●● Explain how to use Windows PowerShell cmdlets

Activation Overview
All Windows 10 editions require activation. Activation confirms the status of a Windows product and
ensures that the product key has not been compromised. The activation process links the software’s
product key to a particular installation of that software on a device. Unlike Windows 7, Windows 10 does
not have a grace period. You must activate Windows 10 immediately upon installation. Failure to activate
a Windows operating system prevents users from completing customization. If you want to evaluate
Windows 10, Microsoft provides a separate evaluation edition that is available as an .iso image file.
Windows 10 has three main methods for activation:

●● Retail. Any Windows 10 product purchased at a retail store comes with one unique product key that
you type in during product installation. You use the product key to complete activation after installing
the Windows 10 operating system.
●● OEM. OEM system builders typically sell computer systems that include a customized build of
Windows 10. You can perform OEM activation by associating the Windows operating system to the
computer system BIOS, which means that you cannot transfer this license to another computer.
●● Microsoft Volume Licensing (volume activation). Microsoft Volume Licensing is a series of software
licensing programs that are tailored to the size and purchasing methods of your organization. Volume
customers set up volume licensing agreements with Microsoft. These agreements include Windows
upgrade benefits and other benefits related to value-added software and services. Microsoft Volume
Licensing customers use Volume Activation Services to assist in activation tasks, which consist of
Active Directory–based activation, KMS, and multiple activation key (MAK) models.
You can view the Windows 10 activation status either on the System properties page, or by running the
following command at a command prompt:
cscript C:\windows\system32\slmgr.vbs -dli
When you activate your Windows 10 Home and Pro editions, Windows 10 generates a unique ID based
on the hardware present in your computer. This ensures that you cannot use your Windows 10 license on
another computer. If you change a significant amount of hardware, you could have to reactivate Windows
10.
If you plan to implement KMS, MAK, or Active Directory–based activation, you must consider certain
aspects, limitations, and requirements. The following factors are applicable for each of these three
volume activation methods.

MAK activation considerations


A MAK also allows permanent activation of computers that are isolated from the KMS or are part of an
isolated network that does not have enough computers to use the KMS. Activating using MAK is similar
to activation with a retail key, except that a MAK is valid for activating multiple computers. Each MAK can
be used a specific number of times. The VAMT can assist in tracking the number of activations that have
been performed with each key and how many remain.
When selecting MAK activation, keep in mind the following considerations:
●● MAK activation is for computers that rarely or never connect to the corporate network, and for
environments where the number of computers that need activation does not meet the KMS activation
threshold.
●● You can use MAK to activate computers in one of two ways:
●● MAK Independent. This activation method requires that each computer connect independently
and activate with Microsoft over the Internet or by telephone. This method is best suited for
computers within an organization that do not have a connection to the corporate network.
●● MAK Proxy. This activation method enables a centralized activation request on behalf of multiple
computers with one connection to Microsoft. This method is suitable for environments where
security concerns restrict direct access to the Internet or to the corporate network.
KMS activation considerations
Installing a KMS host key on a computer running Windows 10 allows you to activate other computers
running Windows clients against this KMS host. Clients locate the KMS server by using resource records
in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your
organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the
Internet or by phone using the Microsoft activation service.
When working to implement KMS activation, keep in mind the following considerations:
●● Client computers that are not activated attempt to connect with the KMS host every two hours.
●● To stay activated, client computers must renew their activation by connecting to the KMS host at least
once every 180 days.
●● After activation, client computers attempt to renew their activation every seven days. After each
successful connection, the expiration extends to the full 180 days.
●● KMS activation requires at least 25 computers to run Windows 10 for activation to be successful.
●● Client computers connect to the KMS host for activation by using anonymous remote procedure calls
(RPCs) over TCP/IP and by using default port 1688. You can configure this port information. The
connection is anonymous, enabling workgroup computers to communicate with the KMS host. You
might need to configure the firewall and the router network to pass communications for the
Transmission Control Protocol (TCP) port that you have configured.
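As an added example (not part of the course), the following PowerShell script reads the same activation data that the slmgr.vbs -dli command above reports, and for a KMS client locates the KMS host through the _vlmcs._tcp DNS SRV record and tests the TCP port from the considerations just listed. The SoftwareLicensingProduct class and its properties are Windows' own; the DNS domain is taken from the computer's environment and can be overridden.

```powershell
# Added example, not part of the course text: report this computer's Windows
# activation state (the same data slmgr.vbs -dli reads) and, for a KMS client,
# find the KMS host through DNS and check that its TCP port is reachable.
# Assumes Windows 10 and that the computer's DNS domain publishes the
# _vlmcs._tcp SRV record; pass -DnsDomain to Find-KmsHost if it lives elsewhere.

# Application ID under which the Windows product appears in the
# SoftwareLicensingProduct WMI class.
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

# LicenseStatus values as reported by the class.
$LicenseStatusNames = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'Out-of-box grace period'
    3 = 'Out-of-tolerance grace period'; 4 = 'Non-genuine grace period'
    5 = 'Notification'; 6 = 'Extended grace period'
}

function Get-WindowsActivationState {
    # Only the Windows product that has a (partial) product key installed counts.
    $product = Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "ApplicationId='$WindowsAppId' AND PartialProductKey IS NOT NULL" |
        Select-Object -First 1
    if (-not $product) { return $null }
    [pscustomobject]@{
        Name               = $product.Name
        Channel            = $product.ProductKeyChannel   # Retail, OEM, Volume:GVLK, Volume:MAK
        Status             = $LicenseStatusNames[[int]$product.LicenseStatus]
        GraceDaysRemaining = [math]::Round($product.GracePeriodRemaining / 1440, 1)  # class reports minutes
        KmsHost            = $product.KeyManagementServiceMachine
        KmsPort            = $product.KeyManagementServicePort
    }
}

function Find-KmsHost {
    param([string]$DnsDomain = $env:USERDNSDOMAIN)
    # KMS hosts publish an SRV record _vlmcs._tcp.<domain>; clients query it to
    # discover the host name and port (1688 unless the host was reconfigured).
    Resolve-DnsName -Name "_vlmcs._tcp.$DnsDomain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object {
            [pscustomobject]@{ Host = $_.NameTarget; Port = $_.Port; Priority = $_.Priority }
        }
}

function Test-KmsHostReachable {
    param([Parameter(Mandatory)][string]$KmsHostName, [int]$Port = 1688)
    # Activation uses anonymous RPC over TCP, so a plain TCP connect test shows
    # whether a firewall or router between client and host blocks the port.
    (Test-NetConnection -ComputerName $KmsHostName -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
}

$state = Get-WindowsActivationState
if (-not $state) { throw 'No Windows product with an installed product key was found.' }
$state | Format-List

# Only GVLK (KMS client) installations renew against a KMS host every 180 days.
if ($state.Channel -like 'Volume:GVLK*') {
    foreach ($kms in Find-KmsHost) {
        $ok = Test-KmsHostReachable -KmsHostName $kms.Host -Port $kms.Port
        'KMS host {0}:{1} reachable over TCP: {2}' -f $kms.Host, $kms.Port, $ok
    }
}
```

A Licensed status with a small GraceDaysRemaining on a GVLK client means the last renewal succeeded long ago; a reachable host but no renewal points at the KMS host rather than the network.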
Active Directory–based activation considerations


Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a
connection to their domain. Many companies have computers at offsite locations that use products that are
registered to the company. Previously these computers needed to either use a retail key or a Multiple
Activation Key (MAK), or physically connect to the network in order to activate their products by using
Key Management Services (KMS). ADBA provides a way to activate these products if the computers can
join the company’s domain. When the user joins their computer to the domain, the ADBA object
automatically activates Windows installed on their computer, as long as the computer has a Generic Volume
License Key (GVLK) installed. No single physical computer is required to act as the activation object,
because it is distributed throughout the domain.
When working with Active Directory–based activation, keep in mind the following considerations:
●● You do not need an additional host server with Active Directory–based activation. Your existing
domain controllers can support activation clients with the following limitations:
●● You cannot configure Active Directory–based activation on read-only domain controllers.
●● You cannot use Active Directory–based activation with non-Microsoft directory services.
●● To store activation objects, the Active Directory schema must be at a Windows Server 2012 or
newer version.
●● Domain controllers that run previous versions of Windows Server can activate clients after the
Active Directory schema has been extended to a Windows Server 2012 or newer version.
●● Active Directory–based activation is forest wide, and you only need to implement it once, even if the
forest contains multiple domains.
●● There are no threshold limits that must be met before computers can be activated by using Active
Directory–based activation.

Group Policy
Group Policy is a system that you can use to apply configuration settings to Windows clients and servers.
You create Group Policy Objects (GPOs) that contain Group Policy settings. The settings can be applied to
the local client individually. With domain-joined clients, Windows-based computers download and apply
the settings in GPOs.

Group Policy Objects


A GPO is an object that contains one or more policy settings that apply configuration settings for users,
computers, or both. GPOs can be managed using Group Policy Management Console (GPMC). Within the
GPMC, you can open and edit a GPO by using the Group Policy Management Editor window. GPOs
logically link to AD DS containers to apply settings to the objects in those containers.
Note: GPOs can be applied, referred to as linking, to AD DS sites, domains, and organizational units
(OUs). GPOs cannot link to the default Computers or Users containers in AD DS.
Note: GPOs can be used regardless of whether the machine is joined to a domain. This is covered in
more detail in the next topic.

Group Policy settings


A Group Policy setting is the most specific component of Group Policy. It defines a specific configuration
change to apply to an object (a computer, a user, or both) within AD DS. Group Policy has thousands of
configurable settings. These settings can affect nearly every area of the computing environment. Not all
settings can be applied to all older versions of Windows Server and Windows operating systems. Each
new version introduces new settings and capabilities that only apply to that specific version. If a
computer has a Group Policy setting applied that it cannot process, it simply ignores it.
For example, in Windows 7 you do not use Group Policy to configure a Start menu layout, so Windows 7
computers ignore the Start menu layout. However, Windows 10 devices will process the setting.
Most Group Policy settings have three states:
●● Not Configured. The GPO does not modify the existing configuration of the setting for the user or
computer.
●● Enabled. The GPO applies the policy setting.
●● Disabled. The GPO reverses the policy setting.
Note: By default, most Group Policy settings are set to Not Configured.
Note: Some settings are multivalued or have text string values. These typically provide specific
configuration details to applications or operating system components. For example, a setting might provide
the URL of the home page for Internet Explorer or for blocked applications.
The effect of the configuration change depends on the Group Policy setting. For example, if you enable
the Prohibit Access to Control Panel Group Policy setting, users will be unable to open Control Panel. If
you disable the Group Policy setting, you ensure that users can open Control Panel. Notice the double
negative in this Group Policy setting: you disable a policy setting that prevents an action, thereby
allowing the action.

Group Policy settings structure


There are two distinct types of Group Policy settings:
●● User settings. These settings modify the HKEY_CURRENT_USER hive of the registry.
●● Computer settings. These settings modify the HKEY_LOCAL_MACHINE hive of the registry.
User settings and computer settings each have three areas of configuration, as described in the following
table.

Section: Software settings
  Description: Contains software settings that can deploy to either the user or the computer. Software
  that deploys or publishes to a user is specific to that user. Software that deploys to a computer is
  available to all users of that computer.
Section: Windows operating system settings
  Description: Contains script settings and security settings for both user and computer, and Internet
  Explorer maintenance for the user configuration.
Section: Administrative templates
  Description: Contains hundreds of settings that modify the registry to control various aspects of the
  user and computer environment. Microsoft or other vendors might create new administrative templates.
  You can add these new templates to the GPMC. For example, Microsoft has Microsoft Office 2013
  templates that are available for download that you can add to the GPMC.

Group Policy Management Editor


The Group Policy Management Editor window displays the individual Group Policy settings that are
available in a GPO. These display in an organized hierarchy that begins with the division between
computer settings and user settings, and then expands to show the Computer Configuration node and the
User Configuration node. You configure all Group Policy settings and preferences in the Group Policy
Management Editor window.
Note: In Windows 10, some Group Policy settings such as disabling the lock screen, disabling Windows
tips in the UI, and turning off the Microsoft Consumer Experience are available only in the Enterprise
edition of the Windows 10 operating system.

Group Policy Preferences


In addition to the Group Policy sections shown in the preceding table, there is a Preferences node under
both the Computer Configuration and User Configuration nodes in the Group Policy Management
Editor window. Preferences provide even more capabilities with which to configure the environment. The
key difference between a GPO setting and Group Policy Preference is that the GPO setting is enforced,
and cannot be modified outside of the GPO. For example, you cannot change an item whose setting was
configured in a GPO by changing it in the Settings app or Control Panel. A Group Policy Preference, on
the other hand, is not enforced. Users can change it if they have the necessary permissions and rights on
the computer.

Applying Group Policy Objects


GPOs apply in a consistent order that allows you to predict which settings are effective when there are
conflicting settings in GPOs that apply to a user or computer. GPOs that apply later in the process
overwrite any conflicting policy settings that applied earlier.
GPOs apply in the following order:


1. Local GPOs. Each operating system that is running Windows Vista or newer potentially has a local
GPO configured already.
2. Site GPOs. Policies that link to sites process next.
3. Domain GPOs. Policies that link to the domain process next. There often are multiple policies at the
domain level. These policies process in order of preference.
4. OU GPOs. Policies linked to OUs process next. These policies contain settings that are unique to the
objects in that OU. For example, Sales users might have special required settings. You can link a policy
to the Sales OU to deliver those settings.
5. Child OU policies. Any policies that link to child OUs process last.
AD DS objects in the containers receive the cumulative effect of all policies in their processing order. In
the case of a conflict between settings, the last policy applied takes effect. For example, a domain-level
policy might restrict access to registry editing tools, but you could configure an OU-level policy and link it
to the Information Technology (IT) OU to reverse that policy. Because the OU-level policy applies later in
the process, access to registry tools would be available to users in the IT OU.
If multiple policies apply at the same level, an administrator can assign a preference value to control the
order of processing. The default preference order is the order in which the policies were linked. You also
can disable the user or computer configuration of a GPO.

Local GPOs
Each Windows 10–based computer has one local GPO that contains default computer and user settings,
regardless of whether the computer is part of an AD DS environment. In addition to this default local
GPO, you can create custom local user GPOs.
A local GPO is the least influential object in an AD DS environment because its settings can be
overwritten by GPOs that are associated with sites, domains, and OUs. In a non-networked environment, or in a
networked environment that does not have a domain controller, local GPO settings are important
because other GPOs do not overwrite them. Stand-alone computers only use local GPOs to control the
environment.
Windows Vista and newer Windows client operating systems, and Windows Server 2008 and newer
Windows Server operating systems, have an added feature: multiple local GPOs. Since Windows 8 and
Windows Server 2012, you also can have different user settings for different local users, but this applies
only to the user configuration in Group Policy. There is only one set of computer configuration settings,
and it affects all users of the computer.
Computers that run Windows 7 and newer versions provide this ability with the following three layers of
local GPOs:
●● Local Group Policy (contains the computer configuration settings)
●● Administrators and Non‑Administrators Local Group Policy
●● User‑specific Local Group Policy

Domain GPOs
You can use Group Policy in an AD DS environment to provide centralized configuration management.
Domain GPOs are created and linked to objects within an AD DS infrastructure. The settings in the GPO
then affect the computers and users that are within those objects, depending on how you configure the
application of the GPO.

Options for modifying Group Policy processing


You can modify the default processing of GPOs by using:
●● Security filtering. You can use security filtering to specify users, computers, or groups that are able or
not able to process a GPO. For example, you could specify that members of the Technical Support
group have special security settings.
●● Enforcement. You can use enforcement to ensure that settings in a specific GPO apply regardless of
any lower-level GPOs that would normally override this GPO. For example, you could specify
standardized security settings at the domain level.
●● Block inheritance. You can use block inheritance to prevent a lower-level OU from inheriting settings
from a higher-level OU. For example, you could block settings applied at the domain level from
affecting users in the IT OU.
Note: When a link is enforced and a lower-level OU blocks inheritance, the settings in the enforced GPO
apply.
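The following PowerShell script is an added example, not from the course, that uses the GroupPolicy module's Get-GPInheritance cmdlet to list, for one OU, the domain and OU GPOs in the order they are applied (first to last) and to flag enforced links and containers that block inheritance, so the "enforced wins over blocked" rule in the note above can be checked against a real OU. It needs RSAT and a domain account allowed to read Group Policy; the OU path in it is a placeholder.

```powershell
# Added example, not part of the course text: show the GPOs that apply to an OU
# in the order Windows processes them (first applied to last applied), and report
# where inheritance is blocked or a link is enforced. Requires the GroupPolicy
# module from RSAT and an account allowed to read Group Policy. Local and site
# GPOs are not part of the OU chain and are therefore not listed here.
# The OU distinguished name at the bottom is a placeholder for your own.

Import-Module GroupPolicy

function Get-ContainerChain {
    param([Parameter(Mandatory)][string]$TargetDn)
    # Walk from the target OU up to the domain root by stripping one OU= RDN at a time.
    $chain = @()
    $dn = $TargetDn
    while ($dn) {
        $chain += $dn
        $dn = if ($dn -match '^OU=[^,]+,(.+)$') { $Matches[1] } else { $null }
    }
    [array]::Reverse($chain)   # domain first, target OU last = processing order
    return $chain
}

function Get-GpoProcessingOrder {
    param([Parameter(Mandatory)][string]$TargetDn)

    # 1. Report containers in the chain that block inheritance. Blocking drops every
    #    non-enforced GPO linked above that container; enforced links still apply.
    foreach ($container in Get-ContainerChain -TargetDn $TargetDn) {
        $inh = Get-GPInheritance -Target $container
        if ($inh.GpoInheritanceBlocked) {
            Write-Output "Inheritance blocked at: $container"
        }
    }

    # 2. InheritedGpoLinks on the target is the effective list after enforcement and
    #    blocking are taken into account. Order 1 is the highest precedence, which
    #    means it is applied last; sorting descending lists first-applied to last-applied.
    $target = Get-GPInheritance -Target $TargetDn
    $target.InheritedGpoLinks |
        Sort-Object -Property Order -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Precedence = $_.Order          # 1 = wins every conflict
                Gpo        = $_.DisplayName
                LinkedAt   = $_.Target         # site/domain/OU the link sits on
                Enabled    = $_.Enabled
                Enforced   = $_.Enforced       # enforced links win over lower-level links
            }
        }
}

# Placeholder OU path; replace with an OU from your own domain.
Get-GpoProcessingOrder -TargetDn 'OU=IT,DC=contoso,DC=com' | Format-Table -AutoSize
```

Compare the result with gpresult /r on a computer in that OU to confirm that security filtering, which this listing does not evaluate, has not removed any of the listed GPOs.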

Windows PowerShell Overview


Windows PowerShell is an integrated shell environment that enables scriptable, flexible, and
comprehensive management of Windows 10.

Windows PowerShell has several characteristics that make it ideal for local and remote management of
one or more Windows 10 devices, including:
●● Windows operating-system integration. Microsoft introduced Windows PowerShell 1.0 as an
installable option for Windows Vista and as a feature for Windows Server 2008. Every Windows
operating-system version since Windows 7 and Windows Server 2008 R2 has included native support
for Windows PowerShell. Windows PowerShell 2.0 was part of Windows 7 and Windows Server 2008
R2. Windows PowerShell 3.0 is part of Windows 8 and Windows Server 2012. Windows PowerShell 4.0
is part of Windows 8.1 and Windows Server 2012 R2, and Windows PowerShell 5.0, the most recent
version, is part of Windows 10.
●● Remote management capability. You can use Windows PowerShell to manage remote computers,
provided remote management is enabled and the user who is performing the remote management
has the proper authorization.
●● Script-based execution. You can use Windows PowerShell scripts to build automation and complex
logic into management tasks.

Using the command-line interface


Commands provide Windows PowerShell’s main functionality. There are different types of commands,
including cmdlets (pronounced “command-lets”), functions, and workflows. These commands are
building blocks, designed for piecing together and implementing complex and customized processes and
procedures. Windows PowerShell provides a command-line interface (CLI) that you can use to enter
cmdlets interactively.

Using the GUI


Windows PowerShell is not restricted to the command line. For example, the Active Directory
Administrative Center in Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 is a graphical
user interface (GUI) that uses Windows PowerShell to perform all of its tasks.

Using the CLI or GUI


The architecture of Windows PowerShell and the ability to use it directly as a CLI, or to use it through a
GUI that embeds the shell, increases the consistency and coverage of administrative capabilities. For
example, an administrator might rely completely on a GUI app to perform tasks. However, if the
administrator must perform some task or implement some process that the GUI does not explicitly support, the
administrator instead can use the shell directly. When you implement it correctly, this architecture helps
ensure that anything that you can do in the GUI, you can do in the CLI, with the CLI further allowing you
to customize processes and procedures.

Windows PowerShell ISE


The Windows PowerShell app is available in both 32-bit and 64-bit versions of Windows 10. The 32-bit
version displays as Windows PowerShell (x86) in the All apps area in the Start menu. The 64-bit version
displays as Windows PowerShell.
Note: The 32-bit version of Windows 10 does not contain the 64-bit version of Windows PowerShell.
There is another Windows PowerShell app in the same app area called Windows PowerShell Integrated
Scripting Environment (ISE) that provides command-completion functionality, and enables you to see all
available commands and the parameters that you can use with those commands. You also can use a
scripting window within Windows PowerShell ISE to construct and save Windows PowerShell scripts. The
ability to view cmdlet parameters ensures that you are aware of the full functionality of each cmdlet, and
can create syntactically correct Windows PowerShell commands. Windows PowerShell ISE provides
color-coded cmdlets to assist with troubleshooting. Windows PowerShell Integrated Scripting
Environment also provides debugging tools that you can use to debug simple and complex Windows PowerShell
scripts. You can use the Windows PowerShell ISE to view available cmdlets by module.

Using Windows PowerShell


You can use Windows PowerShell to run individual cmdlets that perform actions, or to run scripts that use
cmdlets. Using Windows PowerShell is much simpler than using other scripting languages such as VBScript.
Windows PowerShell uses Windows PowerShell drives to provide access to data stores. These drives
present data in a format similar to a file system. Some common Windows PowerShell drives are:
●● The C drive is the local file system’s C drive.
●● The cert drive is the local certificate store.
●● The Env drive contains environmental variables that are stored in memory.
●● The HKCU drive is the HKEY_CURRENT_USER portion of the registry.
●● The HKLM drive is the HKEY_LOCAL_MACHINE portion of the registry.
●● The Variable drive contains the variables that are stored in memory.
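As an added example (not part of the course), the script below uses the HKLM: and HKCU: drives listed above to check whether the Prohibit Access to Control Panel setting described earlier in this lesson is in force on the local computer, which also shows why a GPO setting is enforced: it is written under a Policies key that ordinary users cannot edit. The registry value name NoControlPanel is the one that policy writes; it is assumed here rather than taken from the course.

```powershell
# Added example, not part of the course text: read Group Policy state through the
# HKLM: and HKCU: PowerShell drives. The "Prohibit access to Control Panel and PC
# settings" policy is a User Configuration setting and writes the DWORD value
# NoControlPanel = 1 under ...\Policies\Explorer (value name assumed here, not
# taken from the course). HKLM: is checked as well for completeness.

function Get-PolicyRegistryValue {
    param(
        [Parameter(Mandatory)][string]$Path,   # e.g. HKCU:\Software\...\Policies\Explorer
        [Parameter(Mandatory)][string]$Name
    )
    # Test-Path and Get-ItemProperty work on registry drives exactly as on C:.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-ControlPanelRestriction {
    $relative = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($hive in 'HKLM', 'HKCU') {
        $value = Get-PolicyRegistryValue -Path "${hive}:\$relative" -Name 'NoControlPanel'
        [pscustomobject]@{
            Drive   = "${hive}:"
            Scope   = if ($hive -eq 'HKLM') { 'Computer Configuration' } else { 'User Configuration' }
            Value   = $value
            # 1 = policy Enabled, Control Panel blocked. An absent value or 0 means the
            # policy is Not Configured or Disabled and Control Panel opens normally.
            Blocked = ($value -eq 1)
        }
    }
}

Get-ControlPanelRestriction | Format-Table -AutoSize

# The Env: drive exposes environment variables the same way, which is handy for
# recording which user and computer a report was produced on.
"Checked as $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME"
```

Because the value lives under a Policies key, a user who edits the corresponding non-policy key gets no effect; that is the difference between an enforced GPO setting and a Group Policy Preference described above.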

Cmdlets
Cmdlets use a naming convention of a verb or action, followed by a noun or a subject. For example, to
retrieve a list of services, you would use the Get-Service cmdlet. This standardization makes it easier to
learn how to accomplish administrative tasks. Some common cmdlet verbs are:
●● Get. Retrieves data.
●● Set. Establishes or modifies data.
●● New. Creates a new object.
Each cmdlet has options called parameters. Some parameters are required and some are optional. The
parameters vary for each cmdlet. The following example shows how to start the Application Identity
service (whose service name is AppIDSvc) by using the -Name parameter:
Start-Service -Name AppIDSvc

Note: The cmdlets that are available for use on a computer system vary depending on its Windows
PowerShell version and the snap-ins with cmdlets that are installed.

Compatibility with command-line tools


You can run batch files and executable files at a Windows PowerShell command prompt. For example, you
can run ipconfig.exe at a Windows PowerShell command prompt, and it behaves exactly as if you ran it
from a command prompt. This allows you to start using Windows PowerShell as your default
command-line environment for administration. Note that there are also equivalent cmdlets that return
similar values as older executables. For example, the cmdlet alternative to ipconfig.exe /all is
Get-NetIPAddress, which returns a somewhat similar data set.
In some cases, commands or options for commands contain reserved words or characters for Windows
PowerShell. In such a case, you can enclose the command in single quotation marks to prevent Windows
PowerShell from evaluating the reserved word or combination of words. You also can use the grave
accent (`) character to prevent the evaluation of a single character.
In rare cases, an executable file does not run correctly at a Windows PowerShell command prompt. You
should test batch files to ensure that they work properly at a Windows PowerShell command prompt.
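As an added example (not from the course text), the following session shows the behaviours described above: a native executable run from PowerShell, the cmdlet that replaces it, single-quote and grave-accent escaping, and the $LASTEXITCODE automatic variable, which is how PowerShell reports an executable's exit status (standard in Windows PowerShell, though not mentioned in the text above).

```powershell
# Added example (not from the course text): native executables and quoting at a PowerShell prompt.

# An executable runs the same way it does at cmd.exe; its text output is captured as an array of strings.
$ipconfigText = ipconfig.exe /all
"ipconfig returned $($ipconfigText.Count) lines of text"

# The cmdlet alternative returns objects, so you filter on properties instead of parsing text.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |
    Format-Table InterfaceAlias, IPAddress, PrefixLength -AutoSize

# Arguments that contain characters PowerShell treats specially ($, |, ;, &, %) are protected with
# single quotes: nothing inside '...' is evaluated by PowerShell, so cmd.exe sees the %...% names itself.
cmd.exe /c 'echo %USERNAME% is signed in to %USERDOMAIN%'

# The grave accent escapes one character when the rest of the string must still be expanded.
$dir = "$env:SystemRoot\Temp"
Write-Output "Spooling to `"$dir`" costs `$0"

# An executable signals failure through $LASTEXITCODE, not an exception, so check it whenever a
# script wraps a batch file or command-line tool.
ping.exe -n 1 127.0.0.1 > $null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "ping.exe failed with exit code $LASTEXITCODE"
}
```

The single-quote rule is the one to remember when a batch file works at cmd.exe but not in PowerShell: anything the batch file expects to receive literally (percent signs, pipes, ampersands) must be quoted so PowerShell does not interpret it first.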
Using Windows PowerShell for bulk operations


Windows PowerShell helps you manage multiple computers or perform bulk operations in the Windows
environment. You can leverage Windows PowerShell features, such as variables, scripts, and system
interoperability, to encapsulate tedious and time-consuming management tasks into scripts or cmdlets
that only take seconds to run.
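The following is an added example, not from the course, of one such bulk operation: checking the state of a service on several computers and collecting the answers in a single report. It assumes PowerShell remoting (WinRM) is enabled on the targets and that you have administrative rights on them; the computer names are those used in the module's labs and stand in for your own.

```powershell
# Added example (not from the course text): one bulk check across several computers.
# Assumes PowerShell remoting is enabled on the targets. Computer names are placeholders.
$computers   = 'SEA-WS1', 'SEA-WS2'
$serviceName = 'AppIDSvc'           # Application Identity service

$results = foreach ($computer in $computers) {
    try {
        # Each remote session runs the same script block and returns objects, not text.
        Invoke-Command -ComputerName $computer -ErrorAction Stop -ArgumentList $serviceName -ScriptBlock {
            param($name)
            $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Service   = $name
                Status    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
                StartType = if ($svc) { $svc.StartType.ToString() } else { '' }
            }
        }
    }
    catch {
        # Keep unreachable hosts in the report instead of silently dropping them.
        [pscustomobject]@{
            Computer  = $computer
            Service   = $serviceName
            Status    = "Error: $($_.Exception.Message)"
            StartType = ''
        }
    }
}

# One table on screen, and a CSV you can keep as evidence of the check.
$results | Format-Table Computer, Service, Status, StartType -AutoSize
$results | Export-Csv -Path "$env:TEMP\service-audit.csv" -NoTypeInformation
```

The script block is sent once and executed on every target, which is what makes the approach scale: adding a hundred computers to $computers changes nothing else in the script.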

Getting help with using Windows PowerShell


You can use a number of cmdlets to get help with using Windows PowerShell. One of the key cmdlets for
help is the Get-Help cmdlet. Get-Help followed by the name of a cmdlet gives you a concise guide to that
particular cmdlet, including the parameters that you can use.
For example, Get-Help Set-Item returns the following result:
NAME
Set-Item
SYNOPSIS
Changes the value of an item to the value specified in the command.
SYNTAX
Set-Item [-Path] <String[]> [[-Value] <Object>] [-Credential <PSCredential>] [-Exclude <String[]>]
[-Filter <String>] [-Force] [-Include <String[]>] [-PassThru] [-Confirm] [-WhatIf]
[-UseTransaction [<SwitchParameter>]] [<CommonParameters>]
Set-Item [[-Value] <Object>] [-Credential <PSCredential>] [-Exclude <String[]>] [-Filter <String>]
[-Force] [-Include <String[]>] [-PassThru] -LiteralPath <String[]> [-Confirm] [-WhatIf]
[-UseTransaction [<SwitchParameter>]] [<CommonParameters>]
DESCRIPTION
The Set-Item cmdlet changes the value of an item, such as a variable or
registry key, to the value specified in the command.
RELATED LINKS
Online Version: http://aka.ms/J6rrhw
Clear-Item
Copy-Item
Get-Item
Invoke-Item
Move-Item
New-Item
Remove-Item
Rename-Item
about_Providers
REMARKS
To see the examples, type: "get-help Set-Item -examples".
For more information, type: "get-help Set-Item -detailed".
For technical information, type: "get-help Set-Item -full".
For online help, type: "get-help Set-Item -online"
Another useful cmdlet is Get-Command. This cmdlet shows a list of all cmdlets, aliases, functions,
workflows, filters, scripts, and applications installed on your version of Windows PowerShell.
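The following is an added example, not from the course, that ties together the Cmdlets topic earlier in this lesson (verb-noun naming and required parameters) and the help cmdlets just described. It uses only Get-Verb, Get-Command and Get-Help, plus the parameter metadata that Get-Command returns.

```powershell
# Added example (not from the course text): discovering cmdlets, their parameters and their help.

# Verb-Noun naming lets you search by either half. Get-Verb lists the approved verbs by group.
Get-Verb | Where-Object Group -eq 'Lifecycle' | Format-Table Verb, Group -AutoSize
Get-Command -Noun Service                        # everything that works on services
Get-Command -Verb Set -Module PrintManagement     # every Set-* cmdlet in one module

# Get-Command also returns aliases, functions and applications, not only cmdlets.
Get-Command -CommandType Alias, Function, Application |
    Group-Object CommandType |
    Format-Table Name, Count -AutoSize

# Parameter metadata tells you which parameters are mandatory without reading the full help text.
$cmd = Get-Command -Name Start-Service
$cmd.Parameters.Values | Where-Object {
    $_.Attributes.Where({ $_ -is [System.Management.Automation.ParameterAttribute] -and $_.Mandatory }).Count -gt 0
} | Select-Object Name, ParameterType

# Help text: the examples for one cmdlet, and the description of a single parameter.
# (Run Update-Help once from an elevated prompt so the local help files are current.)
Get-Help Set-Item -Examples
Get-Help Set-Item -Parameter Path

# Dry run: -WhatIf reports what a change would do without doing it. It is available on every cmdlet
# whose syntax lists [-WhatIf], as Set-Item's does above.
Start-Service -Name AppIDSvc -WhatIf
```

Checking the mandatory parameters and running a command with -WhatIf first is a cheap habit that catches most mistakes before a script touches a production computer.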
There are numerous websites that can help you learn Windows PowerShell. Microsoft TechNet has the
Microsoft Script Center, where you can search for Windows PowerShell scripts based on what you want
the script to do. Examples include deleting files older than X number of days, controlling Windows
Update on your computer, and a wide variety of other functions.
Microsoft Script Center for PowerShell: http://aka.ms/ipge1q
Managing Drivers and Device Peripherals


Lesson Introduction
In this lesson, you will learn about device drivers, what function they serve, and how you can install them
in Windows 10. You will also learn more about tools for managing device peripherals. This lesson will also
focus on configuring printer drivers and understanding the printing components in a Windows 10
environment.

Lesson Objectives
After completing this lesson, you will be able to:
●● Explain the use and importance of device drivers.
●● Explain how to manage device peripherals.
●● Describe Windows 10 printer features.
●● Describe printing components.
●● Describe benefits of Type 4 printer drivers.
●● Describe how to manage client-side printing.
●● Describe how to manage print server properties.
●● Install and share a printer.

What Is a Device Driver


Windows 10 uses device drivers to control and communicate with a variety of hardware devices. A device
driver is a program that communicates with a hardware device on one side and the operating system on
the other. Device drivers are a critical part of the operating system. The operating system cannot use a
device if its driver is unavailable.
Windows 10 is capable of detecting most hardware and automatically downloading and installing the
correct driver. This occurs when Windows is first installed, or when new hardware is installed in the
device. Manufacturers provide and certify their drivers with Microsoft, making the process seamless to the
end user.
Device drivers execute in the operating system kernel and have access to all system resources. Thorough
testing of device drivers is very important to ensure that they do not include malicious code. A digital
signature from a trusted authority is proof that you can safely use a device driver. The 64-bit versions of
Windows 10 enforce this requirement, and do not permit the use of drivers that a trusted authority has
not digitally signed. The 32-bit versions of Windows 10 warn users about unsigned drivers but permit
their use. Microsoft digitally signs all device drivers that are included in Windows 10.
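Because a driver runs in the kernel, knowing which drivers are present and who signed them is a basic part of auditing a Windows 10 computer. The following is an added example, not from the course, that reads the signature information Device Manager shows from the Win32_PnPSignedDriver CIM class; it is read-only and needs no elevation.

```powershell
# Added example (not from the course text): review which drivers are installed, whether they are signed,
# and who signed them. Win32_PnPSignedDriver is the CIM class behind Device Manager's driver details.

$drivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DeviceName }             # skip placeholder instances that name no device

# Who signed what: on 64-bit Windows 10 every loaded driver should carry a trusted signature.
$drivers | Group-Object Signer | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Anything unsigned deserves a look. 64-bit editions refuse to load such drivers; 32-bit editions
# only warn, so this list is where an unsigned driver would show up.
$unsigned = $drivers | Where-Object { -not $_.IsSigned }
"Unsigned drivers: $(@($unsigned).Count)"
$unsigned | Select-Object DeviceName, DriverProviderName, DriverVersion, InfName |
    Format-Table -AutoSize

# Drivers not signed by Microsoft are the third-party ones you must track for vendor updates;
# oldest first makes the stale ones obvious.
$drivers | Where-Object { $_.IsSigned -and $_.Signer -notlike 'Microsoft*' } |
    Select-Object DeviceName, Signer, DriverProviderName, DriverDate, DriverVersion |
    Sort-Object DriverDate |
    Format-Table -AutoSize
```

The Signer value is the name on the signing certificate, so a driver that Microsoft signed through its hardware certification program shows a Microsoft signer even when DriverProviderName is the hardware vendor.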

Installing Drivers Manually


Occasionally, there may be the need to manually install the driver. This may be due to reasons such as:
●● The hardware is older and not available from Windows Update.
●● The hardware driver is only provided by the manufacturer.
●● The scenario may call for a different driver from the manufacturer other than the one provided to
Microsoft.
In cases such as these, most manufacturers make their drivers available for download on their website.
These are typically referred to as driver packages. A driver package is a set of files that make up a device
driver. A driver package is device-specific and enables Windows 10 to communicate with the device. A
driver package includes:
●● The .inf file.
●● Any files that the .inf file references.
●● The catalog (.cat) file that contains the digital signature of the device driver.

How the driver is installed depends on how the driver was packaged. Some are provided with an
executable, which installs the driver into the driver store, just like installing an app. When the
respective hardware is detected, Windows uses that driver to communicate with the hardware. If the driver
package does not install itself, then when the hardware is connected, Windows searches several locations
for the matching driver, or the user may specify the location of the driver package.
Once the driver is installed, it is located in the driver store at %SystemRoot%\System32\DriverStore. When
managing drivers at scale, administrators can include driver packages in the OS image or deploy them
separately using methods such as Group Policy or management tools like MDT or Configuration
Manager. Once drivers are in the driver store, the end user experience is still seamless when they attach
the hardware.

32-bit and 64-bit drivers


Windows 10 is available in 32-bit and 64-bit versions. Drivers developed for the 32-bit versions do not
work with the 64-bit versions, and vice versa. To avoid problems, ensure that you obtain the appropriate
device drivers for your version of Windows 10.
Note: The device drivers that Windows 10 includes have a Microsoft digital signature that indicates
whether a particular driver or file is stable and reliable, has met a certain level of testing, and has not
been altered since it was digitally signed. The 32-bit versions of Windows 10 check for a driver's digital
signature during driver installation and prompt the user if the driver is unsigned. The 64-bit versions of
Windows 10 require that all drivers have a digital signature, and do not allow you to install unsigned
device drivers.

Driver store
The driver store is the Windows 10 driver package repository. Because the driver store is a trusted
location, when you connect compatible hardware, Windows 10 installs the driver for the appropriate
device automatically from the driver store. Standard users can install any device driver from the driver
store. Therefore, users can attach and use new devices without help from the IT helpdesk, if their driver
package is in the driver store. Information technology (IT) administrators can preload the driver store with
the necessary driver packages for commonly used devices. The driver store is located at
%SystemRoot%\System32\DriverStore.
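Preloading the driver store is done with the Pnputil.exe command-line tool (mentioned later in this lesson for printer drivers) or with the DISM cmdlets. The following is an added example, not from the course, that verifies a package's catalog signature and then stages it; it must run from an elevated prompt, and the package path is a constructed placeholder.

```powershell
# Added example (not from the course text): staging a driver package in the driver store with pnputil.exe
# so that standard users can attach the device afterwards. Run from an elevated prompt.
# The package path is a constructed placeholder; point it at a real .inf.
$packageInf = 'C:\Drivers\Contoso-Scanner\ctscan.inf'

# The package's signature lives in its .cat file; refuse to stage anything that does not verify.
$catalog = Get-ChildItem -Path (Split-Path -Path $packageInf -Parent) -Filter *.cat |
    Select-Object -First 1
if (-not $catalog) { throw "No catalog (.cat) file found next to $packageInf" }
$sig = Get-AuthenticodeSignature -FilePath $catalog.FullName
if ($sig.Status -ne 'Valid') {
    throw "Refusing to stage $($catalog.Name): signature status is $($sig.Status)"
}
"Catalog signed by: $($sig.SignerCertificate.Subject)"

# /add-driver stages the package in the store; /install also binds it to any matching device present.
pnputil.exe /add-driver $packageInf /install
# 0 = success, 3010 = success but a reboot is required.
if ($LASTEXITCODE -notin 0, 3010) { throw "pnputil.exe failed with exit code $LASTEXITCODE" }

# Enumerate the store; staged third-party packages are published under a generated oemNN.inf name.
pnputil.exe /enum-drivers

# The same inventory as objects, via the DISM module that ships with Windows 10.
Get-WindowsDriver -Online |
    Select-Object Driver, OriginalFileName, ProviderName, ClassName, Version, Date |
    Sort-Object ProviderName |
    Format-Table -AutoSize

# Removing a stale package later uses the oemNN.inf name from the enumeration, for example:
#   pnputil.exe /delete-driver oem12.inf /uninstall
```

Verifying the catalog before staging matters because the driver store is a trusted location: once a package is there, any standard user can cause it to be installed simply by plugging in matching hardware.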

Managing Device Peripherals


Devices that are installed can be found in either the Control Panel or the Settings app. Device Manager is
used for managing the device driver itself.

Devices in the Settings app


You can perform common device management by using the Devices section in the Settings app in
Windows 10. The interface is optimized for touch, and includes links to Device Manager and to Devices
and Printers for advanced management. You can add and remove printers, wireless, and other devices
here, as well as configure settings on devices such as a mouse or keyboard. You can also configure what
happens when removable devices are plugged in and removed, such as USB media.

Devices and Printers


After you connect an external device, it appears in Devices and Printers in Control Panel. You can also add
and remove devices here; however, Devices and Printers may display additional devices and provide
advanced configuration options. For example, if wireless headphones are connected through a wireless
USB transmitter, the Settings app may show only the headphones, whereas Control Panel may show both
the headphones and the USB wireless transmitter.

Device Manager
You can use Device Manager to install and update device drivers; disable or enable devices; use the Driver
Roll Back feature; change resources that devices use, such as interrupt requests (IRQs); and troubleshoot
device problems. You also can use Device Manager to view devices that are connected currently to your
network, and the resources that they are using. You can sort these items by device type or connection.
The Device Manager view updates dynamically when the status of a connected device changes, or you
can update it manually, by selecting the option to scan for hardware changes.
Setting Up Printers
Like most modern peripherals for a computer, when you attach a printer directly to the device, Windows
10 will automatically discover and download the appropriate driver needed. However, there are several
unique factors related to managing printers that require additional discussion on the topic.
The most significant factor is that most printers used are not intended for use by a single device. In
organizations, most printers are attached directly to the network or a printer server, and not directly to
the end user computer. Even in the home with a printer connected to one computer, there is often a
desire to enable other devices to print to it.
When you install and share a printer in Windows 10, you must define the relationship between the
printing device, which is the physical printer, and the Windows 10–based computer. You can do this by
adding a printer in Windows 10, and then specifying which driver will be used for communicating with
the printing device and processing print jobs, and which port will be used for connecting with the
physical printing device. Typically, locally attached Plug and Play printing devices install automatically.
However, when you add a wireless printing device or a network-printing device in Devices and Printers by
using the Add printers button, Windows 10 must be able to communicate with the printing device or the
print server to which the printing device is connected.
Printing device
A printing device is a physical device that is available locally, connected to the network, or connected to
the print server. You use it to produce the print job output, which is typically a printed document. By
default, Windows 10 supports many printing devices and includes drivers for communicating with those
devices. You can add support for additional devices if needed.

Printer port
Windows 10 can automatically detect printers when you connect them to your computer, and it installs
the printer driver without interaction if the driver is available in the driver store. However, a Windows
operating system might not detect printers that you connect by using older ports, such as serial (COM) or
parallel (LPT) ports, or network printers. In these cases, you must configure a printer port manually.

Printer and printer driver


A printer is a Windows 10 representation of a physical printing device. Like other devices, it is associated
with a driver, which is used for communicating with a print device and rendering print jobs. Without a
printer driver, the printing device that connects to a computer will not work properly.
Another consideration for printers is that there is often third-party software installed for managing the
printer. While the driver is usually all that is required for basic printer capabilities, additional software is
often needed to take advantage of the printer's advanced functions, such as selecting a paper tray, or
viewing ink or toner status. While the manufacturer may bundle the management software and driver as
one app, there is typically an option for installing just the driver.
Note: The Add Printer Wizard presents you with some basic drivers. You can select the Windows Update
button to download a more exhaustive list. However, if your printer is not on the list, you must obtain
and install the necessary driver.

Methods for installing a printer


Note: The Add Printer Wizard presents you with an extensive list of currently installed printer types.
However, if your printer is not listed, you must obtain and install the necessary driver. You can preinstall
printer drivers in the driver store, and then make them available in the printer list by using the Pnputil.exe
command-line tool.
Note: Some USB printers require that you install the printer driver before you attach it. Failure to follow
this procedure can result in the printer not functioning correctly. Check the product documentation
before attaching the printer to your computer.
The installation of printers on client computers is one of the most important tasks to perform when you
configure network printing. There are several ways to install printers on Windows 10 client computers:
●● Add a locally attached printing device automatically. Windows 10 automatically detects locally
attached printers and installs them if their driver is available. If Windows 10 does not find an
appropriate driver in the driver store, standard users are unable to install the printer. To allow a standard
user to install the printer, you could add an appropriate printer driver to the driver store by using the
Pnputil.exe command-line tool. Alternatively, you can edit the local security policy to allow standard
users to load and unload device drivers.
●● Manually browse for a shared network printer. Users can install network printers on a Windows 10
client computer by browsing to a print server, and then double-clicking the icon for the shared
printer. The drawback to this method is that it relies on users knowing which print server is sharing the
printer, which is not the case in most companies.
●● Find a printer in the directory. When a printer is shared in an AD DS environment, the print
administrator has the option to publish the printer in AD DS. Users can search the directory to locate the
printer based on the location or printer feature. That makes it easier to locate an appropriate printer,
as you can search only among printers that are available in the same location and support the
required features, such as color printing.
●● Deploy printers by using Group Policy settings. When you deploy printers by using Group Policy,
you can deploy printers centrally to users and computers, and make them available when users sign
in. You can use Group Policies to deploy printers based on different criteria, such as group
membership, or the organizational unit of the user account or computer location. One of the ways to
deploy printers by using Group Policy is to right-click a printer in the Print Management console, and
then select the Deploy with Group Policy option.
●● Deploy printers by using Group Policy preferences. You can use Group Policy preferences to
distribute printers to users and computers. Group Policy preferences are more flexible than Group
Policy settings because you can deploy printers based on additional criteria, such as whether users are
using laptops, the IP address range of computers, time ranges, or Lightweight Directory Access
Protocol (LDAP) queries. You can use Group Policy preferences to create, update, replace, or delete a
printer.
Manual methods for printer installation generally are not scalable in medium-sized organizations, as it is
too time-consuming to add and remove required printers manually on users’ computers.
Note: Ensure that you download and use the printer driver for the appropriate architecture. You should
use the x86 driver for 32-bit versions of Windows 10 and the x64 driver for 64-bit versions of Windows 10.
Be particularly careful when adding older printers. A 64-bit driver might not be available for some older
printers.
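The same steps the Add Printer Wizard walks through (driver, port, printer, share) can be scripted with the PrintManagement cmdlets, which is how the methods above scale past a handful of computers. The following is an added example, not from the course; it must run from an elevated prompt. The printer host address and names are constructed placeholders, while the driver name is the inbox Microsoft PCL6 Class Driver used in the module's printer lab.

```powershell
# Added example (not from the course text): installing and sharing a network printer with the
# PrintManagement cmdlets. Run elevated. Address and names are placeholders.
$driverName  = 'Microsoft PCL6 Class Driver'   # inbox Type 4 class driver, as in Lab 0303
$printerHost = '10.0.0.50'
$portName    = "IP_$printerHost"
$printerName = 'Marketing Printer'

# 1. Driver: make it available to the print spooler if it is not already (it ships in the driver store).
if (-not (Get-PrinterDriver -Name $driverName -ErrorAction SilentlyContinue)) {
    Add-PrinterDriver -Name $driverName
}

# 2. Port: a Standard TCP/IP port that points at the device's address.
if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $portName -PrinterHostAddress $printerHost
}

# 3. Printer: the Windows object that ties the driver and the port together.
if (-not (Get-Printer -Name $printerName -ErrorAction SilentlyContinue)) {
    Add-Printer -Name $printerName -DriverName $driverName -PortName $portName `
                -Location 'Building 1, Floor 2'
}

# 4. Share it. Sharing alone does not restrict who may print; the permissions are in PermissionSDDL,
#    so review them (or set them in the printer's Security tab) after sharing.
Set-Printer -Name $printerName -Shared $true -ShareName 'Marketing'

Get-Printer -Name $printerName |
    Select-Object Name, DriverName, PortName, Shared, ShareName, Location, PermissionSDDL |
    Format-List
```

Each step is guarded by a Get-* check so the script can be re-run safely on a computer where part of the work was already done; that idempotence is what lets the same script be pushed out by Group Policy or a management tool.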

Understanding Type 3 and 4 Printer Drivers


Windows traditionally uses separate Type 3 printer drivers for each printer device model. Printer
manufacturers created customized printer drivers for each specific device that they created, to ensure
that Windows could use all of the printer features. When printers are shared on the network, the
administrator must maintain drivers for each printing device in the environment, and the administrator
must add separate 32-bit and 64-bit drivers for a single printer to support both types of clients.
Microsoft introduced Type 4 printer drivers in Windows 8 and Windows Server 2012. By following the
Type 4 printer driver model, printer manufacturers can create a single Print Class Driver that supports the
printing features and printing languages that are common to a large number of printer models.
Common printing languages include PCL, PostScript, and XPS.
Type 4 printer drivers typically are delivered by using Windows Update or Windows Server Update
Services (WSUS). Unlike Type 3 drivers, Type 4 drivers are not downloaded from a print server.
A Type 4 printer driver model provides the following benefits:
●● Sharing a printer does not require adding additional drivers that match the client architecture.
●● A single Type 4 driver can support multiple printer models.
●● Driver files are isolated on a per-driver basis, which prevents potential driver file-naming conflicts.
●● Driver packages are smaller and more streamlined than Type 3 drivers, and Type 4 drivers install faster
than Type 3 drivers.
●● Printer driver and the printer user interface can be deployed independently with Type 4 drivers.
Additional Reading: For more information about Type 4 printer drivers, refer to: “Print and Document
Services Architecture” at: http://aka.ms/vjupv8

Managing Client-Side Printing


Companies typically use print servers to provide centralized access to network printing devices. However,
Windows 10 also allows you to connect to a network printing device directly, without going through a
print server. Alternatively, you can connect a printer locally, such as via USB, or by a wireless or Bluetooth
connection.
You can manage client-side printing by using various tools, such as Devices and Printers, the Print
Management console, and the Windows PowerShell cmdlets from the PrintManagement module. Typical
operations include the following tasks:
●● Modifying printer properties, such as sharing, security, and advanced properties.
●● Selecting your default printer.
●● Viewing and managing your print queue.
●● Pausing or resuming a printer’s operation.
●● Pausing, resuming, restarting, or canceling print jobs.
●● Reordering print jobs in your print queue.

Modifying printer properties


You can modify printer behavior by configuring printer properties, such as the:
●● General printer properties.
●● Printer’s physical location.
●● Printer-sharing functionality.
●● Ports that the printer uses.
●● Times during which the printer is available.
●● Number of print jobs that can spool at one time.
●● Names of groups that are allowed to use the printer.

Selecting a default printer


You can add many printers to a Windows 10–based computer, but only one of them can be the default
printer. The default printer is marked with a green check mark in Devices and Printers, and it is used by
default for printing documents. You can print a document from any of the other available printers, but
you must manually select the specific printer that you want to use.

View and manage the print queue


After you initiate a print job, you can view, pause, or cancel it through the print queue, which displays
what is printing or waiting to print. It also displays information such as the job status, who is printing
what, and how many unprinted pages remain. From the print queue, you can view and maintain the print
jobs for each printer.
You can access the print queue from Devices and Printers by right-clicking a printer, and then selecting
the See what’s printing option, or by running the Get-PrintJob cmdlet, as the following example shows
for the Printer1 queue:
Get-PrintJob -PrinterName Printer1
You can view all printer-related cmdlets by running Get-Command -Module PrintManagement.

Pause or resume printer


If you pause a printer, it will still accept print jobs, but they will wait in the print queue and they will not
print. If you resume a printer, print jobs will be sent to the printing device. You can pause or resume a
printer from the printer queue window.

Pause, resume, restart, or cancel a print job


You can pause and resume a single print job or multiple jobs in the queue. To pause or resume an
individual print job, right-click the print job in print queue window, and then select Pause or Resume. To
pause all print jobs, select the Printer menu, and then select Pause Printing. To resume printing, select
Resume Printing.
If a print job is printing in the wrong color or the wrong size, you can start over. To restart a print job,
right-click the specific print job, and then select Restart.
If you start a print job by mistake, it is simple to cancel the print job, even if printing is underway. To
cancel an individual print job, right-click the print job that you want to remove, and then select Cancel. To
cancel all print jobs, select the Printer menu, and then select Cancel All Jobs. The item that is printing
currently might finish, but the remaining items will be cancelled.

Reorder the print queue


If you are printing multiple items, you can change the order in which they print. To reorder the jobs in the
print queue, right-click the print job to reorder, and then select Properties. Modify the print job priority
by using the Priority slider on the General tab of the print job properties page. Print jobs with higher
priority print first.
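The queue operations described in the preceding topics (view, pause, resume, restart, cancel) each have a PrintManagement cmdlet; reordering by priority is the one that remains a Properties-dialog task. The following is an added example, not from the course, that performs them from PowerShell. The printer name, job id, user name and remote server name are constructed placeholders; the server name is the one from the module's printer lab.

```powershell
# Added example (not from the course text): managing a print queue from PowerShell instead of the
# "See what's printing" window. Printer, job id, user and server names are placeholders.
$printerName = 'Marketing Printer'

# What is in the queue right now, with owner, state and progress.
Get-PrintJob -PrinterName $printerName |
    Select-Object Id, DocumentName, UserName, JobStatus, PagesPrinted, TotalPages, SubmittedTime |
    Format-Table -AutoSize

# Pause every job currently queued, for example while the device is being serviced.
Get-PrintJob -PrinterName $printerName | Suspend-PrintJob

# Resume a single job by its id once the device is back.
Resume-PrintJob -PrinterName $printerName -ID 12

# Restart a job that came out wrong (wrong color, wrong size): it goes back to the start of its output.
Restart-PrintJob -PrinterName $printerName -ID 12

# Cancel every job one user submitted. As the text notes, the job that is printing right now may finish.
Get-PrintJob -PrinterName $printerName |
    Where-Object UserName -eq 'terry' |
    Remove-PrintJob

# The same cmdlets reach a queue on a print server, which is how Lab 0303's check from another
# computer can be done without opening the server's queue window.
Get-PrintJob -ComputerName 'SEA-SVR1' -PrinterName $printerName |
    Select-Object Id, DocumentName, UserName, JobStatus, SubmittedTime |
    Format-Table -AutoSize
```

Job ids are only unique within a queue, so every Resume-PrintJob, Restart-PrintJob and Remove-PrintJob call names the printer as well as the id; piping the objects from Get-PrintJob avoids having to copy ids by hand.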

Managing Print Server Properties


Windows 10 can act as a print server, or you can connect to Windows-based print servers through the
Print Management Console and manage them remotely. Windows 10 includes the Print Management
Console in the Administrative Tools, and you can open it from there or by typing Printmanagement.msc
in the Search the web and Windows field on the taskbar. The Print Management Console provides a
single interface through which you can administer multiple printers and print servers and perform
management tasks, such as:
●● Add and remove print servers.
●● Add and delete printers.
●● Add and manage drivers.
●● Manage print queues.
●● View and modify status of printers.
●● Create custom filters to view printers that match certain criteria.

Add and remove print servers


When you open the Print Management Console for the first time, it is connected only to a local Windows
10–based print server. If you have appropriate permissions, and you want to manage other Windows–
based print servers, you must first add them to the Print Management Console by right-clicking the Print
Servers node, and then selecting Add/Remove Print Servers.

Add and delete printers


You can add or delete printers locally or remotely on any print server that is added to the Print
Management Console. You add printers by using the Network Printer Installation Wizard, which is similar
to the Add Printer Wizard in Devices and Printers. The Network Printer Installation Wizard allows you to:
●● Search the network for printers.
●● Add a TCP/IP or Web Service Printer by IP address or host name.
●● Add a new printer by using an existing port.
●● Create a new port, and add a new printer.

Add and manage drivers


When you add a printer, Windows also installs a driver for the appropriate printing device. For example, if
you add a PostScript printing device on the 32-bit version of Windows 10, a 32-bit Windows 10 driver for
PostScript will be installed. However, when you share that printer, other users might connect to it and be
able to use the printer. Therefore, you should provide drivers for the operating systems that they are
using. For example, if someone is using a 64-bit version of Windows 7, you might want to add a 64-bit
driver to your Windows 10–based print server.
The Print Management Console allows you to add printer drivers by running the Add Printer Driver
Wizard. You should be aware that with Type 4 printer drivers, users no longer need multiple drivers for
different printers, and printer drivers are not downloaded from the print server but from Windows
Update or from Windows Update for Business.
Managing print queues


You can view printers that are installed on a specific print server by selecting the Printers node under
that print server. You also can view all installed printers on all print servers that are added to the Print
Management Console by selecting the All Printers node. You can view the printer queue by right-clicking
the printer, and then selecting Open Printer Queue from the shortcut menu. From the print queue
window, you can pause, resume, restart, cancel, or reorder print jobs.

View and modify the status of printers


The All Printers node shows information about every printer that is connected to any print server that
you have added to the Print Management Console. There you can view the print queue status of the
printer, number of jobs in the queue, name and version of the printer driver, and the driver type.

Create custom filters to view printers that match certain criteria
The Print Management Console includes four custom filters by default: All Printers, All Drivers, Printers
Not Ready, and Printers With Jobs. You can add new custom printer or driver filters by defining one or
more conditions that printers must match to appear when you select a filter. For example, you could
create a custom filter to show printers that are at a specific location, regardless of the print server to
which they are connected, or to show printers that have more than five print jobs in a print queue.
Note: You can use the Devices and Printers tool to manage printers only on local Windows 10–based
computers. When you use the Print Management Console, you can manage printers on local Windows
10–based computers, in addition to printers that are connected to other Windows–based print servers.
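The default filters, and the location and more-than-five-jobs filters given as examples above, can be reproduced across several print servers with the PrintManagement cmdlets, which is useful when the same view is needed in a scheduled report. The following is an added example, not from the course; it assumes you have rights to query the servers, and uses the server names from the module's labs as placeholders.

```powershell
# Added example (not from the course text): the Print Management console's filters ("Printers Not Ready",
# "Printers With Jobs", a location filter) reproduced across print servers. Server names are placeholders.
$printServers = 'SEA-SVR1', 'SEA-SVR2'

# Build one inventory row per printer, across every server, with the queue length attached.
$inventory = foreach ($server in $printServers) {
    try {
        Get-Printer -ComputerName $server -ErrorAction Stop | ForEach-Object {
            $jobs = @(Get-PrintJob -ComputerName $server -PrinterName $_.Name -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Server     = $server
                Printer    = $_.Name
                Location   = $_.Location
                Driver     = $_.DriverName
                Status     = $_.PrinterStatus.ToString()
                Shared     = $_.Shared
                QueuedJobs = $jobs.Count
            }
        }
    }
    catch {
        Write-Warning "Cannot query ${server}: $($_.Exception.Message)"
    }
}

# "Printers Not Ready": any printer whose status is not Normal.
$inventory | Where-Object Status -ne 'Normal' |
    Format-Table Server, Printer, Status -AutoSize

# "Printers With Jobs", with the stricter threshold used in the text (more than five jobs).
$inventory | Where-Object QueuedJobs -gt 5 |
    Format-Table Server, Printer, QueuedJobs -AutoSize

# A location filter, independent of which server hosts the printer.
$inventory | Where-Object Location -like 'Building 1*' |
    Format-Table Server, Printer, Location -AutoSize

# "All Drivers" per server, split into Type 4 (MajorVersion 4) and Type 3 drivers.
foreach ($server in $printServers) {
    Get-PrinterDriver -ComputerName $server -ErrorAction SilentlyContinue |
        Group-Object MajorVersion |
        ForEach-Object { '{0}: {1} driver(s) of type {2}' -f $server, $_.Count, $_.Name }
}
```

Collecting the inventory first and filtering afterwards means each server is queried once however many filters you apply, and the $inventory objects can be exported with Export-Csv for the same report the console's filters show interactively.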
Practice Labs and Module Review


Module 3 Practice Labs
Lab 0301: Managing Windows 10 Settings

Summary
In this lab you will learn how to configure computer settings using Windows Settings, the Control Panel,
and Windows PowerShell. You also learn how to customize and deploy a custom Windows 10 Start page
layout.

Exercise 1: Configuring Settings Using Windows Settings and Control Panel

Scenario
You need to use Windows Settings to validate protection settings, device specifications, and Windows
specifications. You also need to determine which applications are slowing down the startup process for
Windows 10. Finally, you need to create a new power plan that minimizes power usage, but does not
impact multimedia presentations while the device is running on battery.

Exercise 2: Using PowerShell to Configure Windows

Scenario
You need to use Windows PowerShell to test the scripting environment. To become familiar with
PowerShell you will run several commands and then use PowerShell ISE to create a script to list all running
services on the device.

Exercise 3: Customizing the Start Layout in Windows 10

Scenario
You need to ensure that all Windows 10 devices contain the Contoso utilities apps on the Start menu. To
do this, you decide to create and export a custom Start layout that only locks down the specified groups
in the XML file. Users will still be able to customize other areas of the Start menu as needed.

Lab 0302: Synchronizing settings between devices

Summary
In this lab you will learn how to synchronize settings to support users working on multiple devices.
Scenario
You frequently use two devices, SEA-WS1 and SEA-WS2, and would like to ensure that Windows settings
and Microsoft Edge favorites are synchronized between the two devices. You need to add your Microsoft
account to both devices and configure synchronization settings between the devices.

Lab 0303: Managing local and network printers

Summary
In this exercise, you will perform basic printer configuration. You will add a local printer by using Devices
and Printers. You then will configure printer security, and use the Print Management tool to add a printer
on a remote computer. You also will connect to a remote printer, and then manage a print job.

Scenario
The Contoso Marketing department has purchased a new printer that uses a Microsoft PCL6 Class Driver
that’s attached to SEA-SVR1. Marketing wants to share the printer but restrict use to just the Managers
group. There is another printer attached to SEA-SVR2 that uses the Microsoft PS Class Driver, which is
also to be shared with access for everyone to print. You need to configure these printers as requested.
After you configure the printers you will have a user named Terry test that she can only print to the
printer on SEA-SVR2, and that print jobs initiated from SEA-SVR2 can be seen in the queue on SEA-SVR1.

Module Review
Check Your Knowledge
1. To customize the available icons in the Action Center:
A. Right-click on the Action Center and select “Customize”
B. Select on the Action Center and select the "Customize" option
C. Select on the Action Center, and select the “All Settings” option
D. Open the Settings App and select "System" and then “Notifications and actions”
2. You have a Windows 10 computer and need to adjust the settings. You need to access advanced
settings that are not available in the Settings app. What could you do? (select two)
A. press CTRL + ALT + DEL
B. By selecting the Windows Start icon, and typing “Control Panel”
C. By opening the Settings App and selecting the "Advanced Options" icon
D. From the File Explorer folder navigate to Control Panel
E. Delete all users and start over
3. As an IT Support professional, you are working on becoming more proficient with Windows PowerShell.
You are using the Get-Command cmdlet to look for commands and discover their purpose. Which of
the following command types can this cmdlet show? (select four)
A. Aliases
B. Functions
C. Cmdlets
D. Filters
E. Modules
F. Providers
130  Module 3 Post-Installation Configuration and Personalization  

4. Setting what happens when the lid closes in Windows 10 is a configuration option in:
A. Display options
B. Power plans
C. Ease of Access
D. USB Setting
5. You want to remove the “Gaming” option from the Windows Settings App. You would accomplish this
by:
A. Uninstalling Solitaire
B. Creating a group policy that hides the "Gaming" option.
C. Right-clicking on the “Gaming” option and selecting "Hide from view"
D. Removing the “Gaming” tile in the Notification and actions page
E. Login with a work or school account
Answers: 1) D 2) B,D 3) A,B,C,D 4) B 5) B
Module 4 Updating Windows

Windows Servicing Model


Lesson Introduction
To keep computers that are running Windows 10 stable and protected, you must update them regularly
with the latest security updates and fixes. Windows Update enables you to download and install important
and recommended updates automatically.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the Windows 10 Servicing Model.
●● Describe the different Windows Servicing Channels.
●● Describe the available methods for applying updates to Windows 10.

The Windows Servicing Model


Traditionally, new versions of Windows have been released every few years. The deployment of those new
versions within an organization would then become a project, either by leveraging a “wipe and load”
process to deploy the new operating system version to existing computers, or by migrating to the new
operating system version as part of the hardware replacement cycle. Either way, a significant amount of
time and effort was required to complete these tasks. For Windows 10, a new model is being adopted.
This new model, referred to as "Windows as a service," requires organizations to rethink how they deploy
and upgrade Windows. It is no longer a project that happens every few years; it is a continual process.

Windows as a service
Instead of new features being added only in new releases that happen every few years, the goal of
Windows as a service is to continually provide new capabilities. New features are provided or updated
two to three times per year, while maintaining a high level of hardware and application compatibility. The
key to enabling significantly shorter product cycles while maintaining high quality levels is an innovative
community-centric approach to testing that Microsoft has implemented for Windows 10. The community,
known as Windows Insiders, is comprised of millions of users around the world.
When Windows Insiders opt in to the community, they test many builds over the course of a product
cycle, and provide feedback to Microsoft through an iterative methodology called flighting. Builds
distributed as flights provide the Windows engineering team with significant data regarding how good
builds are performing in actual use. Flighting with Windows Insiders also enables Microsoft to test builds
in much more diverse hardware, application, and networking environments than in the past, and to
identify issues far more quickly. As a result, Microsoft believes that community-focused flighting will
enable both a faster pace of innovation delivery, and better public release quality than ever.
Although Microsoft releases flight builds to Windows Insiders, Microsoft will publish two types of Windows
10 releases broadly to the public on an ongoing basis:
●● Feature updates that install the latest new features, experiences, and capabilities on devices that are
already running Windows 10. Because feature upgrades contain an entire copy of Windows, they are
also what customers can use to install Windows 10 on existing devices running Windows 7 or Windows
8.1, and on new devices where no operating system is installed.
●● Quality updates that focus on the installation of security fixes and other important updates. Microsoft
expects to publish an average of two to three new feature upgrades per year, and to publish servicing
updates as needed for any feature upgrades that are still in support. Microsoft will continue publishing
servicing updates on Update Tuesday (sometimes referred to as Patch Tuesday). Additionally,
Microsoft may publish additional servicing updates for Windows 10 outside the Update Tuesday
process when required to address customer needs.
It is important to note that, to improve release quality and simplify deployments, all new releases that
Microsoft publishes for Windows 10 will be cumulative. This means new feature upgrades and servicing
updates will contain the payloads of all previous releases (in an optimized form to reduce storage and
networking requirements), and installing the release on a device will bring it completely up to date. Also,
unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 servicing
update. For example, if a servicing update contains fixes for three security vulnerabilities and one
reliability issue, deploying the update will result in the installation of all four fixes.
This new model uses simpler deployment methods, reducing the overall amount of effort required for
Windows servicing. By combining these simpler methods (such as in-place upgrade) with new techniques
to deploy upgrades in phases to existing devices, the effort that used to be performed as part of a
traditional deployment project is spread across a broad period.
The following terms are used when discussing the new Windows 10 servicing model:

●● Feature updates. A new Windows 10 release that contains additional features and capabilities, released
two to three times per year.
●● Quality updates. In Windows 10, rather than receiving several updates each month and trying to figure
out which the organization needs, which ultimately causes platform fragmentation, administrators will
see one cumulative monthly update that supersedes the previous month’s update, containing both
security and non-security fixes.
●● Channel. The Windows servicing channel is one of three choices: Windows Insider, Semi-Annual Channel,
or Long-Term Servicing Channel. Channels allow customers to designate how frequently their individual
devices are updated.
●● Ring. Rings are simply a method by which to separate machines into a deployment timeline. The Windows
servicing rings are Preview, Targeted, Broad, and Critical.
For more information on Windows as a service, you can see: https://aka.ms/Eisrck

Windows 10 Servicing Channels


To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft
introduced the concept of servicing channels to allow customers to designate how frequently their
individual devices are updated. For example, an organization may have test devices that the IT department
can update with new features as soon as possible, and then specialized devices that require a
longer feature update cycle to ensure continuity.
Microsoft has implemented the following new servicing options for Windows 10:

●● Windows Insider Program. For many IT pros, gaining visibility into feature updates early—before they’re
available to the Semi-Annual Channel—can be both intriguing and valuable for future end user
communications as well as provide the means to test for any issues on the next Semi-Annual Channel
release. With Windows 10, feature flighting enables Windows Insiders to consume and deploy
preproduction code to their test machines, gaining early visibility into the next build.
●● Semi-Annual Channel. In the Semi-Annual servicing channel, feature updates are available as soon as
Microsoft releases them. This servicing model is ideal for pilot deployments and testing of Windows 10
feature updates and for users such as developers who need to work with the latest features immediately.
Once the latest release has gone through pilot deployment and testing, you choose the timing at which
it goes into broad deployment.
●● Long Term Servicing Channel. Specialized systems—such as PCs that control medical equipment,
point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. It’s
more important that these devices be kept as stable and secure as possible than up to date with user
interface changes. The LTSC servicing model prevents Windows 10 Enterprise LTSB devices from receiving
the usual feature updates and provides only quality updates to ensure that device security stays up to
date. The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition.
Note: Windows 10 Enterprise LTSC is a separate Long Term Servicing Channel version. Long-term Servicing
channel is not intended for deployment on most or all the PCs in an organization; it should be used
only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a
general-purpose device, typically used by an information worker, and therefore it is better suited for the
Semi-Annual servicing channel.
For more information, you can see Windows as a service: Simplified and Aligned: https://aka.ms/M3kr2d
For more information on the Windows semi-annual channel and targeted deployment: https://aka.ms/Vt69tl

Windows Update Options


As with earlier releases of Windows, Windows 10 includes support for the deployment of new releases
using Windows Update, Windows Server Update Services, Configuration Manager, and third-party
configuration management tools. Because of the importance of the Windows as a Service (WaaS)
approach to delivering innovations to businesses, and the proven ability of Windows Update to deploy
releases quickly and seamlessly to consumers and small businesses, several of the largest investments in
Windows 10 focus on enabling broader use of Windows Update within enterprises.
Although Windows Update greatly simplifies and accelerates update deployment, enterprises are not
using Windows Update as broadly as consumers and small businesses. This is largely because Windows
Update maintains control over which updates are installed and the timing of installation. This makes it
difficult for IT administrators to test updates before deployment in their specific environment.
To help address the concerns of IT administrators, Microsoft released Windows Server Update Services in
2005. Windows Server Update Services enables IT administrators to obtain the updates that Windows
Update determines are applicable to the devices in their enterprise, perform additional testing and
evaluation on the updates, and select the updates they want to install. Windows Server Update Services
also provides IT administrators with an all or nothing way to specify when they want an approved update
to be installed. Because IT administrators ultimately select and install most updates identified by Windows
Update, the role of Windows Server Update Services in many enterprises is to provide IT administrators
with the additional time they need to gain confidence in the quality of updates prior to deployment.

Servicing Tools
There are many tools with which IT pros can service Windows as a service. Each option has its pros and
cons, ranging from capabilities and control to simplicity and low administrative requirements. The
following are examples of the servicing tools available to manage Windows as a service updates:
●● Windows Update is a service that provides software updates that keep your computer up to date and
protected. In the Settings app, in Update & security, on the Windows Update tab, you can view the
updates that are available for your Windows 10 device. Under Advanced options, you can configure
how Windows Update downloads and installs updates for your computer. Generally, you must
configure computers that are running Windows 10 to download and install updates automatically to
ensure that the computer has the most up-to-date and protected configuration possible. Windows
Update also can update non-Microsoft software components including drivers. Note: By default,
Windows 10 will download and install updates automatically.
●● Windows Server Update Services (WSUS) provides extensive control over Windows 10 updates and
is natively available in the Windows Server operating system. In addition to the ability to defer
updates, organizations can add an approval layer for updates and choose to deploy them to specific
computers or groups of computers whenever ready.
●● Windows Update for Business is the second option for servicing Windows as a service. This servicing
tool includes control over update deferment and provides centralized management using either
Group Policy or Microsoft Intune. Windows Update for Business can be used to defer updates by up
to 365 days, depending on the version. These deployment options are available to clients in the
Semi-Annual Channel.
●● Configuration Manager provides the greatest control over servicing Windows as a service. IT pros
can defer updates, approve them, and have multiple options for targeting deployments and managing
bandwidth usage and deployment times.
With all these options, which an organization chooses depends on the resources, staff, and expertise its IT
organization already has. For example, if IT already uses Configuration Manager to manage Windows
updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that.
For a consolidated look at the benefits of each tool see the following table:

●● Windows Update. Can updates be deferred? Yes (manual). Ability to approve updates: No. Peer-to-peer
option: Delivery Optimization. Additional features: None.
●● Windows Update for Business. Can updates be deferred? Yes. Ability to approve updates: No. Peer-to-peer
option: Delivery Optimization. Additional features: Other Group Policy objects.
●● WSUS. Can updates be deferred? Yes. Ability to approve updates: Yes. Peer-to-peer option: BranchCache
or Delivery Optimization. Additional features: Upstream/downstream server scalability.
●● Configuration Manager. Can updates be deferred? Yes. Ability to approve updates: Yes. Peer-to-peer
option: BranchCache, Client Peer Cache. Additional features: Distribution points, multiple deployment
options.
For more information on deploying Windows Updates, you can see this link: https://aka.ms/AA60cod
Rolling Back Upgrades
With Windows 10, you can roll back an upgrade to the previous Windows operating system version. This
can be helpful if unforeseen circumstances occur after updating. There is a default 10-day grace period to
roll back to the previous version; however, this can be changed with the DISM image tool. When rolling
back, any changes will be lost, including installed apps, and it’s recommended that user data be backed
up prior to a rollback.
To roll back to the previous version, open the Settings app, select the Update & security category, and
then select Recovery. Here, you have the option to go to the previous version.

Updating Windows
Lesson Introduction
To utilize Windows Update effectively, you must be aware of the configuration options that it provides,
and you must be able to guide users on how to configure these options.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the available methods for applying updates to Windows 10.
●● Explain the Windows Update configuration options.
●● Explain the Group Policy Object (GPO) settings available for configuring Windows Update.
●● Configure Windows Update.
●● Describe how to use Windows Server Update Services (WSUS) to provide updates to Windows 10.

Windows Update Settings in Windows 10


To configure Windows Update settings on a local computer, open Settings. Tap Update & security. On
the left are two tabs, Windows Update and Delivery Optimization.

From the Windows Update tab, you can configure the following settings:
●● Check for updates. Here you can check whether new updates are available.
●● Update history. You can use this option to view both updates that are applied, and those that failed
to apply. Here you also can tap the Uninstall updates option to open the Installed Updates node of
Programs and Features in Control Panel. You then can choose to remove any unwanted updates. In
this page, there is also a Recovery Options link, which you can use to reset the computer to a previous
build, or to use advanced startup.
●● Change active hours. You can use this setting to ensure that Windows 10 will not restart during
active hours, which by default is set between 8:00 AM and 5:00 PM.
●● Restart options. From here, you can configure a custom restart time, if you want Windows 10 to
restart at a certain time.
From the Advanced options, you can configure the following settings:
●● Receive updates for other Microsoft products when I update Windows. If you have Microsoft
Office or other Microsoft products installed, selecting this option enables Windows Update to keep
those products up to date simultaneously.
●● Pause Updates. This option allows the user to defer updates for up to 35 days, including security
updates.
●● Defer feature updates. Some Windows 10 editions allow you to defer updates to your computer.
When you defer updates, Windows 10 does not download or install new Windows 10 features for
several months. Note: Deferring feature updates does not affect security updates, but it does prevent
you from receiving the latest Windows features as soon as they are available. Deferring updates is
covered in more detail in the Windows Update for Business topic later in this lesson.
●● Choose when updates are installed. These options allow you to set the number of days to defer
when feature and quality updates are installed. Note: Prior to Windows 10 version 1903, there was an
option to choose between Semi-Annual Channel (Targeted) and Semi-Annual Channel, as a way of
defining which devices would receive updates sooner rather than later. This option has been removed,
and deferrals are configured by setting the number of days to defer quality and feature updates.
From the Delivery Optimization tab, you can configure the following:
●● Allow downloads from other PCs. Windows Update enables you to obtain updates from more than
one place. By default, this is enabled. This setting means that Windows obtains updates from Microsoft,
but also from computers on the local network. The advantage of this scenario is that Windows
can apply settings more quickly. Once one device has updates installed, other devices can obtain the
same updates without needing to download from Microsoft. You can configure the additional sources
as either:
●● PCs on my local network
●● PCs on my local network, and PCs on the Internet
Turning this option off will mean the client will only download updates from Microsoft.
●● Selecting Advanced options on the Delivery Optimization page allows you to restrict the bandwidth
available for downloading updates and uploading updates to other PCs.

Using a WSUS Server to Deploy Updates


Organizations and home users use different methods to process updates. Within an organization,
downloading updates and applying them to each individual computer within an organization is repetitive
and inefficient. Consequently, Microsoft provides a number of ways for organizations to make the update
process more manageable. One of these is the Windows Server Update Services (WSUS) role.

The WSUS role provides a central management point for updates to your computers running the Windows
operating system. By using WSUS, you can create a more efficient update environment in your
organization, and stay better informed about the overall update status of the computers on your network.
WSUS is a server role included in the Windows Server operating system that downloads and distributes
updates to Windows clients and servers. WSUS can obtain updates that are applicable to the Windows
operating system and common Microsoft programs, such as the Microsoft Office suite and Microsoft SQL
Server.
In the simplest configuration, a small organization can have a single WSUS server that downloads
updates from the Microsoft Update website. The WSUS server then distributes the updates to computers
that you have configured to obtain automatic updates from the WSUS server. You must approve the
updates before clients can download them.
Larger organizations can create a hierarchy of WSUS servers. In this scenario, a single centralized WSUS
server obtains updates from Microsoft Update, and other WSUS servers obtain updates from the
centralized WSUS server.
You can organize computers into groups to simplify the approval of updates. For example, you can
configure a pilot group to be the first set of computers that you use for testing updates.
WSUS can generate reports to help monitor update installation. These reports can identify which computers
have not applied recently approved updates. Based on these reports, you can investigate why this
is happening.

The WSUS update management process


The update management process allows you to manage and maintain WSUS and the updates that it
retrieves. This process is a continuous cycle during which you can reassess and adjust the WSUS
deployment to meet changing needs. The four phases in the update management process are:
●● Assess. The goal of the assess phase is to set up a production environment that supports update
management for routine and emergency scenarios. The assess phase is an ongoing process that you
use to determine the most efficient topology for scaling the WSUS components. As your organization
changes, you might identify a need to add more WSUS servers in different locations.
●● Identify. During the identify phase, you identify new updates that are available, and determine
whether they are relevant to your organization. You have the option to configure WSUS to retrieve all
updates automatically, or to retrieve only specific types of updates. WSUS also identifies which
updates are relevant to registered computers.
●● Evaluate and plan. After you identify the relevant updates, you need to evaluate whether they work
properly in your environment. There is always the possibility that the specific combination of software
in your environment might have problems with an update. To evaluate updates, you should have a
test environment in which you can apply updates to verify proper functionality. During this time, you
might identify dependencies that an update requires to function properly, and you can plan any
changes that you need to make. You can achieve this if you use one or more computer groups for
testing purposes. For example, you may have a computer group with client computers that run all of
the operating systems and applications that are updated by using WSUS. You can use another
computer group for servers that run the different applications and operating systems that are updated
by WSUS. Before you deploy updates to the entire organization, you can push updates to these
computer groups, and then test them. Only after making sure they work as expected should you move
on to the deploy phase.
●● Deploy. After you have thoroughly tested an update and determined any dependencies, you can
approve it for deployment in the production network. Ideally, you should approve the update for a
pilot group of computers before approving the update for the entire organization. You also can
configure WSUS to use automatic updates.

Windows Update for Business


As an alternative to using WSUS, organizations implementing Windows 10 can use Windows Update for
Business. Windows Update for Business enables information technology administrators to keep the
Windows 10 devices in their organization always up to date with the latest security defenses and Windows
features by directly connecting these systems to Windows Update service. You can use Group Policy
or MDM solutions such as Intune to configure the Windows Update for Business settings that control
how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage
devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD)
alongside your on-premises domain-joined machines.
Specifically, Windows Update for Business allows for:
●● The creation of deployment rings, where administrators can specify which devices go first in an
update wave, and which ones will come later (to ensure any quality bars are met).
●● Selectively including or excluding drivers as part of Microsoft-provided updates.
●● Integration with existing management tools such as Windows Server Update Services (WSUS),
Configuration Manager, and Microsoft Intune.
●● Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the
need for an on-site server caching solution.

Windows Update for Business provides three types of updates in Windows:
●● Feature Updates. Previously referred to as upgrades, Feature Updates contain not only security and
quality revisions, but also significant feature additions and changes; they are released semi-annually.
●● Quality Updates. These are traditional operating system updates, typically released the second
Tuesday of each month (though they can be released at any time). These include security, critical, and
driver updates. Windows Update for Business also treats non-Windows updates (such as those for
Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as
Microsoft Updates and devices can be optionally configured to receive such updates along with their
Windows Updates.
●● Non-deferrable updates. Currently, antimalware and antispyware Definition Updates from Windows
Update cannot be deferred.

Using Group Policy Settings for Configuring Windows Update


Group Policy enables policy-based administration using Microsoft Active Directory directory services (AD
DS). Group Policy uses directory services and security group membership to apply device and user
configurations from a central management point. Policy settings are specified by an administrator. This is
in contrast to profile settings, which are specified by a user. Policy settings are created using the Microsoft
Management Console (MMC) snap-in for Group Policy – GPMC.msc.
To configure each individual computer with specific Windows Update settings would be very
time-consuming. Fortunately, you can create a Group Policy Object (GPO) to configure the necessary
settings, and then use Active Directory Domain Services (AD DS) to apply those settings to the appropriate
collection of computers. Three nodes in Group Policy contain Windows Update settings that are relevant
for Windows 10 devices.

Note: There are several settings for earlier Windows versions. Please note, this section lists only those
that are relevant to Windows 10.
The first of these nodes is the Windows Update node. Open the Group Policy Management Editor on a
domain controller, and then navigate to Computer Configuration/Administrative Templates/Windows
Components/Windows Update. You can configure the following settings:
●● Configure Automatic Updates. This policy setting specifies whether the computer will receive
security updates and other important downloads through the Windows automatic updating service.
This setting lets you specify whether to enable automatic updates on your computer. If you enable
this service, you must select one of the four options in the Group Policy setting:
●● 2 - Notify for download and notify for install. When Windows finds updates that apply to your
computer, an icon displays in the status area, with a message that updates are ready for download.
Selecting the icon or the message provides the option to select the specific updates that you want
to download. Windows then downloads your selected updates in the background. When the
download completes, the icon displays in the status area again, with notification that the updates
are ready for installation. Selecting the icon or message provides the option to select which
updates to install.
●● 3 - Auto download and notify for install. Windows finds updates that apply to your computer,
and then downloads these updates in the background, without notifying or interrupting the user
during this process. When the download completes, the icon displays in the status area, with a
notification that the updates are ready for installation. Selecting the icon or message provides the
option to select which updates to install.
●● 4 - Auto download and schedule the install. Specify the schedule by using the options in the
Group Policy setting. If you do not specify a schedule, the default schedule for all installations will
be every day at 03:00. If any of the updates require a restart to complete the installation, the
Windows operating system will restart the computer automatically. If a user is signed in to the
computer when the Windows operating system is ready to restart, it will notify the user and give
the option to delay the restart.
●● 5 - Allow local admin to choose setting. With this option, the local administrators will be
allowed to use the Automatic Updates control panel to select a configuration option. For example,
administrators can choose their own scheduled installation time. Local administrators cannot
disable Automatic Updates configuration.

To use the Configure Automatic Updates setting, select Enabled, and then select one of the options
(2, 3, 4, or 5). If you select 4, you can set a recurring schedule. If you do not specify a schedule, all
installations will occur every day at 03:00. If you set the status to Enabled, Windows recognizes when
the computer is online, and then uses its Internet connection to search Windows Update for updates
that apply to your computer. If you set the status to Disabled, you must manually download and
install any updates that are available on Windows Update. If you set the status to Not Configured,
the use of Automatic Updates is not specified at the Group Policy level. However, an administrator can
still configure Automatic Updates through Control Panel.
●● Specify intranet Microsoft update service location. This setting specifies an intranet server to host
updates from Microsoft Update. You then can use this update service to update your network’s
computers automatically. This setting lets you specify a server on your network to function as an
internal update service. The Automatic Updates client will search this service for updates that apply to
the computers on your network. To use this setting, you must set two server name values, including
the:
●● Server from which the Automatic Updates client detects and downloads updates
●● Server to which updated workstations upload statistics
You can set both values to be the same server. If you set the status to Enabled, the Automatic Updates client connects to the specified intranet location, instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization do not have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them. If you set the status to Disabled or Not Configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
Note: The preceding settings do not have an obvious effect on the user interface, because in Windows 10, these options are not visible in the Advanced options pane of Windows Update. They are visible in Windows 8.1. However, these settings do affect the way in which Windows Update delivers updates.
●● Do not connect to any Windows Update Internet locations. This policy is applicable only when you
have configured the Specify intranet Microsoft update service location setting. When enabled, this
policy will prevent users from downloading updates that you have not authorized in the Windows
Server Update Services console. It may disrupt users’ connection to the Windows Store.
●● Do not include drivers with Windows Updates. When you enable this setting, targeted devices will
not install drivers with quality updates.
●● Specify deadline before auto-restart for update installation. By using this setting, you can configure a deadline before which users have to restart their computer after installing updates. The default deadline is 7 days, but you can configure a deadline between 2 and 14 days.
●● Turn off auto-restart for updates during active hours. With this setting, you can configure the
active hours and prevent users from changing them. The span of active hours can be up to 12 hours.
●● Windows Update for Business. In this node, you can configure one or both of the following policy
settings:
●● Select when Preview Builds and Feature Updates are received. This policy configures whether
the targeted Windows 10 devices will be in the Windows Insider build – Fast, Windows Insider
build – Slow, Release Windows Insider build, or Semi-annual Channel. You can further delay feature
updates up to 365 days. You also can prevent feature updates from being received for up to 35
days by selecting the Pause feature updates check box.
●● Select when Quality Updates are received. With this policy, you can configure deferral of quality
updates for up to 30 days. You also can prevent quality updates from being received for up to 35
days, by selecting the Pause quality updates check box.
In addition to the Windows Update node, you also can configure update settings in Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds. You can configure the following settings:
●● Toggle user control over Insider builds. This policy setting determines whether users can access the
Insider build controls in the Update & security section in the Settings app. It also enables users to
choose whether to make their devices available for downloading and installing Windows preview
software. These controls are located under Windows Insider Program. If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, users cannot install Windows Insider builds.
●● Allow Telemetry. This policy setting determines the amount of diagnostic and usage data reported to
Microsoft. A value of 0 indicates that operating system (OS) components will send no telemetry data
to Microsoft. Setting a value of 0 is applicable for enterprise and server devices only. Setting a value of 0 for other devices is equivalent to choosing a value of 1.
●● A value of 1 sends only a limited amount of diagnostic and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device.
●● A value of 2 sends enhanced diagnostic and usage data.
●● A value of 3 sends the same data as a value of 2, plus additional diagnostics data, such as the
system state at the time of a system halt or crash, and the files and content that may have caused
the problem.
If you disable or do not configure this policy setting, users can configure the Telemetry level in
Settings.
●● Disable pre-release features or settings. This policy setting determines the level to which Microsoft can experiment with the product to study user preferences or device behavior. A value of 1 permits Microsoft to configure device settings only. A value of 2 allows Microsoft to conduct full experimentation. If you disable this policy setting, no experimentation will occur. If you do not configure this policy setting, users can configure the Let Microsoft try features on this build option in Settings.
Finally, the Computer Configuration/Administrative Templates/Windows Components/Delivery
Optimization node contains the following settings:
●● Download Mode. Set this policy to configure the use of Windows Update Delivery Optimization in
downloads of Windows apps and updates. Available modes are: Bypass, Group, HTTP only, Internet,
LAN, and Simple.
●● Group ID. Set this policy to specify an arbitrary group ID to which the device belongs. Use this if you
need to:
●● Limit the number of devices participating in peering in a domain network with many users.
●● Create a single group for Local Network Peering for branches that are on different domains or are
not on the same network address translation (NAT).
Note: This is a best-effort optimization. You should not rely on it to authenticate identity. You must use a globally unique identifier (GUID) as the group ID.
●● Max Upload Bandwidth. Set this policy to define a limit for the upload bandwidth that a device will utilize for all concurrent upload activity via Delivery Optimization (set in kilobytes per second).
●● Max Cache Size. Set this policy to define the maximum cache size Delivery Optimization can utilize as a percentage of the internal disk size.
●● Max Cache Age. Set this policy to define the maximum time that the Delivery Optimization cache holds each file.
Practice Labs and Module Review


Module 4 Practice Labs
Lab 0401: Managing Windows Update Settings

Summary
In this lab you will learn how to manage Windows Update settings for a single device and how to manage
feature and quality updates for multiple devices using Windows Update for Business Group Policy
settings.

Exercise 1: Configuring Updates for a Single Device

Scenario
You need to validate the Windows Update settings for SEA-WS3. You have also been asked to ensure that
the following Windows update settings are applied to the device:

Exercise 2: Managing Feature and Quality Updates with Windows Update for Business

Scenario
You have been delegated the task to create Group Policy Objects to configure Windows Update for
Business. Your first task is to determine how many deployment rings you will need and the associated
Windows update settings based upon business requirements. You then need to configure a Group Policy
object for each deployment ring. The Group Policy Objects will then be applied to organizational units by
the Active Directory administrators at a later time.

Module Review
Check Your Knowledge
1. Your organization needs to separate machines into different deployment timelines. You decide to use
the Ring update method. Which of the following are Windows service rings? (select four)
A. Preview
B. Line of Business
C. Mission Critical
D. Targeted
E. Broad
F. Critical
2. Your organization has a number of custom applications. You need additional time to test application
compatibility before deployment. Which Windows 10 servicing option provides you the ability to do
this?
A. Windows Insider
B. Monthly Channel
C. Semi-Annual Channel
D. Long-Term Servicing Channel
E. Annual Channel
3. You need to make new feature upgrades available to some of the desktop support team members
before they are released to users. Which Windows 10 Servicing option allows you to do this?
A. Sandbox Channel
B. Windows Insider
C. Monthly Channel
D. Semi-Annual Channel
E. Long-Term Servicing Channel
F. Annual Channel
4. Your organization requires that updates are controlled and deferred. You want to utilize the service
updates with Windows 10. Which servicing tool will allow you to perform centralized management
using Group Policy?
A. Windows Update
B. Windows Update for Business
C. Configuration Manager
D. Windows Server Update Service
E. None mentioned
5. Which of the following is not a node in Group Policy that contain Windows Update settings that are
relevant for Windows 10 devices?
A. Windows Update
B. Windows Update for Business
C. Configuration Manager
D. Windows Server Update Service
E. None mentioned
6. Which are the four phases in the update management process? (select four)
A. Evaluate
B. Plan
C. Assess
D. Identify
E. Support
F. Evaluate and plan
G. Deploy
7. The network for your company doesn't provide a bandwidth that can handle quick update delivery.
You decide to take advantage of a peer to peer delivery mechanism for updates. With this approach,
how long can you defer Quality Updates for?
A. up to 14 days
B. up to 30 days
C. up to 35 days
D. up to 180 days
Answers: 1) A,D,E,F 2) C 3) B 4) B 5) D 6) C,D,F,G 7) B
Module 5 Configuring Networking

Configure IP Network Connectivity


Lesson Introduction
Connecting a Windows client to a network has become a largely automatic process. When Windows is installed, the default network drivers and settings are typically enough to get connected and locate a server or router that governs the network environment and provides the information the client needs to connect to the local network. In a typical home or public network, it is often a matter of just plugging in an Ethernet cable or, in the case of wireless connections, entering the SSID (service set identifier) and a password, if applicable, to access common resources such as the Internet.
Connecting a device to an organization’s network can be more complex, and the default settings may not
be sufficient for connecting to a network or accessing certain resources. Regardless of the network
settings or complexity, it’s not an uncommon occurrence for a device to occasionally have difficulty
connecting to a network. This is especially true of mobile devices.
So it is important that you understand the fundamentals of both IPv4 and IPv6, and know how to configure them in Windows 10 within the context of your organization’s network infrastructure.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe IPv4.
●● Describe IPv4 subnets.
●● Explain the difference between public and private IPv4 addressing.
●● Implement automatic IPv4 address allocation.
●● Describe the tools available to configure network settings in Windows 10.
●● Describe the tools available to troubleshoot network connections.
●● Configure an IPv4 network connection.
●● Describe IPv6.
●● Explain IPv6 addressing.

Windows Network Configuration


The Windows client network settings can be found in the Windows Settings app, under Network & Internet. Alternatively, you can select the network connection icon on the right side of the taskbar, and then select Network & Internet Settings. Either will open the following submenu:

By default, you will see the Network Status page, which will indicate your current connection state. You’ll
also notice additional sub-menus on the left side, such as Wi-Fi, Airplane mode, Data usage, VPN,
Dial-up, Ethernet, and Proxy. These are the various methods available for connecting to a network – and
will vary depending on what type of connections the individual device will support.
From within Ethernet or Wi-Fi, you can:
●● Change adapter options. You can configure the network adapter settings. A list of network adapters
displays, and you can then configure the properties for each, including:
●● Internet Protocol Version 6 (TCP/IPv6). Enables you to manually configure the IPv6 settings for a given
adapter.
●● Internet Protocol Version 4 (TCP/IPv4). Enables you to manually configure the IPv4 settings for a given
adapter.
●● Change advanced sharing options. You can configure network discovery, file and print sharing, public
folder sharing, media streaming options, and the encryption level to use for file sharing connections.
●● Launch the Network and Sharing Center. You can use this tool to configure most network settings. You
will learn more about it below.
●● Enable and configure a homegroup. You can enable and configure homegroups, which are collections
of computers that you deploy on a home network and that share resources such as files and printers.
When your computer is part of a homegroup, you can share images, media files, documents, and
printer devices with others in your homegroup. Once you enable a homegroup, you can then define
which libraries you will share, such as Pictures, Documents, or Videos. You can enable a homegroup
only on network interfaces that are defined as part of a private network location profile. To provide for
basic security, you can enable a password on your homegroup.
Note: Although domain-joined computers cannot create homegroups, they can connect to existing homegroups.
●● Configure Internet options. You can configure the options your web browsers use.
●● Configure Windows Firewall. You can launch the Windows Firewall tool and configure Windows
Firewall rules, notifications, and advanced settings.
From within Wi-Fi, you also can:
●● View available networks. You can use this setting to view available networks, but not explicitly hidden
wireless networks.
●● View hardware properties. You can use this setting to view properties of your Wi-Fi connection such as
its Service Set Identifier (SSID), protocol, and security type, in addition to the manufacturer and the
physical MAC address of your Wi-Fi adapter.
●● Manage known networks. You can use this setting to display the properties of the wireless networks
you have connected to and remove (or forget, as referenced in the graphical user interface (GUI)) their
settings.
●● Configure Hotspot 2.0 networks. You can use this setting to use Online Sign-Up to connect to Hotspot
2.0 networks.

Network and Sharing Center


This tool is largely the same as it is in Windows 8.1. It provides a clear view of the status for any wired or
wireless connection, and you can use it to create additional network connections by using a wizard-driven
interface. The Network and Sharing Center also provides links for accessing other network-related tools,
including:
●● Change advanced sharing settings
●● Internet Options
●● Windows Firewall
●● Network and Internet Troubleshooting Wizard

Overview of IPv4 Settings


To configure network connectivity, you must be familiar with IPv4 addresses and how they work. Communication
between computers can happen only if they can identify each other on the network. When you
assign a unique IPv4 address to each networked computer, the IPv4 address identifies the computer to
the other computers on the network. That IPv4 address, combined with the subnet mask, identifies the
computer’s location on the network, just as the combination of a number and a street name identify the
location of a house.
Overview of connecting with another network host


In a typical situation, communication starts with a request to connect to another host by its computer
name. However, to communicate, the requesting host needs to know the media access control (MAC)
address of the receiving host’s network interface. Conversely, the receiving host needs to know the
requesting host’s MAC address. Once the requesting host discovers the MAC information, it caches it
locally. A MAC address is a hard-coded, unique identifier assigned to network interfaces by the manufacturers of network adapters. Before the requesting host can find the receiving host’s MAC address, a number of steps occur.
The following is a high-level overview of these steps:
1. A host sends a request to connect to Server1. The name Server1 must be resolved to an IPv4 address.
2. Once the sender knows the recipient’s IPv4 address, it uses the subnet mask to determine whether the
IPv4 address is remote or on the local subnet.
3. If it is local, an Address Resolution Protocol (ARP) request is broadcast on the local subnet. If it is
remote, an ARP request is sent to the default gateway and then routed to the correct subnet.
4. The host that owns that IPv4 address will respond with its MAC address and a request for the sender’s
MAC address.
5. Once the exchange of MAC addresses completes, IPv4 communication negotiation and the exchange
of IP data packets can occur.
Components of an IPv4 address


IPv4 uses 32-bit addresses. If you view an IPv4 address in its binary format, it is a string of 32 binary digits (bits), as the following example shows:
11000000101010000000000111001000

IPv4 divides the address into four octets (groups of 8 bits), as the following example shows:
11000000.10101000.00000001.11001000

To make IP addresses more readable, each octet is typically written as a decimal number, with the octets separated by periods (dotted decimal notation), as the following example shows:
192.168.1.200

In conjunction with a subnet mask, the address identifies:
●● The computer’s unique identity, which is the host ID.
●● The subnet on which the computer resides, which is the network ID.
This enables a networked computer to communicate with other networked computers in a routed
environment.

IPv4 address classes


The Internet Assigned Numbers Authority (IANA) organizes IPv4 addresses into classes, and the number
of hosts in a network determines the required class of addresses. Class A through Class E are the names
that IANA has specified for IPv4 address classes.
Classes A, B, and C are IP addresses that you can assign to host computers as unique IP addresses, whereas you can use Class D for multicasting. Additionally, IANA reserves Class E for experimental use.

Defining Subnets
A subnet is a network segment. Single or multiple routers separate the subnet from the rest of the
network. When your Internet service provider (ISP) assigns a network to a Class A, B, or C address range,
you often must subdivide the range to match the network’s physical layout. Subdividing enables you to
break a large network into smaller, logical subnets.
When you subdivide a network into subnets, you must create a unique ID for each subnet, which you
derive from the main network ID. To create subnets, you must allocate some of the bits in the host ID to
the network ID. By doing so, you can create more networks.
By using subnets, you can:
●● Use a single Class A, B, or C network across multiple physical locations.
●● Reduce network congestion by segmenting traffic and reducing broadcasts on each segment.
●● Overcome the limitations of current technologies, such as exceeding the maximum number of hosts
that each segment can have.
A subnet mask specifies which part of an IPv4 address is the network ID and which is the host ID. A
subnet mask has four octets, similar to an IPv4 address.

Simple IPv4 networks


In simple IPv4 networks, the subnet mask defines full octets as part of the network and host IDs. A 255
represents an octet that is part of the network ID, and a 0 represents an octet that is part of the host ID.
Class A, B, and C networks use default subnet masks. The following table lists the characteristics of each
IP address class.

Class  First octet  Default subnet mask  Number of networks  Number of hosts per network
A      1 to 127     255.0.0.0            126                 16,777,214
B      128 to 191   255.255.0.0          16,384              65,534
C      192 to 223   255.255.255.0        2,097,152           254

Complex IPv4 networks


In complex networks, subnet masks might not be simple combinations of 255 and 0. Rather, you might subdivide one octet, using some of its bits for the network ID and the rest for the host ID. When the boundary between the network ID and the host ID does not fall on a whole octet, the addressing is classless, which is known as Classless Interdomain Routing (CIDR): the network ID uses more or less than a whole number of octets. This type of subnetting uses a different notation, which the following example shows:
172.16.16.1/255.255.240.0

The following example shows the more common representation of classless IPv4 addressing:
172.16.16.1/20

The /20 is the prefix length: the number of leftmost bits in the mask that are set to 1. This notation style is called CIDR notation. The same subnet mask in binary notation looks like this:
11111111.11111111.11110000.00000000

The first 20 bits are set to 1 and identify the subnet, and the remaining 12 zero bits represent how many bits are used to identify the host.

Configuring connectivity to other subnets


A default gateway is a device on a TCP/IP internetwork, usually a router, which forwards IP packets to
other subnets. A router connects groups of subnets to create an intranet. In an intranet, any given subnet
might have several routers that connect it to other local and remote subnets. You must configure one of
the routers as the default gateway for local hosts so that the local hosts can communicate with hosts on
remote networks.
When a host delivers an IPv4 packet, it performs an internal calculation by using the subnet mask to determine whether the destination host is on the same network or on a remote network. If the destination host is on the same network, the local host delivers the packet. If the destination host is on a different network, the host transmits the packet to a router for delivery.
Note: The host determines the MAC address of the router for delivery, and the initiating host addresses the router explicitly, at the media access layer.
When a host on the network uses IPv4 to transmit a packet to a destination subnet, IPv4 consults the internal routing table to determine the appropriate router to ensure that the packet reaches the destination subnet. If the routing table does not contain any routing information about the destination subnet, IPv4 forwards the packet to the default gateway. The host assumes that the default gateway contains the required routing information.
In most cases, you can use a Dynamic Host Configuration Protocol (DHCP) server to assign the default
gateway automatically to a DHCP client. This is more straightforward than manually assigning a default
gateway on each host.
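The subnet arithmetic from the preceding sections (prefix and mask notation, network and host ID, the class table, and the local-versus-remote delivery decision that falls back to the default gateway), worked through in Python as an added example that is not part of the course material. The host 172.16.16.1/20 comes from the lesson; the routing table and the other addresses are constructed sample values.

```python
"""IPv4 subnet arithmetic and the local-versus-remote delivery decision.

Added example for this lesson, not part of the course material. Every
address, mask and route below is a constructed sample value.
"""
from __future__ import annotations

ALL_ONES = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    """Convert a dotted-decimal IPv4 address to a 32-bit integer."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    """Convert a 32-bit integer back to dotted-decimal form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """/20 -> 255.255.240.0: the leftmost `prefix` bits of the mask are 1."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return int_to_ip((ALL_ONES << (32 - prefix)) & ALL_ONES)


def mask_to_prefix(mask: str) -> int:
    """255.255.240.0 -> 20. Rejects masks whose 1 bits are not contiguous."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def network_id(addr: str, mask: str) -> str:
    """Network ID: the address bits under the 1 bits of the mask."""
    return int_to_ip(ip_to_int(addr) & ip_to_int(mask))


def host_id(addr: str, mask: str) -> str:
    """Host ID: the address bits under the 0 bits of the mask."""
    return int_to_ip(ip_to_int(addr) & ~ip_to_int(mask) & ALL_ONES)


def address_class(addr: str) -> str:
    """Classful letter from the first octet, per the lesson's table (A: 1-127,
    B: 128-191, C: 192-223); D (224-239) is multicast, E (240-255) experimental."""
    first = ip_to_int(addr) >> 24
    for limit, letter in ((128, "A"), (192, "B"), (224, "C"), (240, "D")):
        if first < limit:
            return letter
    return "E"


def same_subnet(src: str, dst: str, mask: str) -> bool:
    """The check a host makes before sending: equal network IDs mean local delivery."""
    return network_id(src, mask) == network_id(dst, mask)


def next_hop(src: str, mask: str, dst: str,
             routes: list[tuple[str, str]], default_gateway: str) -> str:
    """Where an IPv4 packet goes, as described in the lesson: "local" when the
    destination shares the sender's subnet; otherwise the gateway of the most
    specific (longest-prefix) matching entry in `routes`, a list of
    ("network/prefix", gateway) pairs; the default gateway when nothing matches."""
    if same_subnet(src, dst, mask):
        return "local"
    d = ip_to_int(dst)
    best: tuple[int, str] | None = None
    for cidr, gateway in routes:
        net, prefix_text = cidr.split("/")
        prefix = int(prefix_text)
        m = (ALL_ONES << (32 - prefix)) & ALL_ONES
        if (d & m) == (ip_to_int(net) & m) and (best is None or prefix > best[0]):
            best = (prefix, gateway)
    return best[1] if best else default_gateway


if __name__ == "__main__":
    # The lesson's example host, 172.16.16.1/20, with a constructed routing table.
    host, mask = "172.16.16.1", prefix_to_mask(20)
    print(f"{host}/{mask_to_prefix(mask)} ({mask}): class {address_class(host)}, "
          f"network ID {network_id(host, mask)}, host ID {host_id(host, mask)}")
    routes = [("10.0.0.0/8", "172.16.31.1"), ("10.1.0.0/16", "172.16.31.2")]
    for dst in ("172.16.20.5", "10.1.2.3", "10.9.9.9", "203.0.113.7"):
        print(f"  {dst:>12} -> {next_hop(host, mask, dst, routes, '172.16.31.254')}")
```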

Public and Private IP Addressing


Devices and hosts that connect directly to the Internet require a public IPv4 address. However, hosts and
devices that do not connect directly to the Internet do not require a public IPv4 address.

Public IPv4 addresses


Public IPv4 addresses, which IANA assigns, must be unique. Usually, your ISP allocates to you one or more public addresses from its address pool. The number of addresses that your ISP allocates to you depends upon how many devices and hosts you need to connect to the Internet.

Private IPv4 addresses


The pool of IPv4 addresses is becoming smaller, so IANA is reluctant to allocate superfluous IPv4 addresses. Technologies such as network address translation (NAT) enable administrators to use a relatively small number of public IPv4 addresses, and at the same time, enable local hosts to connect to remote hosts and services on the Internet. IANA defines the following address ranges as private. Internet-based routers do not forward packets originating from, or destined to, these ranges.

Class  Mask            Range
A      10.0.0.0/8      10.0.0.0 - 10.255.255.255
B      172.16.0.0/12   172.16.0.0 - 172.31.255.255
C      192.168.0.0/16  192.168.0.0 - 192.168.255.255

In today’s network environments, it is most common for organizations to have one or more public, routable IP addresses from an ISP assigned to the external interfaces of their firewall appliances. Additionally, they use the designated private IP subnets internally.

Implementing Automatic IPv4 Addressing


It is important that you know how to assign static IPv4 addresses manually and support devices that use
DHCP to assign IPv4 addresses dynamically.
Static configuration
You can configure static IPv4 configuration manually for each of your network’s computers. When you
perform IPv4 configuration, you must configure the:
●● IPv4 address
●● Subnet mask
●● Default gateway
●● Domain Name System (DNS) server
Static configuration requires that you visit each computer and input the IPv4 configuration. This method of computer management is time-consuming if your network has more than 10 to 12 computers. Additionally, making a large number of manual configurations heightens the risk of mistakes.

DHCPv4
DHCPv4 enables you to assign IPv4 configurations automatically for a large number of computers without having to assign each one individually. The DHCP service receives requests for IPv4 configuration from computers that you configure to obtain an IPv4 address automatically. It also assigns IPv4 information from scopes that you define for each of your network’s subnets. The DHCP service identifies the subnet from which the request originated, and assigns IP configuration from the relevant scope.
DHCP helps simplify the IP configuration process. However, keep in mind that if you use DHCP to assign
IPv4 information and the service is business-critical, you must:
●● Include resilience in your DHCP service design so that the failure of a single server does not prevent
the service from functioning.
●● Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the whole
network, and it can prevent communication.

IPv4 alternate configuration


If you use a laptop to connect to multiple networks, such as networks at work and at home, each network might require a different IP configuration. Windows 10 supports the use of Automatic Private IP Addressing (APIPA) and an alternate static IP address for this scenario.
When you configure Windows 10 devices to obtain IPv4 addresses from DHCP, use the Alternate Configuration tab to control the behavior if a DHCP server is not available. By default, Windows 10 uses APIPA to assign itself an IP address automatically from the 169.254.0.0 to 169.254.255.255 address range. This enables you to use a DHCP server at a location that has DHCP and requires Internet access, and to use the APIPA address range at a location that has no DHCP but requires communication between computers (such as a workgroup), without reconfiguring IP settings. Additionally, this is useful for troubleshooting DHCP: if the computer has an address from the APIPA range, it is an indication that the computer cannot communicate with a DHCP server.

Tools for Configuring Network Settings


In addition to the Network & Internet section in Settings, you can configure network settings by using a number of tools in Windows 10. The tool you decide to use depends on your situation and goals.

Network Setup Wizard


Windows 10 provides the Network Setup Wizard, a user-friendly interface that you can use to configure
network settings. Windows 10 recognizes any unconfigured network devices on the computer, and then
automates the process of adding and configuring them. The Network Setup Wizard also recognizes any
wireless networks in range of the computer, and then guides you through the process of configuring
them.
You can save network settings to a USB flash drive for use when configuring additional computers, which
makes that process quicker. You also can use the Network Setup Wizard to enable sharing across your
network for documents, photos, music, and other files.

Windows PowerShell
Although you can use the graphical tools previously described to perform all network configuration and
management tasks, sometimes it can be quicker to use command line tools and scripts. Windows has
always provided the command prompt for certain network management tools. However, Windows
PowerShell provides a number of network-specific cmdlets that you can use to configure, manage, and
troubleshoot Windows network connections.
The following list describes some of the network-related Windows PowerShell cmdlets and their purposes:
●● Get-NetIPAddress. Retrieves information about the IP address configuration.
●● Get-NetIPv4Protocol. Retrieves information about the IPv4 protocol configuration (the cmdlet Get-NetIPv6Protocol returns the same information for the IPv6 protocol).
●● Get-NetIPInterface. Obtains a list of interfaces and their configurations. This does not include the IPv4 configuration of the interface.
●● Set-NetIPAddress. Sets information about the IP address configuration.
●● Set-NetIPv4Protocol. Sets information about the IPv4 protocol configuration (the cmdlet Set-NetIPv6Protocol does the same for the IPv6 protocol).
●● Set-NetIPInterface. Modifies IP interface properties.
●● Get-NetRoute. Obtains the list of routes in the local routing table.
●● Test-Connection. Runs connectivity tests similar to those of the Ping command. For example, Test-Connection lon-dc1.
●● Resolve-DnsName. Provides a similar function to the NSLookup tool.
●● Get-NetConnectionProfile. Obtains the type of network (public, private, or domain) to which a network adapter is connected.
●● Clear-DnsClientCache. Clears the client’s resolver cache, similar to the IPConfig /flushdns command.
●● Get-DnsClient. Retrieves configuration details specific to the different network interfaces on a specified computer.
●● Get-DnsClientCache. Retrieves the contents of the local DNS client cache, similar to the IPConfig /displaydns command.
●● Get-DnsClientGlobalSetting. Retrieves global DNS client settings, such as the suffix search list.
●● Get-DnsClientServerAddress. Retrieves one or more DNS server IP addresses associated with the interfaces on the computer.
●● Register-DnsClient. Registers all of the IP addresses on the computer onto the configured DNS server.
●● Set-DnsClient. Sets the interface-specific DNS client configurations on the computer.
●● Set-DnsClientGlobalSetting. Configures global DNS client settings, such as the suffix search list.
●● Set-DnsClientServerAddress. Configures one or more DNS server IP addresses associated with the interfaces on the computer.
For example, to configure the IPv4 settings for a network connection by using Windows PowerShell, use
the following cmdlet:
Set-NetIPAddress -InterfaceAlias Wi-Fi -IPAddress 172.16.16.1

Netsh
You also can use the Netsh command-line tool to configure network settings. For example, to configure IPv4 by using Netsh, you can use the following command:
Netsh interface ipv4 set address name="Local Area Connection" source=static addr=172.16.16.3 mask=255.255.255.0 gateway=172.16.16.1

Note: Functionality in the Windows PowerShell network-related cmdlets has largely replaced Netsh.

Tools for Troubleshooting Network Connections


Windows 10 includes a number of tools that you can use to diagnose network problems, including:
●● Event Viewer
●● Windows Network Diagnostics
●● IPConfig
●● Ping
●● Tracert
●● NSLookup
●● Pathping
●● Windows PowerShell
●● Microsoft Message Analyzer

Event Viewer
Event logs are files that record significant events on a computer, such as when a process encounters an
error. When these events occur, Windows records the event in the appropriate event log, and you can use
Event Viewer to read it. An IP address conflict, for example, is recorded in the System log as event ID 4199
from the Tcpip source, and such a conflict can prevent services from starting. When you troubleshoot errors
on Windows 10, view the events in the event logs to determine the cause of the problem.

You can use Event Viewer to access the Application, Security, Setup, and System logs under the Windows
Logs node. When you select a log and then select an event, a preview pane under the event list contains
details of the specified event. To help diagnose network problems, look for errors or warnings related to
network services in the System log.

Windows Network Diagnostics


In the event of a Windows 10 networking problem, the Diagnose Connection Problems option helps
diagnose and repair the problem. Windows Network Diagnostics then presents a possible description of
the problem and a potential remedy. The solution might require manual intervention from the user.

IPConfig
The IPConfig command displays the current TCP/IP network configuration. Additionally, you can use
IPConfig to refresh DHCP and DNS settings. For example, you might need to flush the DNS cache. The
following table provides a brief description of some of the IPConfig command switches.

Command Description
ipconfig /all View detailed configuration information.
ipconfig /release Release the leased configuration back to the DHCP
server.
ipconfig /renew Renew the leased configuration.
ipconfig /displaydns View the DNS resolver cache entries.
ipconfig /flushdns Purge the DNS resolver cache.
ipconfig /registerdns Register/update the client’s host name with the
DNS server.

Ping
You use the Ping command to verify IP-level connectivity to another TCP/IP computer. This command
sends and receives Internet Control Message Protocol (ICMP) echo request messages, and displays the
receipt of corresponding echo reply messages. The Ping command is the primary TCP/IP command used
to troubleshoot connectivity.
Note: Firewalls might block ICMP echo requests. Windows Defender Firewall, for example, drops inbound
ICMPv4 echo requests unless a rule such as File and Printer Sharing (Echo Request - ICMPv4-In) is enabled
for the active profile. As a result, a failed Ping does not prove that the host is down or unreachable; test a
TCP port the host is known to listen on (for example, with Test-NetConnection -Port) before concluding
that connectivity is broken.

Tracert
The Tracert tool determines the path taken to a destination computer by sending ICMP echo requests with
increasing Time to Live (TTL) values. Each router that decrements the TTL to zero returns an ICMP Time
Exceeded message, which reveals that router's address and the round-trip time to it. The path displayed is
the list of router interfaces between a source and a destination, and the hop at which replies stop is
usually the failing one. These results might not be accurate if a router is busy, because routers generate
ICMP responses at low priority; a hop that shows only asterisks can still be forwarding traffic normally.

Pathping
The Pathping command traces a route through the network in a manner similar to the Tracert tool.
However, Pathping then sends a series of echo requests to each hop (100 by default, adjustable with the
-q switch) over a period of time, and reports packet loss and latency per hop. This lets it show which
router or link is actually losing packets, rather than only which hops exist.

NSLookup
The NSLookup tool displays information that you can use to diagnose the DNS infrastructure. You can
use the tool to confirm connection to the DNS server, in addition to the existence of the required records.

Windows PowerShell
You can use Windows PowerShell to configure network connection settings. In addition to this, you can
use Windows PowerShell cmdlets for troubleshooting network settings.
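The following function, added here as an example and not part of the course text, combines the checks that the tools above perform (default gateway, name resolution, ICMP, a TCP port and a trace) into one PowerShell report. It relies on Test-NetConnection, the cmdlet counterpart of Ping and Tracert, and on Resolve-DnsName; Test-NetPath is defined here for illustration, and the target host name and port (LON-DC1.adatum.com, 389) are assumed values.

```powershell
# Added example (not from the course): layered connectivity check for a remote
# host. The target name and port used in the call at the bottom are assumed.
function Test-NetPath {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443
    )
    $result = [ordered]@{ Target = $ComputerName; Port = $Port }

    # 1. Is there a default gateway, and does it answer ICMP? If this fails the
    #    problem is local (cabling, DHCP, wrong gateway), not the remote host.
    $gw = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
           Sort-Object RouteMetric | Select-Object -First 1).NextHop
    $result.Gateway          = $gw
    $result.GatewayReachable = if ($gw) { Test-Connection -ComputerName $gw -Count 1 -Quiet } else { $false }

    # 2. Does the name resolve through DNS? -DnsOnly skips the cache, Hosts file,
    #    LLMNR and NetBIOS so you see what the DNS servers really return.
    $dns = Resolve-DnsName -Name $ComputerName -Type A -DnsOnly -ErrorAction SilentlyContinue
    $result.ResolvedAddress = ($dns | Where-Object Section -eq 'Answer' | Select-Object -First 1).IPAddress

    # 3. ICMP and a TCP port in one call. The TCP test still works when the remote
    #    firewall drops echo requests, which is the false negative Ping alone gives.
    $tcp = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    $result.PingSucceeded    = $tcp.PingSucceeded
    $result.TcpTestSucceeded = $tcp.TcpTestSucceeded

    # 4. Only if the port is unreachable, trace the path (the Tracert equivalent)
    #    to see how far packets get before replies stop.
    if (-not $tcp.TcpTestSucceeded) {
        $trace = Test-NetConnection -ComputerName $ComputerName -TraceRoute -WarningAction SilentlyContinue
        $result.TraceRoute = $trace.TraceRoute -join ' -> '
    }
    [pscustomobject]$result
}

Test-NetPath -ComputerName LON-DC1.adatum.com -Port 389 | Format-List
```

Read the result top down: a dead gateway points at the local configuration, a missing ResolvedAddress at name resolution, and a succeeded TCP test with a failed ping at nothing more than an ICMP filter on the remote side.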

Microsoft Message Analyzer


Microsoft Message Analyzer is a tool that captures network traffic and then displays and analyzes
information about that traffic. You can use Microsoft Message Analyzer to monitor live network traffic, or
import, aggregate, and analyze data from log and trace files. Microsoft Message Analyzer replaced
Network Monitor.
Note: Microsoft retired Message Analyzer in late 2019 and no longer offers it for download. On current
Windows 10 builds, the built-in netsh trace command (for example, netsh trace start capture=yes) and, from
version 2004, the pktmon command capture packets to a file that you can analyze offline in a tool such as
Wireshark.

Overview of IPv6 in Windows 10


Though most networks to which you connect Windows 10–based devices currently provide IPv4 support,
many also support IPv6. To connect computers that are running Windows 10 to IPv6 based networks, you
must understand the IPv6 addressing scheme and the differences between IPv4 and IPv6.

Benefits of IPv6
The IPv6 protocol provides the following benefits:
●● Large address space. IPv4 uses 32-bit addresses, giving 4,294,967,296 possible addresses. IPv6 uses
128-bit addresses, giving 340,282,366,920,938,463,463,374,607,431,768,211,456 (about 3.4x10^38, or
340 undecillion) possible addresses.
●● Hierarchical addressing and routing infrastructure. The IPv6 address space is more efficient for routers,
which means that even though there are many more addresses, routers can process data much more
efficiently because of address optimization.
●● Stateless and stateful address configuration. IPv6 has autoconfiguration capability without DHCP, and
it can discover router information so that hosts can access the Internet. This is a stateless address
configuration. A stateful address configuration is when you use the DHCP version 6 (DHCPv6) proto-
col. Stateful configuration has two additional configuration levels: one in which DHCP provides all the
information, including the IP address and configuration settings, and another in which DHCP provides
just configuration settings.
●● Support for Internet Protocol security (IPsec). The original IPv6 node requirements made support for
the Authentication Header (AH) and Encapsulating Security Payload (ESP) headers that IPsec defines
mandatory; the current node requirements (RFC 6434 and its successors) relax this to a strong
recommendation, so verify that a given device actually implements it. The IPv6 standards do not dictate
particular authentication methods or cryptographic algorithms, but IPsec was designed from the start as
the way to protect IPv6 packets.
Note: IPsec provides authentication and integrity and, optionally, encryption for communications
between hosts. Having IPsec available does not mean traffic is protected: it must be configured through
a policy, such as Windows Defender Firewall connection security rules.
●● Restored end-to-end communication. The global addressing model for IPv6 traffic means that
translation between different types of addresses is not necessary, such as the translation done by NAT
devices for IPv4 traffic. This simplifies communication because you do not need to use NAT devices
for peer-to-peer applications, such as video conferencing.

●● Prioritized delivery. The IPv6 header contains a Traffic Class field and a 20-bit Flow Label that let
network devices identify a flow of packets and process it at the priority you specify, without inspecting
the payload. This enables traffic prioritization. For example, when you are streaming video traffic, it is
critical that the packets arrive in a timely manner, and you can mark that traffic so that network devices
treat its delivery as time-sensitive.
●● Support for single-subnet environments. IPv6 has much better support of automatic configuration
and operation on networks consisting of a single subnet. You can use this to create temporary, ad hoc
networks through which you can connect and share information.
●● Extensibility. The design of IPv6 enables you to extend it with less constraint than IPv4.

IPv6 in Windows 10
Windows 10 uses IPv6 by default. Windows 10 includes several features that support IPv6, as described
below.

Windows 10 dual stack


Windows 10 supports both IPv6 and IPv4 in a dual stack configuration. The dual IP stack helps reduce
maintenance costs by providing the following features:
●● Shared transport and framing layer.
●● Shared filtering for firewalls and IPsec.
●● Consistent performance, security, and support for both IPv6 and IPv4.
When you connect to a new network that advertises IPv6 routability, Windows 10 tests IPv6 connectivity,
and it will only use IPv6 if IPv6 connectivity is actually functioning. Windows 10 also performs address
sorting (default address selection), which uses a prefix policy table to decide which source and destination
address pair to prefer when an application and a destination support both IPv4 and IPv6. You can view
that table with netsh interface ipv6 show prefixpolicies.

DirectAccess use of IPv6


DirectAccess enables remote users to access a corporate network anytime they have an Internet connec-
tion, because it does not require a virtual private network (VPN). DirectAccess provides a flexible corpo-
rate network infrastructure to help you remotely manage and update user PCs on and off a network.
DirectAccess makes the end-user experience of accessing corporate resources over an Internet connec-
tion nearly indistinguishable from the experience of accessing these resources from a computer at work.
DirectAccess uses IPv6 to provide globally routable IP addresses for remote access clients.

Windows services can use IPv6


Windows 10 services such as file sharing and remote access can run over IPv6 and use IPsec to protect
their traffic. This includes VPN Reconnect, which is built on Internet Key Exchange version 2 (IKEv2), the
key negotiation protocol of IPsec; IKEv2 works over both IPv4 and IPv6.
The Windows 10 operating system supports remote troubleshooting capabilities such as Windows
Remote Assistance and Remote Desktop. Remote Desktop enables administrators to connect to multiple
Windows Server sessions for remote administration purposes. You can use IPv6 addresses to make
remote desktop connections. Windows Remote Assistance and Remote Desktop use the Remote Desktop
Protocol to enable users to access files on their office computers from other computers, such as their
home computers.

IPv6 Addressing Overview


The most obvious, distinguishing feature of IPv6 is its use of much larger addresses. IPv4 addresses are
expressed in four groups of decimal numbers, such as 192.168.1.1. Each grouping of numbers represents
a binary octet. In binary, the preceding number is as follows:
11000000.10101000.00000001.00000001

(four octets = 32 bits). An IPv6 address is four times larger, at 128 bits. IPv6 addresses are expressed as
eight groups of 16 bits in hexadecimal, separated by colons, with leading zeros in each group omitted and
one run of consecutive all-zero groups compressed to a double colon (::), as the following example shows:
2001:DB8::2F3B:2AA:FF:FE28:9C5A

This might seem complex for end users, but the assumption is that users will rely on DNS names to
resolve hosts, meaning they will rarely type IPv6 addresses manually. The IPv6 address in hexadecimal
also is easier to convert to binary. This makes it simpler to work with subnets and calculate hosts and
networks.

IPv6 address types


IPv6 address types are similar to IPv4 address types. The IPv6 address types are:
●● Unicast. An IPv6 unicast address is equivalent to an IPv4 unicast address. You can use this address
type for one-to-one communication between hosts. Each IPv6 host has multiple unicast addresses.
There are three types of unicast addresses:
●● Global unicast addresses. These are equivalent to public IPv4 addresses. They are globally routable
and reachable on the IPv6 portion of the Internet.
●● Link-local addresses. Hosts use link-local addresses when communicating with neighboring hosts on
the same link. For example, on a single-link IPv6 network with no router, hosts communicate by using
link-local addresses. Link-local addresses are local-use unicast addresses with the following properties:
●● IPv6 link-local addresses are roughly equivalent to IPv4 APIPA addresses, except that every IPv6
interface always has one, whether or not it also has a global address.
●● Link-local addresses always fall in the FE80::/10 prefix (in practice FE80::/64), so they begin with FE80.
They are not routable, and the same link-local address can exist on several links, which is why Windows
displays them with a zone index such as %12.
●● Unique local unicast addresses. Unique local addresses (FC00::/7, in practice FD00::/8 followed by a
randomly generated 40-bit global ID) provide an equivalent to the private IPv4 address space for
organizations. Because the global ID is random, two organizations' ranges are unlikely to overlap when
the organizations combine, unlike 10.0.0.0/8 networks in IPv4.
●● Multicast. An IPv6 multicast is equivalent to an IPv4 multicast address. You use this address type for
one-to-many communication between computers that you define as using the same multicast
address.
●● Anycast. An anycast address is a unicast address that is assigned to multiple computers. When a host
sends packets to an anycast address, the routing infrastructure delivers them to only one of those
computers, the nearest in routing terms, and only that host responds. You typically use this address type
for locating services or the nearest router.
In IPv4, you typically assign a single host with a single unicast address. However, in IPv6, you can assign
multiple unicast addresses to each host. To verify communication processes on a network, you must know
the purposes for which IPv6 uses each of these addresses.

Interface identifiers
The last 64 bits of an IPv6 address are the interface identifier. This is equivalent to the host ID in an IPv4
address. Each interface on an IPv6 network must have a unique interface identifier. Because the interface
identifier is unique to each interface, IPv6 uses interface identifiers rather than MAC addresses to identify
hosts uniquely. An interface identifier can be derived from the MAC address (the EUI-64 method), but that
lets a device be tracked across networks, so Windows 10 by default generates random interface identifiers
instead and also uses short-lived temporary addresses for outgoing connections. The SuffixOrigin column
of Get-NetIPAddress shows which method produced an address (Link for EUI-64, Random for a random
identifier).
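As an added example (not part of the course), the following PowerShell classifies each IPv6 address on the local computer into the types listed above and shows how its interface identifier was generated. The Get-IPv6AddressType function is defined here for illustration; it is not a Windows cmdlet.

```powershell
# Added example (not from the course): classify the IPv6 addresses on this
# computer by type and show the origin of each interface identifier.
function Get-IPv6AddressType {
    param([Parameter(Mandatory)][string]$Address)
    # Parse accepts a zone index such as fe80::1%12 as Windows reports it.
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetworkV6') { throw "$Address is not an IPv6 address" }
    $first = $ip.GetAddressBytes()[0]
    if ($ip.Equals([System.Net.IPAddress]::IPv6Loopback)) { return 'Loopback' }     # ::1
    if ($ip.Equals([System.Net.IPAddress]::IPv6Any))      { return 'Unspecified' }  # ::
    if ($ip.IsIPv6Multicast)                              { return 'Multicast' }    # FF00::/8
    if ($ip.IsIPv6LinkLocal)                              { return 'LinkLocal' }    # FE80::/10
    if (($first -band 0xFE) -eq 0xFC)                     { return 'UniqueLocal' }  # FC00::/7
    if (($first -band 0xE0) -eq 0x20)                     { return 'Global' }       # 2000::/3
    return 'Other'
}

# SuffixOrigin tells you how the interface identifier (last 64 bits) was built:
#   Link   = derived from the MAC address (EUI-64), trackable across networks
#   Random = random identifier (Windows default)
#   Manual = statically assigned, Dhcp = from DHCPv6
Get-NetIPAddress -AddressFamily IPv6 |
    Select-Object InterfaceAlias, IPAddress, PrefixLength, SuffixOrigin,
        @{ Name = 'Type'; Expression = { Get-IPv6AddressType $_.IPAddress } } |
    Sort-Object InterfaceAlias, Type |
    Format-Table -AutoSize

# The global settings behind that behaviour. Both are Enabled by default on Windows 10.
Get-NetIPv6Protocol | Select-Object RandomizeIdentifiers, UseTemporaryAddresses
```

Expect at least one LinkLocal address per active interface even on an IPv4-only network; a Global or UniqueLocal address with SuffixOrigin Link means the host is exposing its MAC address in every packet it sends.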

Implement Name Resolution


Lesson Introduction
Windows 10 devices communicate over a network by using names in place of IP addresses. Devices use
name resolution to find an IP address that corresponds to a name, such as a host name. This lesson
focuses on different types of computer names and the methods to resolve them.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe name resolution.
●● Describe DNS.
●● Explain how to troubleshoot name resolution.
●● Configure and test name resolution settings in Windows 10.

What Is Name Resolution


Name resolution is the process of converting computer names to IP addresses. Name resolution is an
essential part of computer networking because it is easier for users to remember names than abstract
numbers, such as an IPv4 or IPv6 address. Windows 10 supports a number of different methods for
resolving computer names, such as DNS, Windows Internet Name Service (WINS), and local hosts or
LMHOSTS resolution.

Computer names
A host name is a user-friendly name that is associated with a host's IP address and identifies it as a TCP/IP
host. Each label (the part between periods) can be up to 63 characters, a complete name can be no more
than 255 characters in length, and the name must contain only alphanumeric characters, periods, and
hyphens. A host name is an alias or a fully qualified domain name (FQDN).
Note: An alias is a single-label name associated with an IP address, and the host name combines an alias
with a domain name to create the FQDN.
The elements of the name include periods as separators. Applications use the structured FQDN on the
Internet. An example of an FQDN is payroll.contoso.com.
A NetBIOS name is a nonhierarchical name that some older apps use. A 16-character NetBIOS name
identifies a NetBIOS resource on a network. A NetBIOS name represents a single computer or a group of
computers. NetBIOS uses the first 15 characters for a specific computer’s name and the final sixteenth
character to identify a resource or service on that computer. An example of a NetBIOS name is NYC-
SVR2[20h].

Methods for resolving names


There are a number of ways in which apps resolve names to IP addresses. DNS is the standard method,
on Windows and on the Internet, for resolving host names to IP addresses. Apps also use DNS to do the following:
●● Locate domain controllers and global catalog servers. Apps use this functionality when you sign in to
Active Directory Domain Services (AD DS).
●● Resolve IP addresses to host names. Apps use this functionality when a log file contains only a host’s
IP address.
●● Locate a mail server for email delivery. Apps use this functionality for the delivery of all Internet email.
When an app specifies a host name, TCP/IP uses the DNS resolver cache, DNS, and Link-Local Multicast
Name Resolution when it attempts to resolve the host name. The Hosts file is loaded into the DNS
resolver cache.
Note: If NetBIOS over TCP/IP is enabled, TCP/IP also uses NetBIOS name resolution methods when
resolving single-label, unqualified host names.
Depending on the configuration, Windows 10 resolves host names by performing the following actions:
1. Checking whether the host name is the same as the local host name.
2. Searching the DNS resolver cache which is populated from the local Hosts file.
3. Sending a DNS request to its configured DNS servers.
Note: Windows 10 can use Link-Local Multicast Name Resolution (LLMNR) for networks that do not have a
DNS server. LLMNR and NetBIOS queries are sent by multicast or broadcast on the local link, so any host
on that link can answer them, and attackers use tools that answer every such query in order to capture
credentials from the client that then tries to authenticate to the fake host. On networks that have DNS,
disable LLMNR with the Turn off multicast name resolution Group Policy setting (Computer Configuration
> Administrative Templates > Network > DNS Client) and disable NetBIOS over TCP/IP on the adapters.
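The following PowerShell, added here as an example and not part of the course, checks which of these mechanisms answers a given single-label name (LON-CL1 is an assumed name) and then turns off the two fallbacks that any host on the link can answer. Get-NameResolutionPath is a function defined here, not a built-in cmdlet; the hardening commands change system settings and need an elevated session.

```powershell
# Added example (not from the course): find out which resolution path answers a
# name, then disable the spoofable fallbacks. The name LON-CL1 is assumed.
function Get-NameResolutionPath {
    param([Parameter(Mandatory)][string]$Name)
    # Each Resolve-DnsName switch restricts the lookup to one mechanism, so the
    # path that answers is where the name really came from. A name that resolves
    # only through LLMNR or NetBIOS was answered by some host on the local link,
    # which is exactly what a spoofing tool relies on.
    $paths = [ordered]@{
        Cache   = { Resolve-DnsName -Name $Name -CacheOnly   -ErrorAction Stop }
        DNS     = { Resolve-DnsName -Name $Name -DnsOnly     -ErrorAction Stop }
        LLMNR   = { Resolve-DnsName -Name $Name -LlmnrOnly   -ErrorAction Stop }
        NetBIOS = { Resolve-DnsName -Name $Name -NetbiosOnly -ErrorAction Stop }
    }
    foreach ($p in $paths.Keys) {
        try {
            $r = & $paths[$p] | Where-Object { $_.Type -in 'A', 'AAAA' } | Select-Object -First 1
            [pscustomobject]@{ Name = $Name; Path = $p; Answered = [bool]$r; Address = $r.IPAddress }
        } catch {
            [pscustomobject]@{ Name = $Name; Path = $p; Answered = $false; Address = $null }
        }
    }
}

Get-NameResolutionPath -Name LON-CL1 | Format-Table -AutoSize

# --- Hardening (run elevated) ---
# Same registry value that the Group Policy "Turn off multicast name resolution"
# (Computer Configuration > Administrative Templates > Network > DNS Client) sets.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name EnableMulticast -Value 0 -Type DWord

# Disable NetBIOS over TCP/IP on every IP-enabled adapter (TcpipNetbiosOptions 2 = disabled).
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }

# Confirm: after the change, the LLMNR and NetBIOS rows should report Answered = False.
Get-NameResolutionPath -Name LON-CL1 | Format-Table -AutoSize
```

Run the function before and after the hardening block: a name that still resolves through the DNS path but no longer through LLMNR or NetBIOS is the outcome you want on a domain network.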

Overview of DNS
DNS is a service that manages the resolution of host names to IP addresses. Microsoft provides a DNS
Server role on Windows Server 2012 R2 that you can use to resolve host names in your organization.
Typically, you will deploy multiple DNS servers in your organization to help improve both the perfor-
mance and the reliability of name resolution.

Note: The Internet uses a single DNS namespace with multiple root servers. To participate in the Internet
DNS namespace, you must register a domain name with a DNS registrar. This ensures that no two
organizations attempt to use the same domain name.

Structure of DNS
The DNS namespace consists of a hierarchy of domains and subdomains. A DNS zone is a specific portion
of that namespace that resides on a DNS server in a zone file. DNS uses both forward and reverse lookup
zones to satisfy name resolution requests.

Forward lookup zones


Forward lookup zones are capable of hosting a number of different record types. The most common
record type in forward lookup zones is an A record, also known as a host record. This record is used when
resolving a host name to an IP address. Record types in forward lookup zones include:
●● A. A host record, the most common type of DNS record.
●● SRV. Service records are used to locate domain controllers and global catalog servers.
●● MX. Mail exchange records are used to locate the mail servers responsible for a domain.
●● CNAME. Canonical name records (CNAME records) resolve to another host name, also referred to as
an alias.

Reverse lookup zones


Reverse lookup zones contain PTR records. PTR records are used to resolve IP addresses to host names.
An organization typically has control over the reverse lookup zones for its internal network. However,
some PTR records for external IP addresses obtained from an ISP could be managed by the ISP.

How names are resolved with DNS


Resolving DNS names on the Internet involves an entire system of computers, not just a single server.
At the top of the hierarchy are the root servers, which hold the list of top-level domain (TLD) servers.
There are 13 root server names (a.root-servers.net through m.root-servers.net), but each name is served
by many computers around the world, so there are hundreds of root server instances. A list of the 13
names and their addresses, called the root hints, is preloaded on each DNS server. When you register a
domain name on the Internet, you are paying to become part of this system.
To understand how these servers work together to resolve a DNS name, see the following name resolu-
tion process for the name www.microsoft.com:
1. A workstation queries the local DNS server for the IP address www.microsoft.com.
2. If the local DNS server does not have the information, it queries a root DNS server for the location of
the .com DNS servers.
3. The local DNS server queries a .com DNS server for the location of the microsoft.com DNS servers.
4. The local DNS server queries the microsoft.com DNS server for the IP address of www.microsoft.com.
5. The microsoft.com DNS server returns the IP address of www.microsoft.com to the local DNS server.
6. The local DNS server returns the result to the workstation.
Caching and forwarding can modify the name resolution process:
●● Caching. After a local DNS server resolves a DNS name, it caches the result for the period that the
record's Time to Live (TTL) value defines. The TTL is set by the authoritative DNS server that holds the
zone, not by the caching server; in Windows DNS, records without an explicit TTL use the default TTL
from the zone's Start of Authority (SOA) record, which is one hour by default. Subsequent resolution
requests for the DNS name receive the cached information until the TTL expires, at which point the
caching server discards the entry and the next request requires a new name resolution request to the
authoritative server. Negative answers (names that do not exist) are cached too, for the time given by
the SOA record's minimum TTL field.
●● Forwarding. Instead of querying root servers, you can configure a DNS server to forward DNS requests
to another DNS server. For example, requests for all Internet names can be forwarded to a DNS server
at an ISP.
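The following function, added here as an example and not part of the course, performs steps 2 to 5 of the process above from a Windows 10 client: it asks a root server, then the TLD server, then the authoritative server, following each referral, which is what a recursive DNS server does on your behalf. Trace-DnsDelegation is defined here for illustration; it needs outbound DNS to the Internet, and the address of a.root-servers.net (198.41.0.4) is a published constant.

```powershell
# Added example (not from the course): walk the delegation chain from a root
# server to the authoritative server for a name, one referral at a time.
function Trace-DnsDelegation {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$RootServer = '198.41.0.4'   # a.root-servers.net
    )
    $server = $RootServer
    for ($hop = 1; $hop -le 8; $hop++) {
        # -NoRecursion asks the server only for what it knows itself. A server that
        # is not authoritative for the name returns a referral: no Answer records,
        # but NS records for the next zone down in the Authority section.
        $reply = Resolve-DnsName -Name $Name -Type A -Server $server -NoRecursion -DnsOnly -ErrorAction Stop

        $answer = $reply | Where-Object { $_.Section -eq 'Answer' -and $_.Type -in 'A', 'CNAME' }
        if ($answer) {
            $data = $answer | ForEach-Object {
                if ($_.Type -eq 'CNAME') { "CNAME $($_.NameHost)" } else { $_.IPAddress }
            }
            [pscustomobject]@{ Hop = $hop; Server = $server; Result = 'Answer'; Data = ($data -join ', ') }
            return
        }

        $ns = $reply | Where-Object { $_.Section -eq 'Authority' -and $_.Type -eq 'NS' } | Select-Object -First 1
        if (-not $ns) { throw "No answer and no referral from $server" }

        # Prefer the glue address from the Additional section; otherwise resolve the
        # name server normally through the local resolver.
        $glue = $reply | Where-Object { $_.Section -eq 'Additional' -and $_.Type -eq 'A' -and $_.Name -eq $ns.NameHost } |
                Select-Object -First 1
        $next = if ($glue) { $glue.IPAddress }
                else { (Resolve-DnsName -Name $ns.NameHost -Type A -DnsOnly | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress }

        [pscustomobject]@{ Hop = $hop; Server = $server; Result = "Referral to zone '$($ns.Name)'"; Data = "$($ns.NameHost) ($next)" }
        $server = $next
    }
    throw "Gave up after 8 hops"
}

Trace-DnsDelegation -Name www.microsoft.com | Format-Table -AutoSize
```

A CNAME answer, which is what www.microsoft.com returns, ends the trace for that name; start a new trace for the target the CNAME points to if you need its address. Comparing this chain with what your own DNS server caches is a quick way to spot a forwarder that is returning stale or wrong data.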

Troubleshooting Name Resolution


When you troubleshoot name resolution, you must understand which name resolution methods the
computer is using, and in what order. As you know, the operating system resolves host names either by
using a local text file named Hosts, or by using DNS.
Note: Windows 10 appends the primary and connection-specific suffixes to all names that it is resolving.
If the name resolution is unsuccessful initially, Windows 10 applies parent suffixes of the primary DNS
suffix. For example, if the DNS resolver attempts to resolve the name LON-CL1, Windows 10 appends the
.adatum.com suffix to attempt resolution. If that is unsuccessful, the operating system appends .com to
the name, and attempts to resolve it once again. You can configure this behavior from the Advanced
TCP/IP Settings page.
The primary tools for troubleshooting host name resolution are IPConfig and NSLookup, and their
Windows PowerShell equivalents Get-NetIPConfiguration, Get-DnsClientServerAddress, Get-DnsClientCache,
and Resolve-DnsName.

Best Practice: Be sure to clear the DNS resolver cache between resolution attempts.

The process for troubleshooting name resolution


If you cannot connect to a remote host, and if you suspect a name resolution problem, you can trouble-
shoot name resolution by using the following procedure:
1. Open an elevated command prompt, and then clear the DNS resolver cache by typing the following
command:
IPConfig /flushdns

Note: Alternately, you can use the Windows PowerShell cmdlet Clear-DnsClientCache.
2. Attempt to verify connectivity to a remote host by using its IP address. This helps you identify whether
the issue is due to name resolution. You can use the Ping command or the test-connection Windows
PowerShell cmdlet. If the Ping command succeeds with the IP address but fails by the host name, the
problem is with name resolution. Note: Remember that the remote host must allow inbound ICMP
echo packets through its firewall for this test to be viable.
3. Attempt to verify connectivity to the remote host by its host name, by using the FQDN followed by a
period. The trailing period marks the name as fully qualified, so the resolver does not append any DNS
suffix. For example, type the following command at the Windows PowerShell prompt:
Test-Connection LON-cl1.adatum.com.

Note: You also can use the ping command.


4. If the test is successful, the problem is likely unrelated to name resolution.
5. If the test is unsuccessful, edit the C:\Windows\System32\drivers\etc\hosts text file (use an elevated
editor, because only administrators can write to it), and then add the appropriate entry to the end of
the file. For example, add this line, and then save the file:
172.16.0.51 LON-cl1.adatum.com
Note: Hosts file entries take precedence over DNS, so an entry you did not add is itself a finding; malware
and stale troubleshooting edits both leave entries there. Review the file whenever a name resolves to an
unexpected address.

6. Perform the test-by-host-name procedure again. Name resolution should now be successful.
7. Examine the DNS resolver cache to verify that the name resolved correctly. To examine the DNS
resolver cache, type the following command at a command prompt:
IPConfig /displaydns

Note: You also can use the Windows PowerShell cmdlet Get-DnsClientCache.
8. Remove the entry that you added to the Hosts file, and then clear the resolver cache once more. At
the command prompt, type the following command, and then examine the contents of the filename.txt
file to identify the failed stage in name resolution:
nslookup -d2 LON-cl1.adatum.com. > filename.txt

The Windows PowerShell equivalent command is:

Resolve-DnsName lon-cl1.adatum.com. > filename.txt

Note: Resolve-DnsName does not produce the query-by-query debug trace that nslookup -d2 does. To see
what each configured server returns, run Resolve-DnsName once per server with the -Server parameter,
and add -DnsOnly -NoHostsFile so that the cache and the Hosts file are bypassed.
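The following script, added here as an example and not part of the course, runs the procedure above end to end and adds the per-server check from step 8. Test-NameResolution is defined here for illustration; the host name and expected address are the assumed values used in the procedure.

```powershell
# Added example (not from the course): the name resolution troubleshooting
# procedure as one function. Host name and expected address are assumed.
function Test-NameResolution {
    param(
        [Parameter(Mandatory)][string]$Fqdn,        # e.g. LON-CL1.adatum.com
        [Parameter(Mandatory)][string]$ExpectedIP   # what the name should resolve to
    )
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

    # Step 1: clear the resolver cache so an earlier answer cannot mask the problem.
    Clear-DnsClientCache

    # Step 2: connectivity by IP address (the remote host must allow ICMP echo).
    $byIP = Test-Connection -ComputerName $ExpectedIP -Count 1 -Quiet

    # Step 3: resolve the FQDN with a trailing period so no suffix is appended.
    $byName = Resolve-DnsName -Name "$Fqdn." -Type A -DnsOnly -ErrorAction SilentlyContinue |
              Where-Object Section -eq 'Answer' | Select-Object -First 1 -ExpandProperty IPAddress

    # Step 8: ask each configured DNS server directly, bypassing cache and Hosts
    # file, so a server that answers wrongly (or not at all) stands out.
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object ServerAddresses |
               Select-Object -ExpandProperty ServerAddresses -Unique
    $perServer = foreach ($s in $servers) {
        try {
            $a = Resolve-DnsName -Name "$Fqdn." -Type A -Server $s -DnsOnly -NoHostsFile -ErrorAction Stop |
                 Where-Object Section -eq 'Answer' | Select-Object -First 1 -ExpandProperty IPAddress
            '{0} -> {1}' -f $s, $a
        } catch {
            '{0} -> ERROR: {1}' -f $s, $_.Exception.Message
        }
    }

    # Hosts file entries override DNS, so report any line that names this host.
    $hostsEntry = Select-String -Path $hostsPath -Pattern ('^\s*\S+\s+.*\b{0}\b' -f [regex]::Escape($Fqdn)) |
                  ForEach-Object Line

    # What the resolver cached as a result of the test above.
    $cached = Get-DnsClientCache | Where-Object { $_.Entry -eq $Fqdn } | Select-Object -First 1

    [pscustomobject]@{
        Fqdn            = $Fqdn
        ReachableByIP   = $byIP
        ResolvedTo      = $byName
        MatchesExpected = ($byName -eq $ExpectedIP)
        PerServer       = $perServer -join '; '
        HostsFileEntry  = $hostsEntry -join '; '
        CachedData      = $cached.Data
    }
}

Test-NameResolution -Fqdn LON-CL1.adatum.com -ExpectedIP 172.16.0.51 | Format-List
```

ReachableByIP true with ResolvedTo empty is the classic name resolution fault; ResolvedTo set but MatchesExpected false, or a non-empty HostsFileEntry, means the name is being answered from somewhere you did not expect and the PerServer column shows which server is responsible.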

Interpreting NSLookup output


You should understand how to interpret the NSLookup command output so that you can identify
whether the name resolution problem exists with the client computer's configuration, the name server, or
the configuration of records within the name server's zone database. In the first section of the following
output sample, the client resolver performs a reverse lookup to determine the DNS server's host name. You
can view the query 10.0.16.172.in-addr.arpa, type = PTR, class = IN in the QUESTIONS section. The
returned result, name = LON-dc1.adatum.com, identifies the host name of the queried DNS server. The
rcode value is the status of each exchange: NOERROR means the query succeeded, NXDOMAIN means the
name does not exist in the zone, and SERVFAIL means the server could not answer (for example, because
it could not reach the authoritative servers). The auth. answer flag shows that the responding server is
authoritative for the zone rather than relaying a cached answer:
------------
SendRequest(), len 41
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0
    QUESTIONS:
        10.0.16.172.in-addr.arpa, type = PTR, class = IN
------------
------------
Got answer (73 bytes):
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0
    QUESTIONS:
        10.0.16.172.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  10.0.16.172.in-addr.arpa
        type = PTR, class = IN, dlen = 20
        name = LON-dc1.adatum.com
        ttl = 1200 (20 mins)
------------
Server:  LON-dc1.adatum.com
Address:  172.16.0.10
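Reading this dump by eye is tedious once a trace contains many exchanges, so the following PowerShell function, added here as an example and not part of the course, splits nslookup -d2 output into exchanges and reports the rcode, flags, question and answers of each. ConvertFrom-NslookupDebug is defined here for illustration; the sample text embedded in the block is the output shown above, included as constructed input so that the function runs without a live server.

```powershell
# Added example (not from the course): parse "nslookup -d2" debug output into
# one object per query/response exchange.
function ConvertFrom-NslookupDebug {
    param([Parameter(Mandatory)][string]$Text)
    # Exchanges are separated by lines of dashes; keep only blocks with a HEADER.
    $blocks = $Text -split '(?m)^-{6,}\s*$' | Where-Object { $_ -match 'HEADER:' }
    foreach ($b in $blocks) {
        $kind  = if ($b -match 'SendRequest') { 'Query' } else { 'Response' }
        $rcode = if ($b -match 'rcode\s*=\s*(\w+)') { $Matches[1] } else { $null }
        $flags = if ($b -match 'header flags:\s*(.+)') { $Matches[1].Trim() } else { '' }
        $question = if ($b -match '(?m)^\s*(\S+),\s*type\s*=\s*(\w+),\s*class\s*=\s*\w+') {
            '{0} {1}' -f $Matches[1], $Matches[2]
        } else { $null }
        # Answer records: "->  name", then "type = X, class = IN, dlen = N",
        # then the data line (name =, internet address =, canonical name =).
        $answers = [regex]::Matches($b,
            '->\s*(\S+)\s+type\s*=\s*(\w+)[^\r\n]*\s+(?:name|internet address|canonical name)\s*=\s*(\S+)') |
            ForEach-Object { '{0} {1} {2}' -f $_.Groups[1].Value, $_.Groups[2].Value, $_.Groups[3].Value }
        [pscustomobject]@{
            Kind          = $kind
            Rcode         = $rcode
            Authoritative = [bool]($flags -match 'auth\. answer')
            Question      = $question
            Answers       = $answers -join '; '
        }
    }
}

# Constructed sample: the PTR exchange shown above.
$sample = @'
------------
SendRequest(), len 41
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0
    QUESTIONS:
        10.0.16.172.in-addr.arpa, type = PTR, class = IN
------------
------------
Got answer (73 bytes):
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0
    QUESTIONS:
        10.0.16.172.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  10.0.16.172.in-addr.arpa
        type = PTR, class = IN, dlen = 20
        name = LON-dc1.adatum.com
        ttl = 1200 (20 mins)
------------
Server:  LON-dc1.adatum.com
Address:  172.16.0.10
'@

ConvertFrom-NslookupDebug -Text $sample | Format-Table -AutoSize

# On a real trace from step 8 above:
#   ConvertFrom-NslookupDebug -Text (Get-Content .\filename.txt -Raw) |
#       Where-Object { $_.Kind -eq 'Response' -and $_.Rcode -ne 'NOERROR' }
```

For the sample the function returns two objects: the query (Rcode NOERROR, no answers) and the response with Authoritative true and the answer "10.0.16.172.in-addr.arpa PTR LON-dc1.adatum.com". The filter in the trailing comment is the practical use: it lists only the exchanges that failed, which is the stage of resolution the procedure is trying to find.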

Implement Wireless Network Connectivity


Lesson Introduction
An increasing number of devices use wireless connections as the primary method for accessing corporate
intranets and the Internet. Additionally, many users have come to expect a wireless infrastructure in a
corporate workplace. As a result, a good working knowledge of wireless connectivity is a requirement for
today’s networking environment. This lesson discusses the various wireless standards and the configura-
tion and support of Windows 10 wireless clients.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe wireless technologies.
●● Configure wireless settings in Windows 10.
●● Discuss the considerations for implementing wireless networks within organizations.

Wireless Network Technologies


Wireless networking uses radio waves to connect wireless devices to other network devices. Wireless
networks generally consist of wireless network devices, access points (APs), and wireless bridges that
conform to the IEEE 802.11 family of standards (802.11a, b, g, n, ac, and so on).
Note: Do not confuse this family with IEEE 802.1X, which is the port-based authentication standard that
WPA-Enterprise and WPA2-Enterprise use.

Wireless Network Topologies


There are two types of wireless network topologies:
●● Infrastructure. Infrastructure wireless networks consist of wireless local area networks (LANs) and
cellular networks, and require the use of a device, such as an AP, to allow communication between
client wireless devices. You can manage infrastructure wireless networks centrally.
●● Ad hoc. Ad hoc networks can connect wireless devices dynamically in a peer-to-peer configuration
without the use of any infrastructure devices.

802.11 wireless standards


The 802.11 standard has been evolving since 1997. There have been many improvements in transmission
speed and security of the 802.11 technology since then. A letter of the alphabet designates each new
standard, as the following table shows.

Specification Description
802.11a This is the first extension to the original 802.11
specification. It provides up to 54 megabits per
second (Mbps) and operates in the 5 gigahertz
(GHz) range. It is not compatible with 802.11b.
802.11b This specification provides 11 Mbps and operates
in the 2.4 GHz range.
802.11e This specification defines Quality of Service and
multimedia support.
802.11g This specification is for transmission over short
distances at speeds up to 54 Mbps. It is backward
compatible with 802.11b, and operates in the 2.4
GHz range.
802.11n This specification adds multiple-input and multi-
ple-output (MIMO) antennas and wider 40 MHz
channels, giving 150 Mbps per spatial stream and
up to 600 Mbps with four streams (real-world
throughput is typically 100 Mbps or more). It vastly
improves speed over previous specifications, and it
supports both the 2.4 GHz and 5 GHz ranges.
802.11ac This specification builds on 802.11n with 80 MHz
channels to attain data rates of 433 Mbps per
spatial stream, and several gigabits per second
with multiple streams. 802.11ac operates only in
the 5 GHz frequency range.

Wireless security
Wireless security has been the biggest consideration by organizations planning a wireless implementa-
tion. Because wireless traffic travels across open airwaves, it is susceptible to interception by attackers.
Therefore, organizations utilize several security technologies to address these concerns. Most Wi-Fi
devices support multiple security standards. The following table describes the current security methods
available for wireless networks.

Security method Description


Wired Equivalent Privacy (WEP) WEP is the oldest form of wireless security. Some
devices support different versions: WEP 64-bit key,
WEP 128-bit key, WEP 256-bit key. Key size does not
help: WEP's reuse of RC4 keystreams and its weak
integrity check let an attacker who captures enough
traffic recover the key in minutes. The security
issues surrounding WEP are well documented, and
you should avoid using WEP; if a legacy device
forces it, isolate that network and treat it as open.
Wi-Fi Protected Access (WPA) Developed to replace WEP, WPA has two varia-
tions. WPA-Personal is for home and small business
networks, and is easier to implement than
WPA-Enterprise. It involves providing a security
password (a pre-shared key), and uses a technol-
ogy called Temporal Key Integrity Protocol (TKIP).
The password and the network SSID are used to
derive per-client encryption keys that change
constantly. WPA-Enterprise is for corporate
networks. It uses IEEE 802.1X with a Remote
Authentication Dial-In User Service (RADIUS)
server, such as Network Policy Server, to authenti-
cate each user or device individually.
WPA2 This is an improved version of WPA that has
become the Wi-Fi security standard. WPA2 replaces
TKIP with CCMP, a mode of the Advanced Encryp-
tion Standard (AES), which fixes the design weak-
nesses of TKIP rather than merely enlarging the
key. WPA2 also comes in Personal (pre-shared key)
and Enterprise (802.1X) variants.
The security methods that a given wireless device supports depend on the vendor and the device's age.
All modern wireless devices should support WPA2. Windows 10 version 1903 and later also supports
WPA3-Personal, which replaces the pre-shared key handshake with Simultaneous Authentication of
Equals (SAE) so that a captured handshake cannot be used for offline password guessing.
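Saved Wi-Fi profiles are where weak settings persist unnoticed, so the following PowerShell, added here as an example and not part of the course, exports every profile with netsh wlan and classifies each one by the authentication and encryption methods from the table above. Get-WlanProfileSecurity is defined here for illustration, and the export folder under %TEMP% is an assumed location; run it elevated to see the profiles of all users.

```powershell
# Added example (not from the course): audit saved Wi-Fi profiles for open,
# WEP, WPA or TKIP settings. Export folder is an assumed location.
function Get-WlanProfileSecurity {
    param([string]$ExportFolder = (Join-Path $env:TEMP 'wlan-audit'))
    New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null

    # netsh writes one XML file per profile. Without key=clear the pre-shared key
    # is left out of the files, which is what an audit wants.
    netsh wlan export profile folder="$ExportFolder" | Out-Null

    foreach ($file in Get-ChildItem -Path $ExportFolder -Filter '*.xml') {
        [xml]$xml = Get-Content -Path $file.FullName -Raw
        $auth = $xml.WLANProfile.MSM.security.authEncryption.authentication
        $enc  = $xml.WLANProfile.MSM.security.authEncryption.encryption

        # Values follow the WLAN profile schema: open/shared/WPA/WPAPSK/WPA2/
        # WPA2PSK/WPA3SAE for authentication, none/WEP/TKIP/AES for encryption.
        $verdict = switch -Regex ("$auth/$enc") {
            '^open/none$'           { 'INSECURE: open network';        break }
            'WEP'                   { 'INSECURE: WEP';                 break }
            '^WPAPSK/|^WPA/|TKIP$'  { 'WEAK: WPA or TKIP';             break }
            '^WPA2PSK/AES$'         { 'OK: WPA2-Personal (CCMP)';      break }
            '^WPA2/AES$'            { 'OK: WPA2-Enterprise (CCMP)';    break }
            '^WPA3SAE/AES$'         { 'OK: WPA3-Personal (SAE)';       break }
            default                 { "Review: $auth/$enc" }
        }

        [pscustomobject]@{
            Profile        = $xml.WLANProfile.name
            SSID           = $xml.WLANProfile.SSIDConfig.SSID.name
            Authentication = $auth
            Encryption     = $enc
            AutoConnect    = ($xml.WLANProfile.connectionMode -eq 'auto')
            Verdict        = $verdict
        }
    }
    Remove-Item -Path $ExportFolder -Recurse -Force
}

Get-WlanProfileSecurity | Sort-Object Verdict | Format-Table -AutoSize

# Remove a profile that should not exist, e.g. an auto-connecting open network:
#   netsh wlan delete profile name="CoffeeShopFreeWiFi"
```

An open or WEP profile with AutoConnect true deserves immediate attention: the device will join any access point broadcasting that SSID, including one an attacker sets up, without any user interaction.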

Wireless Driver Model


Windows 10 introduces a new Wireless Driver Interface (WDI) driver model. This feature allows for a
universal WLAN driver package that supports native functionality in both desktop and mobile versions of
Windows 10. Such a driver is called a Universal Windows driver. This driver works on OneCore Universal
App Platform (UAP) based editions of Windows, such as Windows 10 for desktop editions (Home, Pro,
Enterprise, and Education), Windows 10 Mobile, and Windows 10 IoT Core (IoT Core).
A Universal Windows driver calls a subset of the interfaces that are available to a Windows driver. For
example, the cellular and Wi-Fi connections can be managed using the same networking stack. That
allows for easy configuration of metered connections, where you want to avoid large data transfers when
possible, and monitoring data usage on a per-connection basis. It also offers greater reliability, with the
capability to recover quickly when a device hangs for firmware-related reasons. The new driver model
also supports MAC address randomization to increase security and privacy.
Why would you want to randomize your MAC address? When you are not connected to Wi-Fi, your PC
sends a signal to look for Wi-Fi networks in the area to help you get connected. The signal contains the
unique physical hardware (MAC) address for your device. Some places, for example shopping malls,
stores, or other public areas, might use this unique address to track your movement in that area. If your
Wi-Fi hardware supports it, you can turn on random hardware addresses to make it harder for people to
track you when your PC scans for networks and connects.

Configuring Wi-Fi Settings and Profiles


This topic discusses three wireless features, and their configuration and support in Windows 10 wireless
clients: Wi-Fi Sense, Miracast, and Near Field Communication (NFC).

Wi-Fi Sense
Windows 10 supports a feature called Wi-Fi Sense. This feature is not available on earlier versions of
Windows. Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places.
It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks
your contacts have shared with you by using Wi-Fi Sense. These are typically open Wi-Fi hotspots you see
when you're out and about. The initial settings for Wi-Fi Sense are determined by the options you chose
when you first set up your PC with Windows 10 or your phone with Windows 10 Mobile. You can change
your Wi-Fi Sense settings any time by selecting Settings > Network & Internet > Wi-Fi > Manage Wi-Fi
settings on your PC, and then changing one or both of these settings under Wi-Fi Sense.
Note: Microsoft removed the contact-based network sharing part of Wi-Fi Sense in Windows 10 version
1607; on current builds only the option to connect to suggested open hotspots remains. Automatically
joining open hotspots exposes a device to rogue access points, so in a managed environment disable that
option through policy and rely on known, encrypted networks.
Additional Reading: For more about Wi-Fi Sense select here: https://aka.ms/Whzu4q

Miracast
Windows 10 has built-in support for the Wi-Fi Alliance Miracast devices. Miracast is a protocol that will
transmit audio and video between devices via Wi-Fi. It is peer-to-peer and uses Wi-Fi Direct for the
connection. It is not necessary that both devices are connected to the Internet. They only need to share
the same local wireless network. The shared information is sent by the device via Wi-Fi through a Wi-Fi
Direct connection to a receiver connected to the display device. The receiver then decodes the video
signal and passes it to the TV display (or other display device). Miracast supports WPA2-PSK encryption,
so all you share is safe.

Near Field Communication


Windows 10 has built-in support for Near Field Communication (NFC), which is still an emerging
technology based on short-range wireless radio technologies using radio frequency identification (RFID).
NFC-enabled printing enables users to “tap” a device (such as a tablet or phone) onto a printer to
connect to it. Where the components cannot be tapped together, NFC should still work if the devices are
brought close together, within a maximum distance of 4 inches (10 centimeters).
NFC is similar to Bluetooth, but without the option to manually pair—the communication is triggered due
to physical proximity. NFC uses short-range radio waves for discovery and for transmitting data, and
requires some form of NFC-enabled hardware, such as a smart tag, sticker, key fob, or wallet card, which
may also be located inside a laptop or tablet. Most Windows Phones have NFC built into the devices,
which enables NFC sharing of photos between NFC-connected devices.
Once an enterprise has made available NFC-enabled devices, administrators can perform the following
management tasks:
●● Add an NFC smart tag to their printer, or purchase printers with NFC built in.
●● Enable the following connection types to be used: Universal Naming Convention (UNC), Web Services
on Devices (WSD), and Wi-Fi Direct.

●● Optionally, use the PowerShell cmdlet Write-PrinterNfcTag to provision an NFC tag with information
about a printer.
Although NFC built-in support is provided by Windows 10, it is available for OEMs and ISVs to produce
NFC-enabled hardware. NFC offers mobile devices significant opportunities to access resources by using
proximity alone. Other emerging technologies include Windows 10 support for the Windows Sensor and
Location platform, and support for the Windows Biometric Framework (WBF). These frameworks enable
developers to utilize support for sensors, which can be attached or embedded within modern Windows
devices (phones, tablets, Internet of Things, PCs), and include capabilities such as:
●● Speed, motion, acceleration, gyrometer
●● GPS location, elevation, inclinometer, compass orientation
●● Humidity, temperature, light, atmospheric pressure
●● Biometric human proximity, human presence
Additional Reading: For more information on NFC Printing select here: https://aka.ms/Oid2f9

Configuring Wi-Fi Settings/Profile


Windows 10 makes it very easy to connect to and configure wireless network settings. Use the following
procedures to manage your wireless network connections.

Connect to a wireless network


To connect to a wireless network:
1. Tap the wireless network icon on the notification area to see a list of available wireless networks.

2. Tap the network of your choice.


3. Tap Connect.
4. When prompted, enter the security information required by the wireless hub to which you are
connecting your device, and then tap Next.
You are connected.

Configure wireless networks


To configure your wireless networks:
1. Open Settings.
2. Select Network & Internet.
3. Select Wi-Fi.
4. On the Wi-Fi page, choose the following options:
●● Connect to suggested open hotspots
●● Let me use Online Sign-Up to get connected
●● Get online when you’re on the go by buying Wi-Fi
5. At the top of the page, select Manage known networks.
6. On the Manage known networks page, tap the network you wish to manage.
7. Tap to view Properties or Forget the network.

Configure advanced wireless properties

From Network and Sharing Center, you also can configure advanced wireless properties:
1. In Network and Sharing Center, tap the name of your wireless network adapter on the right.
2. In the Wi-Fi Status dialog box, you can view the properties of your wireless connection.
3. Tap Wireless Properties to view additional information, including the security settings of the
connection.
Note: You can use Windows Server Group Policy Objects (GPOs) to configure wireless profiles. This saves
your users from having to configure their wireless connections manually.
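The Properties and Forget actions above, and the security settings shown under Wireless Properties, can be audited for every saved profile at once. The following script is an added example written for this section; it is not part of the course and not Microsoft code. It assumes an English-language Windows 10 build (netsh output is localized) and an elevated PowerShell window, and uses only the netsh wlan commands that ship with Windows 10.

```powershell
# Added example (not part of the course): audit the Wi-Fi profiles saved on
# this PC and flag the ones an administrator would want to fix or forget.
# Assumption: English-language Windows, because netsh output is localized.

function Get-WlanProfileSecurity {
    # netsh lists saved profiles as "    All User Profile     : <name>".
    $names = netsh wlan show profiles |
        Select-String -Pattern '^\s*All User Profile\s*:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

    foreach ($name in $names) {
        $detail = netsh wlan show profile name="$name"

        # Pull one "Label : value" field out of the profile detail output.
        $field = {
            param($label)
            $m = $detail | Select-String -Pattern "^\s*$label\s*:\s*(.+)$" | Select-Object -First 1
            if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { '' }
        }

        $auth   = & $field 'Authentication'
        $cipher = & $field 'Cipher'
        $mode   = & $field 'Connection mode'

        [pscustomobject]@{
            Profile        = $name
            Authentication = $auth
            Cipher         = $cipher
            AutoConnect    = ($mode -like 'Connect automatically*')
            # Open networks, WEP and TKIP give no or broken confidentiality;
            # an auto-connecting profile for such a network is the worst case.
            Weak           = ($auth -match '^Open$|WEP') -or ($cipher -match 'WEP|TKIP')
        }
    }
}

# Usage: list everything, then warn about the weak profiles and how to forget them.
Get-WlanProfileSecurity | Format-Table -AutoSize
Get-WlanProfileSecurity | Where-Object Weak | ForEach-Object {
    Write-Warning ("Profile '{0}' uses {1}/{2}; 'netsh wlan delete profile name=""{0}""' is the Forget action." -f
        $_.Profile, $_.Authentication, $_.Cipher)
}
```

The same information is what a wireless GPO fixes centrally: a profile pushed by policy carries its authentication and cipher settings with it, so the audit is most useful on machines that are not yet under policy.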

Setup Wireless Display with Miracast


Miracast is a wireless technology your PC can use to project your screen to TVs, projectors, and streaming
media players that also support Miracast. You can use this to share what you are doing on your PC,
present a slide show, or even play your favorite game on a larger screen.

Get your devices ready


In order to use Miracast, the hardware and operating system of both the source and target devices must
support Miracast. Windows 8.1 and Windows 10 support Miracast. Also, if the display you'll project to
doesn’t support Miracast, you’ll need to set up the display by adding an extra piece of hardware to it
before you can start projecting.

Add the display to complete the connection


With your PC and display ready to project, you need to add the wireless display to your PC. Both devices
need to be within range, which usually means that they're in the same room.

To add a wireless display to your PC:


1. Swipe in from the right edge of the screen, and then tap Devices. (If you're using a mouse, point to
the lower-right corner of the screen, move the mouse pointer up, and then select Devices.)
2. Tap or select Project, and then tap or select Add a wireless display.
3. Choose the wireless display in the list of devices found, and follow the instructions on the screen.

Project your screen to a wireless display


After you add the wireless display to your PC, you can project your screen to it and change what you see
on each screen.
To project your screen:
●● Swipe in from the right edge of the screen, and then tap Devices. (If you're using a mouse, point to
the lower-right corner of the screen, move the mouse pointer up, and then select Devices.)
●● Tap or select Project, and then tap or select the wireless display you want.
To choose what you see on each screen:
1. Swipe in from the right edge of the screen, and then tap Devices. (If you're using a mouse, point to
the lower-right corner of the screen, move the mouse pointer up, and then select Devices.)
2. Tap or select Project, and then choose one of these options:
●● PC screen only. You’ll see everything on your PC. (When you're connected to a wireless projector, this
option changes to Disconnect.)
●● Duplicate. You’ll see the same things on both screens.
●● Extend. You'll see everything spread over both screens, and you can drag and move items between
the two.
●● Second screen only. You’ll see everything on the connected screen. Your other screen will be blank.

Disconnect from a wireless display


If you move your PC beyond the range of the wireless display (such as to another room), or if you make
your PC sleep or hibernate, the two devices will disconnect. You can also disconnect the wireless display
manually.
1. Swipe in from the right edge of the screen, and then tap Devices. (If you're using a mouse, point to
the lower-right corner of the screen, move the mouse pointer up, and then select Devices.)
2. Tap or select Project, and then tap or select Disconnect.

Fix problems
You can solve many problems by installing the latest drivers for your PC and the latest firmware for your
wireless display or Miracast adapter. To update firmware on your wireless display or adapter, go to the
Support section of the manufacturer's website, search on your specific device, and follow their
instructions to download and install that firmware. You can also check the Windows Store to see if there’s
an app from the manufacturer of your wireless display or Miracast adapter that updates firmware.

Remote Access Overview


Lesson Introduction
Windows 10 helps users improve their productivity, regardless of their location, or that of the data they
need. Windows 10 supports the use of either VPNs or DirectAccess to enable users to access their work
environments from anywhere they connect.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe how to use VPNs to connect to a remote network.
●● Explain how DirectAccess can help remote users connect.
●● Discuss the considerations of enabling remote access for your users.

Overview of VPNs
A VPN provides a point-to-point connection between components of a private network, through a public
network such as the Internet. Tunneling protocols enable a VPN client to establish and maintain a
connection to the listening virtual port of a VPN server. To emulate a point-to-point link, the data is
encapsulated, or wrapped, and prefixed with a header. This header provides routing information that
enables the data to traverse the public network to reach its endpoint.

To emulate a private link, the data is encrypted to ensure confidentiality. Packets that are intercepted on
the public network are indecipherable without encryption keys. Two types of VPN connections exist:
●● Remote access. Remote access VPN connections enable users who are working at home, at customer
sites, or from public wireless access points to access a server that exists in your organization’s private
network. They do so by using the infrastructure that a public network, such as the Internet, provides.
From the user’s perspective, the VPN is a point-to-point connection between the computer, the VPN
client, and your organization’s server. The exact infrastructure of the shared or public network is
irrelevant, because it logically appears as if the data is sent over a dedicated private link.
●● Site-to-site. Site-to-site VPN connections, which also are known as router-to-router VPN connections,
enable your organization to have routed connections between separate offices or with other
organizations over a public network, while maintaining secure communications.

Properties of VPN connections


VPN connections in Windows 10 can use:
●● Point-to-Point Tunneling Protocol (PPTP)
●● Layer Two Tunneling Protocol with IPsec (L2TP/IPsec)
●● Secure Socket Tunneling Protocol (SSTP)
●● Internet Key Exchange version 2 (IKEv2)
Note: An IKEv2 VPN provides resilience to the VPN client when the client either moves from one wireless
hotspot to another or switches from a wireless to a wired connection. This ability is a requirement of VPN
Reconnect.
All VPN connections, irrespective of tunneling protocol, share some common characteristics:
●● Encapsulation. With VPN technology, private data is encapsulated with a header that contains
routing information, which allows the data to traverse the transit network.
●● Authentication. Authentication ensures that the two communicating parties know with whom they
are communicating.
●● Data encryption. To ensure data confidentiality as the data traverses the shared or public transit
network, the sender encrypts the data and the receiver decrypts it. The encryption and decryption
processes depend on both the sender and the receiver using a common encryption key. Intercepted
packets sent along the VPN connection in the transit network will be unintelligible to anyone who
does not have the common encryption key.

Conditional Access Framework


Starting with Windows 10 version 1607, you can provide additional security for your remote access
connections by integrating VPN with the Conditional Access Framework. The Conditional Access
Framework is a Microsoft Azure Active Directory–based policy engine that, in combination with a mobile
device management (MDM) solution such as Microsoft Intune, can verify device compliance before
granting access to a corporate network or Microsoft Online.

Windows Information Protection


Another security-related feature is the VPN client integration with Windows Information Protection.
Windows Information Protection is a feature that uses a number of technologies (including BitLocker
Drive Encryption, AppLocker, and Microsoft Azure Rights Management) to protect enterprise data against
leakage and unauthorized use. It relies on Microsoft Intune, Microsoft System Center Configuration
Manager, or another third-party MDM solution to create and deploy policies that you use to specify
protected apps, and to apply desired protection levels to your data.
With the new VPNv2 configuration service provider, you have the ability to use an MDM solution to
configure VPN profiles on managed devices. In case of Microsoft Intune, you have access to pre-defined
policy templates that include built-in support for VPN plug-ins.
Windows 10 version 1607 also includes a number of remote access usability improvements that you can
configure via VPN profiles, including:
●● Always On. This feature triggers automatic connections following a user sign-in or a network change.
●● App-triggered VPN. This feature triggers automatic connections following a launch of applications
that you specify, based on a Universal Windows Platform package family name or a file path.
Note: This functionality is available on both workgroup and domain-joined computers, unlike Windows
8.1, which limited it to workgroup computers only.
●● Traffic filters. With this feature, you can control the types of network traffic that will be able to reach
your corporate network. You can accomplish this by defining either app-based or traffic-based rules.
With app-based rules, you specify a list of allowed applications. Traffic-based rules are 5-tuple policies
that take into account the source and destination IP addresses, the source and destination ports, and
the network protocol.
●● LockDown VPN. This feature enforces a number of VPN device settings that affect its connectivity. For
example, you can ensure that a user cannot modify the VPN profile or disconnect an active VPN
connection. You also can implement forced tunneling and block outbound traffic if the VPN
connection is not available.

Creating a VPN Connection in Windows 10


To create a VPN connection in Windows 10, use the following procedure:
1. Tap the Network icon in the notification area, and then tap Network settings.
2. In Network & internet, tap the VPN tab.
3. Tap Add a VPN connection.
4. In the Add a VPN connection dialog box, in the VPN provider list, tap Windows (built-in).
5. In the Connection name box, enter a meaningful name, such as Office Network.
6. In the Server name or address text box, type the FQDN of the server to which you want to connect.
This is usually the name of the VPN server.
7. In the VPN type list, select between Point to Point Tunneling Protocol (PPTP), L2TP/IPsec with
certificate, L2TP/IPSec with pre-shared key, Secure Socket Tunneling Protocol (SSTP), and
IKEv2. This setting must match the setting and policies configured on your VPN server. If you are
unsure, tap Automatic.
8. In the Type of sign-in info list, select either User name and password, Smart card, One-time
password, or Certificate. Again, this setting must match your VPN server policies.
9. In the User name (optional) box, type your user name, and then in the Password (optional) box,
type your password. Select the Remember my sign-in info check box, and then tap Save.
To manage your VPN connection, from within Network & internet, on the VPN tab, tap the VPN
connection, and then tap Advanced options. You can then reconfigure the VPN settings as needed.

Note: Your VPN connection will appear on the list of available networks when you tap the network icon
in the notification area.
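The nine-step procedure above can also be carried out with the VpnClient cmdlets that ship in Windows 10, which is how you would script the same connection for many machines or check what is already configured. The following is an added example written for this section, not course or Microsoft code; the connection name 'Office Network' comes from step 5, while vpn.contoso.example is a placeholder server name. It goes slightly beyond the procedure by adding a check that flags existing connections using PPTP or accepting an unencrypted link.

```powershell
# Added example (not part of the course): build the VPN connection from the
# procedure with Add-VpnConnection, then look for weak existing connections.

function New-OfficeVpnConnection {
    param(
        [string]$Name          = 'Office Network',       # step 5
        [string]$ServerAddress = 'vpn.contoso.example',  # step 6 (placeholder FQDN)
        [switch]$SplitTunneling                          # route only corporate prefixes over the VPN
    )
    # Step 7: the tunnel type must match the server; IKEv2 is chosen here
    # because it supports VPN Reconnect (see the IKEv2 note earlier).
    # Step 8: MachineCertificate corresponds to the "Certificate" sign-in type.
    # EncryptionLevel Required makes the client refuse an unencrypted link.
    Add-VpnConnection -Name $Name `
                      -ServerAddress $ServerAddress `
                      -TunnelType Ikev2 `
                      -AuthenticationMethod MachineCertificate `
                      -EncryptionLevel Required `
                      -SplitTunneling:$SplitTunneling `
                      -PassThru
}

function Get-WeakVpnConnection {
    # Flags PPTP (long considered broken) and any connection that would accept
    # an unencrypted link, across both per-user and all-user profiles.
    $all = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
           @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    $all | Where-Object {
        $_.TunnelType -eq 'Pptp' -or $_.EncryptionLevel -notin @('Required', 'Maximum')
    } | Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, AuthenticationMethod
}

# Usage
New-OfficeVpnConnection -SplitTunneling |
    Format-List Name, ServerAddress, TunnelType, EncryptionLevel, AuthenticationMethod
Get-WeakVpnConnection | Format-Table -AutoSize
```

Get-VpnConnection returns the same properties the Advanced options page shows, so the audit function is a quick way to confirm that a fleet of manually created connections matches the server policy.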

Always On VPN
With traditional VPNs, the end user typically initiates the VPN connection by launching the VPN client
and authenticating. There are two common disadvantages with this:
●● Users have to be aware of what resources require VPN access and the additional steps the user must
perform every time they need to connect over VPN.
●● Traditional VPNs are an “all or nothing” solution. Once connected, all network traffic is tunneled over
the VPN. This can lead to large amounts of bandwidth on the organization’s network being consumed
when it isn’t necessary. The most notable example is remote users who frequently use publicly
accessible websites and resources. They might need VPN access for one or two tasks, but
inadvertently pass all internet traffic over the organization’s network instead of directly through the
end user’s ISP.
Always On VPN provides a more seamless experience for end users. It supports remote access for
domain-joined, nondomain-joined (workgroup), or Azure AD–joined devices, and personally owned
devices. Administrators configure routing policies to determine when the client should direct traffic over
the VPN. Policies can be based on user, hardware, or software criteria. For example, you could enable
device authentication for remote device management, and then enable user authentication for
connectivity to internal company sites and services. Because it’s controlled by policies, the user no longer
has to be concerned with when to connect or disconnect from the VPN, whether they are remote or on
the internal network.
Most organizations supporting VPN access typically have the technologies deployed that are needed for
Always On VPN. Other than your Domain Controller and DNS servers, the Always On VPN deployment
requires an NPS (RADIUS) server, a Certification Authority (CA) server, and a Remote Access (Routing/
VPN) server. Once the infrastructure is set up, you must enroll clients and then connect the clients
securely to your on-premises network through several network changes.

Always On VPN and Direct Access


Always On VPN is the successor to Direct Access. While both solutions are supported, Microsoft
recommends deploying or migrating to Always On VPN. Direct Access also provides seamless access, but
requires IPv6 and that clients be domain-joined. Always On VPN can use either IPv4 or IPv6, and supports
non-domain joined devices. Always On VPN also provides more granular controls over how traffic is
routed and support for conditional access policies. Always On VPN only supports Windows 10 clients,
while Direct Access supports Windows 7 and higher. Administrators should review each solution to assess
which solution meets their needs.

Configuring Clients for Always On VPN


Windows 10 clients are configured for Always On VPN through ProfileXML. ProfileXML is a uniform
resource identifier (URI) node within the VPNv2 configuration service provider (CSP). Conceptually, CSPs
work similarly to Group Policy. Just as you use the Group Policy Management Editor to configure Group
Policy objects (GPOs), you configure CSP nodes by using a mobile device management (MDM) solution
such as Microsoft Intune. In this case, you configure a specific node called ProfileXML in the VPNv2 CSP,
which contains all the necessary settings.

The settings and XML file are typically created by the Administrator responsible for the VPN
infrastructure. Once the XML file is created, it can be deployed to clients with either a device profile in
Intune or as a package in Configuration Manager. It can also be deployed using PowerShell.
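To make the ProfileXML node concrete, here is an added example (written for this section, not course or Microsoft code) that builds a ProfileXML document with the Always On, traffic filter and split-tunnel settings discussed above, checks it for the mistakes an administrator most often makes, and saves it for Intune or Configuration Manager. The element names follow the VPNv2 CSP ProfileXML schema as the author of this example understands it and should be checked against the current CSP reference; every server name, address and prefix is a placeholder. The publish function is an assumption about the PowerShell deployment path (the MDM bridge WMI provider) and must run in the SYSTEM context, so it is left commented out.

```powershell
# Added example (not part of the course): author, validate and save a VPNv2
# CSP ProfileXML document. All names and addresses below are placeholders.

$ProfileName = 'Contoso AlwaysOn VPN'

$ProfileXml = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.example</Servers>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <TrustedNetworkDetection>corp.contoso.example</TrustedNetworkDetection>
  <TrafficFilter>
    <Protocol>6</Protocol>
    <RemoteAddressRanges>10.0.0.0/8</RemoteAddressRanges>
    <RemotePortRanges>443</RemotePortRanges>
  </TrafficFilter>
</VPNProfile>
'@

function Test-VpnProfileXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml                       # throws if the document is not well-formed
    $p   = $doc.VPNProfile
    $problems = @()
    if ($p.NativeProfile.NativeProtocolType -eq 'PPTP') { $problems += 'PPTP is not a safe tunnel type' }
    if ($p.AlwaysOn -ne 'true')                          { $problems += 'AlwaysOn is not enabled' }
    if ($p.NativeProfile.RoutingPolicyType -eq 'SplitTunnel' -and -not $p.Route) {
        $problems += 'SplitTunnel without a <Route> element sends nothing over the tunnel'
    }
    if (-not $p.TrafficFilter) {
        $problems += 'no TrafficFilter: every destination is reachable through the tunnel'
    }
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

function Publish-VpnProfileXml {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Xml)
    # Assumption: device-context write through the MDM bridge WMI provider
    # (namespace root\cimv2\mdm\dmmap, class MDM_VPNv2_01); run as SYSTEM.
    New-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_VPNv2_01' -Property @{
        ParentID   = './Vendor/MSFT/VPNv2'
        InstanceID = [uri]::EscapeDataString($Name)                      # spaces become %20
        ProfileXML = [System.Security.SecurityElement]::Escape($Xml)     # CSP expects escaped XML text
    }
}

# Usage: validate, then save the file for an Intune device profile or a
# Configuration Manager package.
$check = Test-VpnProfileXml -Xml $ProfileXml
if (-not $check.Valid) { $check.Problems | Write-Warning; return }
$ProfileXml | Set-Content -Path "$env:TEMP\AlwaysOnVpn-ProfileXML.xml" -Encoding UTF8
# Publish-VpnProfileXml -Name $ProfileName -Xml $ProfileXml   # only from the SYSTEM context
```

The validation step is where the policy points from the previous topic meet the XML: a split tunnel with no routes, or a profile with no traffic filter, deploys without error but does not give the access control the administrator intended.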

Remote Management
Lesson Introduction
Windows desktops and apps from the datacenter or from the Azure cloud can run on a variety of devices.
Employees install Microsoft Remote Desktop clients and run desktops and apps on their laptops, tablets
or phones and stay productive on the go. This lesson also discusses remote assistance features to help
users remotely.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe Remote Desktop in Windows 10.
●● Enable and use Remote Assistance including Easy Connect.
●● Describe Azure Remote Desktop Services.

Remote Desktop Overview


Remote Desktop Connection is a useful Windows feature that allows you to access a different PC on your
network, or on the Internet, from your own PC. This feature requires that both computers are powered on
and connected to the Internet. If those conditions are met, you can use your PC to fix problems on any
other PC remotely. This feature gives you full access to all files that are stored on that PC, and you will
see the live desktop.

How to use Remote Desktop


Use Remote Desktop on your Windows 10 PC or on your Windows, Android, or iOS device to connect to
a PC from afar.
1. First, you will need to set up the remote PC to allow remote connections. On the remote PC, open
Settings (Gear-shaped Settings icon) and select System > About. Note the PC name, you will need
this later. Then, under Related settings, select System info.
2. In the left pane of the System window, select Advanced system settings.
3. On the Remote tab of the System Properties dialog box, under Remote Desktop, select Allow
remote connections to this computer, and then select OK.
4. Next, in Settings (Gear-shaped Settings icon), select System > Power & sleep and check to make
sure Sleep is set to Never.
On the device you wish to connect from, do one of the following:
●● On your local Windows 10 PC: In the search box on the taskbar, type Remote Desktop Connection,
and then select Remote Desktop Connection. In Remote Desktop Connection, type the full name of
the remote PC, and select Connect.
●● On your Windows, Android, or iOS device: Open the Remote Desktop app (available for free from the
Windows Store, Google Play, or the Mac App Store), and add your remote PC. Select the remote PC,
and then wait for the connection to complete.
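The four preparation steps on the remote PC map to a handful of settings that can be applied and read back from an elevated PowerShell window. The following is an added example written for this section, not course or Microsoft code; it uses the registry values and firewall rule group that the System Properties and Settings pages write, and adds one hardening step the procedure does not mention, requiring Network Level Authentication.

```powershell
# Added example (not part of the course): prepare a Windows 10 PC for Remote
# Desktop from PowerShell and report the resulting state.

function Enable-RemoteDesktopWithNla {
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # Step 3: "Allow remote connections to this computer" clears fDenyTSConnections.
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord

    # Require Network Level Authentication: the client must authenticate before
    # a session is created, which keeps the logon screen off the network.
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord

    # Open only the predefined Remote Desktop rule group.
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    # Step 4: never sleep on AC power, or the PC drops off the network.
    powercfg /change standby-timeout-ac 0
}

function Get-RemoteDesktopState {
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    [pscustomobject]@{
        RemoteConnectionsAllowed = ((Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0)
        NlaRequired              = ((Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1)
        FirewallRulesEnabled     = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                                     Where-Object Enabled -eq 'True').Count -gt 0
        Listening3389            = @(Get-NetTCPConnection -LocalPort 3389 -State Listen `
                                     -ErrorAction SilentlyContinue).Count -gt 0
        # Who may connect: members of this group plus local Administrators.
        RemoteDesktopUsers       = @(Get-LocalGroupMember -Group 'Remote Desktop Users' `
                                     -ErrorAction SilentlyContinue | ForEach-Object Name)
    }
}

# Usage
Enable-RemoteDesktopWithNla
Get-RemoteDesktopState | Format-List
```

The read-back function is the part worth keeping: it shows at a glance whether a PC is listening, whether NLA is enforced, and exactly which accounts can connect.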

Using Remote Desktop with Azure AD-joined devices


If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional
configuration is needed. To allow additional users to connect to the PC, you must allow remote
connections for the local Authenticated Users group. Specific Azure AD users can be added with the
following command, run from an elevated command prompt:
net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"

You can also add other Azure AD users to the Administrators group on a device and restrict remote
credentials to Administrators.

Using Remote Assistance


With remote management tools and technologies, a network administrator can access a computer on the
network, take control of it, and perform tasks on it, without having to be physically in front of the
computer. This saves both time and money by reducing the number of trips required to service
problematic computers. Users can also remotely access their own computers to work on them while not
physically sitting in front of them. Remote Assistance is a bundled service with Windows 10. It enables a
technician to take control of a computer to troubleshoot and perform maintenance tasks without having
to physically travel to the problematic machine. This enables the technician to resolve problems without
leaving their home or office. The end user must be there to authorize this, and the user can end the
session at any time. This technology is generally used only to troubleshoot remote computers and is not
used for telecommuting or accessing files or folders.

Enable or disable remote features


By default, Remote Assistance connections are enabled for a Windows 10 computer. You can make
changes to the default from the System Properties dialog box, shown below. You can open this dialog
box in many ways.
1. Sign-in as Administrator
2. Right-click Start
3. Select System
4. Select Advanced system settings or Remote settings in the left pane
5. Select the Remote tab
6. Select the Allow Remote Assistance connections to this computer check box

Verify the Windows firewall is configured correctly


Check to see that the Windows firewall is not blocking Remote Assistance.
1. Select Start and then select Settings
2. Select Network & Internet
3. Select Windows Firewall
4. Select Allow an app or feature through Windows Firewall
5. Scroll through the list of Allowed apps and features looking for Remote Assistance
6. Verify that Remote Assistance is selected; if it is not, select Change settings
7. Select the check box for Remote Assistance, and select OK

Configure and use Remote Assistance


To use Remote Assistance, the user must be at the problematic computer. A Remote Assistance session
must be initiated by that user, and the user must approve the connection before it can be made.
1. Right-click Start and then select Control Panel
2. Enter invite in the search box
3. Select Invite someone to connect to your PC and help you, or offer to help someone else. The
Windows Remote Assistance wizard starts.
Once configured, Windows Remote Assistance can also be accessed from an administrative PowerShell
console. After you select Invite someone you trust to help you, you have three options:
●● Save this invitation as a file
●● Use email to send an invitation. The user sends the invitation using an email client on the machine,
but cannot send it using any form of web-based email.
●● Use Easy Connect (the easiest option if it is enabled by the help and support team)
When the user selects Easy Connect, an Easy Connect password appears. The user only needs to relay
that password to the help and support team. The support technician can then send a connection request,
which the user then accepts. Both of these items are shown below. Once the connection is made, the
“Expert” can ask to control the computer to resolve the problem, train the user, or perform other tasks.

For security reasons, consider turning this feature off until it is needed.
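Turning the feature off until it is needed, and checking that it is really off, is a two-line change when scripted. The following is an added example written for this section, not course or Microsoft code; it uses the registry values behind the Remote tab check boxes and the Remote Assistance firewall rule group from the Allowed apps list above, and is meant to run from an elevated PowerShell window.

```powershell
# Added example (not part of the course): switch Remote Assistance off until a
# support session is scheduled, switch it back on, and report the state.

function Set-RemoteAssistanceState {
    param([Parameter(Mandatory)][bool]$Enabled)
    $ra = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
    # fAllowToGetHelp backs "Allow Remote Assistance connections to this computer".
    Set-ItemProperty -Path $ra -Name fAllowToGetHelp -Value ([int]$Enabled) -Type DWord
    # Keep the firewall rule group in step with the setting, so a disabled
    # feature is not still reachable from the network.
    if ($Enabled) {
        Enable-NetFirewallRule -DisplayGroup 'Remote Assistance'
    } else {
        Disable-NetFirewallRule -DisplayGroup 'Remote Assistance'
    }
}

function Get-RemoteAssistanceState {
    $ra    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
    $v     = Get-ItemProperty -Path $ra
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Assistance' -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ConnectionsAllowed = ($v.fAllowToGetHelp -eq 1)
        # fAllowFullControl backs "Allow this computer to be controlled remotely"
        # under Advanced; 0 means the helper can only view the screen.
        FullControlAllowed = ($v.fAllowFullControl -eq 1)
        FirewallRulesOpen  = @($rules | Where-Object Enabled -eq 'True').Count
        FirewallRulesTotal = $rules.Count
    }
}

# Usage: disable now, re-enable only when a session is scheduled.
Set-RemoteAssistanceState -Enabled $false
Get-RemoteAssistanceState | Format-List
```

The state report distinguishes view-only help from full control, which is the setting to review before a technician is allowed to take over a machine.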

Quick Assist
Microsoft Quick Assist is a Windows 10 app that enables two people to share a computer over a remote
connection so that one person can help solve problems on the other person’s computer, just like Remote
Assistance. Which version of Windows 10 is on a PC may determine whether Quick Assist or Remote
Assistance is installed.
Select the Start button > Windows Accessories > Quick Assist, or select the search box on the taskbar and
type Quick Assist, and then select Quick Assist in the list of results.

Remote Desktop Services


Remote Desktop Services is one of the services that a System Administrator uses most.

Remote desktops
Remote Desktop Services (RDS), formerly Terminal Services, provide users with access to a full remote
desktop experience. In this scenario, users securely connect to a remote session via their local Remote
Desktop Connection (RDC) client. After they authenticate, users are presented with a full desktop just as if
they were signed in locally. The client machines send keystrokes and mouse movements to the server,
and screen images are delivered back to the client machines. Users have access to applications as if the
applications are running locally, even though they are running on a Remote Desktop Session Host (RD
Session Host) server. Each user establishes his or her own private session that does not affect any other
users who are connected to the same RD Session Host server.
To access any remote desktop, the user account (or domain global group) of the connecting user must be
added to the Remote Desktop Users group on the computer to which they are connecting. By default,
this group has no members, and therefore, users cannot make a remote desktop connection until their
account has been added to the local Remote Desktop Users group. However, this can be configured
during the initial RDS deployment.
Note: Standard users do not have the right to sign in to domain controllers either locally or remotely.
Being added to the Remote Desktop Users group on a domain controller does not change this. A
standard user still needs to be given the right to sign in to a domain controller and must be added to the
Remote Desktop Users group to connect to a domain controller remotely.
Installing the RD Session Host role on a server automatically enables remote desktop connections to the
local computer and adds users who have been granted access to the local Remote Desktop Users group.
If you do not install the RD Session Host role, you can still enable remote desktop access to any
Windows-based operating system by modifying the system properties to allow remote connections.
Connecting this way is limited to Administrators by default, and only two concurrent connections are
allowed. You can allow remote connections and select the users who can connect remotely by using the
System Properties item in Control Panel.
Remote desktops are well‑suited for single‑task workers, such as point-of-sale terminals or data‑entry
workers. In such scenarios, it is important to provide a consistent desktop experience for all workers.
Remote desktops also perform well over limited bandwidth, making this a suitable solution for branch
offices where information technology (IT) support might be limited. Remote desktops are typically
employed with thin clients. Another common use for remote desktops is to enable users to access their
organizational desktop. For example, users can work from home by connecting to their workstations.

Remote desktops in Azure


Using RDS in Azure enables access to the desktop of virtual machines running in Azure, similar to
accessing a local system. A Remote Desktop connection can be used to troubleshoot and diagnose
problems with an application while it is running. One way to enable a Remote Desktop connection in
your VM is to include the Remote Desktop modules in your service definition during development;
alternatively, you can enable Remote Desktop through the Remote Desktop Extension. The preferred
approach is to use the Remote Desktop extension, because you can enable Remote Desktop even after
the application is deployed, without having to redeploy your application.

Remote Commands in Windows PowerShell


The Windows PowerShell remoting features are supported by the WS-Management protocol and the
Windows Remote Management (WinRM) service that implements WS-Management in Windows.
Computers running Windows 7 and later include WinRM 2.0 or later.
You can verify the availability of WinRM and configure PowerShell for remoting by following these
steps:
1. Start Windows PowerShell as an administrator by right-clicking the Windows PowerShell shortcut and
selecting Run As Administrator.
2. The WinRM service is configured for manual startup by default. You must change the startup type to
Automatic and start the service on each computer you want to work with. At the PowerShell prompt,
you can verify that the WinRM service is running using the following command:
get-service winrm

The value of the Status property in the output should be “Running”.


3. To configure Windows PowerShell for remoting, type the following command:
Enable-PSRemoting -Force

In many cases, you will be able to work with remote computers in other domains. However, if the remote
computer is not in a trusted domain, the remote computer might not be able to authenticate your
credentials. To enable authentication, you need to add the remote computer to the list of trusted hosts
for the local computer in WinRM. To do so, type:
winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'

Here, RemoteComputer should be the name of the remote computer, such as:
winrm s winrm/config/client '@{TrustedHosts="CorpServer56"}'

When you are working with computers in workgroups or homegroups, you must either use HTTPS as the
transport or add the remote machine to the TrustedHosts configuration settings. If you cannot connect to
a remote host, verify that the service on the remote host is running and is accepting requests by running
the following command on the remote host:
winrm quickconfig

This command analyzes and configures the WinRM service.


To use Windows PowerShell remoting features, you must start Windows PowerShell as an administrator
by right-clicking the Windows PowerShell shortcut and selecting Run As Administrator. When starting
PowerShell from another program, such as the command prompt (cmd.exe), you must start that program
as an administrator.
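The steps above, carried out from an elevated Windows PowerShell session, as an added example that is not part of the course text. It uses the CorpServer56 name from the text as a placeholder and appends to TrustedHosts instead of replacing the list, which is what the `winrm s` form does.

```powershell
# Added example (not from the course text): verify WinRM, enable PowerShell remoting,
# and add one remote computer to TrustedHosts without overwriting the existing list.
# Run in an elevated Windows PowerShell session; CorpServer56 is a placeholder name.
param(
    [string]$RemoteComputer = 'CorpServer56'
)

# Step 2 of the text: WinRM is set to Manual by default; it must be Automatic and running.
$winrm = Get-Service -Name WinRM
if ($winrm.StartType -ne 'Automatic') {
    Set-Service -Name WinRM -StartupType Automatic
}
if ($winrm.Status -ne 'Running') {
    Start-Service -Name WinRM
}
"WinRM status: $((Get-Service -Name WinRM).Status)"   # should read Running

# Step 3 of the text: creates the listener, firewall exception and session configurations.
Enable-PSRemoting -Force

# TrustedHosts is only needed for workgroup or untrusted-domain targets. A name on this
# list disables mutual authentication for that target, so keep it to specific host names
# and prefer an HTTPS listener where a certificate is available. -Concatenate appends
# to the existing value; the 'winrm s' form replaces the whole list.
$current = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
if (($current -split ',') -notcontains $RemoteComputer) {
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $RemoteComputer -Concatenate -Force
}
"TrustedHosts: $((Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value)"

# Confirm the remote side answers WS-Management before opening a session. If this fails,
# run 'winrm quickconfig' on the remote host, as the text describes.
try {
    Test-WSMan -ComputerName $RemoteComputer -ErrorAction Stop | Out-Null
    "WinRM reachable on $RemoteComputer"
    # Workgroup targets need explicit credentials; Kerberos is not available to them.
    Invoke-Command -ComputerName $RemoteComputer -Credential (Get-Credential) `
        -ScriptBlock { "Connected to $env:COMPUTERNAME as $env:USERNAME" }
}
catch {
    "Cannot reach WinRM on ${RemoteComputer}: $($_.Exception.Message)"
}
```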

Practice Labs and Module Review


Module 5 Practice Labs
Lab 0501: Configuring Network Connectivity

Summary
In this lab, you will identify IPv4 settings and validate connectivity on a Windows 10 device. You will also
configure a Windows 10 device to automatically obtain IPv4 settings from a DHCP service.

Exercise 1: Verifying and Testing IPv4 Settings

Scenario
You need to identify the current static IPv4 settings on SEA-CL1. You also need to test connectivity from
SEA-CL1 to SEA-DC1.

Exercise 2: Configuring Automatic IPv4 Settings

Scenario
Your network administrative team has configured DNS and DHCP services located on SEA-DC1. You need
to reconfigure SEA-CL1 to obtain its IPv4 settings using the DHCP service. You will then test and verify the
connectivity between SEA-CL1 and SEA-DC1 using the newly obtained IPv4 address settings.

Lab 0502: Configuring and Testing Name Resolution

Summary
In this lab, you will verify and manage name resolution for a Windows 10 network client. You will also test
and troubleshoot name resolution by using command line tools, DNS, and a hosts file entry.

Exercise 1: Verify and Manage Name Resolution

Scenario
You need to check and verify current DNS settings on SEA-CL1. You will also test out command line tools
used to view and clear the DNS client cache.

Exercise 2: Testing Name Resolution

Scenario
A user reports that SEA-CL1 cannot connect to www.Contoso.com or intranet.Contoso.com. To address
the issue, you decide to add www to the hosts file along with the SEA-SVR1.contoso.com IP address. You
will also add an alias DNS record for intranet.Contoso.com that resolves to SEA-SVR1.contoso.com. Finally
you will verify name resolution and connectivity.

Lab 0503: Administering Windows 10 Using Remote Management

Summary
In this lab you will learn how to perform remote Windows administration using Remote PowerShell,
Remote Desktop, and Windows Admin Center.

Exercise 1: Administering Windows using Remote PowerShell and Remote Desktop

Scenario
Your company is planning to open a new branch office. To manage the devices in the new branch office
you need to use Remote PowerShell and Remote Desktop. You need to test remote administration by
running remote PowerShell commands on SEA-SVR2 and you need to enable Remote Desktop on
SEA-CL1.

Exercise 2: Administering Windows using Windows Admin Center

Scenario
You need to test remote administration capabilities of the Windows Admin Center. For this scenario, you
will install Windows Admin Center on SEA-CL1 and then perform remote administration tasks on SEA-SVR1.

Module Review
Discussion
What are some considerations for enabling Wi‑Fi access for your users?

Check Your Knowledge


1. You are an IT Support professional tasked with configuring static IPv4 configuration for each of your
organization's computers. Your network administrator has provided you with a spreadsheet of
available IPv4 addresses. What do you have to configure in addition to the IP address?
A. Subnet mask
B. Default gateway
C. Domain Name System (DNS) server
D. MAC address
E. Activation key
2. You are configuring static IPv4 configuration manually for each of your network’s computers. Your
network is configured to use a simple Class B subnet mask of 255.255.0.0. Which of the following IP
addresses is a valid address for your network?
A. 120.1.0.21
B. 150.0.10.100
C. 192.168.0.11
D. 169.254.245.2
3. Your organization recently upgraded to Windows 10 from Windows 8.1. You want to use a familiar,
wizard driven, tool to configure wired and wireless connections. Which tool should you use?
A. Network & Internet
B. Network and Sharing Center
C. Network Setup Wizard
D. Windows PowerShell
4. Your network administrator has asked you to verify that a Windows 10 computer in your Houston
office has network connectivity to a file server at the Chicago office. You need to provide detailed
statistics on the individual steps, or hops, through the network routers. Which command or tool
should you use?
A. The Pathping command
B. The Ping command
C. The Tracert tool
D. NSLookup
E. Microsoft Message Analyzer
5. Your organization has recently upgraded the network to support IPv6. You are part of a team that
supports the Windows 10 devices. Which of the following are IPv6 benefits? (select 4)
A. Large address space
B. Hierarchical addressing and routing infrastructure
C. Converts IPv4 addresses into IPv6 addresses automatically
D. IPv6 and IPv4 can run together (dual stack)
E. Supports DirectAccess for remote access clients
F. Uses 256-bit addresses
G. Provides URL filtering
6. Your organization is deploying Always On VPN. You need to deploy the necessary configuration to
clients. Which methods can you use to do this? (Select three)
A. Configuration Manager
B. Group Policy
C. Microsoft Intune
D. PowerShell
7. You are an IT Support Professional for your organization's business applications. A home-based user
has requested support with an application. You ask the user to send you an invitation using Quick
Assist. Which options will the user have? (select three)
A. Save this invitation as a file
B. Send invitation to phone
C. Use email to send an invitation
D. Send Instant Message with invitation
E. Use Easy Connect
8. One of the users you support is not able to make a remote desktop connection to a Windows 10
computer. He is getting an access denied error. You need to confirm that his account has permissions
to make a remote desktop connection. Which security group on the Windows 10 computer should his
account be a member of?
A. Remote Users
B. Remote Desktop Users
C. Remote Administrators
D. RD Sessions Host
E. Power Users
F. All mentioned
Answers: 1) A,B,C 2) B 3) B 4) A 5) A,B,D,E 6) A,C,D 7) A,D,E 8) B
Module 6 Configuring Storage

Managing Storage
Lesson Introduction
Although you can save files to the local hard disk in Windows 10, several additional storage options are
available. This lesson describes some of the different storage technologies, including different types of
server-based and cloud-based storage.
This lesson will also cover considerations for configuring storage for use in Windows 10. While the default
settings for a disk drive will be sufficient for most scenarios when installing Windows, there are additional
options available for advanced configurations, such as clients with multiple storage drives or specific
partition requirements.
You can use disk management tools to perform disk-related tasks, such as creating and formatting
partitions and volumes, assigning drive letters, and resizing disks.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the different ways to access storage.
●● Explain the difference between network-attached storage (NAS) and storage area networks (SANs).
●● Compare MBR and GUID partition table (GPT) disks.
●● Describe how to convert a basic disk to a dynamic disk.
●● Describe the tools available for managing disks.
●● Describe a simple volume.
●● Describe mirrored, spanned, and striped volumes.
●● Create volumes, resize, and manage volumes.

Storage Options
Local hard disk
A locally attached hard disk is also known as direct-attached storage (DAS). Depending on the hard disk
type and the type of hard disk controller, you might get varying performance of the local hard disk. The
solid-state drives (SSDs), which use flash card technology, are the fastest hard disks, but they are more
expensive than older technologies. SSDs are also often smaller in capacity compared to the normal hard
disk drives.
All tablets use some kind of flash card technology. They use SSDs when they require more capacity for
local storage. In rare occasions, you may need to acquire a driver for the hard disk before you can install
Windows 10.
Advantages of using local hard disks include:
●● Availability. The local hard disk is always available, including in situations where there is no network
connectivity.
●● Performance. Only a single user uses the local hard disk. In addition, the bandwidth of your network
connection does not limit you.
Disadvantages of using local hard disks include:
●● Backup. You will not automatically have a backup of your data.
●● Physical failures. If your local hard disk fails, you will not be able to start your computer.

Virtual hard disk


Windows 10 fully supports virtual hard disks. The virtual hard disk (.vhd or .vhdx) file format specifies a
virtual hard disk encapsulated in a single file. It is capable of hosting native file systems and supporting
standard disk operations.
Virtual hard disks are an integral part of virtual machine environments such as Client Hyper-V. You can
use virtual hard disks for several purposes and in any scenario where you might use a physical hard disk.
If you plan to use a virtual hard disk in place of a physical disk, consider the following advantages and
disadvantages.
Advantages of using virtual hard disks include:
●● Portability. Virtual hard disk files might be easier to move between systems, particularly when you use
shared storage.
●● Backup. A .vhd file represents a single file for backup purposes.
Disadvantages of using virtual hard disks include:
●● Performance. In high I/O scenarios, the additional overhead of using a virtual hard disk can affect
performance.
●● Physical failures. A .vhd file does not protect against cluster failure on the underlying physical disks.

Supporting virtual disk formats


Windows 10 supports both the .vhd and .vhdx virtual disk formats. The .vhdx format has a metadata
structure that reduces data corruption and improves alignment on large sector disks. Virtual hard disks
in the .vhd format are limited to 2 TB of storage, whereas the newer .vhdx format is suitable for virtual
disks up to a supported maximum size of 64 TB.

Server-based storage
Using Windows Server 2016 as a file server gives you central access to your files. Although the file server
contains local storage, larger organizations will often acquire separate storage systems optimized for
performance and security. You connect these separate storage systems to the server, like a NAS and a
SAN, which you will learn about later in this module. Windows Server 2012 R2 adds functionality, such as
Work Folders, offline files, and failover clustering, that makes it suitable as a file server for small,
medium, and large enterprises.
Advantages of using server-based storage include:
●● Redundancy. Because most server-based storage protects data by using redundant disk systems, you
will not suffer data loss due to the failure of a single hard disk.
●● Backup. Automatic backup is in place for most server-based storage.
●● Performance. Server-based storage is often faster than local hard disks because it uses faster disks,
which you configure in a performance-optimized way.
Disadvantages of using server-based storage include:
●● Availability. You need a network connection to access server-based storage. If you are outside your
company’s network, you might not be able to access the storage remotely, unless you use some kind
of caching technique, such as offline files.
●● Performance. You can experience bottlenecks in both network connectivity and access to server-based
storage because many users are accessing the same storage simultaneously.

Network and Cloud Storage Options


There are two types of external storage systems: NAS (Network-Attached Storage) and SAN (Storage Area
Networking). You use NAS for both client-based and server-based computing, whereas you most often
use SAN for server-based computing and then make it accessible to users. Although Windows 10
includes the iSCSI initiator that allows you to connect to SANs, you usually use SANs in server-based
computing.

NAS
NAS is storage that is connected to a dedicated storage device. You can access it over the network. Unlike
DAS, NAS is not directly attached to a computer or server, and users access it over the network. NAS has
two distinct solutions: a low-end appliance (NAS only), and an enterprise-class NAS that integrates with
SAN.
Each NAS device has a dedicated operating system that controls access to the data on the device, which
reduces the overhead associated with sharing the storage device with other server services. An example
of NAS software is Windows Storage Server, a special edition of Windows Server 2012 R2.
NAS devices typically provide file-level access to the storage, which means that you can access the data
on the storage only as files. You must use protocols such as Common Internet File System (CIFS), Server
Message Block (SMB), or network file system (NFS) to access the files.
To enable NAS storage, you need a storage device. Frequently, these devices do not have any server
interfaces such as keyboards, mice, and monitors. To configure the device, you need to provide a network
configuration, and then access the device across the network. You can then create network shares on the
device by using the name of the NAS and the share created. The network’s users can then access these
shares.

SAN
SAN is a high‐speed network that connects computer systems or host servers to high-performance
storage subsystems. A SAN usually includes various components such as host bus adapters (HBAs),
special switches to help route traffic, and storage disk arrays with logical unit numbers (LUNs) for storage.

A SAN enables multiple servers to access a pool of storage in which any server can potentially access any
storage unit. Because a SAN is a network, you can use a SAN to connect many different devices and hosts
and provide access to any connected device from anywhere.
SANs provide block-level access. This means that, rather than accessing the content on the disks as files
by using a file access protocol, SANs write blocks of data directly to the disks by using protocols such as
Fibre Channel over Ethernet or Internet Small Computer System Interface (iSCSI).
Today, most SAN solutions offer SAN and NAS together. The backend head units, disks, and technologies
are identical, and only the access method differs. Enterprises often provision block storage from the SAN
to the servers by using Fibre Channel over Ethernet or iSCSI. NAS services use the CIFS and NFS
protocols. If you want to use a SAN, Windows 10 supports the iSCSI protocol with the iSCSI initiator.

Cloud Based Storage


Cloud storage simplifies access to your files as long as you have Internet access. When you sign in with
your Microsoft account, you can access all the files on your Microsoft OneDrive. Microsoft also offers
enterprise cloud storage with Microsoft Azure Storage. Cloud storage provides several benefits:
●● Easy access anywhere to data such as photos, music, and documents.
●● Automatic backup of important files.
●● Synchronizing favorites and other settings across devices.

OneDrive
OneDrive offers the benefits of making files accessible by any device, while offering a seamless end user
experience in the desktop client. OneDrive is covered in more detail in the next topic.

Azure Storage
Microsoft Azure Storage is a cloud storage solution that developers and IT professionals use to build
applications. Azure Storage saves data in the cloud. You can access Azure Storage by using any type of
device and by using any type of application, from the smallest app to applications with terabytes of data.
Azure Storage can handle four types of storage:
●● Blob storage stores any type of text or binary data. This includes documents and media files.
●● Table storage stores structured datasets. Table storage is a NoSQL key-attribute data store.
●● Queue storage provides messaging for workflows. Communication between different components of
cloud services is also one of the uses of queue storage.
●● File storage uses the standard SMB protocol. Azure virtual machines and cloud services can share file
data with file storage. On-premises applications can also access file data in a share via file storage.

MBR and GPT


Before you can use a disk in Windows 10, you must prepare it for use. You must first partition the disk by
using the master boot record (MBR) partitioning scheme or the globally unique identifier (GUID) partition
table-partitioning scheme. After partitioning the disk, you must create and format one or more volumes
before an operating system can use the disk.

MBR disks
The MBR contains the partition table for a disk and a small amount of executable code called the master
boot code. Partitioning a disk creates the MBR automatically on the first sector of the hard disk. The MBR
contains a four-partition entry table that describes the size and location of a disk partition by using 32-bit
logical block addressing (LBA) fields. Most Windows 10 editions, such as the 32-bit and 64-bit versions
that run on motherboards with BIOS firmware, require an MBR-partitioned system disk and cannot boot
from a larger-capacity disk. Newer motherboards enabled with Unified Extensible Firmware
Interface (UEFI) can read both MBR and the newer GUID Partition Table (GPT) disks.

How MBR disks work


The MBR is stored at a consistent location on a physical disk, enabling a computer’s BIOS to reference it.
During the startup process, a computer examines the MBR to determine which partition is active on the
installed disks. The active partition contains the operating system startup files.

Features of MBR disks


The MBR partition scheme has been in use for a long time. It supports both current and older desktop
operating systems, such as the MS-DOS and Microsoft Windows Server 4.0 operating systems.
Consequently, most operating systems today support the MBR partition scheme. However, the MBR partition
scheme imposes certain restrictions, including:
●● Four partitions on each disk. MBR-based disks are limited to four partitions. All of these can be
primary partitions, or one can be an extended partition with logical volumes inside. You can configure
the extended partition to contain multiple volumes.
●● A 2 TB-maximum partition size. A partition cannot be larger than 2 TB.
●● No redundancy provided. The MBR is a single point of failure. If it is corrupt or suffers damage, it can
render a computer incapable of starting.
MBR disks can be either basic or dynamic disk types. Dynamic disks support additional options that are
not available on a basic disk, including volumes that are able to span multiple disks and fault-tolerant
volumes.

GPT disks
GPT disks contain an array of partition entries that describe the start and end LBA of each partition on a
disk. Each GPT partition has a unique GUID and partition-content type. Each LBA that the partition table
describes is 64 bits in length. The UEFI specifies the GPT format, but it is not exclusive to UEFI systems.
Both 32-bit and 64-bit Windows operating systems support GPT for data disks on BIOS systems.
However, they cannot boot from them. 64-bit Windows operating systems support GPT for boot disks on
UEFI systems.

Features of GPT disks


GPT disks address the limitations of MBR disks and provide support for the following:
●● 128 partitions per disk. This is a vast improvement over MBR-based disks.
●● 18 exabytes of volume size. This is a theoretical maximum because hard-disk hardware that can
support such vast volume sizes is not yet available.
●● Redundancy. Cyclic redundancy check (CRC) duplicates and protects the GPT.

●● You can implement GPT disks on Windows Server 2008 and newer versions, Windows 10, Windows
8.1, Windows 8, Windows 7, and Windows Vista. You cannot use the GPT partition style on removable
disks.

GPT architecture
A GPT-partitioned disk defines the following sectors:
●● Sector 0 contains a legacy protective MBR, which contains one primary partition that covers the entire
disk:
●● The protective MBR protects GPT disks from previously released MBR disk tools, such as the MS-DOS
fdisk or Windows NT Disk Administrator. These tools view a GPT disk as a single encompassing
(possibly unrecognized) partition by interpreting the protected MBR, rather than mistaking the disk
for one that does not have any partitions. This means that the tools will not view a GPT-initialized disk
as having no partitions, making it less vulnerable to incidental data loss.
●● Legacy software that is not aware of GPT interprets only the protected MBR when it accesses a GPT
disk.
●● Sector 1 contains a partition table header. The partition table header contains the unique disk GUID,
the number of partition entries (usually 128), and pointers to the partition table.
●● The partition table starts at sector 2. Each partition entry contains a unique partition GUID, the
partition offset, length, type (also a GUID), attributes, and a 36-character name.
The following table describes the partitions that Windows 10 creates when you install it on a GPT disk.
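The sector layout just described, parsed from a constructed in-memory disk image as an added example that is not part of the course text. Field offsets follow the UEFI specification; the disk and partition GUIDs in the sample image are made up, and nothing here reads a real disk (that needs administrator rights and \\.\PhysicalDrive access).

```powershell
# Added example (not from the course text): build a 3-sector GPT image in memory
# (sector 0 protective MBR, sector 1 header, sector 2 first table entry) and parse it
# back, mirroring the structure described in the "GPT architecture" section.
$SectorSize = 512

# Real partition type GUIDs from the UEFI specification / Windows
$KnownTypes = @{
    'c12a7328-f81f-11d2-ba4b-00a0c93ec93b' = 'EFI system partition'
    'e3c9e316-0b5c-4db8-817d-f92df00215ae' = 'Microsoft Reserved partition (MSR)'
}

function New-SampleGptImage {
    # Constructed sample: a disk whose first partition is a 100 MB EFI system partition
    $img = New-Object byte[] (3 * $SectorSize)
    # Sector 0: protective MBR, a single entry of type 0xEE covering the whole disk
    $e = 0x1BE                                              # first MBR partition entry
    $img[$e + 4] = 0xEE                                     # partition type: GPT protective
    [BitConverter]::GetBytes([uint32]1).CopyTo($img, $e + 8)                  # start LBA 1
    [BitConverter]::GetBytes([uint32]::MaxValue).CopyTo($img, $e + 12)        # size: max
    $img[0x1FE] = 0x55; $img[0x1FF] = 0xAA                  # MBR boot signature
    # Sector 1: GPT header
    $h = $SectorSize
    [Text.Encoding]::ASCII.GetBytes('EFI PART').CopyTo($img, $h)              # signature
    [BitConverter]::GetBytes([uint32]0x10000).CopyTo($img, $h + 8)            # revision 1.0
    [BitConverter]::GetBytes([uint32]92).CopyTo($img, $h + 12)                # header size
    [BitConverter]::GetBytes([uint64]1).CopyTo($img, $h + 24)                 # this header's LBA
    ([guid]'11111111-2222-3333-4444-555555555555').ToByteArray().CopyTo($img, $h + 56)  # disk GUID (constructed)
    [BitConverter]::GetBytes([uint64]2).CopyTo($img, $h + 72)                 # partition table LBA
    [BitConverter]::GetBytes([uint32]128).CopyTo($img, $h + 80)               # number of entries
    [BitConverter]::GetBytes([uint32]128).CopyTo($img, $h + 84)               # entry size
    # Sector 2: first partition entry (ESP, 204800 sectors = 100 MB at 512 bytes/sector)
    $p = 2 * $SectorSize
    ([guid]'C12A7328-F81F-11D2-BA4B-00A0C93EC93B').ToByteArray().CopyTo($img, $p)        # type GUID
    ([guid]'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee').ToByteArray().CopyTo($img, $p + 16)   # unique GUID (constructed)
    [BitConverter]::GetBytes([uint64]2048).CopyTo($img, $p + 32)              # first LBA
    [BitConverter]::GetBytes([uint64](2048 + 204800 - 1)).CopyTo($img, $p + 40)  # last LBA
    [Text.Encoding]::Unicode.GetBytes('EFI system partition').CopyTo($img, $p + 56)  # UTF-16 name
    return ,$img
}

function Read-GptLayout {
    param([byte[]]$Image)
    # Sector 0: legacy tools see only this one 0xEE partition, which is the protection
    $bootSig    = ($Image[0x1FE] -eq 0x55) -and ($Image[0x1FF] -eq 0xAA)
    $protective = $Image[0x1BE + 4] -eq 0xEE
    # Sector 1: header, recognised by its 'EFI PART' signature
    $h = $SectorSize
    $sig = [Text.Encoding]::ASCII.GetString($Image, $h, 8)
    if ($sig -ne 'EFI PART') { throw "No GPT header in sector 1 (signature '$sig')" }
    $diskGuid   = [guid]::new([byte[]]$Image[($h + 56)..($h + 71)])
    $tableLba   = [BitConverter]::ToUInt64($Image, $h + 72)
    $entryCount = [BitConverter]::ToUInt32($Image, $h + 80)
    # Partition table: follow the header's pointer rather than assuming sector 2
    $p = [int]$tableLba * $SectorSize
    $typeGuid = [guid]::new([byte[]]$Image[$p..($p + 15)])
    $firstLba = [BitConverter]::ToUInt64($Image, $p + 32)
    $lastLba  = [BitConverter]::ToUInt64($Image, $p + 40)
    $name     = [Text.Encoding]::Unicode.GetString($Image, $p + 56, 72).TrimEnd([char]0)
    $typeName = $typeGuid.ToString()
    if ($KnownTypes.ContainsKey($typeName)) { $typeName = $KnownTypes[$typeName] }
    [pscustomobject]@{
        ProtectiveMbr        = $bootSig -and $protective
        DiskGuid             = $diskGuid
        PartitionTableLba    = $tableLba
        EntryCount           = $entryCount            # 128 on a Windows-initialized disk
        FirstPartitionType   = $typeName
        FirstPartitionName   = $name
        FirstPartitionSizeMB = [int](($lastLba - $firstLba + 1) * $SectorSize / 1MB)
    }
}

Read-GptLayout -Image (New-SampleGptImage)
```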

Partition | Type | Size | Description
A | Extensible Firmware Interface (EFI) system partition | 100 megabytes (MB) | Contains the Windows Boot Manager, the files that an operating system requires to start, the platform tools that run before an operating system starts, and the files that the Windows Boot Manager must access before an operating system starts. The EFI system partition must be the first partition on the disk because it is impossible to span volumes when the EFI system partition is logically between what you are attempting to span.
B | Microsoft Reserved partition (MSR partition) | 128 MB | Reserved for Windows components. The Disk Management tool hides this partition. It does not receive a drive letter. Usage example: When you convert a basic GPT disk to dynamic, the system decreases the size of the MSR partition and uses that space to create the Logical Disk Manager Metadata partition.
C | Operating system | Remaining disk | This partition contains the operating system and is the size of the remaining disk.

Dynamic Disks
Dynamic disks provide features that basic disks do not. You can create volumes that span multiple disks
and fault-tolerant volumes. Dynamic disks can also use the MBR or GPT partition styles.
Dynamic disks use a database to track information about volumes on dynamic disks in the computer.
Each dynamic disk in a computer stores a replica of the dynamic disk database, which is useful if you
experience a corrupted dynamic disk database. Windows can repair the corrupted dynamic disk by using
the database on another dynamic disk. The partition style of the disk determines the location of the
database. On MBR partitions, Windows 10 stores the database in the last 1 MB of the disk. On GPT
partitions, the database is located in a 1-MB reserved and hidden partition.
You can perform the following operations only on dynamic disks:
●● Create and delete spanned, striped, and mirrored volumes.
●● Extend a simple volume to a noncontiguous space or spanned volume.
●● Remove a mirror from a mirrored volume.
●● Repair mirrored volumes.
●● Reactivate a missing or offline disk.
You should be aware of the following considerations regarding dynamic disks:
●● You cannot convert a basic disk to a dynamic disk unless there is at least 1 MB of unused space on the
disk because of the Logical Disk Manager database.
●● You cannot convert a dynamic disk to a basic disk without losing data. You need to delete all dynamic
volumes on the disk. Disk Management automatically converts the disk to basic when you delete the
last volume.
●● You cannot use Windows PowerShell to manage dynamic disks. The storage cmdlets will not
recognize dynamic disks.

Convert a basic disk to a dynamic disk


You use the Disk Management snap-in to convert a basic disk to a dynamic disk. Right-click the disk you
want to convert and select Convert to Dynamic Disk.
Note: In a multiboot scenario, if you are in one operating system, and you convert a basic MBR disk that
contains an alternate operating system to a dynamic MBR disk, you will not be able to start in the
alternate operating system.

Basic disks vs. dynamic disks


The following table describes the differences between using basic and dynamic disks.

Disk type | Advantages | Disadvantages
Basic disks | Compatible with most operating systems. Convert to dynamic disk without data loss. | Only uses contiguous space on one disk. Limited number of partitions on MBR disks.
Dynamic disks | Multidisk volumes. Fault-tolerant volumes. 1024 volumes on MBR disks. | Only compatible with Windows. Does not convert to basic disk without data loss.

Disk Management Tools


You can use the following tools to manage Windows 10 disks and the volumes or partitions that they
contain:
●● Disk Management. A GUI for managing disks and volumes, both basic and dynamic, locally or on
remote computers. After you select the remote computer that you want to manage, you can perform
the same tasks that you typically perform when you use a local computer.
●● DiskPart. A scriptable command-line tool with functionality that is similar to Disk Management, which
also includes advanced features. You can create scripts to automate disk-related tasks, such as
creating volumes or converting disks to dynamic. This tool always runs locally.
●● Windows PowerShell 5.0. Windows PowerShell is a scripting language that accomplishes many tasks in
the Windows environment. Starting with Windows PowerShell 3.0, disk management commands are
available for use as stand-alone commands or as part of a script.
Note: Windows 10 does not support remote connections in workgroups. Both the local computer and
the remote computer must be in a domain for you to use Disk Management to manage a disk remotely.
Note: Do not use disk-editing tools such as dskprobe.exe to make changes to GPT disks. Any change that
you make renders the checksums invalid, which might cause the disk to become inaccessible. To make
changes to GPT disks, use Windows PowerShell, DiskPart, or Disk Management.
With either tool, you can initialize disks, create volumes, and format a volume file system. Additional
common tasks include moving disks between computers, changing disks between basic and dynamic
types, and changing the partition style of disks. You can perform most disk-related tasks without
restarting a system or interrupting users, and most configuration changes take effect immediately.

Disk Management
By using the Disk Management snap-in to the Microsoft Management Console (MMC), administrators
can manage volumes quickly and confirm the health of each volume. Disk Management in Windows 10
provides the same features as previous versions, including:
●● Simpler partition creation. When you right-click a volume, you can choose whether to create a basic,
spanned, or striped partition directly from the menu.
●● Disk conversion options. When you try to extend a partition to a noncontiguous area on the same or
another disk, Disk Management prompts you to convert the disk to dynamic. You also can convert
basic disks to dynamic disks without incurring data loss. However, converting a dynamic disk to basic
is not possible without first deleting all of the volumes.
●● Extend and shrink partitions. You can extend and shrink partitions from Disk Management.
To open Disk Management, use this procedure:
1. Select Start and type disk. This will display the search window.
2. Continue typing diskmgmt.msc in the search box, and then select diskmgmt.msc in the results list.

DiskPart
By using DiskPart, you can manage fixed disks and volumes by using scripts or direct input from the
command line. At the command prompt, type DiskPart, and then enter commands at the DiskPart
command prompt. The following are common DiskPart actions:
●● To view a list of DiskPart commands, at the DiskPart command prompt, type commands.
●● To create a DiskPart script in a text file and then run the script, type a script similar to diskpart /s
testscript.txt.
●● To create a log file of the DiskPart session, type DiskPart /s testscript.txt > logfile.txt.
The following table shows several DiskPart commands that you will use frequently.

Command | Description
list disk | Displays a list of disks and related information, including: disk size; the amount of available free space on the disks; whether the disks are basic or dynamic; whether the disks use the MBR or GPT partition style. The disks marked with an asterisk (*) are the ones against which the commands will execute.
select disk disknumber | Selects the specified disk, where disknumber is the disk number, and gives it focus.
convert gpt | Converts a disk with the MBR partition style to a basic disk with the GPT partition style.

Windows PowerShell
Prior to Windows PowerShell 3.0, if you wanted to script disk management tasks, you had to make calls to
Windows Management Instrumentation (WMI) objects or include DiskPart in your scripts. Windows
PowerShell 3.0 and newer versions include commands for natively managing disks. The following table
details some Windows PowerShell commands.

Command | Description | Additional parameters
Get-Disk | Returns information on all disks or disks that you specify with a filter. | FriendlyName returns information about disks that have the specified friendly name. Number returns information about a specific disk.
Clear-Disk | Cleans a disk by removing all partition information. | ZeroOutEntireDisk writes zeros to all sectors of a disk.
Initialize-Disk | Prepares a disk for use. By default, it creates a GPT partition. | PartitionStyle <PartitionStyle> specifies the type of the partition, either MBR or GPT.
Set-Disk | Updates a physical disk with the specified attributes. | PartitionStyle <PartitionStyle> specifies the type of the partition, either MBR or GPT. You can use this to convert a disk that was initialized previously.
Get-Volume | Returns information on all file systems’ volumes, or those volumes that you specify with a filter. | DriveLetter <Char> gets information about the specified drive letter. FileSystemLabel <String> returns information on the NTFS file systems or Resilient File System (ReFS) volumes.

Simple Volumes
The most commonly used disk arrangement is a simple volume. This volume is a contiguous, unallocated
area of a physical hard disk that you format to create a file system. You then assign a drive letter to it or
mount it in an existing volume by using a volume mount point.
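Creating a simple volume with the Storage cmdlets from the table above, either with a drive letter or mounted into a folder on an existing volume, as an added example that is not part of the course text. It assumes a disk that is still RAW (never initialized); the disk number, label and mount folder are placeholders, and it must run elevated.

```powershell
# Added example (not from the course text): initialize a RAW disk as GPT, create one
# simple volume that uses the whole disk, and format it as NTFS. The volume gets either
# a drive letter or a volume mount point, the two options described in the text.
function New-SimpleGptVolume {
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [string]$Label = 'Data',
        [string]$MountPath          # optional: empty folder on an existing NTFS volume
    )
    $disk = Get-Disk -Number $DiskNumber
    # Refuse any disk that already carries a partition table. Initialize-Disk on a RAW
    # disk is harmless; wiping a used disk (Clear-Disk) is a decision for a person.
    if ($disk.PartitionStyle -ne 'RAW') {
        throw "Disk $DiskNumber is already $($disk.PartitionStyle); not touching it."
    }
    if ($disk.IsOffline)  { Set-Disk -Number $DiskNumber -IsOffline  $false }
    if ($disk.IsReadOnly) { Set-Disk -Number $DiskNumber -IsReadOnly $false }

    # GPT rather than MBR: 128 entries, CRC-protected header, no 2 TB partition limit
    Initialize-Disk -Number $DiskNumber -PartitionStyle GPT

    if ($MountPath) {
        # Volume mount point: no drive letter, the volume appears under the folder
        $part = New-Partition -DiskNumber $DiskNumber -UseMaximumSize
        New-Item -ItemType Directory -Path $MountPath -Force | Out-Null
        Add-PartitionAccessPath -DiskNumber $DiskNumber `
            -PartitionNumber $part.PartitionNumber -AccessPath $MountPath
    }
    else {
        $part = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -AssignDriveLetter
    }
    # Format-Volume takes the partition object from the pipeline; -Confirm:$false
    # suppresses the prompt because the RAW check above already guards the disk.
    $part | Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false
}

# Preview candidate disks first: only RAW ones are eligible for the function above
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Select-Object Number, FriendlyName, @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }

# Example calls (placeholder disk numbers and paths):
# New-SimpleGptVolume -DiskNumber 1 -Label 'Data'
# New-SimpleGptVolume -DiskNumber 2 -Label 'Logs' -MountPath 'C:\Mounts\Logs'
# Get-Volume -FileSystemLabel 'Data'      # confirm the result with the cmdlet from the table
```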

Simple volume characteristics


A simple volume is a volume that encompasses available free space from a single, basic, or dynamic
hard-disk drive. A simple volume can consist of a single region on a disk or multiple regions of the same
disk that link together. Simple volumes have the following characteristics:
●● Not fault-tolerant. Disk failure leads to volume failure.
●● Volume I/O performance is the same as disk I/O performance.

Simple volume scenarios


The following table contains example scenarios for disks and volumes.

Scenario: Business desktop computer with one disk
Most business users require a basic disk and one basic volume for storage, but do not require a
computer with volumes that span multiple disks or that provide fault tolerance. This is the best choice
for those who require simplicity and ease of use.

Scenario: Business desktop computer with one disk and more than one volume
If small business users want to upgrade their operating systems and reduce the impact on their
business data, they must store the operating system in a separate location from business data. This
scenario requires a basic disk with two or more simple volumes. Users can install an operating system
on the first volume, creating a boot volume or system volume, and use the second volume to store
data. When a new version of an operating system releases, users can reformat the boot or system
volume, and then install the new operating system. The business data, located on the second volume,
remains untouched.
A simple volume might provide better performance than striped data layout schemes. For example, when
serving multiple, lengthy, sequential streams, performance is best when a single disk services each
stream. Workloads composed of small, random requests do not always result in performance benefits
when you move them from a simple to a striped data layout.
The emergence of SSDs, which offer extremely fast data transfer rates, offers the Windows 10 user
another decision related to storing data. SSDs currently are more expensive and have smaller capacities
compared to traditional magnetic hard disk drives. This combination of performance, size, and cost is an
acceptable compromise when used in small form factor devices. However, a desktop PC might benefit
from a combination of an SSD for Windows system files and a large capacity hard disk drive for business
data.

Mirrored, Spanned and Striped Volumes


A mirrored volume presents two disks to the operating system as a single logical volume. A mirrored
volume always consists of exactly two disks. Each disk holds an identical copy of the data that is on the
logical volume.
A spanned volume joins areas of unallocated space on at least two and at most 32 disks into a single
logical disk. Similar to a spanned volume, a striped volume also requires two or more disks. However,
striped volumes map stripes of data cyclically across the disks.
Basic disks support only primary partitions, extended partitions, and logical drives. To use mirrored,
spanned, or striped volumes, you must convert the disks to dynamic disks as described previously.
Dynamic disks use a database to track information about the disk’s dynamic volumes and the computer’s
other dynamic disks. Because each dynamic disk on a computer stores a replica of the dynamic disk
database, the Windows operating system can repair a corrupted database on one dynamic disk by using
the database on another dynamic disk.

Characteristics of mirrored volumes


A mirrored volume also is a RAID-1 (Redundant Array of Independent Disks) volume. A mirrored volume
combines equal-sized areas of unallocated space from two disks. You use a mirrored volume when you
wish to provide redundancy for your system partition. Both spanned volumes and striped volumes
require a Windows operating system to be running to recognize the volume—therefore, neither of those
solutions can provide protection against disk failures for a system partition.
When creating a mirrored volume, the disk for the shadow volume must be at least the same size as the
volume you want to mirror. Once you establish the mirror, you cannot resize the mirrored volume.
There are two main benefits of using mirrored volumes. Recovering from a disk failure is very quick as
there is no data to rebuild. Additionally, read operations have a slight performance boost because you
can read from both disks simultaneously.
There are two main disadvantages of using mirrored volumes. Write operations are slightly slower as
every write needs to occur on both disks. Mirrored volumes are the least efficient use of space compared
with other disk configurations.

Characteristics of spanned volumes


A spanned volume gives users the option to gather noncontiguous free space from two or more disks
into the same volume. A spanned volume does not provide any fault tolerance. Additionally, because the
areas that you combine are not necessarily equally distributed across the participating disks, there is no
performance benefit to implementing spanned volumes. I/O performance is comparable to simple
volumes.
You can create a spanned volume by extending a simple volume to an area of unallocated space on a
second disk, or you can designate multiple disks during the volume-creation process. The benefits of
using spanned volumes include uncomplicated capacity planning and straightforward performance analy-
sis.
If you create a new spanned volume, you must define the same properties as when you create a simple
volume in terms of size, file system, and drive letter. In addition, you must define how much space to allo-
cate to the spanned volume from each physical disk.
You can create spanned volumes on dynamic disks only. If you attempt to create a spanned volume on
basic disks, the Windows operating system prompts you to convert the disk to dynamic after you have
defined the volume’s properties and confirmed the choices.

It is possible to shrink a spanned volume. However, it is not possible to remove an area from a specific
disk. For example, if a spanned volume consists of three 100-MB partitions on each of three disks, you
cannot delete the third element.
If you install additional hard disks, it is possible to extend the spanned volume to include areas of
unallocated space on the new disks, as long as the total number of disks does not exceed the 32-disk
limit for spanned volumes.

Characteristics of striped volumes


A striped volume is a RAID-0 volume. A striped volume combines equal-sized areas of unallocated space
from multiple disks.
You should create a striped volume when you want to improve the I/O performance of a computer.
Striped volumes provide for higher throughput by distributing I/O across all disks that are a part of the
volume. The more physical disks that you combine, preferably across several disk controllers, the faster
the potential throughput is. For most workloads, a striped data layout provides better performance than
simple or spanned volumes, as long as you select the striped unit appropriately, based on workload and
storage hardware characteristics. The overall storage load balances across all physical drives.
Striped volumes also are well suited for isolating the paging file. By creating a volume where Pagefile.sys
is the only file on the entire volume, the paging file is less likely to become fragmented, which helps
improve performance. Redundancy is not required for the paging file normally. Striped volumes provide a
better solution than RAID-5 for paging file isolation. This is because the paging file activity is write-inten-
sive, and RAID-5 is better suited for read performance than write performance.
Because there is no allocated capacity for redundant data, striped volumes do not provide data-recovery
mechanisms such as those in RAID-1 and RAID-5. The failure of any disk results in data loss on a larger
scale than it would on a simple volume, because it disrupts the entire file system that spreads across
multiple physical disks. The more disks that you combine in RAID-0, the less reliable the volume becomes.
When you create a striped volume, you define the file system, drive letter, and other standard volume
properties. Additionally, you must define the disks from which to allocate free space. The allocated space
from each disk must be identical in size. It is possible to delete a striped volume, but it is not possible to
extend or to shrink the volume.
Note: RAID-5 is a striped set with parity volume. It combines the speed of striped volumes with fault
tolerance. It is not possible to create RAID-5 in Disk Management in Windows 10.
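Windows PowerShell has no cmdlet for creating mirrored, spanned, or striped volumes on dynamic disks, so scripts fall back to DiskPart, as mentioned at the start of this lesson. The following script is an added example, not part of the course, that converts two empty basic disks to dynamic and creates a mirrored volume across them from a DiskPart script that PowerShell generates. The disk numbers 1 and 2 and the 20 GB size are placeholders; the disks are assumed to be initialized basic disks with no partitions.

```powershell
# Added example, not from the course: create a mirrored (RAID-1) dynamic volume
# with a DiskPart script generated and run from PowerShell. Assumptions: disks 1
# and 2 are initialized basic disks with no partitions; size is 20 GB. Run elevated.
$MirrorDisks = 1, 2
$SizeMB      = 20480

foreach ($n in $MirrorDisks) {
    $d = Get-Disk -Number $n -ErrorAction Stop
    if ($d.IsBoot -or $d.IsSystem) {
        throw "Disk $n holds the operating system; it cannot be converted here."
    }
    if ($d.PartitionStyle -eq 'RAW') {
        throw "Disk $n is not initialized; run Initialize-Disk -Number $n first."
    }
    # Conversion keeps existing partitions, but this example expects empty disks
    # so that the mirror can use the same amount of unallocated space on each.
    $parts = @(Get-Partition -DiskNumber $n -ErrorAction SilentlyContinue)
    if ($parts.Count -gt 0) {
        throw "Disk $n already has $($parts.Count) partition(s); expected an empty disk."
    }
}

# DiskPart commands: convert both disks to dynamic, create the mirror across them,
# format it, and assign the next free drive letter.
$diskList = $MirrorDisks -join ','
$script = @"
select disk $($MirrorDisks[0])
convert dynamic
select disk $($MirrorDisks[1])
convert dynamic
create volume mirror size=$SizeMB disk=$diskList
format fs=ntfs quick label="Mirror"
assign
list volume
"@

$scriptPath = Join-Path $env:TEMP 'create-mirror.txt'
Set-Content -Path $scriptPath -Value $script -Encoding ASCII
try {
    # /s runs the script non-interactively; keep the output for review.
    $output = diskpart.exe /s $scriptPath
    $output
    if ($LASTEXITCODE -ne 0) { throw "DiskPart exited with code $LASTEXITCODE" }
}
finally {
    Remove-Item -LiteralPath $scriptPath -ErrorAction SilentlyContinue
}
```

Replacing `create volume mirror` with `create volume stripe` and the same `disk=` list produces a RAID-0 striped volume instead; the safety checks apply unchanged, because both operations consume the disks' unallocated space.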

Managing Existing Volumes


Windows 10 allows you to resize a volume by using the Shrink Volume or Extend Volume options within
the provided disk tools. You can shrink existing volumes to allow space to create additional, unallocated
space to use for data or apps on a new volume. On the new volume, you can:
●● Install another operating system, and then perform a dual boot.
●● Save data separately from the operating system.
You can shrink a volume only if it is formatted with the NTFS file system or is unformatted (RAW), and
you must be a member of the Backup Operators or Administrators group. When you shrink a volume,
Windows relocates movable files so that the freed space lies at the end of the volume, and that space
becomes unallocated. To make the maximum amount of space available, perform the following tasks
before shrinking:
●● Defragment the volume. This consolidates used clusters toward the start of the volume so that free space is at the end.
●● Ensure that the volume you are shrinking is not storing any page files.

When you shrink a volume, unmovable files (for example, a page file) do not relocate automatically. It is
not possible to decrease the allocated space beyond the point where the unmovable files are located. If
you need to shrink a partition further, transfer the unmovable file to another disk, shrink the volume, and
then transfer the unmovable file back to the disk. You can shrink simple and spanned volumes, but not
others. You can increase the size of a simple volume in the following ways:
●● Extend the simple volume on the same disk. The disk remains a basic disk if the free space is adjacent
to the volume you want to extend. If it is not contiguous space, then the disk will convert to a dynamic
disk.
●● Extend a simple volume to include unallocated space on other disks on the same computer. This
creates a spanned volume.
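The following script is an added example, not part of the course, that performs the shrink and extend operations described above with the Storage cmdlets. It uses Get-PartitionSupportedSize to find the smallest size the unmovable files allow and the largest size the adjacent unallocated space allows, and refuses any resize outside that range. Drive letters D and E are placeholders; growing E: with space freed from D: only works when E: sits immediately after D: on the same disk, which is exactly what SizeMax reports.

```powershell
# Added example, not from the course: shrink one volume and extend another, checking
# the supported size range first. Drive letters D and E are assumptions.

function Get-ResizeHeadroom {
    param([Parameter(Mandatory)][char]$DriveLetter)
    $partition = Get-Partition -DriveLetter $DriveLetter -ErrorAction Stop
    $limits    = Get-PartitionSupportedSize -DriveLetter $DriveLetter
    [pscustomobject]@{
        DriveLetter  = $DriveLetter
        CurrentBytes = $partition.Size
        MinBytes     = $limits.SizeMin   # smallest size; bounded by unmovable files such as the page file
        MaxBytes     = $limits.SizeMax   # current size plus contiguous unallocated space after the volume
        ShrinkableGB = [math]::Round(($partition.Size - $limits.SizeMin) / 1GB, 2)
        ExtendableGB = [math]::Round(($limits.SizeMax - $partition.Size) / 1GB, 2)
    }
}

function Resize-VolumeChecked {
    param(
        [Parameter(Mandatory)][char]$DriveLetter,
        [Parameter(Mandatory)][uint64]$NewSize
    )
    $h = Get-ResizeHeadroom -DriveLetter $DriveLetter
    if ($NewSize -lt $h.MinBytes -or $NewSize -gt $h.MaxBytes) {
        throw ("Requested size {0:N0} for {3}: is outside the supported range {1:N0} to {2:N0}." -f
               $NewSize, $h.MinBytes, $h.MaxBytes, $DriveLetter)
    }
    Resize-Partition -DriveLetter $DriveLetter -Size $NewSize
    Get-Volume -DriveLetter $DriveLetter | Select-Object DriveLetter, Size, SizeRemaining
}

# Inspect first. If D: holds a page file, MinBytes stays high until the file is moved.
Get-ResizeHeadroom -DriveLetter 'D'

# Shrink D: by 10 GB, then grow E: to the maximum the disk layout allows.
$d = Get-ResizeHeadroom -DriveLetter 'D'
Resize-VolumeChecked -DriveLetter 'D' -NewSize ($d.CurrentBytes - 10GB)
$e = Get-ResizeHeadroom -DriveLetter 'E'
Resize-VolumeChecked -DriveLetter 'E' -NewSize $e.MaxBytes
```

Running Optimize-Volume on D: before the shrink can lower MinBytes, because consolidating files moves the last used cluster closer to the start of the volume.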

Maintaining Disks and Volumes


Lesson Introduction
The storage functionality in Windows 10 can give you an overview of what types of files the volumes are
storing. When you first create a volume, you typically create new files and folders on a volume’s available
free space in contiguous blocks. This provides an optimized file system environment. As the volume
becomes full, the availability of contiguous blocks diminishes. This can lead to suboptimal performance.
This lesson explores file system fragmentation and the tools that you can use to reduce fragmentation.
You also will see how Windows 10 can compress files to take up less space on the hard disk. You will see
how you can configure disk quotas to monitor and control the use of disk space.

Lesson Objectives
After completing this lesson, you will be able to:
●● Explain the primary characteristics of the Storage functionality in Windows 10.
●● Describe how to use the Storage functionality.
●● Describe how files stored on disks might fragment.
●● Describe how to defragment volumes.
●● Explain folder compression.
●● Describe how to compress folders.
●● Describe what disk quotas are.
●● Describe how to configure disk quotas.

Monitoring Storage Usage


Windows 10 simplifies the process of monitoring storage usage. In previous Windows versions, it was not
easy to get an overview of what type of files took up space on the hard disks. Windows 10 gives you that
information in the Storage section of System Settings. Storage gives you an easy way to manage all your
storage and the files that a particular drive is storing. It presents a straightforward method to clean out
the files you no longer need and an easy way to select the drive where you want to store different
categories of files.
Storage
In Storage, you get an overview of all the volumes currently attached to your PC. This includes hard disks,
USB drives, and other external storage, except OneDrive. The drive that contains the Windows installation
has the label This PC. You identify the other drives by label and drive letter. When you select a drive, you
will get a more detailed view of the categories of files that are taking the most space. The categories are
color-coded to make it easier to see how the space is divided. Storage usage shows the size for the
following categories of files:
●● System & reserved
●● Apps & games
●● Documents
●● Pictures

●● Music
●● Videos
●● Mail
●● OneDrive
●● Desktop
●● Maps
●● Other people
●● Temporary files
●● Other
Depending on the drive and category that you select, you will have different management options. If you
select one of the file type categories on drives other than This PC, you will see a list of directories con-
taining files from that category. For This PC, you have a choice to open File Explorer with that particular
file type’s folder within the user’s profile.
System and Reserved
This category gives you a list of disk space used by Windows system files, virtual memory, hibernation file,
and System Restore. You can select Manage System Restore to configure System Restore and decide how
much disk space System Restore can use.
Apps and Games
You can sort the application list by size, name, and install date. You can also search for an app by name,
and when you select the app, you have easy access to uninstall the app.
OneDrive
You will be able to select which folders synchronize to this device to save disk space. This is particularly
useful on devices with limited storage space, such as tablets.
Temporary Files
This category gives you a list of disk space used by temporary files, downloads, the recycle bin, and
previous versions of Windows. For each item, there is an option to delete the files.
Save Locations
Storage usage also allows you to choose the drive to save new files. You can choose between the drives
connected to your computer. If you are signed in with a Microsoft account, you can also choose
OneDrive.

Disk Optimization
By default, Windows 10 optimizes internal storage devices automatically. The method of optimization
depends on whether the drive is a hard disk drive or a solid-state drive.

Hard Disk Drives and Defragmentation


Fragmentation of a file system occurs over time as you save, change, and delete files. Initially, Windows
saves files in contiguous areas on a given volume. This is efficient for the physical disk, as the read/write
heads are able to access these contiguous blocks most quickly.

As the volume fills with data and other files, contiguous areas of free space become harder to find. File
deletion also causes fragmentation of available free space. Additionally, when you extend and save a file,
such as editing a document or spreadsheet, there might not be contiguous free space following the
existing file blocks. This forces the I/O manager to save the remainder of the file in a noncontiguous area.
Over time, contiguous free space becomes more scarce, leading to fragmentation of newly stored
content. The incidence and extent of fragmentation varies depending on available disk capacity, disk
consumption, and usage patterns.
Although NTFS is more efficient at handling disk fragmentation than earlier file systems, this fragmenta-
tion still presents a potential performance problem. Combined hardware and software advances in the
Windows operating system help to mitigate the impact of fragmentation and deliver better responsive-
ness.

Solid State Drives (SSD)


Defragmentation is not needed on SSDs, as they work quite differently from traditional hard disk drives.
The Windows Storage Optimizer subsystem automatically uses TRIM to mark data blocks as not being
used and optimize the drive. While the Optimize Drives UI does not distinguish between defragmentation
and retrimming, Windows 10 detects the drive type and runs the appropriate optimization task when
needed.

Optimizing a disk
When you optimize a disk, files are relocated optimally. This ability to relocate files is beneficial when you
are shrinking a volume, because it frees up space that you can later reclaim. Windows 10 defragments
drives automatically on a scheduled basis, running weekly in the background to rearrange data and
reunite fragmented files. You can check the status of a defragmentation or perform a manual optimiza-
tion at any time by launching the Optimize Drives tool.
To optimize a volume or drive manually, or to change the automatic optimization schedule, right-click a
volume in File Explorer, select Properties, select the Tools tab, and then select Optimize. You can perform
the following tasks:
●● Change settings, which allows you to:
●● Enable or disable the automated optimization.
●● Specify the automated optimization frequency.
●● Set a notification for three consecutive missed optimization runs.
●● Select which volumes you want to optimize.
●● Analyze the disk to determine whether it requires optimization.

●● Launch a manual optimization.


You can also start the optimization process by launching Defragment and Optimize Your Drives from the
Administrative Tools section within the System and Security section in Control Panel.
To verify that a disk requires defragmentation, in the Optimize Drives tool, select the disk that you want
to defragment, and then select Analyze. After Windows finishes analyzing the disk, check the percentage
of fragmentation on the disk in the Current status column. If the number is high, you should defragment
the disk. The Optimize Drives tool might take several minutes to a few hours to finish defragmenting,
depending on the size and degree of fragmentation of the disk or USB device, such as an external hard
drive. You can use the computer during the defragmentation process, although disk access might be
slower and the defragmentation might take longer.
You can configure and run disk defragmentation from an elevated command prompt by using the defrag
command-line tool. Use Defrag /? at a command prompt for available options.
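The Optimize-Volume cmdlet exposes the same operations as the Optimize Drives tool and defrag.exe. The following script is an added example, not part of the course, that looks up the media type of the physical disk behind each fixed volume and runs a retrim for SSDs or a defragmentation for hard disk drives, mirroring the choice that Windows 10 makes for scheduled optimization. It assumes that the DeviceId reported by Get-PhysicalDisk matches the disk number reported by Get-Disk, which holds for locally attached disks.

```powershell
# Added example, not from the course: choose defragmentation or retrim per volume
# based on the media type of the physical disk behind it.
# Assumption: Get-PhysicalDisk's DeviceId matches the disk number from Get-Disk,
# which holds for locally attached disks.

function Get-VolumeMediaType {
    param([Parameter(Mandatory)][char]$DriveLetter)
    $partition = Get-Partition -DriveLetter $DriveLetter -ErrorAction Stop
    $physical  = Get-PhysicalDisk |
        Where-Object { $_.DeviceId -eq [string]$partition.DiskNumber }
    if (-not $physical) { return 'Unspecified' }
    return [string]$physical.MediaType    # HDD, SSD or Unspecified
}

function Invoke-VolumeOptimization {
    param(
        [Parameter(Mandatory)][char]$DriveLetter,
        [switch]$AnalyzeOnly
    )
    if ($AnalyzeOnly) {
        # -Analyze only reports fragmentation; nothing on the disk changes.
        Optimize-Volume -DriveLetter $DriveLetter -Analyze -Verbose
        return
    }
    switch (Get-VolumeMediaType -DriveLetter $DriveLetter) {
        'SSD'   { Optimize-Volume -DriveLetter $DriveLetter -ReTrim -Verbose }  # send TRIM for free blocks
        'HDD'   { Optimize-Volume -DriveLetter $DriveLetter -Defrag -Verbose }  # consolidate fragmented files
        default { Optimize-Volume -DriveLetter $DriveLetter -Verbose }          # let Windows pick
    }
}

# Report media type and fragmentation for every fixed volume that has a drive letter;
# drop -AnalyzeOnly to actually optimize.
Get-Volume |
    Where-Object { $_.DriveType -eq 'Fixed' -and ([string]$_.DriveLetter) -match '^[A-Za-z]$' } |
    ForEach-Object {
        "{0}: media type {1}" -f $_.DriveLetter, (Get-VolumeMediaType -DriveLetter $_.DriveLetter)
        Invoke-VolumeOptimization -DriveLetter $_.DriveLetter -AnalyzeOnly
    }
```

From a command prompt, `defrag C: /O` performs the same media-appropriate optimization in one step, and `defrag C: /A` corresponds to the analyze-only path.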
You can minimize file system fragmentation by using the following methods:
●● Partition a disk so that you isolate static files from those that users create and delete frequently, such
as some user-profile files and temporary Internet files.
●● Use the Disk Cleanup feature (cleanmgr.exe) to free disk space consumed by temporary files,
downloaded program files, and other unneeded files that accumulate in each user's profile.

File and Folder Compression


Windows 10 supports file compression on an individual-file basis on NTFS-formatted volumes only. The
file compression algorithm is lossless, which means that compressing and then decompressing a file
reproduces it exactly. This is different from lossy compression algorithms, such as those used by many
image, audio, and video formats, which discard some data to achieve smaller sizes.

Configuring compression
You set compression from the properties of a file or folder on the General tab. You select Advanced and
set or clear the compression attribute. You can also configure compression from the command line by
using the compact command.

Features of NTFS folder compression


NTFS compression, which is available on volumes that use NTFS, has the following features and limita-
tions:
●● Compression is an attribute of a file or folder.
●● Volumes, folders, and files on an NTFS volume are either compressed or uncompressed.
●● New files created in a compressed folder are compressed by default.
●● The compression state of a folder does not necessarily reflect the compression state of the files within
that folder. For example, you can compress a folder without compressing its contents, and you can
compress some or all of the files in a compressed folder.
●● You can work with NTFS-compressed files without decompressing them manually, because Windows
decompresses and recompresses them without user intervention:
●● When you open a compressed file, the Windows operating system automatically decompresses it for
you.

●● When the file closes, the Windows operating system compresses it again.
●● NTFS-compressed file and folder names display in a different color, by default, to make them easier to
identify.
●● NTFS-compressed files and folders only remain compressed while an NTFS volume is storing them.
●● You cannot encrypt an NTFS-compressed file.
●● The compressed bytes of a file are not accessible to applications, which see only the uncompressed
data:
●● Applications that open a compressed file can perform tasks on it as if the file was not compressed.
●● If you copy compressed files to a file allocation table (FAT) or Resilient File System (ReFS) volume, the
copy of the file will not be compressed because those file systems do not support NTFS compression.

Copying and moving compressed files and folders


When you move or copy compressed files and folders, the method and destination can change the
compression state. The following list explains what happens when you move and copy files:
●● When you copy a file or folder within an NTFS partition, the file or folder inherits the compression
state of the target folder. For example, if you copy a compressed file or folder to an uncompressed
folder, the file or folder is uncompressed automatically.
●● When you move a file or folder within an NTFS partition, the file or folder retains its original compres-
sion state. For example, if you move a compressed file or folder to an uncompressed folder, the file
remains compressed.
●● When you move a file or folder between NTFS partitions, the file or folder inherits the target folder’s
compression state. Because Windows 10 treats a move between partitions as a copy followed by a
delete operation, the files inherit the target folder’s compression state.
●● When you copy a file to a folder that already contains a file of the same name, the copied file takes on
the compression attribute of the target file, regardless of the compression state of the folder.
●● Compressed files that you copy to a FAT partition are uncompressed because FAT volumes do not
support compression. However, when you copy or move files from a FAT partition to an NTFS parti-
tion, they inherit the compression attribute of the folder into which you copy them.
●● When you copy a file, NTFS calculates disk space based on the uncompressed file’s size. This is
important because files are uncompressed during the copy process, and the system must ensure there
is enough space. If you copy a compressed file to an NTFS partition that does not have enough space
for the uncompressed file, an error message notifies you that there is not enough disk space.
Compressed (zipped) folder
In Windows 10, you can combine several files and folders into a single compressed folder by using the
Compressed (zipped) Folder feature. Use this feature to share a group of files and folders with others,
without sending individual files and folders.
Files and folders that you compress by using the Compressed (zipped) Folder feature can be stored on
both FAT-formatted and NTFS-formatted volumes. A zipper icon identifies files and folders that you
compress by using this feature.
You can open files directly from these compressed folders, and you can run some programs directly
from compressed folders without uncompressing them. Compressed (zipped) folders use the standard
zip format, so they are compatible with other zip tools. You also can move compressed files and folders
to any drive or folder on your computer, the Internet, or your network.
Compressing folders by using Compressed (zipped) Folder does not affect a computer's overall
performance. Central processing unit (CPU) utilization increases only while Compressed (zipped) Folder
is compressing or extracting files. Compressed files take up less storage space, and you can transfer
them to other computers more quickly than uncompressed files. You can work with compressed files
and folders the same way you work with uncompressed files and folders.
Comparing zipped folder compression and NTFS folder compression
You should be aware of the differences between zipped folder compression and NTFS folder compression.
A zipped folder is a single file inside which Windows allows you to browse. Some applications can access
data directly from a zipped folder, while other applications require that you first unzip the folder
contents before the application can access the data.
In contrast, NTFS compression compresses individual files within a folder. Therefore, NTFS compression
does not affect data access as zipped folders do, because it occurs at the file system level and is
transparent to applications. Additionally, zipped folders are useful for combining multiple files into a
single email attachment, whereas NTFS compression is not.
File and folder compression that uses the Send To Compressed (zipped) Folder command is different
from NTFS file and folder compression:
●● For selected files or folders, the Send To Compressed (zipped) Folder command compresses the
selected content into a portable zip file. The original file or folder does not change, and a new,
compressed zip file is created.
●● NTFS compression does not create a second, compressed zip-type file. Instead, it reduces the size of
the selected file, folder, or volume in place by compressing its content.
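The following script is an added example, not part of the course, that sets NTFS compression with the compact command mentioned earlier, reads the Compressed attribute back, and demonstrates the copy and move rules from the list above on real files. It assumes that the %TEMP% folder is on an NTFS volume, which NTFS compression requires, and cleans up after itself.

```powershell
# Added example, not from the course: set NTFS compression with compact.exe,
# read the Compressed attribute back, and show how copy and move change it.
# Assumption: %TEMP% is on an NTFS volume (required for NTFS compression).

function Test-NtfsCompressed {
    param([Parameter(Mandatory)][string]$Path)
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attr -band [System.IO.FileAttributes]::Compressed)
}

$root  = Join-Path $env:TEMP ('ntfscomp-' + [guid]::NewGuid().ToString('N'))
$comp  = (New-Item -ItemType Directory -Path (Join-Path $root 'compressed')).FullName
$plain = (New-Item -ItemType Directory -Path (Join-Path $root 'plain')).FullName

# compact /c on a folder sets the attribute on the folder itself, so files created in
# it later are compressed; add /s to also compress files that already exist inside it.
compact.exe /c "$comp" | Out-Null

# A new file created in a compressed folder is compressed by default.
$src = Join-Path $comp 'report.txt'
Set-Content -Path $src -Value ('A' * 64KB)
"new file in compressed folder: $(Test-NtfsCompressed $src)"

# Copy inherits the target folder's state: the copy in 'plain' is uncompressed.
$copy = Join-Path $plain 'copy.txt'
Copy-Item -LiteralPath $src -Destination $copy
"copy into plain folder:        $(Test-NtfsCompressed $copy)"

# Move within one volume keeps the original state: the moved file stays compressed.
$moved = Join-Path $plain 'moved.txt'
Move-Item -LiteralPath $src -Destination $moved
"move within same volume:       $(Test-NtfsCompressed $moved)"

# compact /u clears the attribute on a file; compact /c /s:<dir> compresses a whole tree.
compact.exe /u "$moved" | Out-Null
"after compact /u:              $(Test-NtfsCompressed $moved)"

# compact with no switches reports the compression state and ratio of a folder's contents.
compact.exe "$plain"

Remove-Item -LiteralPath $root -Recurse -Force
```

Reading the attribute rather than trusting the folder's state is the reliable check, because, as the list above notes, a folder's compression state does not necessarily match that of the files inside it.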

Managing Storage Spaces


Lesson Introduction
Managing multiple physical disks attached directly to a computer can often be a tedious task for adminis-
trators. To overcome this problem, many organizations use SANs that essentially group physical disks
together. SANs require specialized configuration and sometimes specialized hardware, which makes them
expensive. To overcome these issues, you can use the Storage Spaces feature. It pools disks together, and
presents them to the operating system as a single disk. This lesson explains how to configure and
implement the Storage Spaces feature.

Lesson Objectives
After completing this lesson, you will be able to:
●● Explain what the Storage Spaces feature is.
●● Describe the features of Storage Spaces.
●● Discuss in which scenarios to use Storage Spaces.
●● Show how to configure Storage Spaces.

Storage Spaces Overview


Storage Spaces is a storage virtualization capability that is available in Windows Server 2012, in addition
to Windows 8 and newer versions. Windows Server 2016 includes a version called Storage Spaces Direct.
Storage Spaces is available for NTFS and ReFS volumes, providing redundancy and pooled storage for
numerous internal and external drives of differing sizes and interfaces. You can use Storage Spaces to add
physical disks of any type and size to a storage pool, and then create highly available virtual disks from
the storage pool. The primary advantage of Storage Spaces is that you do not have to manage single
disks, but can manage multiple disks as one unit.

To create a highly available virtual disk, you need the following:


●● Physical disk. Physical disks are disks such as Serial ATA (SATA) or Serially Attached SCSI (SAS) disks. If
you want to add physical disks to a storage pool, the disks need to satisfy the following requirements:
●● Creating a storage pool requires one physical disk.
●● Creating a resilient mirror virtual disk requires a minimum of two physical disks.

●● Creating a virtual disk with resiliency through parity requires a minimum of three physical disks.
●● Three-way mirroring requires at least five physical disks.
●● Disks must be blank and unformatted; no volume must exist on them.
●● Disks attachment can use a variety of bus interfaces including SAS, SATA, small computer system
interface (SCSI), and USB.
●● Storage pool. A storage pool is a collection of one or more physical disks that you can use to create
virtual disks. You can add all nonformatted physical disks and disks that do not have an attachment to
another storage pool to a storage pool.
●● Storage space. This is similar to a physical disk from the perspective of users and programs. However,
storage spaces are more flexible because they include thin provisioning or just-in-time (JIT) alloca-
tions, and they include resiliency to physical disk failures with built-in functionality such as mirroring.
●● Disk drive. You can access this volume from your Windows operating system, for example, by using a
drive letter.

Features of Storage Spaces


You can create storage spaces from storage pools. If your storage pool contains more than one disk, you
can also create redundant storage spaces. To configure Storage Spaces in the Control Panel or Windows
PowerShell, you need to consider the following features and their redundancy functionalities.

Storage layout
This setting defines how the virtual disk lays out data across the physical disks in the storage pool,
which determines the minimum number of disks it needs and how many disk failures it tolerates. Valid
options include:
●● Simple. A simple space has data striping but no redundancy. In data striping, logically sequential data
is segmented across all disks in such a way that provides access for these sequential segments to
different physical storage drives. Striping makes it possible to access multiple segments of data
concurrently. Do not host important data on a simple volume, because it provides no failover capabili-
ties when the disk that is storing the data fails. This is similar to the striped volumes discussed earlier.
●● Two-way and three-way mirrors. Mirror spaces maintain two or three copies of the data that they host
(two data copies for two-way mirrors and three data copies for three-way mirrors). Data duplication
happens with every write to ensure that all data copies are always current. Mirror spaces also stripe
the data across multiple physical drives. Mirror spaces provide the benefit of greater data throughput
and lower access latency. They also do not introduce a risk of corrupting at-rest data, and do not
require the extra journaling stage when writing data. Two-way mirrors are similar to the mirrored
volumes discussed earlier.
●● Parity. A parity space is similar to RAID 5. Storage Spaces stores data, along with parity information,
striped across multiple physical drives. Parity enables Storage Spaces to continue servicing read and
write requests even when a drive has failed. Parity always rotates across available disks to enable I/O
optimization. Storage Spaces require a minimum of three physical drives for parity spaces. Parity
spaces have increased resiliency through journaling. There is no equivalent to parity in volumes on
dynamic disks.

Provisioning schemes
You can provision a virtual disk by using two different schemes:
●● Thin provisioning space. Thin provisioning is a mechanism that enables you to allocate storage when
the storage space needs it. The storage pool organizes the storage capacity into provisioning slabs.
The allocation does not happen until the point when datasets grow to require the storage. As op-
posed to the traditional fixed storage allocation method, in which you might allocate large pools of
storage capacity that remain unused, thin provisioning optimizes utilization of available storage.
Organizations also can save on operating costs, such as electricity and floor space, associated with
keeping the unused drives operating. The disadvantage of thin provisioning is slightly lower write
performance, because the pool allocates a slab at the moment data first needs it.
●● Fixed (or “thick”) provisioning space. With Storage Spaces, fixed provisioned spaces also employ the
flexible provisioning slabs. The difference between thin provisioning and a fixed provisioning space is
that the storage capacity allocation in the fixed provisioning space happens at the same time as
storage space creation.

Scenarios for Storage Spaces

Storage Spaces can simplify your storage administration and allow for easy storage growth. In most
enterprises, servers will be the only computers using Storage Spaces. Small offices might use Storage
Spaces in Windows 10 to create high-capacity storage that is easy to administer.

Thin provisioning storage


The need for storage is always growing. Smaller companies without IT staff might find it difficult to add
new storage to their solutions today. Storage Spaces can help with storage growth when you use thin
provisioning. Thin provisioning will allow you to create a bigger storage space than what the disks will be
able to store. You then add the disks to the storage space when you need more storage, and the storage
space will automatically claim the space on the disks.

Reliable storage
Small businesses often do not have the funds for acquiring enterprise-grade storage solutions. Storage
Spaces can help these companies get fault-tolerant storage for an affordable price. Storage Spaces has
two resiliency types that provide fault tolerance. These will help to make the storage highly available in
case of disk failures. Two-way mirror and parity can function even when one drive fails. Three-way mirror
can function with two drive failures.

High-performance storage
Users who have computing needs with high-performance storage, such as video editing, might also
benefit from Storage Spaces. When you create a storage space with parity resilience, the striping will give
better read and write performance to the storage. When you use SSDs as the physical drives, you
should be able to get the required disk I/O.
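The resiliency types and provisioning schemes described above, as an added PowerShell example that is not part of the course: it pools the disks that Windows reports as eligible, builds a thinly provisioned two-way mirror on them (the layout Lab 0602 asks for), formats it, and reports the result. It assumes an elevated session on a Windows 10 machine with at least two unpartitioned disks; the pool, disk and label names are constructed for the example.

```powershell
# Added example (not from the course): thin, two-way mirror storage space end to end.
# Assumes an elevated session and disks that report CanPool = True. Names are constructed.
function New-MirroredSpace {
    param(
        [string]$PoolName   = 'SalesPool',
        [string]$DiskName   = 'SalesData',
        [string]$Label      = 'Sales',
        [uint64]$Size       = 4TB,
        [string]$FileSystem = 'NTFS'   # ReFS is also allowed here, because the space is mirrored
    )

    # Disks that already carry partitions are not poolable, which is why Lab 0602 removes
    # the partition from Disk 1 before building the pool.
    $poolable = @(Get-PhysicalDisk -CanPool $true)
    if ($poolable.Count -lt 2) {
        throw "A two-way mirror needs at least two poolable disks; found $($poolable.Count)."
    }

    # One pool on the local subsystem; the wildcard matches "Windows Storage on <host>".
    New-StoragePool -FriendlyName $PoolName -StorageSubSystemFriendlyName 'Windows Storage*' `
        -PhysicalDisks $poolable | Out-Null

    # Two-way mirror: every write lands on two disks, so one disk can fail.
    # Thin provisioning: slabs are allocated as data grows, so the virtual disk may be
    # larger than the raw capacity currently in the pool. Parity would instead use
    # -ResiliencySettingName Parity and needs three or more disks.
    New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName $DiskName `
        -ResiliencySettingName Mirror -NumberOfDataCopies 2 `
        -ProvisioningType Thin -Size $Size | Out-Null

    # Bring the new disk online as a single GPT volume.
    Get-VirtualDisk -FriendlyName $DiskName | Get-Disk |
        Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -UseMaximumSize -AssignDriveLetter |
        Format-Volume -FileSystem $FileSystem -NewFileSystemLabel $Label -Confirm:$false | Out-Null

    # Report what was built. With thin provisioning, watch AllocatedSize against the pool's
    # capacity: when it approaches Size, add physical disks to the pool.
    Get-VirtualDisk -FriendlyName $DiskName |
        Select-Object FriendlyName, ResiliencySettingName, NumberOfDataCopies,
                      ProvisioningType, Size, AllocatedSize, HealthStatus
}

New-MirroredSpace
```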

Practice Labs and Module Review


Module 6 Practice Labs
Lab 0601: Managing Storage

Summary
In this lab you will learn how to manage local disk storage using Disk Management and PowerShell.

Exercise 1: Creating and Managing a Simple Volume

Scenario
You need to add storage to SEA-WS2. Additional disks have been installed and you now have to create
two new partitions to store data.

Lab 0602: Creating a Storage Space

Summary
In this lab you will configure a storage space that will combine multiple disk drives to one large single
disk.

Scenario
The sales department requires a new file share on SEA-WS2 that requires a mirror for resiliency. You have
added three new disk drives to SEA-WS2, and have decided to configure a storage space. You will remove
the partition from Disk 1 first and then use Disk 1, Disk 2, and Disk 3 to create a two-way mirror storage
pool inside a newly created storage space.

Module Review
Check Your Knowledge
1. Which of the following is not true when describing NAS devices?
A. NAS is storage that is connected to a dedicated storage device.
B. You can access it over the network.
C. NAS is directly attached to a computer or server.
D. Each NAS device has a dedicated operating system that controls access to the data on the device.
E. NAS devices typically provide file-level access to the storage.
F. All are true.
2. You are upgrading the local storage for a Windows 10 computer to a 6 TB disk. You have decided to
configure it as a GPT disk. Which of the following is a benefit of GPT disks? (select three)
A. 128 partitions per disk.
B. 18 exabytes of volume size.
C. They are not GPR disks.
D. Redundancy.
E. They require a 64-bit operating system.
F. They are not redundant.
3. You are configuring a user's computer to have a fault tolerant volume. You will need to convert two of
the disks in the system from basic disks to dynamic disks. Which are some considerations you must be
aware of? (select three)
A. You need at least 1 MB of unused space on the disk
B. You cannot convert a dynamic disk to a basic disk without losing data.
C. You cannot delete all dynamic volumes on the disk.
D. You can use Windows PowerShell to manage dynamic disks.
E. You use the Disk Management snap-in to convert a basic disk to a dynamic disk.
4. You are an IT Support professional for your organization. You need to manage volumes quickly and
confirm the health of each volume. Which tool should you use?
A. Disk Management
B. DiskPart
C. Settings app
D. File Explorer
5. Some of the users in your organization are running out of disk space. You have identified that these
users have unallocated free space on a different disk in their computers. What volume would add
space to their existing volume?
A. Mirrored volumes
B. Spanned volumes
C. Striped volumes
D. JBOD volumes
E. None mentioned
6. Which of the following statements are true when referring to NTFS compression? (select three)
A. Compression is an attribute of a file or folder.
B. Volumes, folders, and files on an NTFS volume are either compressed or uncompressed.
C. New files created in a compressed folder are not compressed by default.
D. The compression state of a folder reflects the compression state of the files within that folder.
E. When you open a compressed file, the Windows operating system automatically decompresses it
for you.
F. Compressed files or folders can not be deleted until they are uncompressed.
7. Which of the following represents a collection of one or more physical disks that you can use to
create virtual disks?
A. Physical disk
B. Storage pool
C. Storage space
D. Disk drive
8. You are an IT support professional for a start-up firm experiencing rapid growth. In the last year your
file servers have experienced 300% growth and are now at capacity. Which of the Storage Spaces
features would your organization benefit from the most?
A. Thin provisioning storage
B. Reliable storage
C. High-performance storage
D. None mentioned
Answers: 1) C 2) A,B,D 3) A,B,E 4) A 5) B 6) A,B,E 7) B 8) A
Module 7 Configuring Data Access and Usage

Overview of File Systems


Lesson Introduction
Before you can store data on a volume, you must first format the volume. To format a volume, you must
select the file system that the volume should use. Windows 10 supports different file systems, including
file allocation table (FAT), FAT32, and extended file allocation table (exFAT); NTFS file system and Resilient
File System (ReFS); and Compact Disc File System (CDFS) and Universal Disk Format (UDF), which are used
on optical and read-only media.
In this lesson, you will learn about the differences and benefits of the file systems that Windows 10
supports.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the features of the FAT file system.
●● Explain the features of the NTFS file system.
●● Describe the features of the ReFS file system.
●● Work with the file systems available in Windows 10.

The FAT File System


FAT is the oldest file system that Windows 10 supports. It has a low overhead but many limitations when
compared with newer file systems. However, enterprises often use it because nearly every operating
system supports it. For example, you would use FAT on removable media, such as a USB key, when you
need to transfer data between Windows 10 and a non-Microsoft operating system or on a local hard
drive if you have a PC with dual-boot configuration.
Windows 10 supports three versions of FAT: FAT, FAT32, and exFAT. The main difference between the
three versions is the size of the largest supported volume, the default cluster size, and the maximum

number of files and folders that you can create on the volume. The following table lists the differences
between the three FAT versions.

Attribute                  FAT                FAT32          exFAT
Maximum volume size        4 gigabytes (GB)   32 GB          2^32 - 1 clusters
Maximum file size          4 GB               4 GB           16 exabytes
Maximum files per volume   65536              4177920        Nearly unlimited
Note: A cluster is the smallest unit of disk space that you can allocate to store a file. For example, if a
volume cluster is 4 kilobytes (KB) and you store a file with a size of 100 bytes on that volume, it will use
one cluster, which is 4 KB.
Note: The exFAT file system supports clusters from 512 bytes to 32 megabytes (MB).
Additional Reading: For a detailed comparison between FAT and FAT32, refer to: “FAT16 vs. FAT32” at:
http://aka.ms/i7wc50
Additional Reading: For more information about exFAT limitations, refer to: “File System Functionality
Comparison” at: http://aka.ms/q3z160
When you compare any version of FAT with the NTFS file system, which is the default file system in
Windows 10, you will find that many NTFS features are not available with FAT, such as:
●● Security. You cannot configure file permissions and limit user actions on a FAT volume. Any user has
unlimited permissions to data stored on a FAT volume, which includes reading, modifying, and
deleting. You cannot limit user permissions to data that the FAT file system stores.
●● Auditing. You cannot audit user actions on the FAT file system. For example, if a user deletes a file,
Event Viewer will not log that action.
●● Compression. The FAT file system does not support compression and each file uses its full original
size, rounded to the closest cluster size. You can use compression that is not file-system dependent
on the FAT file system, such as compressed (zipped) folders.
●● Encryption. Encrypting File System (EFS) is not supported, and you cannot use it on ExFAT volumes.
You can use encryption that is not file-system dependent, such as non-Microsoft Pretty Good Privacy
(PGP) solution.
●● Disk Quota. The FAT file system does not support quotas. This means that you cannot limit the disk
space that users can use on a FAT volume. Each user can store as much data as there is available space
on the FAT volume.
Note: Windows 10 adds support for encryption on FAT and FAT32 volumes.
Note: You select a file system and cluster size when you format a volume. However, you cannot change the
file system or cluster size that you are using on the volume. You can only perform a backup, and then
reformat the volume with different parameters. The only exception is that you can convert FAT or FAT32
to NTFS file system.

The NTFS File System


The NTFS file system is the default file system in Windows 10.

The NTFS file system provides performance, reliability, and advanced features that are not available in any
version of FAT, including:
●● Reliability. The NTFS file system uses log-file and checkpoint information to restore the consistency of
the file system when the computer restarts. In the event of a bad-sector error, the NTFS file system
dynamically remaps the cluster that contains the bad sector, and it allocates a new cluster for the data.
The NTFS file system also marks the cluster as bad, and no longer uses it.
●● Security. You can set permissions on a file, folder, or the entire NTFS volume, which enables you to
control which users, groups, or computers can read, modify, or delete data. You also can enable
auditing to log activities on the NTFS volume.
●● Data confidentiality. The NTFS file system supports EFS to protect file content. If you have enabled
EFS, you can encrypt files and folders for use by single or multiple users. The benefits of encryption
are data confidentiality and integrity, which can protect data against malicious or accidental
modification.
●● Limit storage growth. The NTFS file system supports the use of disk quotas, which enable you to
specify the amount of disk space that is available to a user. When you enable disk quotas, you can
track and control disk-space usage. You can configure whether to allow users to exceed their limits
and configure Windows 10 to log an event when a user exceeds a specified warning level or quota
limit.
●● Provide additional space. The NTFS file system allows you to create extra disk space by compressing
files, folders, or whole drives. You also can extend an NTFS volume by mounting an additional volume
to an empty folder.
●● Support for large volumes. You can format a volume up to 256 TB by using the NTFS file system with a
64 KB cluster size. The NTFS file system supports larger files and a larger number of files per volume
compared with any FAT version. The NTFS file system also manages disk space efficiently by using
smaller cluster sizes. For example, a 30-GB NTFS volume uses 4-KB clusters. The same volume
formatted with FAT32 uses 16-KB clusters. Using smaller clusters reduces space wastage on hard disks.
●● Advanced features. The NTFS file system includes multiple advanced features, such as distributed link
tracing, sparse files, and multiple data streams.

Note: By using the Convert.exe utility, you can convert FAT or FAT32 to NTFS file system on data volumes
without downtime or data loss.
You cannot convert NTFS to FAT. You first must back up data, and then format the volume by using the
NTFS system and restore the data.

The ReFS File System

Windows Server 2012 introduced ReFS. It also is available in Windows 8.1, Windows Server 2012 R2, and
in all newer Microsoft operating systems. ReFS is built on the NTFS file system, and it is designed to
provide the highest level of resiliency, integrity, and scalability, regardless of software or hardware
failures. ReFS includes only some NTFS features, such as security and auditing, but does not support
others, such as quotas, compression, and EFS encryption. ReFS is especially useful for data volumes in
multiterabyte (TB) file servers and for cluster-shared volumes in failover clusters.

ReFS includes the following benefits:


●● ReFS is designed to provide the highest level of protection for data from common errors that can
cause corruption, such as unexpected loss of power or disk failure. If you use ReFS with redundant
storage, which is mandatory in Windows 10, ReFS can detect data corruption and automatically
correct it by using the second copy of the data.
●● ReFS periodically scans volumes. If it detects corruption, ReFS tries to correct the corruption
automatically. If it cannot repair the corruption automatically, ReFS localizes the salvaging process to the
corruption area. This does not require any downtime for the volume.
●● ReFS supports extremely large volumes, even larger than the NTFS file system, without impacting
performance. ReFS volumes can have multiple petabytes of data, and the theoretical size limit for a ReFS
volume is 2^78 bytes.
●● ReFS allows you to control file permissions and configure auditing as you would with the NTFS file
system. But several other NTFS features, such as compression, disk quotas, EFS, and volume shrinking,
are not available with ReFS volumes.
Windows 10 provides limited support for ReFS. You can use it only with two-way or three-way mirror storage
spaces. You cannot format ReFS for nonmirrored storage spaces, such as simple or parity storage spaces.

Additional Reading: For more information on ReFS, refer to: “Resilient File System Overview” at:
http://aka.ms/m3p37a

Configuring and Managing File Access


Lesson Introduction
You can control user access to files by configuring file and folder permissions. If file permissions are
supported by the file system, such as the NTFS file system or ReFS, you can configure permissions at the
volume (root folder), folder, and file levels. You also can assign permissions explicitly or you can inherit
them from the higher levels. If you are unsure whether you can inherit permissions, you can use the
effective permissions feature to review what type of permissions a user or group has to a file. While
permissions typically use group membership to control access, if Windows 10 is an AD DS member, you
also can use conditions to limit access. Conditions use claims, which are user-property values in AD DS.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the tools for managing files and folders.
●● Describe how to configure file and folder permissions.
●● Describe the concept of permission inheritance.
●● Implement conditions to limit file and folder access.
●● Secure files and folders by using file permissions.
●● Use the effective permissions feature.
●● Describe how copying and moving files and folders affect permissions.

Tools Used for Managing Files and Folders


When you restart or turn off a PC, only data that has been stored persists; the contents of memory are
lost. You can store data as files, either on local or remote storage. You can manage files by using several
tools in Windows 10, such as File Explorer, command prompts, and Windows PowerShell.

File Explorer
File Explorer, called Windows Explorer in previous Windows versions, is a tool that you typically use to
manage files and folders. File Explorer provides a simple interface that is familiar to most Windows users.
You can use File Explorer to perform several functions, including:
●● Creating files and folders.
●● Accessing files and folders.
●● Managing properties of files and folders.
●● Searching for content in files and folders.
●● Previewing contents of files and folders.
By default, File Explorer is pinned to the Windows 10 taskbar. It includes the navigation and the details
pane, in addition to the address bar and ribbon, which makes it easier to use on touch devices. Depending
on your permissions, you can right-click or use the ribbon option in File Explorer to access the
properties of any file or folder. You also can manage file permissions, and create, open, and delete files.
The ribbon is context-sensitive, and it provides fast access to common options. For example, you can map a
network drive from the ribbon when you have This PC selected, and you can create a new folder when
you have Local Disk (C:) selected. If you need to access the same folder often, you can pin it to Quick
access, and it will appear in the navigation pane.
If you need to manage file permissions in File Explorer, right-click the object, and then select Properties,
or select the object, and then select Properties on the Home tab of the ribbon. You can configure
permissions on the Security tab of the Properties dialog box.

Command prompt
If you prefer, you can use a command prompt to access files and folders. You can access a command
prompt by right-clicking Start or by typing cmd in the Search the web and Windows text box on the
taskbar. The following table lists some common commands for managing files and folders.

Command        Purpose
cd, chdir      Changes the parent directory.
md, mkdir      Creates a directory.
del, erase     Deletes one or more files.
move           Moves one or multiple files.
dir            Displays a list of files and subdirectories in a directory.
icacls         Displays or modifies permissions by using access control lists (ACLs).
Additional Reading: For more information on the icacls tool, refer to: “icacls” at: http://aka.ms/e898bk

Windows PowerShell
You can access Windows PowerShell by typing PowerShell in the Search the web and Windows text
box on the taskbar. Windows PowerShell provides multiple cmdlets that you can use to manage files and
folders, such as Get-Childitem, which displays a directory’s list of files and subdirectories, or Set-Location,
which changes the parent directory. It also includes many aliases, which are the same as the familiar tools
in command prompt, such as dir and cd, and you can use them instead of the Windows PowerShell
cmdlets. Run the Get-Alias cmdlet to view the list of all aliases.
To manage file permissions, you can use the Get-ACL and Set-ACL cmdlets. For example, to see the
current ACL on the C:\Perflogs directory, with the output in list format, run the following command:
Get-ACL C:\Perflogs | Format-List

To modify a file or folder’s ACL, use the Set-ACL cmdlet. You also can use the Get-ACL cmdlet in
conjunction with the Set-ACL cmdlet. You can use the Get-ACL cmdlet to provide the input by getting the
object that represents the file or folder’s ACL, and then use the Set-ACL cmdlet to change the ACL of the
target file or folder to match the values that the Get-ACL cmdlet provides.
For example, to set the ACL on the C:\Folder2 folder to be the same as the permissions on C:\Folder1,
including inheritance settings, you would run the following command:
Get-ACL C:\Folder1 | Set-ACL C:\Folder2

Additional Reading: For more information on the Set-ACL cmdlet, refer to: “Set-Acl” at: http://aka.ms/
xxgj91

File and Folder Permissions


You can configure file and folder permissions only on NTFS and ReFS volumes. Permissions are rules that
determine what operations specific users can perform on a file or a folder. A file or folder’s owner can
grant or deny permissions to it, as can anyone with Full Control permissions, which grants that person
rights to modify permissions for that file or folder. You assign permissions to files and folders by granting
or denying a specific permission level. Typically, you assign them in groups to minimize administrative

overhead. If you assign permissions to a group, every group member has the assigned permission. You
can also assign permissions to individual users and computers. If you assign permissions to a group and
to individual group members, they are cumulative. This means that a user has the permissions that you
assign to him or her, in addition to those you assign to the group.

Permissions example
Consider the following example. Adam is a member of the Marketing group, which has Read permission
to the Pictures folder. If an administrator assigns Write permissions to Adam for the Pictures folder, Adam
will have Read permissions, because he is a member of the Marketing group, and Write permissions,
because the administrator assigned them directly to him.

Types of permissions
You can configure two types of permissions for files and folders on NTFS and ReFS volumes: basic and
advanced. The difference is that:
●● Basic permissions are the most commonly used permissions. You most often will work with basic
permissions and assign them to groups and users. Each basic permission is built from multiple special
permissions.
●● Advanced permissions provide a finer degree of control. However, advanced permissions are more
complex to document and manage than basic permissions.

Basic file and folder permissions


The following table lists the basic file and folder permissions. You can choose whether to allow or deny
each.

●● Full control. Provides complete control of the file or folder and control of permissions.
●● Modify. Allows you to read a file, write changes to it, and modify permissions. The advanced permissions
that comprise Modify permissions are Traverse folder/execute file, List folder/read data, Read attributes,
Read extended attributes, Create files/write data, Create folders/append data, Write attributes, Write
extended attributes, Delete, and Read permissions.
●● Read & execute. Allows you to see folder content, read files, and start programs. This applies to an
object and any child objects by default. The advanced permissions that make up Read & execute
permissions are Traverse folder/execute file, List folder/read data, Read attributes, Read extended
attributes, and Read permissions.
●● Read. Allows you only the ability to read a file, not make any changes to it. This applies to an object and
any child objects by default. The advanced permissions that make up Read permissions are List folder/read
data, Read attributes, Read extended attributes, and Read permissions.
●● Write. Allows you to change folder and file content. This applies to an object and any child objects by
default. The advanced permissions that make up Write permissions are Create files/write data, Create
folders/append data, Write attributes, and Write extended attributes.
●● Special permissions. This is a custom configuration.
Note: Groups or users that have the Full Control permission on a folder can delete any files in that
folder, regardless of the permissions that protect the file.
To modify permissions, you must have the Full Control permission for a folder or file. The one exception is
for file and folder owners. The owner of a file or folder can modify permissions, even if they do not have
any current permission. Administrators can take ownership of files and folders to make modifications to
permissions.
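The basic permissions in the table above are bit combinations of the advanced permissions, and that is exactly how Get-ACL (from the Windows PowerShell topic earlier in this lesson) returns them. As an added example that is not part of the course, the script below decomposes each basic level into its advanced permissions using the .NET FileSystemRights flags, then reports a folder's ACL in the same terms the Security tab shows; C:\Perflogs is reused as the sample path and any folder works.

```powershell
# Added example (not from the course): basic permissions as sets of advanced permissions,
# and a per-entry ACL report built on Get-Acl. Reads only; nothing is modified.

# Advanced permissions, named as the course names them, mapped to FileSystemRights flags.
$advanced = [ordered]@{
    'Traverse folder/execute file' = 'ExecuteFile'
    'List folder/read data'        = 'ReadData'
    'Read attributes'              = 'ReadAttributes'
    'Read extended attributes'     = 'ReadExtendedAttributes'
    'Create files/write data'      = 'WriteData'
    'Create folders/append data'   = 'AppendData'
    'Write attributes'             = 'WriteAttributes'
    'Write extended attributes'    = 'WriteExtendedAttributes'
    'Delete subfolders and files'  = 'DeleteSubdirectoriesAndFiles'
    'Delete'                       = 'Delete'
    'Read permissions'             = 'ReadPermissions'
    'Change permissions'           = 'ChangePermissions'
    'Take ownership'               = 'TakeOwnership'
    'Synchronize'                  = 'Synchronize'
}

# The five basic permission levels from the table, as FileSystemRights values.
$basic = [ordered]@{
    'Full control'   = [System.Security.AccessControl.FileSystemRights]::FullControl
    'Modify'         = [System.Security.AccessControl.FileSystemRights]::Modify
    'Read & execute' = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    'Read'           = [System.Security.AccessControl.FileSystemRights]::Read
    'Write'          = [System.Security.AccessControl.FileSystemRights]::Write
}

function Get-AdvancedRights {
    # Names of the advanced permissions contained in a rights value.
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    foreach ($entry in $advanced.GetEnumerator()) {
        $flag = [System.Security.AccessControl.FileSystemRights]$entry.Value
        if (($Rights -band $flag) -eq $flag) { $entry.Key }
    }
}

function Resolve-BasicPermission {
    # Map a rights value to its basic level, or to 'Special permissions' when it is not an
    # exact match (the Security tab shows a shaded Special permissions entry in that case).
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    # Windows adds Synchronize to Allow entries; ignore it when matching a level.
    $sync  = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    $value = [int]$Rights -band (-bnot $sync)
    foreach ($name in $basic.Keys) {
        if ($value -eq ([int]$basic[$name] -band (-bnot $sync))) { return $name }
    }
    return 'Special permissions'
}

function Get-AclReport {
    # One row per access control entry, as the Advanced Security Settings dialog lists them.
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType          # Allow or Deny
            Permission = Resolve-BasicPermission $ace.FileSystemRights
            Inherited  = $ace.IsInherited                # explicit vs inherited
            AppliesTo  = [string]$ace.InheritanceFlags   # None = this folder only
        }
    }
}

# Part 1: what each basic permission is made of (compare with the table above).
foreach ($name in $basic.Keys) {
    '{0,-15}{1}' -f $name, ((Get-AdvancedRights $basic[$name]) -join ', ')
}

# Part 2: the ACL of a real folder. Deny entries and broad Full control grants stand out here.
Get-AclReport -Path 'C:\Perflogs' | Format-Table -AutoSize
```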

Overview of Permission Inheritance


There are two ways that you can assign permissions to files and folders, including:
●● Explicit permissions. When you set permissions directly on a file or a folder, the permissions are
applied explicitly. You can assign permissions to the object directly by modifying the security settings
in the object’s properties dialog box.
●● Inherited permissions. Files and folders typically are arranged in a nested structure, where a folder
contains subfolders and files, and those subfolders contain files and folders. Permission inheritance
allows for child objects to inherit the parent object’s permissions settings. This allows you to assign
explicit permissions to a parent folder and have inheritance pass those permissions settings down to
the parent folder’s subfolders and files. You can control inheritance behavior. Inherited permissions

ease the task of managing permissions, and they ensure the consistency of permissions among all of a
container’s objects.

Permission inheritance allows the permissions that you set on a folder to apply automatically to files that
users create in that folder and its subfolders. This means that you can set permissions for an entire folder
structure at a single point. If you have to modify permissions, you then have to perform the change at
that single point only.
For example, when you create a folder called Folder1, all subfolders and files created within Folder1
automatically inherit that folder’s permissions. Therefore, Folder1 has explicit permissions, while all
subfolders and files within it have inherited permissions.
Permissions on a file are a combination of inherited and explicit permissions. For example, if you assign
Group1 Read permissions on a folder and Write permissions on a file in the folder, members of Group1
can read and write in the file. If inherited and explicit permissions conflict, explicit permissions take
precedence.
Inheritance for all objects
If the Allow or Deny check boxes that are associated with each of the permissions appear shaded, a file
or folder has inherited permissions from one of its parent folders. There are two ways that you can make
changes to inherited permissions:
●● Make changes to a parent folder at which you set permissions explicitly. The file or folder will inherit
these modified permissions.
●● Choose not to inherit permissions from a parent object. You then can make changes to the
permissions or remove a user or group from the permissions list of the file or folder.

Note: You can make changes to inherited permissions also by selecting the opposite permission (Allow or
Deny) to override the inherited permission. You should be aware that this might cause a different result
than many users expect, because when you set both the Deny and the Allow permissions at the same
level, Deny has a higher precedence than Allow. Therefore, we recommend that you avoid using this
option.
You also can deny permissions explicitly. For example, Alice might not want Bob to be able to read her
file, even though he is a member of the Marketing group, which has Read permissions. She can exclude
Bob by explicitly denying him permission to read the file. Typically, you use explicit denial to exclude a
subset, such as Bob, from a larger group, such as Marketing, that has permission to perform an operation.
Please note that although explicit denials are possible, their use increases the complexity of the
authorization policy, which can create unexpected errors. For example, you might want to allow domain
administrators to perform an action, but deny domain users the ability to perform it. If you attempt to
implement this by explicitly denying domain users, you also deny any domain administrators who are
domain users. Though it is sometimes necessary, you should avoid the use of explicit denials.
In most cases, Deny overrides Allow unless a folder inherits conflicting settings from different parents. In
that case, the setting inherited from the parent closest to the object in the subtree takes precedence.
Note: Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow
permission entry. Explicit permissions take precedence over inherited permissions, including inherited
Deny permissions.
Child objects only inherit permissions that they are capable of inheriting. When you set permissions on a
parent object, you can decide whether folders, subfolders, and files can inherit permissions. Perform the
following procedure to assign permissions that child objects can inherit:
1. In File Explorer, right-click the file or subfolder, select Properties, select the Security tab, and then
select Advanced.
2. In the Advanced Security Settings for file or folder dialog box, the Inherited From column lists
from where the permissions are inherited. The Applies To column lists the folders, subfolders, or files
to which the permissions are applied.
3. Double-click the user or group for which you want to adjust permissions.
4. In the Permissions Entry for name dialog box, select the Applies to drop-down list, and then select
one of the following options:
●● This folder only
●● This folder, subfolders, and files
●● This folder and subfolder
●● This folder and files
●● Subfolders and files only
●● Subfolders only
●● Files only
5. Select OK in the Permission Entry for name dialog box, select OK in the Advanced Security Settings
for name dialog box, and then select OK in the Properties dialog box.
If the Special permissions entry in Permissions for User or Group box is shaded, it does not imply that
this permission is inherited. Rather, this means that a special permission is selected.
Note: If you add permissions for CREATOR OWNER at the folder level, those permissions will apply to the
user who created the file in the folder.

Preventing inheritance
After you set permissions on a parent folder, new files and subfolders that users create in the folder
inherit these permissions. You can block permission inheritance to restrict access to these files and
subfolders. For example, you can assign all Accounting users the Modify permission to the Accounting
folder. On the subfolder Invoices, you can block inherited permissions and grant only a few specific users
permissions to the folder.
Note: When you block permission inheritance, you have the option to convert inherited permissions into
explicit permissions, or you can remove all inherited permissions. If you want to restrict a particular group
or user, you can convert inherited permissions into explicit permissions to simplify configuration.
To prevent a child file or folder from inheriting permissions from a parent folder, select This folder only in
the Applies to drop-down list box when you configure permissions for the parent folder.
To prevent a folder or file from inheriting permissions from a parent folder, perform the following
procedure:
1. In File Explorer, right-click the file or subfolder, select Properties, select the Security tab, and then
select Advanced.
2. In the Advanced Security Settings for file or folder dialog box, select Disable inheritance.
3. In the Block Inheritance dialog box, select any of the following options:
●● Convert inherited permissions into explicit permissions on this object
●● Remove all inherited permissions from this object
●● Cancel
4. Select OK in the Advanced Security Settings for name dialog box, and then select OK in the
Properties dialog box.
Forcing permission inheritance
The Advanced Security Settings dialog box for folders includes a Replace all child object permission
entries with inheritable permission entries from this object check box. Selecting this check box replaces
the permissions on all child objects for which you can change permissions, including child objects on
which inheritance was disabled. This is useful if you need to change permissions on a large number of
subfolders and files, especially if you set the original permissions incorrectly.
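The following added example is not part of the course text; it reproduces the Accounting/Invoices scenario from Windows PowerShell so that the three operations in this topic (inheritable entry on a parent, blocking inheritance on a child, forcing inheritance back down) can be scripted and verified. The folder paths and the ADATUM\Accounting and ADATUM\InvoiceClerks groups are assumptions for this illustration, and the script must run from an elevated prompt.

```powershell
# Added example (not course code). Reproduces the Accounting\Invoices scenario
# from PowerShell: Modify for the Accounting group flows down from the parent,
# inheritance is blocked on Invoices and only a few explicit entries remain.
# Folder paths and the ADATUM\Accounting and ADATUM\InvoiceClerks groups are
# assumptions for this illustration. Run elevated.
$parent = 'C:\Accounting'
$child  = 'C:\Accounting\Invoices'

function New-InheritableRule([string]$Identity, [string]$Rights) {
    # ContainerInherit + ObjectInherit = "This folder, subfolders and files".
    # "This folder only" would be InheritanceFlags None.
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
}

# 1. Grant Modify on the parent; new files and subfolders inherit it.
$acl = Get-Acl -Path $parent
$acl.AddAccessRule((New-InheritableRule 'ADATUM\Accounting' 'Modify'))
Set-Acl -Path $parent -AclObject $acl

# 2. Block inheritance on the subfolder.
#    SetAccessRuleProtection($isProtected, $preserveInheritance):
#      ($true, $true)  = Convert inherited permissions into explicit permissions
#      ($true, $false) = Remove all inherited permissions from this object
#    Removing everything and adding back only what is wanted is the cleanest
#    way to restrict a subfolder; keep administrative entries so the folder
#    cannot end up unmanageable.
$acl = Get-Acl -Path $child
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-InheritableRule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-InheritableRule 'NT AUTHORITY\SYSTEM' 'FullControl'))
$acl.AddAccessRule((New-InheritableRule 'ADATUM\InvoiceClerks' 'Modify'))
Set-Acl -Path $child -AclObject $acl

# 3. Verify: every entry on Invoices is now explicit (IsInherited = False) and
#    ADATUM\Accounting no longer appears.
(Get-Acl -Path $child).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# 4. The reverse operation, "Replace all child object permission entries with
#    inheritable permission entries from this object", is quickest with icacls:
#    /reset replaces each child's DACL with inherited entries only, /t recurses,
#    /c carries on past errors. Note that this also undoes the block on Invoices.
# icacls $parent /reset /t /c
```

Step 2 removes every inherited entry before adding the explicit ones, which is why the SYSTEM and Administrators entries are added back explicitly; without them the folder would be accessible only to the owner and whoever is listed in the remaining entries.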

Implementing Conditions to Limit File and Folder Access
Traditionally, you control permissions to files and folders by using group membership. However, if your
Windows 10–based computer is a domain member, you can extend this traditional access control by
using conditions to limit access. Windows 8 and Windows Server 2012 introduced this feature, which
allows you to utilize user or computer properties to limit access beyond group membership. For example,
if the users have a defined department in AD DS, you can limit access to files or folders to users from a
specific department, regardless of their group membership. You also can limit access to users who are in
the department and in a specific group. You do this by extending a user token, which all users receive
upon sign-in, with the claims. Claims are AD DS properties and their values, and an administrator must
configure which properties can be used as claims in AD DS.

Even if an administrator does not specify in AD DS which properties to use as claims, you can use condi-
tions to limit access to files or folders based on user or device-group membership. When viewing the
permissions for a file or folder, the Condition column in the Advanced Security Settings lists the applied
conditions. Please note that when you specify conditions:
●● You use a Group condition so that you can specify that the permission will apply to the user based on
the following group-membership rules:
●● Member of Any of the specified groups.
●● Member of Each of the specified groups.
●● Not Member of Any of the specified groups.
●● Not Member of Each of the specified groups.
●● You use a Device condition so that you can specify that the permission will apply if a user accesses the
file from a specified computer or computers. The following topic provides more detail about this
condition.
You can specify multiple conditions for the configured permission to apply. For example, you can create a
permission that would give members of the Financial group Full Control permissions if they also are
members of the Managers group and are accessing the folder from Computer1.

Effective Permissions
Each file or folder on an NTFS or ReFS volume has inherited permissions, explicit permissions, or both.
Windows 10 determines a user's effective permissions by combining the permissions assigned to the user
account with the permissions assigned to every group of which the user is a member.
You also can evaluate what the effective permissions will be if you add a user or a device to additional
groups, and configure whether to include user and device claims. For example, if you assign a user Read

permission and assign the Modify permission to a group of which the user is a member, the effective
permissions are a superset of the Read and Modify permissions. This superset is the Modify permission,
because Modify permission also includes Read permission.
You also can evaluate what type of permissions the user would have if you add the user to the IT and
Managers groups (without actually doing so) and whether the effective permissions should be different if
the user’s token includes a Country = US user claim.
Note: When you combine permissions, Windows 10 evaluates the Deny permissions before the Allow
permissions that are set at the same level. Therefore, a Deny permission takes precedence over an Allow
permission set at the same level.
If you set Deny and Allow permissions at different levels (for example, Deny on the folder and an explicit
Allow on its subfolder), the explicit Allow on the subfolder takes precedence over the inherited Deny,
because Windows evaluates explicit permissions before inherited ones.

Effective Access Feature


The Effective Access feature determines the permissions a user or group has on an object by calculating
the permissions that are granted to the user or group. The calculation takes into account the group
membership permissions and any of the permissions inherited from the parent object.
The calculation determines all of the domain and local groups of which the user or group is a member.

Note: The Effective Access feature always includes the Everyone group when calculating effective permis-
sions, as long as the selected user or group is not a member of the Anonymous Logon group.

The Effective Access feature only produces an approximation of the permissions that a user has. The
actual permissions might be different, because permissions can be granted or denied based on how a
user signs in. Effective Access cannot determine this sign-in-specific information, because the user might
not sign in at all. Therefore, the effective permissions it displays reflect only the permissions granted to
the user or group that you select, not the permissions tied to a particular type of sign-in. For example, if
a user connects to a computer through a file share, the sign-in for that user is marked as a Network
Logon. You then can grant or deny permissions to the well-known security identifier NETWORK that the
connected user receives. This way, users have different permissions when they sign in locally than when
they sign in over a network.
You can view effective access permissions in the Advanced Security Settings dialog box for files or
folders stored on the NTFS or ReFS file system. You can access this dialog box from a folder’s Properties
dialog box by using the Advanced button on the Security tab, or directly from the Share menu on the
ribbon.
Note: Windows 10 supports claims, so you can include the user and device claims when evaluating
effective access. A claim is information about a user or device that a domain controller published, and
you can use it to evaluate if a user has access to data.
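The following added example is not part of the course text. It approximates what the Effective Access tab computes for one principal by walking the DACL in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and letting the first entry that mentions a given right decide it. It deliberately has the same gap the text describes: the caller supplies the user and group names, so sign-in-specific identities such as NETWORK or INTERACTIVE and any claims are only considered if they are passed in. The folder path and the ADATUM account names are assumptions.

```powershell
# Added example (not course code). Approximates the Effective Access tab for
# one principal. The folder path and ADATUM\Alice / ADATUM\Managers are
# assumptions for this illustration.
function Get-ApproxEffectiveRights {
    param(
        [Parameter(Mandatory)][string]$Path,
        # The user plus every group the user belongs to, as NT account names,
        # for example 'ADATUM\Alice','ADATUM\Managers','BUILTIN\Users','Everyone'.
        [Parameter(Mandatory)][string[]]$Identities
    )
    $acl = Get-Acl -Path $Path
    # Canonical DACL order: explicit Deny, explicit Allow, inherited Deny,
    # inherited Allow. Sort so the rule holds even on a non-canonical DACL.
    $rules = @($acl.Access) | Sort-Object -Property `
        @{ Expression = { $_.IsInherited } }, `
        @{ Expression = { $_.AccessControlType -ne 'Deny' } }

    [int]$allowed = 0   # right bits that ended up granted
    [int]$decided = 0   # right bits an earlier ACE has already settled
    foreach ($rule in $rules) {
        if ($Identities -notcontains $rule.IdentityReference.Value) { continue }
        [int]$bits = [int]$rule.FileSystemRights
        $new = $bits -band (-bnot $decided)   # only bits nobody has decided yet
        if ($rule.AccessControlType -eq 'Allow') { $allowed = $allowed -bor $new }
        $decided = $decided -bor $bits         # a Deny settles its bits as denied
    }
    [System.Security.AccessControl.FileSystemRights]$allowed
}

# Course example: Alice has Read, Managers has Modify. The result is the
# superset, Modify, because Modify already includes Read.
Get-ApproxEffectiveRights -Path 'C:\Data\Reports' -Identities 'ADATUM\Alice', 'ADATUM\Managers'

# The same call without the group answers the "what if Alice were not a
# member of Managers" question the Effective Access tab can also model.
Get-ApproxEffectiveRights -Path 'C:\Data\Reports' -Identities 'ADATUM\Alice'
```

An explicit Deny on the folder for ADATUM\Alice would clear the Write bits before the inherited Allow for Managers is seen, and an explicit Allow on a subfolder would win over a Deny inherited from its parent, which is exactly the two ordering rules stated in the note above.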

Copying and Moving Files


When you copy or move a file or folder, the permissions can change, depending on where you move the
file or folder. Therefore, when you copy or move files or folders, it is important to understand the impact
on permissions.

Effects of copying files and folders


When you copy a file or folder from one folder to another, or from one volume to another, permissions
for the files or folders might change. Copying a file or folder creates new objects with the same content
as the original files or folders, and it has the following effects on permissions:
●● When you copy a file or folder within a single volume, the copy of the folder or file inherits the
permissions of the destination folder.
●● When you copy a file or folder to a different volume, the copy of the folder or file inherits the permis-
sions of the destination folder.
●● When you copy a file or folder to a volume that does not support permissions (non-NTFS and non-
ReFS), such as a FAT file system, the copy of the folder or file loses its permissions. This is because the
target volume does not support permissions.
Note: When you copy a file or folder within a single volume or between volumes, you must have the
Read permission for the source folder and the Write permission for the destination folder.

Effects of moving files and folders


When you move a file or folder, permissions might change, depending on the destination folder’s permis-
sions. Moving a file or folder has the following effects on permissions:
●● If you move a file or folder within the same volume, only the pointer(s) are updated, and data is not
moved. Permissions that are inherited at the source location no longer apply and the file or folder that
you moved inherits the permissions from the new parent folder. If the file or folder has explicitly
assigned permissions, it retains those permissions, in addition to the newly inherited permissions.
Note: Most files do not have explicitly assigned permissions. Instead, they inherit permissions from their
parent folder. If you move files that have only inherited permissions, they do not retain the inherited
permissions during the move.
●● When you move a file or folder to a different volume, the folder or file inherits the destination folder’s
permissions, but it does not retain the explicitly assigned or inherited permissions from the source
location. When you move a folder or file between volumes, Windows 10 copies the folder or file to the
new location and deletes the original file from the source location.
●● When you move a file or folder to a volume that does not support permissions (non-NTFS and
non-ReFS), the folder or file loses its permissions because the target volume does not support
permissions.
Note: When you move a file or folder within a volume or between volumes, you must have both the
Write permission for the destination folder and the Modify permission for the source file or folder. You
require the Modify permission to move a folder or file, because Windows 10 deletes the folder or file
from the source folder after it copies it to the destination folder.
The copy command is not aware of the security settings on folders or files. However, more robust
commands have this awareness. For example:
●● Xcopy has the /O switch to copy ownership and ACL information.
●● Robocopy has several switches that cause security information to be copied:
●● /COPY:copyflags. The default setting is the equivalent of /COPY:DAT, where D=Data, A=Attributes,
and T=Timestamps. You can add the S flag (S=Security, the NTFS ACL) and, if required, O (Owner) and U
(auditing information).
●● /SEC is the equivalent of /COPY:DATS.
●● /COPYALL is the equivalent of /COPY:DATSOU.
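The following added example is not part of the course text. It copies a folder tree to another volume with Robocopy so that the NTFS ACL and owner survive the move (which a plain copy, as the text explains, would not), and then checks every copied object against its source. The paths are assumptions; the script must run from an elevated prompt because copying owners requires the Backup and Restore privileges.

```powershell
# Added example (not course code). Copies a tree to another volume with its
# NTFS security and then verifies the result. Paths are assumptions. Run
# elevated: copying owners (/COPY:O, backup mode /B) needs the Backup and
# Restore privileges.
$src = 'C:\Projects\Source'.TrimEnd('\')
$dst = 'D:\Archive\Source'

# /E           include subfolders, even empty ones
# /COPY:DATSO  Data, Attributes, Timestamps, Security (DACL), Owner
#              (/SEC is shorthand for /COPY:DATS and drops the owner)
# /B           backup mode, so the privilege and not the DACL decides what is readable
# /R:1 /W:1    one retry with a one-second wait instead of the default million retries
robocopy $src $dst /E /COPY:DATSO /B /R:1 /W:1 /NP /LOG:C:\Temp\robocopy.log

# Robocopy exit codes are bit flags; anything below 8 means no copy failures.
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }

# Describe an object's security by its owner plus the ACEs set directly on it.
# Inherited entries are left out on purpose: at the destination they are
# recalculated from D:\Archive, so only explicit entries and the owner are
# expected to come through the copy unchanged.
function Get-ExplicitSecurity([string]$ItemPath) {
    $acl  = Get-Acl -Path $ItemPath
    $aces = $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, [int]$_.FileSystemRights,
            $_.AccessControlType, $_.InheritanceFlags, $_.PropagationFlags
    } | Sort-Object
    'Owner={0};{1}' -f $acl.Owner, ($aces -join ';')
}

$mismatches = foreach ($item in Get-ChildItem -Path $src -Recurse -Force) {
    $relative = $item.FullName.Substring($src.Length + 1)
    $expected = Get-ExplicitSecurity $item.FullName
    $actual   = Get-ExplicitSecurity (Join-Path $dst $relative)
    if ($expected -ne $actual) {
        [pscustomobject]@{ Item = $relative; Source = $expected; Destination = $actual }
    }
}
if ($mismatches) { $mismatches | Format-List } else { 'Explicit permissions and owners match on every copied object.' }
```

Compare this with the plain copy described in the text: with Copy-Item or File Explorer the objects at D:\Archive\Source would carry only the entries inherited from D:\Archive, and the verification above would list every object that had an explicit entry at the source.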

Configuring and Managing Shared Folders


Lesson Introduction
Collaboration is an important part of an administrator’s job. Your team might create documents that only
team members can share, or you might work with a remote team member who needs access to your
team’s files. Because of collaboration requirements, you must understand how to manage shared folders
in a network environment.
Sharing folders enables users to connect to a shared folder over a network, and to access the folders and
files that it contains. Shared folders can contain applications, public data, or a user’s personal data.
Managing shared folders helps you provide a central location for users to access common files, and it
simplifies the task of backing up data that those folders contain. This lesson examines various methods of
sharing folders, along with the effect this has on file and folder permissions when you create shared
folders on an NTFS-formatted partition.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe shared folders.
●● Describe methods for sharing folders.
●● Describe the effect of combining file permissions and share permissions.

What Are Shared Folders


When you share a folder, you make its content available on the network to multiple users. You can limit
who can access the shared folder and what type of share permissions they have. Additionally, you can
limit the number of users who can access the share at the same time and specify if an offline copy of the
files users open will be created automatically on their computer.
Shared folders maintain a separate set of permissions from the file-system permissions, which means that
you can set share permissions even if you share a folder on the FAT file system. The same share permis-
sions apply to all shared content. This behavior is different from file system permissions, where you can
set permissions for each file individually. You can use these permissions to provide an extra level of
security for files and folders that you make available on your network. You can share the same folder
multiple times, by using a different share name and other share settings for each creation.
Note: Sharing is limited to folders. You cannot share an individual file or group of files within a folder that
is not shared. Windows 10 allows you to right-click a file in a user’s profile, and then select Share with.
However, this will share the Users folder, in which all user profiles are stored.
After you share a folder, all users will see the share name over your network. However, only users with
Read permissions can view its content.
Windows 10 restricts sharing of folders to members of the Administrators group only. If you want to
share a folder, you will have to provide administrative credentials to User Account Control (UAC).
Note: File and printer sharing is disabled by default. When you share the first folder on a Windows 10
device, Windows 10 turns on file and printer sharing automatically. This setting remains turned on even if
you remove all shared folders. You can configure it manually in Advanced sharing settings in Control
Panel.

Shared folders permissions


When you share a folder, you must configure the permissions that a user or group will have when they
connect to the folder through the share. This is called sharing permissions, and there are three options:
●● Read. Users can view content, but they cannot modify or delete it.
●● Change. Users can also modify, delete, and create content, but they cannot modify permissions.
Includes Read permission.
●● Full Control. Users can perform all actions, including modifying the permissions. Includes Change
permission.
Basic sharing permissions are simplified and can have one of two options:
●● Read. The look but do not modify option. Users can open, but not modify or delete a file.
●● Read/Write. The Full Control option. Users can open, modify, or delete a file, and modify permissions.

View shared folders


Windows 10 creates several shared folders by default. You can view all shared folders in the Computer
Management console, by selecting the Shared Folders node. You also can run net view \\localhost /all
command or the Get-SmbShare cmdlet.
Note: In older Windows versions, you could recognize shared folders in File Explorer, because there was a
different icon for folders that were shared than for folders that were not shared. In File Explorer in
Windows 10, the same icon is used regardless of whether a folder is shared or not.


Methods Available for Connecting to Shared Folders
There are several methods for configuring and accessing shared folders.

Connecting to a shared folder


Users most commonly connect to a shared folder over the network by using its Universal Naming
Convention (UNC) path. The UNC path contains the name of the computer that hosts the folder and the
shared folder name, separated by a backslash (\) and preceded by two backslashes (\\). For example, the
UNC path for the Sales shared folder on the LON-CL1 computer in the Adatum.com domain is
\\LON-CL1.Adatum.com\Sales.
You can share folders in several ways, including by using:
●● The Shared Folders snap-in.
●● File Explorer.
●● A command prompt.
●● Windows PowerShell cmdlets.

Sharing folders by using the Shared Folders snap-in


You can use the Shared Folders snap-in to manage a computer’s file shares centrally. Use this snap-in to
create file shares, set permissions, and to view and manage open files and the users who can connect to a
computer’s file shares. Additionally, you can view the properties for the shared folder, which would allow
you to perform actions such as specifying file permissions.
You can create a new share in the Shared Folders snap-in by running the Create a Shared Folder Wizard.
When you run the wizard, you need to specify the folder path that you want to share and the share name.
By default, offline files are not created from the share content, and all users have Read-only share
permissions. However, you can modify these settings in the wizard or after creating the share.

Sharing folders by using File Explorer


You can use File Explorer to share a folder by:
●● Using the Share with option from the shortcut menu or ribbon (also called Network File and Folder
Sharing on the Sharing tab).
●● Selecting Advanced Sharing from the Sharing tab.

Using the Share with option (Network File and Folder Shar-
ing)
The Share with option is a quick and easy way to share a folder. When you right-click a folder, and then
select Share with, you see a submenu that allows you to stop sharing the folder or share the folder with
specific people. When you share with specific people, you can select Everyone or use Find people to
share the folder with specific groups.
After selecting the users with whom you want to share a folder, you can set Read or Read/Write
permissions. You cannot remove the folder's owner. You also might notice users or groups whose
Permission Level value is Custom. This is because they have explicit file-system permissions on the folder.
Be aware that Network File and Folder Sharing will set share permissions and file permissions. The Share
permissions will be set as Everyone – Full Control, and the file permissions will be set based on what you
select. The share name will be the same as the folder name. You cannot share the same folder multiple
times by using Network File and Folder Sharing.

Using Advanced Sharing


Advanced Sharing provides several additional configuration options compared to Network File and
Folder Sharing. You can specify the share name, which by default is the same as the folder name.
However, you can modify the name, choosing any name that is not already used for a share on the same
computer. You also can configure the number of users that can access a shared folder simultaneously,
specify caching settings, and define share permissions, which can be Full Control, Change, or Read. When
you use Advanced Sharing, you are configuring only share permissions. You must configure file-system
permissions separately, and you must be careful when you do this to ensure you are setting the
permissions exactly as you require. For example, if a group does not have Read permission on a folder,
you still can grant that group Full Control share permission. However, when a group member tries to
connect to the share, an access-denied error is returned even though the user has sufficient share
permissions, because the user does not have file-system permissions to the share's content.

Sharing folders by using the command line


You can share a folder by using the net share command, as the following example illustrates:
net share ShareName=Drive:Path
This creates a simple share with the share name that you specify and grants Everyone the Read share
permission. You can specify additional parameters when creating a share, which the following table
lists.

Option Description
/GRANT:user,[READ | CHANGE | FULL] Grants the specified user or group Read, Change,
or Full share permission.
/USERS:number Limits the number of users who can connect to
the share at the same time.
/REMARK:"text" Adds a comment to the share.
/CACHE:option Specifies the offline caching option for the share
(Manual, Documents, Programs, BranchCache, or None).
sharename /DELETE Removes an existing share.

Sharing folders by using Windows PowerShell


Windows PowerShell includes several cmdlets that you can use to manage shares. The following example
illustrates the cmdlet for creating a share:
New-SmbShare -Name ShareName -Path C:\LocalFolder
The following table lists additional Windows PowerShell commands that you can use to manage shares.

Command Description
Get-SmbShare Retrieves a list of the computer’s existing shares.
Set-SmbShare Modifies an existing share.
Remove-SmbShare Removes an existing share.
Get-SmbShareAccess Retrieves a share’s permissions.
Grant-SmbShareAccess Sets share permissions.
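The following added example is not part of the course text. It creates a share with the Windows PowerShell cmdlets from the table above, but with the settings a practitioner would want from the start: file-system permissions set before the folder is exposed, no Everyone entry at the share layer, a hidden share name, access-based enumeration and SMB encryption enabled, and a caching mode of None. The folder path, the share name and the ADATUM\SalesTeam group are assumptions for this illustration; the cmdlets require the SmbShare module (Windows 8 and later) and an elevated prompt.

```powershell
# Added example (not course code). Folder path, share name and the
# ADATUM\SalesTeam group are assumptions for this illustration. Run elevated.
$folder = 'C:\Shares\Sales'
$share  = 'Sales$'      # a trailing $ hides the share from browse lists only
$group  = 'ADATUM\SalesTeam'

if (-not (Test-Path -Path $folder)) {
    New-Item -Path $folder -ItemType Directory | Out-Null
}

# 1. File-system permissions first, so the folder is never shared with the
#    defaults inherited from C:\Shares. Inheritance is blocked and replaced
#    with explicit entries; SYSTEM and Administrators keep Full Control for
#    backup and management.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)
$entries = @(
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @('BUILTIN\Administrators', 'FullControl'),
    @($group,                   'Modify')
)
foreach ($entry in $entries) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $entry[0], $entry[1], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# 2. The share. No Everyone entry at all: Authenticated Users get Full Control
#    at the share layer so that the NTFS ACL above is the only thing that
#    limits access. Equivalent net share command:
#    net share Sales$=C:\Shares\Sales /GRANT:"NT AUTHORITY\Authenticated Users",FULL /USERS:20 /CACHE:None
New-SmbShare -Name $share -Path $folder `
    -FullAccess 'BUILTIN\Administrators', 'NT AUTHORITY\Authenticated Users' `
    -FolderEnumerationMode AccessBased `
    -EncryptData $true `
    -CachingMode None `
    -ConcurrentUserLimit 20 `
    -Description 'Sales team working files' | Out-Null

# 3. Verify both layers.
Get-SmbShare -Name $share |
    Format-List Name, Path, FolderEnumerationMode, EncryptData, CachingMode, ConcurrentUserLimit
Get-SmbShareAccess -Name $share |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

-FolderEnumerationMode AccessBased and -EncryptData can be set on New-SmbShare as shown, or later on an existing share with Set-SmbShare; neither is available in the Advanced Sharing dialog box.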

Shared Folder Properties


You can configure multiple shared folder properties when you create a share or when you modify shared
folder properties. Share properties control share behavior, including:
●● How users can view and connect to a share.
●● How many users can access a share simultaneously.

●● Which share permissions will be effective when users access the data through a share.
●● The offline settings for the share data.

You can configure these four properties in several ways, including by using Advanced Sharing, the Shared
Folders snap-in, the net share command, and the New-SmbShare or Set-SmbShare Windows PowerShell
cmdlets. However, if you want to configure more advanced share properties, such as access-based
enumeration or Server Message Block (SMB) encryption, you can do that only by using the New-SmbShare
or Set-SmbShare cmdlets.
You can configure the following basic properties for a share by using Advanced Sharing:
●● Share name. Each share must have a share name, and it must be unique for each Windows 10–based
computer. The share name can be any string that does not contain special characters, and it is part of
the UNC path, which Windows users use when connecting to a share. You can share the same folder
multiple times and with different properties, but each share name must be unique. If the share name
ends with a dollar sign ($), the share is hidden and not visible on the network. However, you can
connect to it if you know the share name and have appropriate permissions.
●● Number of simultaneous users. This limits the number of users that can have an open connection to
the share. The connection to the share is open when a user accesses the share for the first time, and it
closes automatically after a period of inactivity. The default value in Windows 10 is no more than 20
users. However, you can configure this to a lower number.
●● Caching/offline settings. You can control which of the share’s files and programs are available to
offline users, or those who do not have network connectivity. You can configure files to:
●● Cache on the client computer automatically when a user has network connectivity and opens them
for the first time.
●● Cache offline, only if the user manually configures this and has the necessary permissions.

●● Not cache at all.


●● Permissions. You can configure shared folder permissions, which Windows uses in conjunction with file
system permissions when a user tries to use a shared folder to access data over a network. Shared
folder permissions can allow Read, Change, or Full control permissions.
If you try to use a share name that is already in use on the computer, Windows 10 provides you with an
option to stop sharing an old folder and use the share name for sharing the current folder.
If you rename a folder that is shared currently, you do not receive a warning. However, the folder is no
longer shared.
Note: If you share a folder by using Network File and Folder Sharing, you can share a folder only once,
and you cannot configure its properties manually. The share name is set automatically and is the same as
the folder name. The share permissions, number of simultaneous users, and caching properties retain the
same value.
You can configure advanced share properties only by using Windows PowerShell. You cannot configure or
view them by using the GUI tools. Advanced share settings that you can configure in Windows 10 include
access-based enumeration and SMB encryption. For example, you can enable access-based enumeration
for the share named Folder1 by using the following cmdlet:
Set-SmbShare -Name Folder1 -FolderEnumerationMode AccessBased
Note: Access-based enumeration displays only the content for which a user has permissions. If the user
does not have Read permission to a file or folder, that file or folder does not display when the user
connects to the shared folder.
You can view all shared folder properties for the share named Folder1 by using the following cmdlet:
Get-SmbShare -Name Folder1 | Format-List -Property *
Additional Reading: For more information on the Get-SmbShare cmdlet, refer to: “Get-SmbShare” at:
http://aka.ms/dwc4lz
Additional Reading: For more information on the Set-SmbShare cmdlet, refer to: “Set-SmbShare” at:
http://aka.ms/unkrou

Combining Shared Folder and NTFS Permissions


When you create a shared folder on a volume that is formatted with a file system that supports security,
both the shared folder permissions and the file and folder permissions combine to control permissions to
file resources when a user connects via a network. File and folder permissions apply whether users access
a resource locally or over a network, but they filter against the shared folder permissions.
When you grant shared folder permissions, the following rules apply:
●● By default, when you create a share by using Advanced Sharing or net share, the Everyone group
receives the Read share permission. Network File and Folder Sharing instead grants Everyone Full Control
share permission and relies on the file-system permissions that you select.
●● Users must have appropriate file system permissions for each file and subfolder in a shared folder to
access those resources, in addition to appropriate shared folder permissions.
●● When you combine file-system and shared-folder permissions, the effective permission is the more
restrictive of the two. In other words, the share permission caps what the file-system permissions can
grant when a user connects over the network.
●● When a user attempts to connect to content through a share, the share permissions on a folder apply
to that folder, all of its files and sub-folders, and all files in those sub-folders.

When you configure shared folder permissions per shared folder, you can allow or deny only Read,
Change, and Full Control permissions, and these permissions apply to content in all folders and subfold-
ers. You have much more granularity when you configure file-system permissions. You can configure
permissions for each file, and you can allow or deny many more file-system permissions than share
permissions.
Note: If you enable the Guest user account on your computer, the Everyone group includes anyone.
Therefore, as a best practice, remove the Everyone group from any permission lists, and replace it with
the Authenticated Users group.
The following analogy can help you understand what happens when you combine file system and share
permissions:
●● If you want to access a shared folder’s files over a network, you must go through the shared folder.
●● If a share permission is set to Read, the most that you can do when connecting through a shared
folder is read the file, even if the individual file system permission is set to Full Control. All file system
permissions that are less restrictive than the share permissions filter out, so that only the most
restrictive permissions remain – in this case, the Read permission
●● If you configure the share permission to Change, you are allowed to read or modify the share's data.
If the file system permission is set to Full Control, the share permission filters the effective permission
down to Modify.
●● Alternatively, if the share permission is set to Full Control, but the user's NTFS permissions for the
folder are set to Read, the effective permission is Read.
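The following added example is not part of the course text. It acts on the note above that recommends replacing the Everyone group with Authenticated Users: it lists every Everyone entry on the computer's non-administrative shares, and can swap each one for an Authenticated Users entry with the same share-level right. The cmdlets are from the SmbShare module (Windows 8 and later); running the remediation requires an elevated prompt.

```powershell
# Added example (not course code). Audits shares for Everyone entries and
# optionally replaces them with Authenticated Users at the same share-level
# right, as the course recommends. Run elevated.
function Get-EveryoneShareGrants {
    # Special = administrative shares such as C$, ADMIN$ and IPC$; leave those alone.
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        Get-SmbShareAccess -Name $share.Name |
            Where-Object {
                $_.AccountName -eq 'Everyone' -and
                $_.AccessControlType -eq 'Allow' -and
                $_.AccessRight -ne 'Custom'
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Share       = $share.Name
                    Path        = $share.Path
                    AccessRight = $_.AccessRight    # Read, Change or Full
                }
            }
    }
}

function Repair-EveryoneShareGrant {
    param([Parameter(Mandatory, ValueFromPipeline)]$Grant)
    process {
        # Grant first, then revoke, so the share is never left without an entry.
        # Authenticated Users excludes Guest and anonymous connections, which is
        # the whole point of the swap; the file-system ACL still filters below it.
        Grant-SmbShareAccess -Name $Grant.Share -AccountName 'NT AUTHORITY\Authenticated Users' `
            -AccessRight ([string]$Grant.AccessRight) -Force | Out-Null
        Revoke-SmbShareAccess -Name $Grant.Share -AccountName 'Everyone' -Force | Out-Null
        [pscustomobject]@{ Share = $Grant.Share; Replaced = "Everyone ($($Grant.AccessRight))" }
    }
}

# Report first and review the list; remove the comment on the last line to remediate.
$findings = Get-EveryoneShareGrants
$findings | Format-Table -AutoSize
# $findings | Repair-EveryoneShareGrant
```

Because share permissions cap the file-system permissions, an Everyone entry with Change or Full on the share does not by itself expose data that the NTFS ACL protects; the reason to remove it is that once the Guest account is enabled, Everyone includes unauthenticated users and the share layer stops contributing any filtering at all.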

Managing User Files


Lesson Introduction
An organization should have a defined strategy for how files are stored and managed. The standard best
practice is for files to be stored on a file server, a cloud service, or some other form of redundant storage
to ensure that data is not lost. Client devices eventually suffer hardware failure, and they also carry the
risk of theft or data corruption. End users typically do not take adequate steps on their own to ensure that
data survives such an event.
Windows 10 offers several options that let users protect their files with minimal or no impact on the
workflows they are accustomed to.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe Windows Libraries.
●● Describe the capabilities of OneDrive.
●● Configure Windows 10 to synchronize files and settings using OneDrive.
●● Describe Work Folders and how they contrast to OneDrive.
●● Configure a client to use Work folders.

Windows Libraries
The libraries feature in Windows 10 provides a central place to manage files that are located in multiple
locations throughout your computer. Instead of selecting through many directories to find your files,
including them in a library provides faster access.
To view libraries in File Explorer select View then select Navigation pane and select Show libraries.

Using Libraries
By default certain libraries will already exist depending on which version of Windows you are using and
which version you may have migrated from. These libraries may include:
●● Documents
●● Saved Pictures
●● Videos

●● Music
●● Camera Roll
●● Pictures
You can create or delete libraries by right-clicking on one. Adding a folder to a library does not physically
move the folder on the computer it simply associates the folder with a certain library. To add a folder to a
library right-click the folder and select Include in library and select a library.

Users may add network folder locations to libraries. However, these folders are accessible only while the
computer can connect to the network location; they cannot be accessed in offline scenarios.
Note: Homegroups, first introduced in Windows 7, are retired, and no longer available as of v1803.

OneDrive and OneDrive for Business


OneDrive is a service that enables the ability to store and access files from all your devices. It is a free
cloud-based file service that is available to Microsoft account holders, with the option to purchase
additional storage space. Microsoft 365 subscriptions include 1TB of storage per user or more depending
on the plan. You can use OneDrive to save personal files in your private store or in your public store, so
that you can share files with anyone.
OneDrive is the consumer-focused version, intended for personal use to share and store documents,
photos and music easily with friends and family, as well as access them from other devices, using a free
Microsoft account.
OneDrive for Business is available for purchase separately or is included with certain Microsoft 365 plans.
OneDrive for Business is very similar to OneDrive, but offers additional functionality, most notably the
option to store files in SharePoint. While either OneDrive or OneDrive for Business can store files in the
cloud, OneDrive for Business can synchronize with a customer's SharePoint deployment (either cloud or
on-premises). With many organizations concerned about how employees share files and store them in
the cloud, OneDrive for Business is particularly attractive for organizations, because it inherits many data
governance features from SharePoint while still providing the seamless File Explorer experience that end
users are already accustomed to.
OneDrive and OneDrive for Business can co-exist on the same device. Users can manage and access their
personal files stored in their OneDrive account, as well as work with business files managed with
OneDrive for Business.

OneDrive Features


Below is a list of just some of the features that OneDrive offers:
●● Known Folder Move. This redirects the common Windows known folders (Desktop, Documents,
Pictures, Screenshots, and Camera Roll) to OneDrive for Business. Users can continue with their daily
work habits, while gaining the benefits of OneDrive.
●● OneDrive Files On-Demand. You can choose the storage preference for individual files and folders.
You can keep files online only, making them available on demand to help free up space on the local
device, or you can choose to always retain a synchronized copy locally for scenarios such as offline
access.
●● Files Restore. The OneDrive Files Restore feature enables users to restore files to any point over the
past 30 days. Users can view a histogram and select any point in time they wish to roll back to.
●● Recycle Bin. OneDrive has a recycle bin similar to the one available on the Windows desktop. Deleted
files are moved to the recycle bin and kept for a designated time before being permanently deleted.
For work or school accounts, deleted files are purged after 93 days unless configured otherwise.
●● Auditing & Reporting. OneDrive has detailed reporting and auditing capabilities for files it stores as
well as for those files stored through other services that use OneDrive for storage, such as Microsoft
SharePoint Online. In addition, you can audit individual file actions, including downloads, renames,
and views.
●● Encryption of data in transit and at rest. OneDrive uses advanced data-encryption methods
between your client and the data center, between servers in the data center, and at rest. At rest,
OneDrive uses disk encryption through BitLocker Drive Encryption and file encryption to secure your
data. Each file chunk is then randomly distributed among Microsoft Azure storage containers, making
it highly improbable for attackers to access the file.

Accessing OneDrive
There are several different methods and operating systems that you can use to access OneDrive. You can
access it from any currently supported device, as well as through a web browser at
http://www.OneDrive.com.
The OneDrive Sync client is already installed with Windows 10. OneDrive supports Windows 7 and higher,
and the latest sync client can be installed from the download page of the OneDrive website. The
OneDrive client is also available for Mac OS X 10.12 or later, and supported versions of Android and iOS
from their respective app stores. Both OneDrive and OneDrive for Business use the same client
(OneDrive.exe).
Note: Older versions of Windows may have the previous OneDrive for Business client (groove.exe)
installed. Administrators should consult OneDrive documentation for transition guidance.
Additional reading: To learn more about OneDrive select here: http://aka.ms/lv5n2s

Enabling OneDrive
Before you can use OneDrive from the Windows 10 OneDrive tile, you must connect your domain or local
account with your Microsoft account. To begin the process, select the OneDrive item in the File Explorer
console tree. You then will receive a prompt to sign in with your Microsoft account or to create an
account if you do not have one.
If you want to configure your synchronization settings, you will need to connect OneDrive to your
Microsoft account by performing the following procedure:
1. From the taskbar, open File Explorer, and then select the OneDrive node.
2. In the Welcome to OneDrive Wizard, select Get started.
3. In the Sign in page, type your Microsoft account and password.
4. After you successfully sign in, in the Introducing your OneDrive folder page, you can apply the
default local folder location, which is C:\users\username\OneDrive. Alternatively, you can select
another location by selecting Change. However, if you accept the default location, simply select Next.
5. If you select Change, the Browse for folder window appears, where you can select a different
location from a file tree or create a new folder. After selecting the location, select OK, and then Next.
6. The Sync your OneDrive files to this PC page shows all your OneDrive folders, with a check box next
to each. You can leave the folder check boxes selected to sync them, or clear the folder check boxes to
skip syncing. The bottom of the window indicates how much free space you have remaining on the
local hard drive. After making your selections, select Next.
7. On the Fetch your files from anywhere page, select Done to sync your OneDrive contents to your
hard drive.
You can manage, share, and synchronize your OneDrive files and folders from the OneDrive node in File
Explorer. To do so, right-click any of the OneDrive folders in the node, and then select one of the
following options:
●● Share a OneDrive link. This option creates and saves a link in the Clipboard. To provide others with
instant access, you need to paste the link into an email, instant message, or document.
●● More OneDrive sharing options. This option opens the OneDrive webpage, which provides more
traditional OneDrive web-based sharing functionality.
●● View online. This option opens the OneDrive.com web-based version of the folder that you
right-clicked within File Explorer.
●● Always Keep On This Device (Checked). This will maintain a synchronization between OneDrive and
the device’s local storage, making files available for offline use. In Windows Explorer, the Status icon
will show a solid green checkmark.
●● Always Keep On This Device (Unchecked). This essentially becomes a one-way sync. Existing and
new files on the local device remain on the local device and are synchronized with OneDrive. Their
status shows an open green checkmark. Files and folders added directly to OneDrive appear in
Windows Explorer with a cloud icon as their status. This means they are available, but are not stored
locally. They will only be downloaded to the local device when opened (which then changes the status
to an open checkmark).
●● Free Up Space. Selecting this option deletes the file or folder from the local device, leaving it
available in the cloud for download on demand.
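The Files On-Demand states described above (always available, locally available, online only) are recorded as attribute bits on each file, so you can audit them from PowerShell instead of inspecting Explorer icons one folder at a time. The following script is an added example and is not part of the course material or the OneDrive client; the attribute values are those Windows documents for cloud files, and the $env:OneDrive sync root and the sample paths are assumptions.

```powershell
# Added example (not part of the course): report and change the Files On-Demand
# state of files under the OneDrive sync root.
# Cloud-file attribute bits (Win32 FILE_ATTRIBUTE_* values):
$FILE_ATTRIBUTE_PINNED                = 0x00080000   # "Always keep on this device"
$FILE_ATTRIBUTE_UNPINNED              = 0x00100000   # "Free up space" was chosen for the item
$FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS = 0x00400000   # placeholder only; content is in the cloud

function Get-OneDriveFileState {
    param(
        # The OneDrive client records its sync root in this environment variable (assumption).
        [string]$Root = $env:OneDrive
    )
    if (-not $Root -or -not (Test-Path -Path $Root)) { throw "OneDrive sync root not found: '$Root'" }
    # Enumerating does not hydrate online-only files; opening their content would.
    Get-ChildItem -Path $Root -Recurse -File -Force | ForEach-Object {
        # The FileAttributes enum keeps the undocumented cloud-file bits when cast to int.
        $attr  = [int]$_.Attributes
        $state = if ($attr -band $FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS) { 'OnlineOnly' }       # cloud icon
                 elseif ($attr -band $FILE_ATTRIBUTE_PINNED)            { 'AlwaysAvailable' }  # solid green check
                 else                                                   { 'LocallyAvailable' } # open green check
        [pscustomobject]@{
            Path     = $_.FullName
            State    = $state
            Unpinned = [bool]($attr -band $FILE_ATTRIBUTE_UNPINNED)
            Length   = $_.Length   # logical size; an online-only file uses almost no disk space
        }
    }
}

function Set-OneDriveFileState {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('AlwaysAvailable', 'OnlineOnly')][string]$State
    )
    # attrib.exe exposes the same two actions as the File Explorer context menu:
    # +P = Always keep on this device, +U = Free up space. Clear the opposite bit first.
    switch ($State) {
        'AlwaysAvailable' { attrib.exe -U +P "$Path" }
        'OnlineOnly'      { attrib.exe -P +U "$Path" }
    }
    if ($LASTEXITCODE -ne 0) { throw "attrib.exe failed for '$Path' (exit code $LASTEXITCODE)" }
}

# Usage (assumed paths):
#   Get-OneDriveFileState | Group-Object State | Select-Object Name, Count
#   Set-OneDriveFileState -Path "$env:OneDrive\Documents\Budget.xlsx" -State AlwaysAvailable
```

Grouping the output by State gives a quick picture of how much of a user's OneDrive is really stored on the device, which is the figure to check before assuming a laptop has an offline copy of its work files.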

Restricting access to OneDrive


As an IT administrator, you might wish to prevent your users from accessing OneDrive from
organizational systems. You can accomplish this by using Group Policy. In the appropriate GPO, go to the
Computer Configuration\Policies\Administrative Templates\Windows Components\OneDrive node, and
enable the Prevent the usage of OneDrive for file storage policy setting.
When this Group Policy setting applies to the client system, if users try to start OneDrive, they will receive
a notification that the system administrator has blocked the use of OneDrive. If you need to block access
to OneDrive for all devices, including users’ personal devices, you could create a URL block list on your
organizational firewall.
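The policy setting above can also be created and verified from PowerShell. The following script is an added example, not part of the course material: it uses the GroupPolicy module to set the registry-backed policy in a GPO and then checks on a client that the setting has applied. The GPO name and target OU are assumptions, and the registry value name (DisableFileSyncNGSC under the OneDrive policy key) is the value this policy setting writes according to Microsoft's OneDrive ADMX documentation rather than something stated in the course text; confirm it against the ADMX files in your central store.

```powershell
# Added example (not part of the course): enable "Prevent the usage of OneDrive for
# file storage" through a GPO and audit its effect on a client.
Import-Module GroupPolicy

$GpoName   = 'Block OneDrive Storage'              # assumption
$TargetOU  = 'OU=Workstations,DC=contoso,DC=com'   # assumption
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
$ValueName = 'DisableFileSyncNGSC'                  # per the OneDrive ADMX (assumption)

function New-OneDriveBlockGpo {
    # Create the GPO if it is missing, write the policy value, and link it to the OU.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -Comment 'Prevent the usage of OneDrive for file storage'
    }
    # Same effect as enabling the setting in the Group Policy Management Editor.
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $ValueName `
        -Type DWord -Value 1 | Out-Null
    # Linking is idempotent here: an existing link raises an error we silence.
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    Get-GPO -Name $GpoName
}

function Test-OneDriveBlocked {
    # Run on a client after "gpupdate /force". Returns $true when the policy applied,
    # and also reports whether a OneDrive.exe process is still running.
    $psPath = "Registry::$PolicyKey"
    $v = Get-ItemProperty -Path $psPath -Name $ValueName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyApplied   = [bool]($v -and $v.$ValueName -eq 1)
        OneDriveRunning = [bool](Get-Process -Name OneDrive -ErrorAction SilentlyContinue)
    }
}
```

Test-OneDriveBlocked is the check to run on a sample of machines after the GPO has been linked; a client that reports PolicyApplied as $false has not processed the GPO yet (or is outside its scope), and one that still shows the process running needs a sign-out, because the setting blocks the client from starting rather than terminating a running instance. Blocking OneDrive for personal devices is a firewall or proxy URL block, as the text notes, and is not covered by this script.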

Work Folders
With Work Folders users can store and access work files on personal computers and devices, often
referred to as bring-your-own device (BYOD), in addition to corporate PCs. Users gain a convenient
location to store work files, and they can access them from anywhere. Organizations maintain control
over corporate data by storing the files on centrally managed file servers, and optionally specifying user
device policies such as encryption and lock-screen passwords.
Work Folders can be deployed with existing deployments of Folder Redirection, Offline Files, and home
folders. Work Folders stores user files in a folder on the server called a sync share. You can specify a folder
that already contains user data, which enables you to adopt Work Folders without migrating servers and
data or immediately phasing out your existing solution.

Components of Work Folders


If you want to use Work Folders, several components must be available in your environment:
●● A Work Folders server. You need a file server that is running Windows Server 2016 or newer. The file
server must be a member of an Active Directory domain, and it must have the Work Folders role
service installed, which is part of the File and Storage Services role. Installing the role service adds
an additional access protocol and extends Server Manager. You can use Server Manager to create and
manage sync shares, which contain users' Work Folders. You also can use Server Manager to view who
can access sync shares, when and from which devices users can access them, and to perform other
tasks, such as setting quotas and managing volumes. Users access and sync their Work Folders by
using an HTTPS-encapsulated access protocol. Because synchronization is encrypted with HTTPS, the
file server must have a Secure Sockets Layer (SSL) certificate installed, and the devices from which
users access the Work Folders must trust that certificate.
●● A sync share. A sync share is a unit of synchronization between the Work Folders server and client
devices. You can create multiple sync shares on a Work Folders server, and each sync share maps to a
physical folder on the file server. Each user who uses Work Folders has a personal subfolder inside
the sync share, and users can access and sync only the content of their own subfolders. You can
configure who can access a sync share, and then specify a device policy. For example, you can create
a policy that requires the encryption of the local copy of Work Folders data on client devices. Although
users can have permissions to access multiple sync shares, they can sync with a single sync share only.
By default, a sync share is accessible only through the Work Folders feature, but an administrator also
can create an SMB share that uses the same folder as the sync share. If users can access sync share
content over SMB, they can view synced content from devices that do not use Work Folders. A file
server stores the sync share, so you can use features such as Dynamic Access Control, quotas, and file
screening when managing the sync share's content.
●● User devices. These are the devices from which users access, modify, and sync the content that Work
Folders stores. You can access Work Folders from workgroup devices, workplace-joined devices, or
domain-member devices. Windows 10 and Windows 8.1 devices support Work Folders by default, and
you can add Work Folders support to Windows 7, Android, iPad, and iPhone devices. Devices also must
trust the SSL certificate that the Work Folders server is using. If you configure devices to use Work
Folders, Windows detects changes to the local copies of data, and then synchronizes them with the
server. By default, devices check the Work Folders server every 10 minutes and sync changes with the
local copies of the Work Folders data.
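The three components just described map directly onto a handful of PowerShell steps on the server and one policy setting for the clients. The following script is an added example and is not part of the course or of lab 0703's own instructions; it installs the role service, creates a sync share with the encryption and lock-screen device policy the text mentions, checks that a usable HTTPS certificate is present, and publishes the server URL to clients through Group Policy. The server name and share path follow the lab 0703 scenario; the share name, group, GPO name and user name are assumptions, and the SyncUrl value name is taken from the Work Folders policy ADMX rather than from the course text.

```powershell
# Added example (not part of the course): provision a Work Folders sync share and
# point clients at it. Names below are assumptions unless noted.
$ServerFqdn    = 'SEA-SVR1.Contoso.com'      # from the lab 0703 scenario
$SyncSharePath = 'C:\syncshare1'             # from the lab 0703 scenario
$SyncShareName = 'MarketingSync'             # assumption
$SyncUsers     = 'CONTOSO\Marketing'         # assumption: group allowed to sync
$GpoName       = 'Work Folders - Marketing'  # assumption

function Install-WorkFoldersRole {
    # Work Folders is a role service of File and Storage Services.
    Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools
}

function New-MarketingSyncShare {
    if (-not (Test-Path -Path $SyncSharePath)) {
        New-Item -ItemType Directory -Path $SyncSharePath | Out-Null
    }
    # Each user gets a private subfolder. The device policy requires the local copy to be
    # encrypted and the device to lock with a password, as described in the text.
    New-SyncShare -Name $SyncShareName -Path $SyncSharePath -User $SyncUsers `
        -RequireEncryption $true -RequirePasswordAutoLock $true
}

function Test-WorkFoldersCertificate {
    # Sync runs over HTTPS, so the server needs an unexpired certificate whose name matches
    # the URL clients use, issued by a CA the client devices trust. Returns the thumbprint
    # of the best candidate, or nothing if none is installed.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.DnsNameList.Unicode -contains $ServerFqdn -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1 -ExpandProperty Thumbprint
}

function Set-WorkFoldersClientPolicy {
    # The "Specify Work Folders settings" policy stores the server URL as SyncUrl under the
    # WorkFolders policy key in HKCU (value name per the ADMX; assumption, verify locally).
    Import-Module GroupPolicy
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | Out-Null
    }
    Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\WorkFolders' `
        -ValueName 'SyncUrl' -Type String -Value "https://$ServerFqdn" | Out-Null
    Get-GPO -Name $GpoName
}

function Get-WorkFoldersUserStatus {
    param([string]$User = 'CONTOSO\Bruce')   # assumption
    # Shows the last sync time and the devices that have synced for one user of the share.
    Get-SyncUserStatus -User $User -SyncShare $SyncShareName
}
```

Run Test-WorkFoldersCertificate before creating the share: if it returns nothing, clients will refuse the connection no matter how the share is configured, because the devices must trust the certificate as the text states. Get-WorkFoldersUserStatus is the server-side view to consult when a user reports that a device is not syncing; it lists which devices have checked in and when, which is the first thing to compare against the 10-minute default polling interval.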

Practical applications
Administrators can use Work Folders to provide users with access to their work files while keeping
centralized storage and control over the organization's data. Some specific applications for Work Folders
include:
●● Provide a single point of access to work files from a user's work and personal computers and devices
●● Access work files while offline, and then sync with the central file server when the PC or device next
has Internet or intranet connectivity
●● Deploy with existing deployments of Folder Redirection, Offline Files, and home folders
●● Use existing file server management technologies, such as file classification and folder quotas, to
manage user data
●● Specify security policies to instruct users' PCs and devices to encrypt Work Folders and use a lock
screen password
●● Use Failover Clustering with Work Folders to provide a high-availability solution

Comparing Solutions
The following table discusses how various Microsoft sync technologies are positioned and when to use
each.

Technology summary
●● Work Folders: Syncs files that are stored on a file server with PCs and devices.
●● Offline Files: Syncs files that are stored on a file server with PCs that have access to the corporate
network (can be replaced by Work Folders).
●● OneDrive for Business: Syncs files that are stored in Microsoft 365 or in SharePoint with PCs and
devices inside or outside a corporate network, and provides document collaboration functionality.
●● OneDrive: Syncs personal files that are stored in OneDrive with PCs, Mac computers, and devices.

Intended to provide user access to work files
●● Work Folders: Yes
●● Offline Files: Yes
●● OneDrive for Business: Yes
●● OneDrive: No

Cloud service
●● Work Folders: None
●● Offline Files: None
●● OneDrive for Business: Microsoft 365
●● OneDrive: Microsoft OneDrive

Internal network servers
●● Work Folders: File servers running Windows Server 2012 R2 or Windows Server 2016
●● Offline Files: File servers
●● OneDrive for Business: SharePoint server (optional)
●● OneDrive: None

Supported clients
●● Work Folders: PCs, iOS, Android
●● Offline Files: PCs in a corporate network or connected through DirectAccess, VPNs, or other remote
access technologies
●● OneDrive for Business: PCs, iOS, Android, Windows Phone
●● OneDrive: PCs, Mac computers, Windows Phone, iOS, Android

Practice Labs and Module Review


Module 7 Practice Labs
Lab 0701: Configuring and Managing Permissions and
Shares

Summary
In this lab you will learn how to create folders and manage local and share permissions.

Scenario
You need to create file shares for the Marketing and IT departments to enable users to store their shared
files. You have to ensure that only people from the specific departments have access to the files. You
decide to create both shares on SEA-CL1 in the E:\Data folder. The IT department requires that the share
and the local folder are accessible only to members of the IT group. You ask Bruce Keever and Briana
Hernandez to test the file shares and local access to the files.

Lab 0702: Using Conditions to Control Access and Effective


Permissions

Summary
In this lab you will learn how to use conditions to dynamically control access to files based on specific
criteria.

Scenario
Members of the IT, Marketing, and Research departments all require access to file shares located on
SEA-CL1, but require different permissions for the data they use. You've been instructed to create a new
shared folder in E:\Data named Research. The Research shared folder should only be accessible by users
in the Research department. The IT shared folder should only be accessible by employees located in the
United States who are members of the IT department. The Active Directory administrator has already
configured Dynamic Access Control to allow you to assign Department-based and Country-based claim
types to permissions on shared folders.

Lab 0703: Work Folders

Summary
In this lab you will learn how to configure Work Folders as a method of synchronizing files to provide
access from multiple devices.

Scenario
Members of the Marketing group often use multiple devices for their work. To help manage file access
you decide to implement Work Folders. This allows files to be stored in a central location and
synchronized to each device automatically. To implement this solution, first you will install and configure
the Work Folders server role on SEA-SVR1 and store the content in a shared folder named C:\syncshare1.
To enable Work Folders for all marketing users, you configure a Group Policy Object to point to
https://SEA-SVR1.Contoso.com. You have asked Bruce Keever to test the solution on a domain-joined
device named SEA-CL1 and a stand-alone device named SEA-WS3. Bruce will validate synchronization and
identify how synchronization conflicts are handled.

Lab 0704: Synchronizing files with OneDrive

Summary
In this lab you will learn how to synchronize content between devices using OneDrive.

Scenario
Your organization would like to leverage OneDrive as a method for accessing user files from any device.
You test this solution by signing in with your Microsoft account and creating a file on SEA-WS2 and
verifying that the file automatically synchronizes to SEA-WS1.

Module Review
Check Your Knowledge
1. You are configuring the storage on a Windows 10 computer. You format a 32 GB volume with FAT32.
What is the maximum file size supported on this volume?
A. 32 GB
B. 4 GB
C. 8 GB
D. 16 GB
E. 16 exabytes
2. You are configuring a Windows 10 desktop computer. You added a new hard disk drive to the com-
puter. You need to configure the drive to support quotas. Which file system should you format the
new drive with?
A. FAT
B. FAT32
C. exFAT
D. NTFS
E. ReFS
3. As an IT support professional, you need to create a network share that can be used by the Executives.
The folder you are sharing is on a ReFS volume. Which of the following are features you can take
advantage of? (select two)
A. Auditing
B. Quota
C. Compression
D. EFS encryption

E. Security
F. Volume shrinking
4. Your organization has created a number of security groups. You need to assign permissions to one of
the security groups that will allow the group members to:
●● see folder content
●● read files
●● start programs
What are the minimum permissions you must assign?
B. Modify
C. Read & execute
D. Read
E. Write
F. Full control
5. You need to determine if a user named Sally, who is a member of the HR security group, can access
the HR folder on an NTFS drive. You open the Advanced Security Settings feature on the HR folder.
What will you be able to determine? (select four)
A. The permissions assigned to Sally.
B. The effective access permissions Sally has on the folder.
C. If Sally is using a 64-bit operating system.
D. The permissions assigned to the HR group.
E. The effective access permissions the HR group has on the folder.
E. The effective access to the drive.
F. How many times Sally has tried to access the folder.
6. You need to free up space on the D drive of a Windows 10 computer. You move one of the folders
from the D drive to the E drive. Both drives are formatted with NTFS. In which scenario will the folder
you move inherit the permissions of the destination folder? (select four)
A. When D and E are on a single volume.
B. When D and E are on different volumes.
C. When D and E are on different computers.
D. When D and E are on the same computer.
E. When D is a hard-disk drive and E is a USB drive.
F. When D is a USB drive and E is a solid-state drive.
G. When D is a network share and E is a USB drive.
7. You are an IT Support professional for a medical facility. One of the physicians needs to move a file to
another folder on the file server. You determine that the folders are on the same volume. What
permissions, at a minimum, must the physician have?
A. When D and E are on a single volume.
B. Write for the destination folder and Modify for the source file
C. Write for the destination folder and Read for the source file
D. Full control for the destination folder and Read for the source file
E. Full control for the destination folder and Modify for the source file
8. As an IT Support professional, you share folders for your organization on a regular basis. You need to
create a new shared folder on a Windows 10 computer. Which of the following can be used to share
the folder? (select four)
A. When D and E are on a single volume.
B. The Shared Folders snap-in
C. File Explorer
D. A USB drive

E. Device Manager
F. Windows Recovery
G. A Command prompt
H. Windows PowerShell
Answers: 1) B 2) D 3) A,E 4) B 5) A,B,D,E 6) A,B,C,E 7) A 8) A,B,G,H
Module 8 Managing Apps in Windows 10

Providing Apps to Users


Lesson Introduction
In your organization, you may face scenarios in which certain app-deployment methods are better for
your organization than other methods. In this lesson, you will learn about traditional app-deployment
methods, as well as methods that you can use to help to automate app deployment.

Lesson Objectives
After completing this lesson, you will be able to:
●● Differentiate between the types of apps in Windows 10.
●● Describe manual app installation.
●● Explain the methods for automating installation of desktop apps.

Types of Windows 10 Apps


There are generally two types of apps that can be installed on a Windows 10 client: Desktop apps and
Universal Windows Platform (UWP) apps, also sometimes referred to as Windows Store apps. Users install
and manage these two types of apps in different ways. Furthermore, network administrators can make
Azure RemoteApp apps available for users. The following sections outline the differences between these
types of apps.

Desktop apps
Desktop apps are traditional apps, such as Microsoft Office. Most users and network administrators are
familiar with desktop apps (sometimes referred to as Win32 apps). An administrator can install desktop
apps on Windows 10 computers locally by using one of two methods:
●● Launching an .exe or .msi file from product media, a network share, or a download from a website.
●● As a package distributed from an application management solution such as System Center
Configuration Manager, typically used to automate and manage installations in an organization.

Universal Windows Platform apps


UWP apps are distributed using a packaging system that installs the app in a way that protects the user,
device, and system. They are simple to install (usually one click), and uninstall just as easily, without
leaving the "artifacts" that Win32 apps typically do. The Windows Store is the most common place to find
UWP apps. UWP apps have several benefits:
●● More Secure. UWP apps include a manifest that explicitly defines what device data and resources the
app can use.
●● Cross-device Windows 10 support. A common API set enables developers to create a single app
that can be installed on Windows 10 desktops, Mobile, Xbox, and Mixed-Reality headsets.
●● Easy Distribution. Developers can distribute apps through the Windows Store, giving their apps
exposure, simplified install, and the ability to monetize the app as well.
●● Private Distribution. Organizations can create internal UWP apps that can also be distributed
through the Windows Store for Business or side-loading the app.
UWP apps are packaged in the .appx file format and must be digitally signed. Existing desktop apps can
also be packaged as UWP apps using the MSIX Packaging Tool, enabling some of the benefits of UWP
apps without requiring additional development.
Note: While Windows 8 can install Windows Store apps, not all UWP apps can be installed on Windows 8.x.
The Windows Store will not show incompatible apps on a Windows 8.x device. Windows 7 does not support
UWP apps.
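Two of the properties just listed, the capability manifest and the mandatory digital signature, can be checked before a package is side-loaded rather than trusted after the fact. The following PowerShell script is an added example and is not part of the course: it reads the capabilities declared in a package's AppxManifest.xml, verifies the package signature with Get-AuthenticodeSignature, installs it only if the signature is valid, and lists the non-Store packages already present on the device. The package path is an assumption, and the script handles a single .appx/.msix file, not a bundle.

```powershell
# Added example (not part of the course): inspect an .appx/.msix package before
# side-loading it, and inventory side-loaded packages on the device.
$PackagePath = 'C:\Packages\ContosoApp.msix'   # assumption

function Get-AppxPackageCapabilities {
    param([string]$Path = $PackagePath)
    # An .appx/.msix is a zip container; AppxManifest.xml at its root declares the device
    # data and resources the app may use. (.msixbundle files wrap several packages and
    # are not handled here.)
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "No AppxManifest.xml in $Path" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
    # Capability, uap:Capability, rescap:Capability and DeviceCapability elements all
    # carry the capability in a Name attribute; skip comments and other non-element nodes.
    $manifest.Package.Capabilities.ChildNodes |
        Where-Object { $_.NodeType -eq 'Element' } |
        ForEach-Object { $_.GetAttribute('Name') }
}

function Test-AppxPackageSignature {
    param([string]$Path = $PackagePath)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status                     # Valid, NotSigned, UnknownError (untrusted chain), ...
        Publisher = $sig.SignerCertificate.Subject  # must match the Publisher in the manifest
        Valid     = ($sig.Status -eq 'Valid')
    }
}

function Install-SideloadedAppx {
    param([string]$Path = $PackagePath)
    $check = Test-AppxPackageSignature -Path $Path
    if (-not $check.Valid) {
        throw "Not installing $Path : signature status is $($check.Status)"
    }
    # Surface what the app asks for before it lands on the device.
    Write-Host "Publisher:    $($check.Publisher)"
    Write-Host "Capabilities: $((Get-AppxPackageCapabilities -Path $Path) -join ', ')"
    Add-AppxPackage -Path $Path
}

function Get-SideloadedAppx {
    # Packages whose signature did not come from the Store or from Windows itself.
    Get-AppxPackage | Where-Object { $_.SignatureKind -in 'Developer', 'Enterprise' } |
        Select-Object Name, Version, Publisher, SignatureKind
}
```

A status of UnknownError from Test-AppxPackageSignature is the usual result for a package signed with a certificate the device does not trust; side-loading then requires distributing the signing certificate to the device's trusted stores first, which is a deliberate decision rather than something to bypass. Get-SideloadedAppx is a useful periodic check on managed devices, because packages with a Developer signature kind are exactly the ones that did not pass through the Store's review.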

App-V apps
Application virtualization (App-V) is designed to achieve goals similar to those of UWP apps, such as
simplified application installation and minimal impact on the OS. However, the architecture of an App-V
app is quite different. App-V is used to deliver Win32 apps virtually to clients, either automatically or on
demand. Unlike UWP or desktop apps, the application is never installed on the client OS.
The App-V client simulates an operating system environment and specially prepared virtualized applica-
tions run within that simulated environment. Virtualized applications do not interact directly with the
client operating system but instead interact with the App-V client. The App-V client functions as a proxy
through which the application uses operating system resources.
The end user experience is no different than a traditionally installed app, and since the application uses
the local client hardware, performs no differently either.
App-V provides the following benefits over traditionally-deployed, locally-installed applications:
●● Run multiple versions of applications. You can use App-V to run different versions of applications
concurrently on the same client computer without conflicts.
●● Minimize application conflict. When you install applications as App-V applications, there are no
application conflicts, because each App-V application runs in its own isolated environment.
●● Simplify application removal. App-V applications are not installed locally, which means that you can
remove them completely and more easily.
●● Simplify application upgrades. The modular nature of virtualized applications means that you can
replace one version of an application with an updated version with less effort.
The App-V client is included in Windows Enterprise and Education editions; however, it must still be
enabled, using either Group Policy or the Enable-Appv PowerShell command. While most Win32
applications can be virtualized, this is not always practical. Virtualized apps run in an isolated environment
by design, and many apps depend on services provided by the OS or by other applications. There are
methods and considerations for handling such dependencies, but not all applications are suited to
virtualization.
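Enabling the in-box client and delivering a sequenced package look like this from PowerShell. The following is an added example, not part of the course; the share path of the .appv package is an assumption, and the package itself is assumed to have been produced with the App-V Sequencer beforehand.

```powershell
# Added example (not part of the course): turn on the in-box App-V client on an
# Enterprise or Education edition and publish a sequenced package to all users.
$AppvPackagePath = '\\SEA-SVR1\AppV\ContosoApp.appv'   # assumption

function Enable-AppVClient {
    # Same effect as the Group Policy setting that enables the client; a restart may be needed.
    Enable-Appv
    # AppVClientEnabled and AppVClientInstalled should both read True afterwards.
    Get-AppvStatus
}

function Publish-AppVPackage {
    param([string]$Path = $AppvPackagePath)
    # Add registers the package with the client; Publish -Global exposes its shortcuts
    # and file associations to every user of the device (omit -Global for the current user).
    Add-AppvClientPackage -Path $Path | Publish-AppvClientPackage -Global
    Get-AppvClientPackage -All | Select-Object Name, Version, IsPublishedGlobally
}
```

Nothing in the package is written into Program Files or the system registry by these steps; the package contents stay in the App-V client's own cache, which is why removal (Unpublish-AppvClientPackage followed by Remove-AppvClientPackage) leaves the OS as it was.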

RemoteApp apps
Windows Server RemoteApp apps display locally but run remotely. Instead of being installed on the
client, they are installed only on a server. A RemoteApp app uses the resources of the server where it is
installed, while using minimal client resources. From a user's perspective, a RemoteApp app appears and
functions as if it were installed on the local client. RemoteApp scenarios include:
●● Insufficient client hardware. Thin clients or devices that do not meet the minimum hardware
requirements for an application.
●● Incompatible OS. Devices that do not have the OS required for the app, such as a tablet, or devices
that run a different architecture, such as an x86 OS that needs to run an x64 app.
●● BYOD scenarios. Organizations want to allow access to corporate apps from personal devices, but do
not want the app installed on the device. Because it is a remote connection, it's not suitable for
scenarios where offline access to apps is required.

Methods for Deploying Desktop Apps


Deploying desktop apps is a critical part of supporting users. Generally, the application deployment
process should be automated. From a user’s perspective, this simplifies the process and makes it possible
to repeat installations. Methods for deploying desktop apps include the following:
●● Manual installation. This method requires a local administrator (either a user or a support person), to
know the location of the setup files, and then initiate installation. This method of installation is
suitable only when you install desktop apps on a small number of computers. Some apps install to the
users’ profile and do not require local administrator rights to install.
●● Group Policy. This method uses a Group Policy Object (GPO) to automate desktop app installation
using the Windows Installer package file format (.msi file) from a network share. You can make
desktop apps available for users to install via Control Panel, or you can configure desktop apps so that
they install automatically for specific users, or on specific computers. To automate the installation
process, some desktop apps require you to create a Windows Installer transform file (.mst file).
●● Microsoft Endpoint Configuration Manager. This method uses the application deployment capabil-
ities of Configuration Manager to automate desktop app installation from a network share. The main
benefits of Configuration Manager versus deploying with Group Policy are increased flexibility and
detailed reporting. You also can use Configuration Manager to distribute application updates.
●● Microsoft Intune. Intune is Microsoft's cloud-based solution for managing desktop and mobile
devices. Intune supports deployment of UWP and AppX packages, and has recently added support for
Win32 apps such as simple MSI files. While not as robust as Configuration Manager, Intune takes
significantly less effort to set up and manage. Intune also manages deployment of apps to non-Windows
devices such as iOS, Android and macOS, as well as deployment to unmanaged (BYOD) devices.
●● Virtualized applications. Microsoft Application Virtualization (App-V) can make applications
available on desktop computers without installing the applications directly. You use the Microsoft
Application Virtualization Sequencer (Sequencer) to capture and later stream the application to the
computer. The App-V Sequencer is part of the Windows 10 Assessment and Deployment Kit (Windows
ADK).

●● Remote applications. With the RemoteApp feature in Windows Server 2012 R2, you can avoid having
applications installed on desktop computers. An icon on the user’s desktop opens a Remote Desktop
Protocol (RDP) session to a server that hosts the application. The application is remote controlled in a
window. This simplifies updates, because you must update only a single central copy of the applica-
tion. This method works best with desktop apps that need to access data in a central location.
●● Inclusion in a Windows operating system image. Many organizations include common applications
in the base Windows operating system image that they deploy to desktop computers. With this
method, you can avoid having a specific deployment process for the desktop app. However, this
method also results in increased image maintenance over time as your organization releases updates
and new versions of the desktop app.

Installing Desktop Apps Manually


To install a desktop app from local media, you insert the product media that contains the desktop app,
and then Windows 10 prompts you with the next steps. Typically, you choose to run Setup.exe.

Note: You also can install desktop apps by using Control Panel. If a network administrator has made apps
available for network installation, you can open Control Panel, and then select Get Programs. A list of
apps that are available for network installation displays. Windows 10 makes these apps available by using
Group Policy Objects (GPOs) and software distribution points.
The installation process for a desktop app begins, and the app installs. By default, all users run as
standard users. Windows 10 prompts you to elevate to full administrator privileges through User Account
Control (UAC) to install the app.

Note: Apps that you install across a network can install automatically without your intervention,
depending on the app package's configuration.

The Windows Installer service


Windows Installer is the Windows 10 desktop-app installation and configuration service; it installs app
packages in the .msi file format. Vendors may already provide their apps in the .msi format. You also can
use non-Microsoft app-packaging products to convert app installers from the .exe file format to Windows
Installer packages in the .msi format.
A Windows Installer package in the .msi format includes the information that is necessary to add, remove,
and repair an app. You can install an app installer in the .msi format locally, or you can deploy it through
an automatic app-deployment solution, such as Group Policy or System Center Configuration Manager.
Because of the way that Windows Installer packages manage changes to an operating system, apps that
you deploy from these packages are more likely to uninstall cleanly than those that you deploy by using
apps installers in executable files. This is important from an app-management perspective, because the
ability to remove an app cleanly, without leaving any trace of it on a device, is as important as installing it
correctly in the first place.
If an app is packaged as an .msi file, and is accessible from the target device, you can run Msiexec.exe
from an elevated command prompt to install a desktop app. For example, to install an app from a shared
folder, type the following command at a command prompt, and then press Enter:
Msiexec.exe /i \\lon-dc1\apps\app1.msi

Administrators also can use Windows Installer to update and repair installed desktop apps.
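An added example, not from the course, that wraps the Msiexec.exe call above in PowerShell: it checks the package’s Authenticode signature before running it from the share, installs unattended with a verbose log, and interprets the Windows Installer exit code. The share path and log folder are constructed placeholders.

```powershell
# Added example, not part of the course text. Installs a Windows Installer
# package from a share after checking its signature, logging to a file.
# The share path and log folder below are placeholders.
param(
    [string]$MsiPath = '\\lon-dc1\apps\app1.msi',
    [string]$LogDir  = "$env:ProgramData\AppDeploy\Logs"
)

function Test-IsElevated {
    # Per-machine installs need an elevated prompt, as the text notes.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Assert-SignedPackage {
    param([string]$Path)
    # An .msi pulled from a network share should carry a valid Authenticode
    # signature; refuse to run anything unsigned, untrusted or tampered with.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Refusing '$Path': signature status '$($sig.Status)' ($($sig.StatusMessage))"
    }
    Write-Host "Package signed by: $($sig.SignerCertificate.Subject)"
}

function Install-MsiPackage {
    param([string]$Path, [string]$LogFolder)
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell prompt.' }
    if (-not (Test-Path -LiteralPath $Path)) { throw "Package not found: $Path" }
    Assert-SignedPackage -Path $Path

    New-Item -ItemType Directory -Path $LogFolder -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $name  = [IO.Path]::GetFileNameWithoutExtension($Path)
    $log   = Join-Path $LogFolder "$name-$stamp.log"

    # /i install, /qn no UI, /norestart suppress automatic reboot, /L*v verbose log
    $arguments = @('/i', "`"$Path`"", '/qn', '/norestart', '/L*v', "`"$log`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru

    # Windows Installer exit codes: 0 = success, 3010 = success but a reboot is
    # required, 1641 = success and the installer initiated a reboot.
    switch ($proc.ExitCode) {
        0       { Write-Host "Installed. Log: $log" }
        3010    { Write-Warning "Installed; a restart is required. Log: $log" }
        1641    { Write-Warning "Installed; the installer started a restart. Log: $log" }
        default { throw "msiexec.exe exited with code $($proc.ExitCode). See $log" }
    }
    return $proc.ExitCode
}

Install-MsiPackage -Path $MsiPath -LogFolder $LogDir
```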

Installing Desktop Apps Automatically


A single, user-directed installation process works for scenarios in which a desktop app will be installed
only once or twice. However, for larger and more complex installations, you should plan and perform an
automated desktop-app deployment. Several options exist for automating desktop-app deployment to
Windows 10 computers.

Automating installation by using Group Policy


Group Policy software deployment enables you to deploy desktop apps in the Windows Installer .msi file
format to computers that belong to an Active Directory Domain Services (AD DS) environment. Group
Policy software deployment offers the most basic form of automated app deployment. To perform Group
Policy software deployment, you configure a GPO. Use Group Policy as a software-deployment method in
small organizations where the desktop apps that you want to deploy already are packaged in the Windows Installer format. Group Policy software deployment has the following requirements and properties:
●● The target computers must belong to an AD DS domain.
●● You must package the software in the Windows Installer .msi file format.
●● User and computer accounts can be the targets of an app deployment.
●● You can target a deployment at the domain level, the site level, or the organizational unit (OU) level.

Group Policy software deployment supports the following deployment types:


●● Assign. You can assign apps to users or computers. When you assign an app to a user, the app installs
when the user signs in. When you assign an app to a computer, the app installs when the computer
starts.
●● Publish. You can publish apps to users. Doing so makes an app available through the Programs and
Features item in Control Panel. You cannot publish apps to computers.
Group Policy software deployment has the following drawbacks:
●● It can be difficult to determine whether a deployment is successful. Group Policy software deployment
does not include reporting functionality. The only way to determine whether an app has installed
correctly is to check it manually.
●● There is no prerequisite checking. Group Policy software deployment does not enable you to perform
prerequisite checks directly. You can use Windows Management Instrumentation (WMI) queries to
perform these checks. However, this complex operation requires significant expertise and time.
●● There is no installation schedule. Deployment will occur the next time a Group Policy refresh occurs.
You cannot schedule Group Policy software deployment to occur at a specific date and time.

Automating installation by using MDT


Microsoft Deployment Toolkit (MDT) is a solution accelerator that you can use to automate the deployment of operating systems and apps to devices. You can use MDT to perform lite-touch installation (LTI).
LTI requires that you trigger an operating system deployment or app installation on each computer, but it
requires minimal intervention after the deployment begins. You can use MDT to perform automated app
and operating-system deployment without deploying Configuration Manager. However, you can use
MDT when you integrate it with Configuration Manager to perform zero-touch installation (ZTI). ZTI
enables app and operating-system deployment and migration without requiring any intervention.
The LTI process requires only the tools that are available in MDT. You do not need to deploy Configuration Manager in your environment to perform LTI. To perform LTI by using MDT, perform the following steps:
1. Deploy MDT on a computer that will function as the management computer, create a deployment
share on this computer, and then import the image files that you will use.
2. Create a task sequence and a boot image for the computer that will function as the reference computer.
3. Start the reference computer by using the medium that contains MDT. The task sequence files, task
sequence, and boot image transfer to the reference computer.
4. Use the Windows Deployment Wizard to deploy the operating system and required apps. After
deployment, capture the reference computer as an image.
5. Transfer the captured image to the management computer.
6. Create a new boot image and task sequence for deployment to the target computers.
7. Start the deployment target computers by using the medium that contains MDT. The task sequence
files, task sequence, and boot image transfer to the reference computer.
8. Run the Windows Deployment Wizard to deploy the prepared image.

Automating installation by using Microsoft Intune


With Windows 10, organizations can use Microsoft Intune to manage Windows PCs either as mobile devices with mobile device management (MDM) or as computers with the Intune software client. Windows Vista, 7, and 8 can only be managed as computers and require the Intune software client. Windows 10, Mac OS X, iOS, Android, and Windows Phone can be managed by using Intune’s MDM management capabilities.
Microsoft recommends that customers use the MDM management solution whenever possible. For more
information on the differences between managing Windows as a computer or as a mobile device with
Intune, see http://aka.ms/AA3tzmy.
Once clients are enrolled in Intune, administrators can:
●● Make software available as an optional installation or configure it as a required installation.
●● Use reporting features of Microsoft Intune. This provides reporting on the success and failure of
targeted app deployment, and it means that you can determine how many clients out of the target
group successfully installed the deployed app.
●● Remove apps that previously were deployed to client computers.
●● Set up app protection policies for installing or launching an app. An example would be requiring that the device’s PIN lock be enabled before it can use Outlook with the organization’s Exchange server.
Note: You must upload apps to Microsoft Intune before you can deploy them.

Installation by using Configuration Manager


Configuration Manager provides a comprehensive platform for app deployment and management, and it
supports deploying apps in the .exe, .msi, .appv, and .appx file formats. Configuration Manager enables
administrators to target deployments to groups of users and computers, and to configure deployments
to occur at specific dates and times. Computers must have the Configuration Manager client installed to
receive software that Configuration Manager deploys. Using Configuration Manager provides you with a
number of benefits, including:
●● Collections. Configuration Manager enables you to create collections that consist of manually created
groups of users or computers, or collections based on the results of queries of user or computer
properties. You then can target app deployment to these collections. For example, you can create a
collection that includes only the computers that are located at a specific site with a certain deployed
app and a specific piece of installed hardware.
●● Multiple deployment types. Configuration Manager enables you to use multiple deployment types.
With this feature, you can configure a single app deployment but make it possible for that deployment to occur in different ways, depending on the conditions that apply to the target computer or user. For example, you can configure an app to install locally if a user is logged on to his or her primary device, but to stream as an App-V app if the user is logged on to another device.
Note: App-V is included in the Enterprise and Education editions of Windows 10. It is a Microsoft solution that allows users to run virtualized applications on their computers without having to install or configure them locally.
Deployment types also enable you to configure the deployment of the x86 version of an app if the target computer has a 32-bit processor, or to configure the deployment of the x64 version if the target computer has a 64-bit processor.
●● Reporting. This feature enables you to determine how successful an app deployment was after its completion. Configuration Manager also enables you to simulate app deployments before performing them, enabling you to determine if any factors that you have not considered might block a successful app deployment.
●● Wake on LAN (WOL). Instead of interrupting a user with an app installation that might require a restart, which could disrupt his or her current productivity, WOL functionality allows you to schedule app deployment to occur after normal business hours. Typically, users are done working during this time, and compatible computers are in a low-power state.
●● Software inventory, software metering, and Asset Intelligence. A software inventory provides you with
a list of which apps are installed on your organization’s computers. You can use software metering to
monitor how often particular apps are used. You can use the Asset Intelligence feature to check
software-licensing compliance. This helps you ensure that the number of apps deployed in your
organization equals the number of software licenses that you have available.

Office 365
Microsoft 365 is a subscription version of Office. Whether your business is small or large, there are
monthly or annual subscription plans to fit your organization's needs. Office 365 is also available for
home users, education, government, and non-profit organizations.
Microsoft 365 Apps includes productivity services that require an Internet connection, such as Teams web
conferencing, Exchange Online hosted email for business, SharePoint, and online storage with OneDrive.
Not all Microsoft 365 plans include all productivity services.
Most Microsoft 365 plans also include a version of the Office apps that you can install. The list of applications includes Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft OneNote, and Microsoft Outlook, as well as Microsoft Access and Microsoft Publisher for PCs.
You can install Microsoft 365 on up to 5 personal computers (PCs) or Macs per user. You can also install
the Office Mobile apps for iOS and Android on up to five tablets and phones per user. When you have an
active Microsoft 365 subscription that enables you to install the desktop version of Office, you will receive
updates, which provide you with up-to-date versions of the applications.
Many plans that enable installed applications are limited to five installations on a PC or Mac, and five
tablets and five phones per user. Other plans only allow access to web-based Office apps.

Microsoft 365 plans


There are more than 20 different Microsoft 365 plans that are suitable for organizations of all different types and sizes. The following table lists some of the most common plans together with some of the features for each plan.

Feature                                   | Microsoft 365 Apps   | Microsoft 365 Business Premium | Office 365 Enterprise E1 | Office 365 Enterprise E5
Desktop versions of Office applications   | Yes                  | Yes                            | No                       | Yes
Office mobile apps for tablets/phones     | Yes                  | Yes                            | Yes                      | Yes
Web versions of Office                    | Yes (except Outlook) | Yes                            | Yes                      | Yes
File storage per user                     | 1 TB                 | 1 TB                           | 1 TB                     | Unlimited
E-Mail Hosting                            | No                   | 50 GB per mailbox              | 50 GB per mailbox        | 100 GB per mailbox
FastTrack deployment support              | Yes                  | Yes                            | Yes                      | Yes
(included with 150+ seats)                |                      |                                |                          |
Information Protection                    | No                   | No                             | No                       | Yes
Additional Reading: For more information, refer to: http://aka.ms/R5pqy4

Microsoft 365 deployment options


The locally installed version of Microsoft 365 requires a Windows 7 or newer Windows client operating system, or a Windows Server 2008 R2 or newer Windows Server operating system. You can use some of the same methods to deploy Microsoft 365 that you use to deploy desktop apps. These deployment options include the following:
●● Click-to-run. You download Microsoft 365 directly from the Microsoft website. Click-to-run uses the
same streaming and virtualization technologies as App-V, so you can use the Microsoft 365 apps
before the installation completes.
●● Configuration Manager. This provides native integration for deployment of Microsoft 365, providing
extensive control over installation, updates, and settings.
●● Microsoft Intune. You can assign Microsoft 365 Apps to devices managed by Intune.
●● Office Deployment Tool (ODT). This is a command-line tool that you can use to download and customize your deployment of Microsoft 365 Apps. The ODT can be used to customize and manage Click-to-run deployments as well.
●● App-V. You create Microsoft 365 App-V packages using the Office Deployment Tool.
●● Remote Desktop Service (RDS). You can install Microsoft 365 on a computer that runs RDS.
●● Group Policy. You deploy Microsoft 365 as a startup script to the computers that need to have
Microsoft 365 installed.
Additional Reading: For more information, refer to the “Office 2016 Deployment Tool” at: http://aka.ms/AA60326

Managing Universal Windows Apps


Lesson Introduction
The Windows Store is where you acquire Universal Windows apps. Typically, these apps do not consume
much memory or have excessive processor demands. In Windows 8 and Windows 8.1, Universal Windows
apps run in full-screen mode in the new Windows UI. In Windows 10, Universal Windows apps run in
resizable windows similar to traditional desktop apps.
It is important that you know how to manage user access to the Windows Store, which enables you to
control the installation and use of these applications. Windows 10 introduces the Windows Store for
Business where enterprises can create their own private section of the Windows Store that contains
pre-approved and custom applications.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the Universal Windows apps, Windows Store, and Windows Store for Business.
●● Explain how to manage and restrict access to Windows Store.
●● Explain how to resolve issues related to Universal Windows apps.
●● Explain how to configure assigned access to a Universal Windows app.
●● Describe the process of using AppLocker to control Universal Windows apps.

Microsoft Store and Microsoft Store for Business


The Microsoft Store provides a convenient, single location where users can browse, install, and update
applications. Many Universal Windows apps from the Windows Store are free, while others are available
for purchase, or for free trial period. Users can access the Microsoft Store from both the desktop taskbar
and the Start menu.

Note: To access the Microsoft Store, users must sign in by using a Microsoft account. Users can create
this account during the Windows 10 installation, or after installation. You also can access the Microsoft
Store by connecting your Microsoft account to your AD DS user account. The built-in administrator
account cannot access the Microsoft Store or run any Universal Windows apps by default.

Universal Windows apps


The Microsoft Store design enables users to access and install Universal Windows apps. Universal Windows apps are not like desktop apps, such as Office 2016 apps that run only on PC editions of Windows 10. Universal Windows apps run on all editions of Windows 10, including Windows 10 Mobile.
Universal Windows apps can communicate with one another and with the Windows 10 operating system,
making it simpler to search for and share information such as photographs. When you install a Universal
Windows app, you can pin tiles to the Start menu, some of which update continuously with live app
information or status.
Microsoft developed a procedure that provides the ability to convert desktop apps to Universal Windows
apps targeting Windows 10 Enterprise and Professional editions. The conversion functionality relies on
two components. The first component is the Desktop App Converter, which is a tool that repackages an
existing binary into the Universal Windows Platform (UWP) format. The resulting package contains the
same base code that runs the desktop app. The second component is the runtime that Microsoft introduced in the Windows 10 Anniversary Update. The runtime allows UWP packages to operate with the full trust level, rather than in an app container. It also assigns a package identity to a converted app.
The conversion provides numerous benefits. It gives you the ability to apply a consistent app deployment
methodology that uses sideloading and offers a straightforward and clean uninstallation process. It
allows developers to enhance legacy desktop apps with UWP features, including, for example, visual
enhancements or support for background tasks. It also provides integration with the Microsoft Store
licensing and update functionality.

Locating Universal Windows apps


When users connect to the Microsoft Store, the initial page they see is known as the landing page. This
page makes it easier to locate and receive information on applications. The Microsoft Store divides
applications into categories such as Games, Entertainment, and Music & Videos.
Users also can search the Microsoft Store for specific Universal Windows apps. For example, if a user
needs an application that provides video editing capabilities, the user can type the search text string in
the search text box of the Microsoft Store app. The Microsoft Store lists the applications from which the
user can choose.
Note: Not all applications are available in all geographic locations or in every language.

Installing Universal Windows apps


Installing Universal Windows apps is a single-step process for users. A single select on the appropriate application in the Microsoft Store will install the application. The application installs in the background, so the user can continue browsing the Microsoft Store. After the application installs, a shortcut to the application displays in the user’s Start menu under All apps. The user then can select to pin the application to the Start menu, to the taskbar, or both.

Updating Universal Windows apps


Windows 10 checks the Microsoft Store daily for updates to installed Universal Windows apps. When
updates for installed applications are available, the user can open the Microsoft Store app and select to
update one, several, or all of their installed applications.
Note: By default, Windows will update installed applications automatically. However, users can change
this setting if they want only to update specific applications.

Installing Universal Windows apps on multiple devices


Many users have multiple devices—for example, a desktop and a laptop computer. The Microsoft Store
allows 10 installations of a single application so that users can run the same application on each of their
devices. If users attempt to install an application on an 11th device, they receive a prompt that they must
first remove the application from another device. In Windows 8.1, the limit is 81 devices.

Microsoft Store for Business


Microsoft Store for Business is a store that enterprises can customize. Microsoft Store for Business consists of two parts. The first part is a web portal hosted in Microsoft Azure, known as the Business Store portal, where information technology (IT) administrators can purchase, approve, and distribute applications for the entire enterprise. The second part is the Microsoft Store app, with an enterprise-managed private section that only employees of that enterprise can access. Any Universal Windows app that you want to be available in the Microsoft Store for Business must be uploaded to the Microsoft Store. However, it will only appear in the Microsoft Store app for users in that enterprise, and not in the retail version of the Microsoft Store.

Microsoft Store vs. Microsoft Store for Business


The Microsoft Store is primarily for end-users’ use when not necessarily working for an enterprise,
whereas the Microsoft Store for Business gives enterprise employees a way to install work-related
Universal Windows apps. The following table highlights some of the differences between the Microsoft
Store and the Microsoft Store for Business.

Microsoft Store                                                   | Microsoft Store for Business
Purchasing requires a Microsoft account.                          | Purchasing requires an Azure AD account.
Each user purchases their own license for an application.         | An administrator can purchase multiple application licenses.
You can deploy applications only through the Microsoft Store.     | You can deploy applications through the Microsoft Store and by using deployment tools.
Applications acquired will work on the Windows 8 Phone, and the   | Applications acquired in the Microsoft Store for Business will work on Windows 10 only.
Windows 8, Windows 8.1, and Windows 10 operating systems.         |
The store contains Universal Windows apps only.                   | The store contains Universal Windows apps, desktop apps, and Android apps.
Available in all Windows 10 editions.                             | The store is available only in Windows 10 Pro, Enterprise, and Education editions.
Note: The Microsoft Store was formerly named the Windows Store. Some UIs and settings may still reflect
this.

Managing Access to the Microsoft Store


While it might be convenient to enable users to search for and install applications themselves, this
method poses potential problems for system administrators who want to control application installation,
or impose a rigid desktop standard on network-connected computers. For these reasons, you can prevent
users from accessing the Microsoft Store.
Note: This functionality requires the Windows 10 Enterprise edition.

Preventing users from installing applications from the Microsoft Store
To disable user access to the Microsoft Store, perform the following procedure:
1. Run regedit.exe.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore. (If the
WindowsStore key is not there, you will need to create it.)
3. Create a new DWORD value named RemoveWindowsStore, and change the value to 1.
4. Before this setting can take effect, you must restart the computer and sign back in.
In Windows 8 and Windows 8.1, you can configure this setting via a Group Policy setting, but the WinStoreUI.admx and .adml files are not present in Windows 10. Because Windows 10 introduces the Microsoft Store for Business, preventing access to the Microsoft Store app is not as relevant in Windows 10 as it is in Windows 8.1. However, you can prevent users from signing in with a Microsoft account by using Group Policy, and thereby prevent users from downloading apps from the Microsoft Store.
Users will receive the following message when access to the Microsoft Store is blocked:

Controlling the applications that users can install


Windows 10 Enterprise and Windows 10 Education editions enable you to use AppLocker to control
which Universal Windows apps users can install and run. In AppLocker, you configure which Universal
Windows apps to allow or deny, under the category Packaged Apps.

Managing updates
IT administrators have limited control over updates for installed Universal Windows apps. You cannot
control which updates are available. By default, applications installed from the Microsoft Store update
automatically.

Configuring Assigned Access to a Single Store App
In some situations, you might want to lock down a computer so that it can run only a single Universal
Windows app. A computer that is configured this way might be in a public area, such as in a library, at a
kiosk, or in a coffee shop. In fact, it is the user account that you are restricting rather than the computer.

To restrict a user account to run a single Universal Windows app, perform the following procedure:
1. From the Start menu, select Settings.
2. Select Accounts, and then select Other people.
3. In the right pane, select Set up assigned access.
4. Select Choose an account, and then select the account that you want to restrict.
5. Select Choose an app, and then select the installed application to which you want to restrict the
account.
6. Sign out from the computer to make the changes effective.
When the user signs in to the computer, they will be able to access only the assigned application. You can
assign access only to users that have previously signed in to that computer and have the application
installed.
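An added example, not from the course, that applies the same restriction with the AssignedAccess PowerShell module instead of the Settings app: it looks up the Application User Model ID (AUMID) of an app installed for the target user and passes it to Set-AssignedAccess. The account name and package name are placeholders, and, as the text notes, the account must already have signed in to the computer and have the app installed.

```powershell
# Added example, not part of the course text. Restricts a local account to a
# single UWP app with the AssignedAccess module (run from an elevated prompt).
# The user name and package name below are placeholders.
param(
    [string]$UserName    = 'KioskUser',                   # placeholder local account
    [string]$PackageName = 'Microsoft.WindowsCalculator'  # placeholder app package
)

function Get-AppUserModelId {
    param([string]$User, [string]$Name)
    # Assigned access identifies the app by its AUMID, which is
    # <PackageFamilyName>!<Application Id> from the package manifest.
    # The package must be registered for the target user, not just the admin.
    $pkg = Get-AppxPackage -User $User -Name $Name
    if (-not $pkg) { throw "'$Name' is not installed for user '$User'." }
    $manifest = Get-AppxPackageManifest -Package $pkg.PackageFullName
    $appId = @($manifest.Package.Applications.Application)[0].Id
    return "$($pkg.PackageFamilyName)!$appId"
}

function Set-SingleAppKiosk {
    param([string]$User, [string]$Name)
    $aumid = Get-AppUserModelId -User $User -Name $Name
    # Only one assignment exists per computer; this replaces any earlier one.
    Set-AssignedAccess -UserName $User -AppUserModelId $aumid
    # Read the configuration back so the change can be verified and logged.
    return Get-AssignedAccess
}

function Remove-SingleAppKiosk {
    # Undo the restriction; the user then gets a normal desktop again.
    Clear-AssignedAccess
}

Set-SingleAppKiosk -User $UserName -Name $PackageName | Format-List
```

The change takes effect at the user’s next sign-in, exactly as with the Settings procedure.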

Sideloading UWP Apps


If your organization has developed custom Windows Store apps, you can use sideloading to install these
apps. When sideloading a Windows Store app, you use an .appx installer file. You can use Dism.exe or the
Windows PowerShell command-line interface to sideload and manage Windows Store apps.

Note: For large-scale deployment of sideloaded apps, an enterprise organization can use Microsoft
Intune to deploy Windows Store apps by using the Self-Service Portal. They could also use Microsoft
System Center Configuration Manager.
To prevent malware from deploying through the sideloading process, Windows 10 only allows installation
of apps that the developer has signed by using a trusted root certificate. If your organization creates a
line of business (LOB) app, it must be signed by using the organizational trusted root certificate.
Note: You can use a self-signed certificate to sideload an app, but this is not a best practice in a production environment.

The process of sideloading apps


To sideload an app, you first must enable the Windows 10 sideloading feature by performing the following procedure:
●● Open Settings, and then tap Update & security.
●● On the For developers tab, select Sideload apps.
●● In the Use developer features dialog box, tap Yes.
Note: In Windows 8.1, it is necessary to either edit the device’s registry or use GPOs to configure this
behavior by enabling the Allow all trusted apps to install option in the App Package Deployment node.
If the app is signed with a trusted certificate, proceed to installing the app. However, if the app is signed
by a certificate that your device does not trust, you must install the certificate into the computer’s Trusted
Root Certification Authorities node. To do this, perform the following procedure:
1. Open File Explorer.

2. Locate the certificate that came with the app. Tap and hold the certificate, and then tap Install
Certificate.
3. On the Certificate Import Wizard page, tap Local Machine, and then tap Next.
4. On the Certificate Store page, tap Place all certificates in the following store, tap Browse, tap
Trusted Root Certification Authorities, tap OK, tap Next, and then tap Finish.
5. In the Certificate Import Wizard dialog box, confirm that the import was successful, and then tap
OK.
You now can install the app by performing the following procedure:
1. Open Windows PowerShell.
2. Run Add-AppxPackage PATH\APP.appx, replacing PATH with the full path to the app and APP.appx with your app’s file name.
The app now should appear in Start.
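An added example, not from the course, that scripts the sideloading procedure above with the checks a deployment should make first: that sideloading is enabled, that the .appx signature chains to a root this device trusts, and that the signer is the organization’s own LOB signing certificate rather than just any trusted one. The package path, certificate thumbprint and registry check are assumptions labelled in the code.

```powershell
# Added example, not part of the course text. Verifies an .appx is signed by
# the organization's expected certificate before sideloading it with
# Add-AppxPackage. The path and thumbprint below are placeholders.
param(
    [string]$AppxPath           = 'C:\Deploy\ContosoLob.appx',
    [string]$ExpectedThumbprint = 'REPLACE_WITH_ORG_SIGNING_CERT_THUMBPRINT'
)

function Test-SideloadEnabled {
    # Value set by the "Sideload apps" switch (Settings > Update & security >
    # For developers) and by the "Allow all trusted apps to install" policy.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    $val = Get-ItemProperty -Path $key -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
    return [bool]($val -and $val.AllowAllTrustedApps -eq 1)
}

function Assert-TrustedLobPackage {
    param([string]$Path, [string]$Thumbprint)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the chain ends at a certificate in Trusted Root
    # Certification Authorities on this device; NotSigned, HashMismatch or an
    # untrusted chain all fail here, which is the malware check the text describes.
    if ($sig.Status -ne 'Valid') {
        throw "Rejecting '$Path': $($sig.Status) - $($sig.StatusMessage)"
    }
    # A trusted chain alone is not enough for a LOB app: pin the signer so a
    # package signed by some other trusted CA is not installed by mistake.
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $Thumbprint) {
        throw "Rejecting '$Path': signer thumbprint $actual is not the expected LOB certificate"
    }
    return $sig.SignerCertificate.Subject
}

function Install-LobPackage {
    param([string]$Path, [string]$Thumbprint)
    if (-not (Test-SideloadEnabled)) {
        throw 'Sideloading is not enabled on this device (Settings > Update & security > For developers).'
    }
    $signer = Assert-TrustedLobPackage -Path $Path -Thumbprint $Thumbprint

    # Record which package the install actually registered for this user.
    $before = Get-AppxPackage | Select-Object -ExpandProperty PackageFullName
    Add-AppxPackage -Path $Path
    $after  = Get-AppxPackage | Select-Object -ExpandProperty PackageFullName
    $new    = Compare-Object -ReferenceObject $before -DifferenceObject $after |
              Where-Object SideIndicator -eq '=>' |
              Select-Object -ExpandProperty InputObject

    [pscustomobject]@{ Signer = $signer; Installed = $new }
}

Install-LobPackage -Path $AppxPath -Thumbprint $ExpectedThumbprint
```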

Web Browsers in Windows 10


Lesson Introduction
Microsoft provides two web browsers in Windows 10: the new Microsoft Edge browser, and Internet Explorer 11. The Microsoft Edge browser provides a consistent browsing interface across devices, including Windows Phones, tablets, and laptops. Internet Explorer provides backwards compatibility with websites that require some features that Microsoft Edge does not support. This lesson explores the features of both web browsers.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe Internet Explorer 11.
●● List and explain the Internet Explorer 11 privacy features.
●● List and explain the Internet Explorer 11 security features.
●● Explain how to manage add-ons in Internet Explorer 11.
●● Use the Compatibility View feature in Internet Explorer 11.
●● Configure and use Internet Explorer.
●● Describe the features of Microsoft Edge.
●● Configure and use Microsoft Edge.
●● Discuss the appropriate browser to use in your organization.
●● List the productivity features in Microsoft Edge.

Internet Explorer 11 and Microsoft Edge


Windows 10 comes with two web browsers: Internet Explorer 11, and Microsoft Edge. Internet Explorer 11
provides compatibility with legacy web applications, while Microsoft Edge provides a more secure
browsing experience.
Microsoft Edge
User experiences with Internet Explorer have been the foundation for designing a new Microsoft browser.
Microsoft Edge is the default browser in Windows 10. It supports annotations that you can save to
OneNote, or share with Universal Windows apps that support sharing.
Microsoft Edge also supports integration with Cortana, the personal assistant in Windows 10. It also has a
special reading mode that makes it easier to read long portions of text on webpages. Starting with
Windows 10 Anniversary Update, Microsoft Edge also offers support for extensions, which you can
download from the Windows Store. These are lightweight software components that extend the existing
functionality, thereby improving the overall browsing experience. For example, you can use extensions to
view, edit, and create Office files directly in the browser window, block unwanted ads, or translate
webpages.
Microsoft Edge (Chromium-based)
Microsoft Edge was originally an HTML-based browser. Starting with Edge version 77, released in January 2020, Edge is built on the open source Chromium project. In addition to new features such as tracking prevention and collections, Chromium-based Edge offers better website viewing compatibility and supports the large ecosystem of plugins available to Chromium-based browsers.
Microsoft is distributing Chromium-based Edge to all Windows Update-connected devices running Windows 10 version 1803 and newer. Devices that are managed by Windows Server Update Services (WSUS) or Windows Update for Business (WUfB) are excluded from this automatic update, and their administrators can manage the rollout of the newer Edge browser in their environment.
Internet Explorer 11
Internet Explorer 11 is the web browser that you can run on all supported versions of the Windows operating system. Using Internet Explorer 11 makes the transition to Windows 10 easier, because there is no change in the browsing or managing experience. Internet Explorer 11 still supports Microsoft Silverlight, ActiveX, and other non-Microsoft extensions, and provides compatibility support for previous versions of Internet Explorer. Internet Explorer 11 is the preferred browser when you need to support legacy web applications, for example by using Internet Explorer Enterprise Mode.
Most companies will use both browser types: one for current websites, and one for legacy web applications. The following table compares the two browsers in Windows 10.

Internet Explorer 11                                                                     | Microsoft Edge
Supports ActiveX extensions                                                              | Supports extensions that are available from the Windows Store based on the HTML, JavaScript, and CSS extension model
Runs in user mode; Protected Mode can be enabled                                         | Runs in sandbox mode, making malware infection harder
Supports compatibility with earlier versions of Internet Explorer                        | No compatibility support
Same browser on other Windows operating systems                                          | New browser
Granular customization with Group Policy and Internet Explorer Administration Kit (IEAK) | Common settings are configurable with Group Policy
Save page as HTML                                                                        | Cortana integration, reading pane, and annotations

Microsoft Edge Browser


The new Microsoft Edge browser is a cross-platform browser that is available for Windows 10. The
interface is simpler and more intuitive to use, with options that users can configure with touch switched on or off.
 Web Browsers in Windows 10  277

New or improved features


Microsoft Edge includes a number of features that make it easier to use on a touch device, including:
●● Reading mode, which allows you to view webpages in a simplified layout. You can configure the style
that optimizes the viewing layout.
●● The Hub, which is a central location in which Microsoft Edge consolidates several items, including a
user's:
   ●● Favorites
   ●● Reading list
   ●● Browser history
   ●● Downloads
●● Web notes, which you can enable for webpages that you visit. In tablet mode, you can use tools to
take notes, write, draw, and highlight webpage elements. You then can store these notes in OneDrive
or locally in your Favorites.
Microsoft Edge improves browsing in Windows 10 partly due to some of the following features:
●● Better accessibility features
●● Improved battery life
●● Better browsing experience on popular websites as a result of improved HTML5 compatibility and the
move to the Chromium engine
●● Improved security by using kernel attack protection, which makes attacks on the kernel less successful
●● Better management of favorites including creating folders for favorites and importing favorites from
other browsers
278  Module 8 Managing Apps in Windows 10  

Microsoft Edge stores favorites in a database in the following folder:
%LocalAppData%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore.
Because favorites are stored in a database, you cannot use File Explorer to manage your favorites in
Microsoft Edge.

Options and settings


Internet Explorer has an extensive range of settings that you can configure to control your browsing
experience. Microsoft Edge streamlines these settings, and you can configure options and settings by
using the More actions link. This opens a window on the right, where some of the options that display
are:
●● Open a New InPrivate window. This provides the same privacy benefits of InPrivate browsing in
Internet Explorer 11.
●● Zoom. This allows you to zoom in or out.
●● Find on page. This is a text box in which you can enter text to search for, on the open webpage.
●● Print. This allows you to print your webpage.
●● Extensions. This shows the installed extensions, and includes a link to Windows Store for installing
additional extensions.
●● Help and feedback > What's new and tips. This opens the Microsoft Edge Tips page where you can
learn how to use Microsoft Edge more efficiently.
●● Settings. Some of the settings you can configure in Microsoft Edge are:
   ●● Appearance. This allows you to choose between light and dark themes, show the favorites bar,
   collections, and feedback button, and set the Home button.
   ●● Profiles. This allows you to manage your account, sync, passwords, stored payment information,
   import of favorites, and multiple profile preferences.
   ●● Privacy and services. This is where you define privacy settings, including the tracking prevention
   level, which data to send, SmartScreen settings, and clearing history and saved data.
   ●● Phone and other devices. This option allows you to set up sync of settings with the other devices
   you use.

Managing Extensions
When you use Microsoft Edge without any add-ons or modifications, most websites will display normally.
Beginning with Windows 10 Anniversary Update, Microsoft Edge can use only those extensions that are
installed from the Windows Store. However, because you install extensions from the Windows Store, you
must have a Microsoft account to install the extensions.

Extensions are web add-ons that you can use to customize your browser. Microsoft and other software
vendors have released extensions in various categories. Some of the categories of extensions include:
●● Translation
●● Password management
●● Ad blocking
●● Web clippers
●● Page analyzing
●● Web shop improvements
You can install extensions by performing the following steps:
1. Open Microsoft Edge.
2. On the Settings and More menu (the ellipsis, ..., in the top-right corner), select Extensions.
3. In the Extensions dialog box, select Get extensions from Microsoft Store.
4. In the Edge Add-ons site, select the extension that you want to install.

Microsoft Edge Productivity Features


Microsoft Edge has many features that allow you to be more productive when browsing websites. These
features can improve reading speed, accomplish actions quicker, and help to browse websites more
easily.

Pinned tabs
In Microsoft Edge, you can pin tabs to the tab row. Pinned tabs take up less space because they only
display the site icon, and they reappear when you close and reopen Microsoft Edge.

Paste and go
If you copy a link to the clipboard, you can right-click in the Microsoft Edge address bar, and then select
Paste and go. This will make Microsoft Edge instantly go to the site. If the text that you have in the
clipboard is not a link, then the option that appears will be Paste and search. Microsoft Edge will then
use the default search engine to search for the clipboard text.

Improved battery life


While browsing using Microsoft Edge, the device uses less battery life because Microsoft Edge uses
minimal resources when a page is not in use.
Windows Hello authentication
Compatible sites can use Windows Hello to improve user authentication for a faster sign-in experience.

Web notifications
Notifications in the Action Center can be from sites that support notifications. Notifications will make it
possible for you to respond more quickly. You can configure which sites display notifications. If you have
a site open in an InPrivate window, then notifications from that site will not display in the Action Center
due to security reasons.

Reading view (Immersive Reader in Edge Chromium)


Microsoft Edge includes a reading view that focuses on the text displayed on the page, and if possible,
removes the pictures. This can improve your reading speed. You can switch the reading view on and off
by selecting the book icon in the address bar. You can also use the hotkey Ctrl+Shift+R.

Collections
New with Edge Chromium is Collections, which allow you to easily collect, organize and share content
that you find across the web. Collections provides a side panel that allows you to add pages or drag
objects into the panel. This provides an easy way to perform actions such as comparing items when
shopping or collecting information for planning a trip or event.

Synchronization of settings
By default, Microsoft Edge (HTML-based) favorites will synchronize to OneDrive, if you have a Microsoft
account. This will help in easier management of favorites, and in transferring favorites between devices
and computers. In organizations using Azure AD, customers can use Enterprise State Roaming to sync
Windows settings, which include browser settings.
With the new Microsoft Edge Chromium, the sync solution isn't tied to the Windows sync ecosystem. This
enables Microsoft to offer Microsoft Edge across all platforms, such as Windows 7, Windows 8.1, iOS,
Android and macOS. It also enables sync for non-primary accounts on Windows. The data
supported by sync includes:
●● Favorites
●● Passwords
●● Addresses and more (form-fill)
●● Collections
●● Settings

Internet Explorer 11
Windows 10 includes Internet Explorer to ensure that any legacy or LOB apps that your organization uses
can continue to function.

Internet Explorer includes a number of security and compatibility features that enable users to browse
with safety and confidence. This in turn helps maintain customer trust in the Internet and the apps based
on Internet technologies. Additionally, it helps protect your IT environment from the evolving threats that
the web presents.
Internet Explorer 11 specifically helps users maintain their privacy with features such as:
●● InPrivate Browsing
●● InPrivate Filtering
The SmartScreen Filter provides protection against social-engineering attacks by:
●● Identifying malicious websites that try to trick people into providing personal information or installing
malware.
●● Blocking malware downloads.
●● Providing enhanced antimalware support.


Other security features of Internet Explorer 11 include:
●● ActiveX controls, which help prevent a browser from becoming an attack agent. You can use the
following features for more detailed control over the installation of ActiveX controls:
●● Per-site ActiveX features
●● Per-user ActiveX features
●● The cross-site scripting filter, which protects websites from attacks.
Internet Explorer also includes the Compatibility View feature, which allows users to view websites and
web apps based on older web technologies.

Privacy Features in Internet Explorer 11


One of the biggest concerns for users and organizations is the issue of security and privacy with respect
to the Internet. Internet Explorer 11 helps users maintain their security and privacy. For enterprises that
want their users to be able to browse without collecting browsing history, Internet Explorer 11 has a privacy
mode called InPrivate Browsing. This allows users to surf the web without leaving a trail. As an alternative
to InPrivate Browsing, a user can use the Delete Browsing history option found in the Internet options
dialog box to delete their browsing history manually without losing site functionality.

The InPrivate Browsing feature


InPrivate Browsing helps protect data and privacy by preventing the browser from locally storing or
retaining browsing history, temporary Internet files, form data, cookies, user names, and passwords. This
leaves virtually no evidence of browsing or search history as the browsing session does not store session
data.

From an enterprise and IT professional perspective, InPrivate Browsing is inherently more secure than
using the Delete Browsing history option to maintain privacy. This is because there are no logs kept or
tracks made during browsing. InPrivate Browsing is a proactive feature that allows users to control what is
tracked in a browsing session. InPrivate Browsing is also useful when credentials are cached, and you wish
to sign in with different credentials without clearing the cached credentials.
Note: Some users might attempt to use InPrivate Browsing to conceal their tracks when browsing prohibited
websites or websites that do not pertain to work. However, you can use Group Policy to configure how your
organization uses InPrivate Browsing, to provide you with full manageability control on users' work
devices.

The Tracking Protection feature


Most websites today contain content from several different sites. The combination of these sites, known
as a mashup, is an integration that users have come to expect, and can include an embedded map from a
mapping site, and greater integration of advertisements or multimedia elements. Organizations try to
offer more of these experiences because it draws potential customers to their site. This capability makes
the web more robust, but it also provides an opportunity for a hacker to create and exploit vulnerabilities.
Every piece of content that a browser requests from a website discloses information to that site, sometimes
even if a user blocks all cookies. Often, users are not fully aware that their web-browsing activities are
tracked by websites other than those they have consciously chosen to visit.
Tracking Protection monitors the frequency of all third-party content as it appears across all websites that
a user visits. You can configure the frequency level, which by default is set to 10. The Tracking
Protection feature blocks third-party content that appears with high incidence when users reach the
frequency level. Tracking Protection does not discriminate between different types of third-party content.
It blocks content only when it appears more than the predetermined frequency level.
Note: Tracking Protection Lists can help increase your browsing privacy. When you install a Tracking
Protection List, you will prevent the websites specified in the list from sending your browsing history to
other content providers. Microsoft maintains a website that contains Tracking Protection Lists that you
can install.
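The frequency rule described above, together with the Tracking Protection List mentioned in the note, as an added example that is not part of the course: a PowerShell script replays a constructed browsing log, counts on how many distinct first-party sites each third-party host appeared, applies the rule as the text states it (block only when the count is above the level, default 10), and writes the result in the msFilterList text format that Tracking Protection Lists use. The site names, the log, and the function names are constructed for this example; counting distinct first-party sites is an assumption about how "frequency across websites" is measured.

```powershell
# Added example, not course material. Replays a constructed browsing log through
# the Tracking Protection frequency rule and emits a Tracking Protection List.
# Site and host names are invented; "frequency" is counted as the number of
# distinct first-party sites on which a third-party host appeared (assumption).

# One record per third-party resource that a visited page embedded.
function Get-SampleVisitLog {
    $log = [System.Collections.Generic.List[object]]::new()
    # ads.tracker.example is embedded by 12 distinct sites: above the level of 10
    foreach ($i in 1..12) {
        $log.Add([pscustomobject]@{ FirstParty = "site$i.example"; ThirdParty = 'ads.tracker.example' })
    }
    # widget.social.example is embedded by exactly 10 sites: at the level, so not blocked
    foreach ($i in 1..10) {
        $log.Add([pscustomobject]@{ FirstParty = "site$i.example"; ThirdParty = 'widget.social.example' })
    }
    # maps.partner.example is loaded three times by one site and once by another:
    # repeated loads from the same site must not inflate the count
    foreach ($site in 'site1.example', 'site1.example', 'site1.example', 'site2.example') {
        $log.Add([pscustomobject]@{ FirstParty = $site; ThirdParty = 'maps.partner.example' })
    }
    return $log
}

# Per third-party host, how many distinct first-party sites loaded it.
function Get-ThirdPartyFrequency {
    param([Parameter(Mandatory)][object[]]$Visits)
    $Visits |
        Group-Object -Property ThirdParty |
        ForEach-Object {
            [pscustomobject]@{
                ThirdParty = $_.Name
                SiteCount  = @($_.Group.FirstParty | Sort-Object -Unique).Count
            }
        }
}

# The course's rule: content is blocked only when it appears on MORE than the
# configured number of sites (default 10).
function Get-BlockedThirdParties {
    param(
        [Parameter(Mandatory)][object[]]$Visits,
        [int]$FrequencyLevel = 10
    )
    Get-ThirdPartyFrequency -Visits $Visits |
        Where-Object { $_.SiteCount -gt $FrequencyLevel } |
        Select-Object -ExpandProperty ThirdParty
}

# Tracking Protection List in the msFilterList text format: header line, an
# expiry in days, '#' comments, and one '-d host' block rule per host.
function New-TrackingProtectionList {
    param(
        [AllowEmptyCollection()][string[]]$BlockedHosts = @(),
        [int]$ExpiresDays = 30
    )
    $lines = @('msFilterList', ": Expires=$ExpiresDays", '# generated from the frequency analysis above')
    foreach ($hostName in ($BlockedHosts | Sort-Object)) {
        $lines += "-d $hostName"
    }
    return ($lines -join "`r`n")
}

$visits  = Get-SampleVisitLog
Get-ThirdPartyFrequency -Visits $visits | Format-Table -AutoSize
$blocked = Get-BlockedThirdParties -Visits $visits
New-TrackingProtectionList -BlockedHosts $blocked
```

With this log only ads.tracker.example ends up in the list: widget.social.example sits exactly at the level and is left alone, and maps.partner.example is counted for two sites, not four, because repeat loads from one site are collapsed. The script does not distinguish content types, which matches the text: anything above the level is blocked.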

The Delete Browsing History dialog box


Cookies and cookie protection are one aspect of online privacy. Some organizations write scripts to clean
up cookies and browsing history at the end of a browsing session. This type of environment might be
necessary for sensitive data, for regulatory or compliance reasons, or for private data, such as in the
healthcare industry.
The Delete Browsing History dialog box in Internet Explorer 11 enables users and organizations to delete
browsing history selectively. For example, you can remove the history for all websites except those in a
user's Favorites list by using the Preserve Favorites feature. You can switch this feature on and off in the
Delete Browsing History dialog box.
You can configure Delete Browsing history options by using Group Policy. You also can configure which
sites the Preserve Favorites feature includes automatically in a user’s Favorites list. This allows you to
create policies that help ensure security, without affecting users’ daily interactions with their preferred
and favorite websites. The Delete browsing history on exit check box in Internet options allows you to
delete your browsing history automatically when Internet Explorer 11 closes.
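The end-of-session clean-up script that the text says some organizations write, as an added example that is not course material: it builds the category mask for the `ClearMyTracksByProcess` entry point of `InetCpl.cpl` (the documented flag values 1, 2, 8, 16, 32 and 255) so that saved passwords can be kept while history, cookies, temporary files and form data are removed, and a second function turns on the "Delete browsing history on exit" check box for the current user. The function names are made up; the `ClearBrowsingHistoryOnExit` value name is stated from memory and should be confirmed on your build.

```powershell
# Added example, not course material. End-of-session clean-up for Internet
# Explorer plus enabling "Delete browsing history on exit" for the current user.
# Flag values are the documented ClearMyTracksByProcess bits; the registry value
# name is an assumption to verify on your build.

# Flag bits understood by InetCpl.cpl,ClearMyTracksByProcess
$script:IEClearFlags = @{
    History        = 1
    Cookies        = 2
    TemporaryFiles = 8
    FormData       = 16
    Passwords      = 32
    All            = 255
}

# Build the numeric mask from the requested categories. Kept separate from the
# call that runs rundll32 so the mask can be reviewed before anything is deleted.
function Get-IEClearMask {
    param([Parameter(Mandatory)][string[]]$Categories)
    $mask = 0
    foreach ($category in $Categories) {
        if (-not $IEClearFlags.ContainsKey($category)) {
            throw "Unknown category '$category'. Valid: $($IEClearFlags.Keys -join ', ')"
        }
        $mask = $mask -bor $IEClearFlags[$category]
    }
    return $mask
}

# Clear the selected data for the current user. Supports -WhatIf so a logoff
# script can be dry-run. The default set leaves saved passwords in place.
function Clear-IEBrowsingData {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Categories = @('History', 'Cookies', 'TemporaryFiles', 'FormData'))
    $mask = Get-IEClearMask -Categories $Categories
    if ($PSCmdlet.ShouldProcess("Internet Explorer browsing data (mask $mask)", 'Clear')) {
        Start-Process -FilePath 'RunDll32.exe' `
            -ArgumentList "InetCpl.cpl,ClearMyTracksByProcess $mask" `
            -Wait -WindowStyle Hidden
    }
}

# Have Internet Explorer do the clean-up itself each time it closes (per user).
# A Group Policy setting under Software\Policies takes precedence if configured.
function Enable-IEClearHistoryOnExit {
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\Privacy'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'ClearBrowsingHistoryOnExit' -Value 1 -PropertyType DWord -Force | Out-Null
    return (Get-ItemProperty -Path $key).ClearBrowsingHistoryOnExit
}

# Review the mask the default category set produces, then run the clean-up.
Get-IEClearMask -Categories 'History', 'Cookies', 'TemporaryFiles', 'FormData'
Clear-IEBrowsingData -WhatIf
```

Run `Clear-IEBrowsingData` from a logoff script or a scheduled task that fires at session end; pass `-Categories All` where a regulatory requirement demands that passwords and add-on data go too. Passwords are deliberately excluded from the default so that routine cleanup does not silently destroy credentials users expect to keep.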

Security Features in Internet Explorer 11


Internet Explorer includes a number of security features, including:

The SmartScreen Filter


Businesses put a lot of effort into protecting computer assets and resources. Phishing or social-engineering
attacks often can evade those protections, which results in users unwittingly revealing personal
information. The majority of phishing scams target individuals in an attempt to extort money or perform
identity theft. The SmartScreen Filter helps protect against phishing websites, other deceptive sites, and
sites known to distribute malware.
The SmartScreen Filter consists of a range of defensive tools, including:
●● Windows SmartScreen, which is a client feature. You can configure these settings from within Control
Panel.
●● SmartScreen Filter, which is the spam-filtering solution that is built into Microsoft email solutions.
●● The Internet Explorer 11 SmartScreen Filter.
The SmartScreen Filter component of Internet Explorer 11 relies on a web service that is backed by a
Microsoft-hosted URL reputation database. The SmartScreen Filter’s reputation-based analysis works with
other signature-based antimalware technologies, such as Windows Defender, to provide comprehensive
protection against malware.
When you enable the SmartScreen Filter, Internet Explorer 11 performs a detailed examination of an
entire URL string, and then compares it to a database of sites known to distribute malware. The
SmartScreen Filter then checks the website that a user is visiting against a dynamic list of reported
phishing and malware sites. If the SmartScreen Filter determines that the website is unsafe, it blocks the
site, and notifies the user.

Controls and management features to mitigate ActiveX


Improvements to controls and management features allow you to increase security and trust by controlling
how and where an ActiveX control loads and which users can load them. ActiveX controls are
relatively straightforward to create and deploy, and they provide extra functionality beyond regular
webpages. Organizations cannot control the inclusion of ActiveX controls or how they are written.
Therefore, organizations need a browser that provides flexibility in dealing with ActiveX controls, so that
they are usable, highly secure, and pose as small a threat as possible. The improved ActiveX controls
include:
●● Per-user ActiveX. By default, Internet Explorer 11 employs ActiveX Opt-In, which disables most
controls on a user's computer. Per-user ActiveX makes it possible for standard users to install ActiveX
controls in their own user profile without requiring administrative permissions. This helps organizations
realize the full benefit of UAC, and allows standard users to install ActiveX controls that
are necessary in their daily browsing. In most situations, if a user installs a malicious ActiveX control,
the overall system remains unaffected because the control is installed under the user's account only.
Therefore, because installations are restricted to a user profile, you lower the cost and risk of a
compromise significantly.
●● When a webpage attempts to install a control, an information bar displays to the user, who then can
install the control system-wide or only for his or her user account. The options in the ActiveX menu
vary depending on a user's rights, which you manage by using Group Policy settings, and whether the
control allows per-user installation. You can disable this feature in Group Policy.
●● Per-site ActiveX. When a user navigates to a website that contains an ActiveX control, Internet Explorer
11 performs a number of checks, including a determination of where a control has permission to
run. If a control is installed, but does not have permission to run on a specific site, an information bar
appears that asks the user's permission to run on the current website or on all websites. Administrators
can use Group Policy to preset Internet Explorer configurations with allowed ActiveX controls and
their related trusted domains.

Cross-Site Scripting Filter


The Cross-Site Scripting Filter helps block cross-site scripting attacks, one of the most common website
vulnerabilities today. Most sites include a combination of content from local site servers and content
obtained from other sites or partner organizations. Cross-site scripting attacks exploit vulnerabilities in
web applications, and attackers then can control the relationship between a user and a website or web
application that they trust. Malicious users who utilize cross-site scripting can enable attacks, including
the following:
●● Stealing cookies, including session cookies, which can lead to account hijacking.
●● Monitoring keystrokes.
●● Performing actions on the victim website on behalf of the victim user.
●● Using cross-site scripting, which utilizes a victim's website to subvert a legitimate website.
Internet Explorer 11 includes a filter that helps protect against cross-site scripting attacks. The Cross-Site
Scripting Filter has visibility into all requests and responses that flow through a browser. When the filter
discovers suspected cross-site scripting in a request, it identifies and neutralizes the attack if it replays in
the server’s response. The Cross-Site Scripting filter helps protect users from website vulnerabilities. It
does not ask difficult questions that users are unable to answer, nor does it harm functionality on a
website.
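What "suspected cross-site scripting in a request" that "replays in the server's response" means in practice, as an added example that is not course material: a deliberately unsafe page builder that copies a query parameter straight into HTML, the same builder with output encoding (the server-side fix that makes the browser filter unnecessary), and a check in the spirit of the filter that reports when script-like request input reappears verbatim in the response. The function names, the page, and the probe string are constructed; the check is a simplified illustration, not the filter's actual algorithm.

```powershell
# Added example, not course material. Reflected input shown in an unsafe page
# builder and an encoded one, with a simple reflection check. Names constructed.

# UNSAFE: the query parameter is copied into the HTML unchanged, so any markup
# in it becomes part of the page.
function New-SearchResultPageUnsafe {
    param([string]$Query)
    return "<html><body><p>Results for: $Query</p></body></html>"
}

# SAFE: HTML-encode before insertion, so '<' becomes '&lt;' and no tag is formed.
# This is the fix at the source; the browser filter is defence in depth only.
function New-SearchResultPage {
    param([string]$Query)
    $encoded = [System.Net.WebUtility]::HtmlEncode($Query)
    return "<html><body><p>Results for: $encoded</p></body></html>"
}

# Heuristic in the spirit of the filter: does request input that looks like
# active content reappear verbatim in the response? Deliberately simple; it
# will flag harmless strings that merely resemble a tag or handler attribute.
function Test-ReflectedScript {
    param(
        [Parameter(Mandatory)][string]$RequestInput,
        [Parameter(Mandatory)][string]$ResponseBody
    )
    $looksActive = $RequestInput -match '<\s*script|<[^>]+\son\w+\s*=|javascript:'
    return [bool]($looksActive -and $ResponseBody.Contains($RequestInput))
}

# Constructed probe: the textbook script tag.
$probe = "<script>alert('reflected')</script>"
Test-ReflectedScript -RequestInput $probe -ResponseBody (New-SearchResultPageUnsafe -Query $probe)
Test-ReflectedScript -RequestInput $probe -ResponseBody (New-SearchResultPage -Query $probe)
```

The first call reports the reflection, the second does not, because the encoded response contains `&lt;script&gt;` rather than the original tag. A plain word such as "windows" passes both builders unchanged and is never flagged, which is the property the text describes: the filter acts on suspected script, not on ordinary input.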

Data Execution Prevention (DEP)


DEP is enabled by default to help prevent system attacks in which malware exploits memory-related
vulnerabilities to execute code. Internet Explorer 7 introduced the DEP/NX option in Control Panel to
provide memory protection that helps mitigate online attacks. DEP or no execute (NX) helps thwart
attacks by preventing code that is marked as non-executable from running in memory, such as a virus
disguised as a picture or video. DEP/NX also makes it harder for attackers to exploit certain types of
memory-related vulnerabilities, such as buffer overruns.
DEP/NX protection applies to both Internet Explorer and its add-ons. No additional user interaction is
required to activate this protection. Unlike Internet Explorer 7, Internet Explorer 11 enables this feature by
default.

Enhanced Protected Mode


You can reduce the amount of permissions that a browser has to modify system settings or to write to a
computer’s hard disk by using Enhanced Protected Mode, which is turned on by default in Internet
Explorer 11.

Internet Explorer Security Zones and Add-ons


Internet Explorer 11 includes security zones that allow you to control security settings for groups of
websites. Depending on the security zone in which a website is included, Internet Explorer enables you to
use different security settings. For example, some zones enable Protected Mode or do not allow ActiveX
controls.
The security zones in Internet Explorer 11 include the following zones:
●● Internet. This zone is the default zone for all websites. It has medium-high security settings, which
enables users to perform most tasks. However, users might receive prompts to accept some riskier
behaviors such as downloading signed ActiveX controls and submitting unencrypted form data.
●● Local intranet. This zone is only for websites that have a single label name. It has medium-low
security settings that allow most websites to run without any end-user prompts, because it assumes
the sites are trustworthy. Additionally, this zone does not use Protected Mode.
●● Trusted sites. This zone has no websites, by default. You must add sites manually to the Trusted sites
zone. This zone has medium security settings, which enables users to run most web-based applications.
It does not use Protected Mode. Typically, you use this zone for web-based applications that are
hosted externally.
●● Restricted sites. This zone has no websites, by default. You must add sites manually to the Restricted
sites zone. This zone has high security settings, and is suitable for browsing websites that you are
concerned might contain malware.
Other Internet Explorer settings that you should consider regarding web-based applications include:
●● InPrivate Browsing. This setting helps protect data and privacy by preventing browsing history,
temporary Internet files, form data, cookies, usernames, and passwords from being stored or retained
locally by the browser. This leaves virtually no evidence of browsing or search history because the
browsing session does not store session data after the InPrivate window is closed. From the enterprise
and IT professional perspective, InPrivate Browsing is inherently more secure than using Delete
Browsing History to maintain privacy, because there are no logs kept or tracks made during browsing.
InPrivate Browsing is a proactive feature, because it enables you to control what is tracked in a
browsing session. However, some users might use InPrivate Browsing in an attempt to conceal their
tracks when browsing to prohibited or non-work websites. Nonetheless, you have full manageability
control, and you can use Group Policy to configure how InPrivate Browsing is used in your organization.
●● Pop-up Blocker. The purpose of the Pop-up Blocker in Internet Explorer is to prevent unsolicited
advertisements from displaying. However, some web-based applications use these pop-ups, so you
might need to allow them for websites that are hosting a web-based application.
●● Advanced settings. Individual web-based applications might require unusual security settings that
you can adjust only in Advanced settings. For example, an externally-hosted website might require the
use of an older version of Secure Sockets Layer (SSL).
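The zone model above, as an added example that is not course material: PowerShell functions that read the current user's Internet Settings registry keys to report whether Protected Mode is on for each of the five zones, list every site-to-zone assignment, and assign a host to a zone the way the Internet Options dialog does. The zone numbers (0 Local computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites) and URL action 2500 (Protected Mode, 0 = on, 3 = off) are the standard layout of these keys; the function names are made up, and intranet.contoso.com is the host name used in the lab.

```powershell
# Added example, not course material. Audit and set Internet Explorer security
# zones through the per-user Internet Settings registry keys. Function names
# are constructed; zone numbers and URL action 2500 are the standard layout.

$script:IEZoneNames = @{
    0 = 'Local computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}
$script:IEInternetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Protected Mode per zone (URL action 2500: 0 = on, 3 = off). Expect it on for
# Internet and Restricted sites and off for Local intranet and Trusted sites.
function Get-IEZoneProtectedMode {
    foreach ($zone in 0..4) {
        $key   = Join-Path $IEInternetSettings "Zones\$zone"
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'2500'
        $state = if ($value -eq 0) { 'On' } elseif ($value -eq 3) { 'Off' } else { 'Not set' }
        [pscustomobject]@{ Zone = $zone; Name = $IEZoneNames[$zone]; ProtectedMode = $state }
    }
}

# Every site-to-zone mapping: Domains\<domain>[\<host label>] keys holding one
# DWORD per scheme ('http', 'https' or '*') whose data is the zone number.
function Get-IEZoneMap {
    $root = Join-Path $IEInternetSettings 'ZoneMap\Domains'
    if (-not (Test-Path $root)) { return }
    foreach ($key in Get-ChildItem -Path $root -Recurse) {
        # 'contoso.com\intranet' -> 'intranet.contoso.com'
        $parts = ($key.Name -replace '^.*\\Domains\\', '') -split '\\'
        [array]::Reverse($parts)
        $pattern = $parts -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            $zone = $key.GetValue($scheme)
            [pscustomobject]@{
                Pattern = $pattern
                Scheme  = $scheme
                Zone    = $zone
                Name    = $IEZoneNames[[int]$zone]
            }
        }
    }
}

# Assign a host to a zone (Trusted sites by default). A leading host label is
# stored as a subkey of the registrable domain, as the dialog does. The Group
# Policy "Site to Zone Assignment List" overrides anything written here.
function Set-IESiteZone {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [ValidateSet('http', 'https', '*')][string]$Scheme = 'https',
        [ValidateRange(1, 4)][int]$Zone = 2
    )
    $labels = $HostName.Split('.')
    $key = if ($labels.Count -gt 2) {
        $domain = $labels[1..($labels.Count - 1)] -join '.'
        Join-Path $IEInternetSettings "ZoneMap\Domains\$domain\$($labels[0])"
    } else {
        Join-Path $IEInternetSettings "ZoneMap\Domains\$HostName"
    }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
    Get-IEZoneMap | Where-Object { $_.Pattern -eq $HostName -and $_.Scheme -eq $Scheme }
}

Get-IEZoneProtectedMode | Format-Table -AutoSize
# Put the lab's intranet site in the Local intranet zone for https only
Set-IESiteZone -HostName 'intranet.contoso.com' -Scheme 'https' -Zone 1
Get-IEZoneMap | Format-Table -AutoSize
```

The audit function is the useful half for a defender: a zone whose Protected Mode reports "Off" where the text says it should be on is a configuration drift worth chasing, and `Get-IEZoneMap` shows which hosts have been promoted out of the Internet zone, where they no longer get the Internet zone's prompts and sandboxing.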

Add-ons
Most websites will display normally when you use Internet Explorer without any add-ons or modifications.
Internet Explorer 11, which Windows 10 includes by default, provides an experience that is free from
add-ons. Add-ons that enhance the browsing experience by providing multimedia content also are
referred to as:
●● ActiveX controls
●● Plug-ins
●● Browser extensions
●● Browser helper objects

●● Toolbars
●● Explorer bars
●● Search providers
●● Accelerators
●● Tracking Protection Lists
The following are examples of plug-in based technology:
●● Microsoft Silverlight
●● Apple QuickTime
●● Java applets
●● Adobe Flash Player
●● Skype Select to Call
Two popular multimedia extensions, HTML5 and Adobe Flash, are supported out of the box as platform
features in Internet Explorer. In previous Internet Explorer versions, some multimedia add-ons could cause
security concerns, which Internet Explorer 11 addresses with the Automatic Updates feature, which
provides updates to help remediate problems quickly when they are identified.
Sometimes an add-on, such as a pop-up advertisement, can annoy users or create problems that affect
browser performance. A user can disable an individual add-on or all add-ons within Internet Explorer 11
by using the Manage Add-ons dialog box. To do this, a user would perform the following steps:
1. Open Internet Explorer.
2. On the Tools menu, select Manage add-ons.
3. In the Manage Add-ons dialog box, in the Show list, select All add-ons.
4. Find the name of the add-on that you want to modify in the reading pane. To disable an add-on, tap
or select it, and then select Disable. To enable an add-on, tap or select it, and then select Enable.
Close the Manage Add-ons dialog box.

Internet Explorer Compatibility View


None of the improvements in Internet Explorer 11 matter if websites look bad or work poorly. Internet
Explorer 11 includes features that comply with web standards and that allow websites to display better
and operate more predictably. Each new version of Internet Explorer must try to maintain compatibility
with existing websites. Internet Explorer 11 includes multiple layout engines, which provides web developers
with the ability to determine whether Internet Explorer 11 needs to support legacy behaviors or
strict standards, by allowing them to specify which layout engine to use on a page-by-page basis.
Internet Explorer 11 provides an automatic Compatibility View feature that invokes an older Internet
Explorer engine to display webpages whenever it detects a legacy website. This helps improve compatibility
with applications written for older Internet Explorer versions. If you do not see the Compatibility
View button appear in the Address bar, there is no need to turn on Compatibility View because Internet
Explorer 11 will have detected that the webpage has loaded correctly.
Note: By default, intranet sites and apps continue to run in Internet Explorer 11, which supports the
Compatibility View feature.

The Compatibility View feature in Internet Explorer 11 helps display a webpage as the web developer
intended. This view provides a straightforward way to fix display problems, such as out-of-place menus,
images, and text. The main benefits of the Compatibility View feature include:
●● Internet websites display in Internet Explorer 11 standards mode by default. You can use the Compatibility
View button to fix sites that render differently than expected.
●● Internet Explorer 11 remembers sites that have been set to Compatibility View so that a user only
needs to press the button once for a site. After that, the site always renders in Compatibility View
unless users remove it from the list.
●● Intranet websites display in Compatibility View by default. This means that internal websites that were
created for older Internet Explorer versions will work correctly.
●● You can use Group Policy to set a list of websites to render in Compatibility View.
●● Switching in and out of Compatibility View occurs without requiring that a user restart the browser.
The Compatibility View button displays only if it is not stated clearly how the website is to render. In other
cases, the button is hidden. These cases include viewing intranet sites or viewing sites with a tag or an
HTTP header that indicates Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, or Internet
Explorer 10 standards.
When you activate Compatibility View, the page refreshes, and a balloon tip in the taskbar notification
area indicates that the site is now running in Compatibility View.

Configuring Compatibility View


You can use the Compatibility View settings option in the Tools menu to customize the Compatibility
View to meet enterprise requirements. For example, you can configure it so that all intranet sites display
in Compatibility View (the default), or you can configure it so that all websites are viewed in Compatibility
View.

Internet Explorer Enterprise Mode


Enterprise Mode is a compatibility mode in Internet Explorer 11. While compatibility mode is designed to
render older sites properly, Enterprise Mode allows IE11 to emulate either IE7 or IE8, addressing some
issues that compatibility mode alone does not address or sites written specifically for older versions of
Internet Explorer.
You specify which web application should use Enterprise Mode through an XML file that is stored on a
website, or you can use a locally stored file. You use Group Policy to configure Enterprise Mode, and to
configure Enterprise Mode to collect locally configured Enterprise Mode data. This way you can gather
compatibility modes from users to help configure your central site list.
If you update the central site list, Internet Explorer 11 will look for an updated file at startup and use this
list. Internet Explorer does not check for an updated file until you restart the browser.
Note: Internet Explorer Enterprise Mode is not available in the Windows 10 Home edition.

Enterprise Mode Site List Manager


The Enterprise Mode Site List Manager is a tool that you use to configure the XML file that contains the
list of websites and compatibility modes. The Enterprise Mode Site List Manager is available to download
from the Microsoft Download Center. A new version of this tool is available for Windows 10. The Enterprise
Mode schema now works in version 2, which is not compatible with previous versions of Windows.
You must use the correct version of the tool, depending on which versions of the Windows client you
support.
Additional Reading: For more information refer to: “Enterprise Mode Site List Manager for Windows 10
download” at: http://aka.ms/ugm8g0

Configuring Enterprise Mode


You can configure Enterprise Mode for both users and computers. To enable Internet Explorer Enterprise
Mode, you must configure the appropriate Group Policy settings in Computer Configuration\Administrative
Templates\Windows Components\Internet Explorer. This is where it is enabled, as well as the
location of the XML file with a list of websites that should be displayed in Enterprise Mode.
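The site list and its policy, as an added example that is not course material and not the Enterprise Mode Site List Manager's own output: a PowerShell script that builds a version 2 Enterprise Mode site list (the `site-list` / `site` / `compat-mode` / `open-in` schema), validates the compatibility mode and open-in values before writing, saves the file, and writes the `SiteList` value under the `EnterpriseMode` policy key that the "Use the Enterprise Mode IE website list" Group Policy setting populates. The site entries are constructed; intranet.contoso.com is the lab's host name, and the other host and the function names are made up.

```powershell
# Added example, not course material. Generate a v2 Enterprise Mode site list
# and point Internet Explorer at it through the policy registry value.
# Site entries and function names are constructed for this example.

# Values accepted by <compat-mode> and <open-in> in the v2 schema
$script:EMCompatModes = 'IE5', 'IE7', 'IE8', 'IE9', 'IE10', 'IE11', 'IE7Enterprise', 'IE8Enterprise', 'Default'
$script:EMOpenIn      = 'IE11', 'MSEdge', 'None'

# Append <Name>Text</Name> under an existing element
function Add-TextElement {
    param([System.Xml.XmlNode]$Parent, [string]$Name, [string]$Text)
    $element = $Parent.OwnerDocument.CreateElement($Name)
    $element.InnerText = $Text
    [void]$Parent.AppendChild($element)
}

# Build the document from site entries (hashtables with Url, CompatMode, OpenIn).
# Raise the version attribute every time the list changes; IE compares it with
# the version it already has and only reads the file again at browser start.
function New-EnterpriseModeSiteList {
    param(
        [Parameter(Mandatory)][hashtable[]]$Sites,
        [int]$Version = 1
    )
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('site-list'))
    $root.SetAttribute('version', $Version)

    $createdBy = $root.AppendChild($doc.CreateElement('created-by'))
    Add-TextElement $createdBy 'tool' 'ExamplePowerShellScript'
    Add-TextElement $createdBy 'version' '1'
    Add-TextElement $createdBy 'date-created' (Get-Date -Format 'yyyyMMdd.HHmmss')

    foreach ($s in $Sites) {
        # Validate before writing: a typo here silently leaves the site in default mode
        if ($EMCompatModes -notcontains $s.CompatMode) { throw "Unsupported compat-mode '$($s.CompatMode)' for $($s.Url)" }
        if ($EMOpenIn -notcontains $s.OpenIn)          { throw "Unsupported open-in '$($s.OpenIn)' for $($s.Url)" }
        $site = $root.AppendChild($doc.CreateElement('site'))
        $site.SetAttribute('url', $s.Url)
        Add-TextElement $site 'compat-mode' $s.CompatMode
        Add-TextElement $site 'open-in' $s.OpenIn
    }
    return $doc
}

# Machine-scope policy value behind "Use the Enterprise Mode IE website list"
# (Computer Configuration, so HKLM; requires an elevated session).
function Set-EnterpriseModeSiteListPolicy {
    param([Parameter(Mandatory)][string]$SiteListLocation)   # URL or local path of the XML
    $key = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SiteList' -Value $SiteListLocation -PropertyType String -Force | Out-Null
    return (Get-ItemProperty -Path $key).SiteList
}

$list = New-EnterpriseModeSiteList -Version 2 -Sites @(
    @{ Url = 'intranet.contoso.com';        CompatMode = 'IE8Enterprise'; OpenIn = 'IE11' }
    @{ Url = 'legacyapp.contoso.com/portal'; CompatMode = 'IE7Enterprise'; OpenIn = 'IE11' }
)
$list.Save("$env:TEMP\sitelist.xml")
$list.OuterXml
# Publish the file on the intranet web server, then:
# Set-EnterpriseModeSiteListPolicy -SiteListLocation 'http://intranet.contoso.com/sitelist.xml'
```

Keep the list on an HTTPS or internal path that ordinary users cannot modify: whoever can edit the site list decides which hosts run in the older, less hardened rendering modes, so treat the file with the same change control as the Group Policy object that references it.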

Practice Labs and Module Review


Module 8 Practice Labs
Lab 0801: Installing Apps in Windows 10

Summary
In this lab you will learn how to install and update Microsoft Store Apps and how to install Microsoft 365
Apps for enterprise from Microsoft 365.
Dependency Note: To complete this lab, you need to have a Microsoft account. You can use the Microsoft
Account that you configured previously in the Module 3 lab: Synchronizing settings between devices lab. You
will also use the User2 Microsoft 365 user account, which was created in Module 2 lab: Managing Azure AD
Authentication.

Exercise 1: Installing and updating Windows Store apps

Scenario
You need to test the download and update functionality of the Microsoft App Store. You will download
and install an app named the Microsoft To Do: Lists, Tasks & Reminders. You also need to validate how
Microsoft Store apps are updated and uninstalled.

Exercise 2: Install Microsoft 365 Apps for Enterprise from Microsoft 365

Scenario
You have been asked to configure the deployment of the Office 365 apps included in your subscription.
You will first assign an Office 365 E5 license to User2 and configure Office installation options. Finally
User2 will validate that Office 365 can be downloaded and installed from the Microsoft 365 portal.

Lab 0802: Configuring Microsoft Edge to support Internet Explorer Enterprise Mode

Summary
In this lab you will learn how to configure Internet Explorer Enterprise Mode so that Microsoft Edge can
open legacy websites in Internet Explorer compatibility mode.
Dependency Notice: This lab requires that a DNS CNAME record for intranet.Contoso.com be added that
resolves to SEA-SVR1.Contoso.com, as instructed in the Module 5 lab: Configuration and Testing Name
Resolution. If you did not complete the Module 5 lab, complete Exercise 2: Task 2 from that lab before
continuing. Also note that the Microsoft Edge .admx templates have already been installed to allow the
creation of Microsoft Edge Chromium Group Policy settings.

Scenario
Contoso uses a website located at intranet.contoso.com. This site currently works properly only in
older Internet Explorer versions. Because you recently upgraded all devices to Windows 10 and Microsoft
Edge Chromium, you must ensure that this website still opens and works by rendering it in Internet
Explorer compatibility mode through Enterprise Mode.

Module Review
Check Your Knowledge
1. You are an IT Support professional for a small start-up company. You need to install desktop apps on
Windows 10 computers locally. Which methods can you use? (select three)
A. Using a product DVD that contains a desktop app
B. Connecting to a network share
C. Downloading an app from a vendor’s website
D. Using Windows Store
E. Connecting to the Azure Content Delivery Network (CDN)
2. Which of the following statements is true regarding RemoteApp apps?
A. Windows Server RemoteApp apps require a separate user name and password.
B. Users can differentiate between a RemoteApp app and other apps that run on a computer.
C. You should consider deploying RemoteApp in situations where an app does not run on a client
computer.
D. All statements are true.
3. You need to plan and perform an automated desktop-app deployment. You want to determine the
best method for your organization. What are the potential drawbacks of using Group Policy? (select
three)
A. It can be difficult to determine whether a deployment is successful.
B. There is no prerequisite checking.
C. Group Policy is difficult to implement.
D. There is no installation schedule.
E. It takes too long to implement.
4. You are an IT Support Professional in an organization with over 10,000 computers. Your organization
has just recently implemented Configuration Manager to replace Group Policy for deploying software.
Which are some of the benefits that Configuration Manager provides? (select five)
A. Collections
B. Multiple deployment types
C. Publish
D. Wake on LAN
E. Software inventory
F. Reports
G. Lite-touch installation (LTI)
H. Scheduling
5. As an IT Support Professional, you have been tasked with supporting the HR department's computers
in your organization. All HR computers run Windows 10 with Internet Explorer 11. The HR department
requires the highest level of privacy. Which Privacy Features should the department use? (select three)
A. InPrivate Browsing
B. Tracking Protection
C. The Delete Browsing History dialog

D. Search Providers
E. Compatibility View Settings
6. The Compatibility View feature in Internet Explorer 11 helps display a webpage as the web developer
intended. The webpage will refresh after you activate the Compatibility View. After this, how do you
know that the site is running in Compatibility View?
A. By pressing the F4 key
B. Check IE Settings
C. No errors on the website
D. The balloon tip in the taskbar notification area
7. Internet Explorer Enterprise Mode features include: (Select two)
A. Users choose when to enable it
B. Emulates a specific version of Internet Explorer
C. Is configured using an XML file
D. Automatically enables when a site header specifies a specific version of Internet Explorer.
Answers: 1) A,B,D 2) C 3) A,B,D 4) A,B,D,E,F 5) A,B,C 6) D 7) B,C
Module 9 Configuring Threat Protection

Malware and Threat Protection


Lesson Introduction
A computer that is running Windows 10 is most likely to face threats that originate from the network.
Attacks from the network can target a large number of computers at once, and attackers can perform
them remotely, whereas many other forms of attack require physical access to the computer or direct
user interaction.
In this lesson, you will learn about malware and common network-related security threats and the steps
that you can take to mitigate them.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe malware.
●● Understand the sources of malware.
●● Describe ways of mitigating malware.
●● Identify common network-related security threats.
●● Describe the methods by which you can mitigate these common security threats.
●● Describe tools for securing users’ identities.
●● Describe tools for securing data on Windows 10.
●● Describe tools for securing Windows 10 devices.

What Is Malware
Malicious software, or malware, is software that attackers design to harm computer systems. Malware can
do many things, from causing damage to the computer, to allowing unauthorized parties remote access
to the computer, to collecting and transmitting sensitive information to unauthorized third parties. There
are several types of malware, including:
●● Computer viruses. This type of malware replicates by inserting a copy of its executable code into
other applications, operating-system files, or data files, or into firmware and boot components, such as
the BIOS or the boot sector.
●● Computer worms. Worms are a special form of malware that replicate without direct user intervention.
Worms spread across networks and can infect other computers on a network, without requiring a user
to open an email attachment or file.
●● Trojan horses. This type of malware masquerades as legitimate or useful software so that the user
runs it. Once running, it typically gives an attacker remote access to the infected computer or installs
other malware.
●● Ransomware. This type of malware encrypts user data and demands a ransom for the decryption key.
Paying does not guarantee recovery, so tested, offline backups are the only reliable mitigation.
●● Spyware. This type of malware tracks how a computer is used, without the user’s consent, and reports
that information to the attacker.

Possible Mitigations for Malware Threats


There are many ways that you can help protect against malware infection on your devices, including that
you:
●● Ensure that you apply all software and operating system updates to your devices.
●● Ensure that you install and activate anti-malware software on your devices.
●● Ensure that anti-malware definitions are current.
●● Avoid risky behavior, such as consuming pirated software or media.
●● Avoid opening suspicious email attachments, even if they are from senders that you trust.
Malware can infect the devices of even the most diligent users. For example, a user with good
malware-avoidance habits might visit a reputable website that has been compromised and that leverages
an undisclosed (zero-day) exploit in popular software. That user’s device could become infected even
though the software vendor has not fixed the flaw, because the vendor is unaware that it exists.
Additionally, no anti-malware solution has a perfect detection rate. It is possible to take every necessary
precaution and still have your devices infected. Precautions reduce the probability that a person’s device
will be compromised by malware; they do not eliminate it.

Phishing Scams
Phishing
Phishing (pronounced “fishing”) is a type of online identity theft. It uses email, phone calls, texts, and
fraudulent websites that are designed to steal your personal data or information such as credit card
numbers, passwords, account data, or other information.

Why is phishing dangerous?


Cybercriminals are skilled at tricking you into providing your personal information to them, which can
lead to identity theft and loss of data. Phishing is particularly dangerous because cybercriminals disguise
messages and calls as legitimate, using logos and acronyms that appear to be real.

Mitigating phishing threats


Phishing threats cannot be stopped simply by configuring a setting in Windows. A phishing scam succeeds
when the user is tricked into handing login credentials or other sensitive data to the attacker, so
educating users is necessary to minimize the threat from phishing.
Some of the tricks cybercriminals use include:
- Fake websites: If you receive a suspicious email message that prompts you to select a link, hover
over the link first. If the link target does not match the name shown in the email, you could have received
a phishing email. If the link points to a website or company you have never heard of or visited before, this
could be a phishing attempt.
- Threats: Emails that threaten account closure could be from a cybercriminal. If you receive an email that
urges you to take action by threatening that your account will be closed, be careful. Cybercriminals use a
variety of techniques to steal your information and gain access to your data through threats and
misinformation.
- Spoofing companies or people you know: Scam artists use graphics in email that appear to be
connected to legitimate websites but actually take you to phony scam sites or legitimate-looking pop-up
windows. Spoofing also occurs when a scammer imitates someone you know by mimicking their email
address. Always check that the address you are replying to is the correct one.
How to tell if an email is legitimate:

- Hover over links to uncover the URL. Always check a URL before you select the link; sometimes
bad links are embedded into an email as a way to trick the reader.
- Check for poor grammar and spelling errors. Companies rarely send out messages without proof-
reading content, so multiple spelling and grammar mistakes can signal a scam message.
- Look for company contact information and brand accuracy. Most companies will have a brand
identity that is recognizable in their emails. Look for logos, brand colors and contact information in the
message.
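The "hover over the link" check above can be automated for mail triage. The following PowerShell example is added here and is not taken from the course: it pulls every anchor out of an HTML message body, compares the domain the user sees in the link text with the domain the href actually goes to, and flags bare IP addresses, plain HTTP and hosts outside a list of trusted domains. The message body and the trusted-domain list are constructed test data, and the function names are the example's own.

```powershell
# Added example, not part of the course text: the "hover over the link" check done
# in code. It extracts every <a> from an HTML mail body, compares the domain the user
# sees with the domain the href really goes to, and flags the usual tricks.
# The message body and the list of trusted domains are constructed test data.

$trustedDomains = @('contoso.com', 'microsoft.com')   # assumption: your own brands

$body = @'
<p>Dear customer, your account will be closed in 24 hours.</p>
<p>Sign in at <a href="http://contoso-login.example.net/verify">https://portal.contoso.com</a></p>
<p>Help: <a href="https://support.contoso.com/help">support.contoso.com</a></p>
<p>Unsubscribe: <a href="http://198.51.100.7/u?id=4">Click here</a></p>
'@

function Get-LinkDomain {
    param([string]$Url)
    try { return ([uri]$Url).Host.ToLowerInvariant() } catch { return $null }
}

function Test-TrustedDomain {
    # "portal.contoso.com" is inside contoso.com; "contoso.com.evil.net" is not.
    param([string]$HostName, [string[]]$Trusted)
    foreach ($d in $Trusted) {
        if ($HostName -eq $d -or $HostName.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Find-SuspiciousLinks {
    param([string]$Html, [string[]]$Trusted)
    $pattern = '<a\s[^>]*href\s*=\s*"([^"]+)"[^>]*>(.*?)</a>'
    foreach ($m in [regex]::Matches($Html, $pattern, 'IgnoreCase,Singleline')) {
        $href     = $m.Groups[1].Value
        $text     = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()
        $hrefHost = Get-LinkDomain $href
        $reasons  = @()

        # 1. The visible text looks like a URL or host name but the href goes elsewhere.
        if ($text -match '^(https?://)?([a-z0-9.-]+\.[a-z]{2,})') {
            $shownHost = $Matches[2].ToLowerInvariant()
            if ($shownHost -ne $hrefHost) { $reasons += "text shows $shownHost, href goes to $hrefHost" }
        }
        # 2. A raw IP address instead of a name.
        if ($hrefHost -match '^\d{1,3}(\.\d{1,3}){3}$') { $reasons += 'bare IP address' }
        # 3. Plain HTTP for a link that asks the reader to sign in or act.
        if ($href -like 'http://*') { $reasons += 'not HTTPS' }
        # 4. Host is not one of ours, even if it contains our brand name.
        if ($hrefHost -and -not (Test-TrustedDomain $hrefHost $Trusted)) { $reasons += 'untrusted domain' }

        [pscustomobject]@{
            Text       = $text
            Href       = $href
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

Find-SuspiciousLinks -Html $body -Trusted $trustedDomains | Format-Table -AutoSize
```

On the sample body the first and third links are flagged (mismatched host and plain HTTP; bare IP and plain HTTP) and the support link passes, which is the judgement a user is expected to make by hovering.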

Common Network-Related Security Threats


There are many network-security threats, which you can group into different categories. Common
network-based security threats include:
●● Eavesdropping. An eavesdropping attack, also known as network sniffing, occurs when an attacker
captures the network packets that workstations connected to your network send and receive.
Eavesdropping attacks can compromise your organization’s sensitive data, such as passwords sent in
clear text, which can lead to other, more damaging attacks.
●● Denial of service (DoS) attack. This type of attack limits the function of a network app, or renders an
app or network resource unavailable. Attackers can initiate a DoS attack in several ways, and often they
exploit vulnerabilities in the target app to render it unavailable. Attackers typically perform DoS attacks
by flooding a service that replies to network requests, such as Domain Name System (DNS), with a large
number of fake requests, in an attempt to overload and shut down the service or the server that hosts it.
A distributed denial of service (DDoS) attack is a DoS attack in which the requests come from many, often
compromised, hosts at once, which makes the traffic much harder to filter.
●● Port scanning. Apps that run on a computer using the TCP/IP protocol listen on Transmission Control
Protocol (TCP) or User Datagram Protocol (UDP) ports, and the port number identifies the service. One
way that attackers survey a network is to query hosts for open ports on which services listen for client
requests. Once attackers identify an open port, they can use other attack techniques against the service
that is running behind it.
●● Man-in-the-middle (MITM) attack. The network attacker uses a computer to impersonate a
legitimate host on the network with which your computers are communicating. The attacker intercepts all
of the communications that are intended for the destination host. The attacker might only wish to view the
data in transit between the two hosts, but also can modify that data before forwarding the packets to
the destination host.

Mitigations for Network-Related Security Threats


Attackers will try to access your network by using a variety of tools and techniques. Once they find a way
into your network, they can exploit that success and take their attack further. For this reason, it is
important to implement a comprehensive, layered approach to network security, so that a single
loophole or omission does not result in further weaknesses upon which malicious users can capitalize.

You can use any, or all, of the following defense mechanisms to help protect your network from malicious
attacks:
●● Internet Protocol security (IPsec), which authenticates IP-based communications between two hosts
and, where desirable, encrypts that network traffic.
●● Firewalls, which allow or block network traffic based on its properties, such as source and destination
addresses, ports, and protocol.
●● Perimeter networks, which are isolated areas on your network to and from which you can define
network traffic flow. When you need to make network services available on the Internet, it is not
advisable to connect hosting servers directly to the Internet. However, by placing these servers in a
perimeter network, you can make them available to Internet users without allowing those users access
to your corporate intranet.
●● VPNs and DirectAccess. It is important that users have the ability to connect to their organization’s
intranet from the Internet as securely as possible. The Internet is a public network, and data in transit
across the Internet is susceptible to eavesdropping or MITM attacks. However, by using virtual private
networks (VPNs) or DirectAccess, you can authenticate and encrypt connections between remote
users and your organization’s intranet. This can help to mitigate risk.

●● Server hardening. When you run only the services that you need, you make servers inherently
more secure. To determine what services you require, you must establish a security baseline for your
servers. Tools such as the Security Configuration Wizard or the Microsoft Baseline Security Analyzer were
used to determine precisely which Windows Server services your enterprise requires; both are now
deprecated (the Security Configuration Wizard was removed in Windows Server 2016), and the Microsoft
Security Compliance Toolkit and its published baselines fill that role.
●● Intrusion detection. It is important to implement the preceding techniques to secure your network,
and it also is sensible to monitor your network regularly for signs of attack. You can do this with
intrusion-detection systems implemented on perimeter devices, such as Internet-facing routers.
●● Domain Name System Security Extensions (DNSSEC), which use digital signatures for validation, so
that DNS servers and resolvers can trust DNS responses. A signed zone stores a signature for each
resource record set in an accompanying RRSIG record. When a resolver issues a query for a name, the
DNS server returns the RRSIG record together with the answer. The resolver then validates the signature
by following a chain of trust from a preconfigured trust anchor. Successful validation proves that the
data was not modified or tampered with in transit. DNSSEC provides integrity and origin authentication
only; it does not encrypt DNS traffic.

Microsoft Defender
Lesson Introduction
Malware might show up on your organization’s computers and devices, despite your efforts to prevent it.
Unwanted traffic often comes from Internet-based sources, but traffic from a local area network (LAN) or
wide area network (WAN) also can compromise your network.
Windows 10 includes components that can help you identify and remove malware from your
environment’s computers and protect Windows 10 computers from unauthorized access attempts
through blocking and filtering of unwanted incoming or outgoing network traffic.

Lesson Objectives
After completing this lesson, you will be able to:
●● Use Windows Defender to detect and quarantine malware.
●● Describe the purpose of a firewall.
●● Describe Windows Defender Firewall functionality.
●● Explain network-location profiles.
●● Explain the increased functionality of Windows Defender Firewall with Advanced Security.

Microsoft Defender Antivirus


Microsoft Defender Antivirus helps protect your computer from spyware, malware, and viruses. Microsoft
Defender Antivirus also is Hyper-V-aware, which means that it detects when Windows 10 is running as a
virtual machine. Microsoft Defender Antivirus uses definitions (security intelligence updates) to determine
whether software it detects is unwanted, and it alerts you to potential risks. To help keep definitions up to
date, Microsoft Defender Antivirus automatically installs new definitions as they are released.

You can use Microsoft Defender to run a Quick, Full, or Custom scan. If you suspect spyware has infected
a specific area of a computer, you can customize a scan by selecting specific drives and folders. You also
can configure the schedule that Microsoft Defender will use.
You can choose to have Microsoft Defender Antivirus exclude processes in your scan. This can make a
scan finish more quickly, but your computer will have less protection. When Microsoft Defender Antivirus
detects potential spyware activity, it stops the activity, and then it raises an alert.
Alert levels help you determine how to respond to spyware and unwanted software. You can configure
Microsoft Defender Antivirus behavior when a scan identifies unwanted software. You also receive an alert
if software attempts to change important Windows operating system settings.
To help prevent spyware and other unwanted software from running on a computer, turn on Microsoft
Defender Antivirus real-time protection.
Microsoft Defender includes automatic scanning options that provide regular scanning and on-demand
scanning for malware. The following table identifies scanning options.

Scan option   Description
Quick         Checks the areas that malware, including viruses, spyware, and unwanted software, are most
              likely to infect.
Full          Checks all files on your hard disk and all running programs.
Custom        Enables users to scan specific drives and folders.
As a best practice, schedule a daily Quick scan, and run a Full scan whenever you suspect that spyware has
infected a computer. While a scan runs, its progress displays on the Microsoft Defender Home page. When
Microsoft Defender detects a potentially harmful file, it moves the file to a quarantine area, where the file
cannot run and other processes cannot access it. When the scan completes, you can review the
quarantined items: on the Settings page, select View to see all Quarantined items, review each item, and
then Remove or Restore each one individually. Alternatively, to remove all quarantined items, select
Remove All.
Note: Do not restore software with severe or high alert ratings, because doing so can put your privacy and
your computer’s security at risk.
If you trust detected software, you can stop Microsoft Defender from alerting you about the risks that the
software might pose by adding it to the Allowed list. If you later decide to monitor the software again,
remove it from the Allowed list.
The next time Microsoft Defender alerts you about software that you want to add to the Allowed list, in
the Alert dialog box, on the Action menu, select Allow, and then select Apply actions. You can review and
remove software that you have allowed from the Excluded files and locations list on the Settings page.
By using Microsoft Defender Offline, you can boot and run a scan from a trusted environment, rather
than running Microsoft Defender Antivirus inside a fully booted Windows 10 installation. Microsoft
Defender Offline restarts the computer into a separate recovery environment, so the installed Windows
kernel and shell are not running, and it can target malware that hides from the Windows shell, including
rootkits and malware that infect or overwrite a computer’s master boot record (MBR). Beginning with
Windows 10 Anniversary Update, you can start Microsoft Defender Offline with a single selection from the
Microsoft Defender Antivirus client; because it restarts the device, save your work first.
Microsoft Defender Antivirus includes 12 Windows PowerShell cmdlets that you can use to perform a
variety of tasks. The following table lists these cmdlets.

Cmdlet                 Function
Add-MpPreference       Add exclusions, default actions, or other list-type Microsoft Defender Antivirus
                       settings.
Get-MpComputerStatus   View status of antimalware software.
Get-MpPreference       View Microsoft Defender Antivirus scan and update preferences.
Get-MpThreat           View threat detection history.
Get-MpThreatCatalog    View list of known threats from the definitions catalog.
Get-MpThreatDetection  View active and previously detected malware threats.
Remove-MpPreference    Remove default actions or exclusions.
Remove-MpThreat        Remove an active threat.
Set-MpPreference       Configure Microsoft Defender Antivirus scan and update preferences.
Start-MpScan           Trigger a scan on the computer.
Start-MpWDOScan        Trigger a Microsoft Defender Offline scan (restarts the computer).
Update-MpSignature     Update a computer’s antimalware definitions.
In addition to using Windows PowerShell to trigger a Microsoft Defender Antivirus scan, you also can use
the mpcmdrun.exe command from the cmd.exe environment to trigger a scan. For example, to trigger a
quick scan, run the following command:
mpcmdrun.exe -scan -scantype 1
To discover all command line options for this tool, use the following command:
mpcmdrun.exe /?
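The following PowerShell session is an added example, not course code, that ties the cmdlets in the table together into the check a support professional would run on a suspect machine: confirm that real-time protection is on and definitions are fresh, update and quick-scan if not, and then list what was detected in the last week. Run it in an elevated session; the 48-hour threshold, the 7-day window and the Resolve-ThreatId helper are the example's own choices.

```powershell
# Added example, not from the course: a health check with the Defender cmdlets
# listed above, followed by a quick scan and a look at what was caught.
# Run in an elevated PowerShell session on Windows 10; the thresholds are assumptions.

function Get-DefenderHealth {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated

    [pscustomobject]@{
        AntivirusEnabled    = $status.AntivirusEnabled
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        SignatureVersion    = $status.AntivirusSignatureVersion
        SignatureAgeHours   = [math]::Round($sigAge.TotalHours, 1)
        LastQuickScan       = $status.QuickScanEndTime
        ExclusionPaths      = @($pref.ExclusionPath) -join ';'     # every exclusion is a blind spot
        ExclusionProcesses  = @($pref.ExclusionProcess) -join ';'
    }
}

$health = Get-DefenderHealth
$health | Format-List

# Say so before scanning: a scan with stale definitions or real-time protection
# off gives false confidence.
if (-not $health.RealTimeProtection) { Write-Warning 'Real-time protection is OFF' }
if ($health.SignatureAgeHours -gt 48) {
    Write-Warning "Definitions are $($health.SignatureAgeHours) h old; updating"
    Update-MpSignature
}

# Quick scan, the same as 'mpcmdrun.exe -scan -scantype 1'. Start-MpScan blocks until done.
# (Start-MpWDOScan would instead reboot into Microsoft Defender Offline.)
Start-MpScan -ScanType QuickScan

# What did Defender see in the last 7 days, and what did it do about it?
$since = (Get-Date).AddDays(-7)
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $since } |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ProcessName,
                  @{ n = 'Resources'; e = { $_.Resources -join ',' } },
                  ActionSuccess, CleaningActionID |
    Format-Table -AutoSize

# Map a numeric ThreatID from the detection list back to its catalog name and severity.
function Resolve-ThreatId {
    param([long]$ThreatID)
    Get-MpThreatCatalog -ThreatID $ThreatID | Select-Object ThreatName, SeverityID, CategoryID
}
```

Look at the exclusion lists as closely as the detections: a broad path or process exclusion inherited from an old deployment is the most common reason a current signature set still misses something on a given machine.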

Additional features in Microsoft Defender Antivirus


Block at First Sight is a feature of Microsoft Defender Antivirus cloud protection that allows Microsoft
Defender Antivirus to rapidly identify and block new malware. You enable Block at First Sight through
Group Policy. When you enable this feature, both cloud-based protection and Automatic sample submis-
sion will be turned on.
Detect and Block Potentially Unwanted Applications (PUA protection) is another feature that you can use
to block unwanted software at download and installation time. For example, you can block software that
is bundled with other downloads, advertisement injection software, and driver and registry optimizers.
The Detect and Block Potentially Unwanted Applications feature is available to enterprise users whose
client infrastructure you manage by using System Center Configuration Manager or Intune; it can also be
turned on for an individual device with Group Policy or with Set-MpPreference -PUAProtection.
Microsoft Defender for Endpoint is an additional cloud-based online service that assists organizations in
detecting, investigating, and responding to advanced persistent threats. Microsoft Defender for Endpoint
provides behavior-based advanced attack detection, a forensic timeline, and a unique threat intelligence
knowledge base.
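As an added example that is not from the course, the following PowerShell shows the settings that Block at First Sight and PUA protection rely on when they are set on a single device with Set-MpPreference rather than through Group Policy, with a read-back before and after. The parameter values are the documented enumerations for those parameters; the choice of audit mode for PUA, and the use of Defender operational event ID 1160 to review audit-mode PUA detections, are this example's assumptions to verify in your own environment. On a managed device the Group Policy or Intune setting takes precedence and may overwrite these values.

```powershell
# Added example, not from the course: what Block at First Sight and PUA blocking
# look like when set per machine with Set-MpPreference instead of Group Policy.
# Use it on a test device; in a managed estate the Group Policy/Intune setting wins
# and may overwrite these values. Run elevated.

function Get-CloudProtectionState {
    $p = Get-MpPreference
    [pscustomobject]@{
        MAPSReporting           = $p.MAPSReporting           # 0 Disabled, 1 Basic, 2 Advanced
        SubmitSamplesConsent    = $p.SubmitSamplesConsent    # 0 AlwaysPrompt, 1 SendSafeSamples, 2 NeverSend, 3 SendAllSamples
        DisableBlockAtFirstSeen = $p.DisableBlockAtFirstSeen # must be False for Block at First Sight
        CloudBlockLevel         = $p.CloudBlockLevel         # 0 Default, 1 Moderate, 2 High, 4 HighPlus, 6 ZeroTolerance
        CloudExtendedTimeout    = $p.CloudExtendedTimeout    # extra seconds a new file is held for a cloud verdict
        PUAProtection           = $p.PUAProtection           # 0 Disabled, 1 Enabled, 2 AuditMode
    }
}

Write-Host 'Before:'
Get-CloudProtectionState | Format-List

# Block at First Sight needs cloud-delivered protection ("MAPS") plus sample submission;
# without both, the feature is silently inactive even if nothing says "disabled".
Set-MpPreference -MAPSReporting Advanced `
                 -SubmitSamplesConsent SendSafeSamples `
                 -DisableBlockAtFirstSeen $false `
                 -CloudBlockLevel High `
                 -CloudExtendedTimeout 50

# Potentially unwanted applications: start in audit mode to see what would be blocked,
# then switch to Enabled once the noise is understood.
Set-MpPreference -PUAProtection AuditMode
# Set-MpPreference -PUAProtection Enabled

Write-Host 'After:'
Get-CloudProtectionState | Format-List

# Audit-mode PUA hits land in the Defender operational log. Event ID 1160 is the
# assumption used here; confirm it against the Defender event reference.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1160
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap
```

The read-back matters more than the set: if the "After" values do not change, a policy from Group Policy or Intune is overriding the local preference, which is exactly the precedence the course text describes for enterprise-managed clients.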

What Is a Firewall
Firewalls block or allow network traffic, based on the traffic’s properties. You can utilize hardware-based
firewalls or software firewalls that run on a device.

Depending on your firewall’s sophistication, you can configure it to block or allow traffic based on the:
●● Traffic source address.
●● Traffic destination address.
●● Traffic source port.
●● Traffic destination port.
●● Traffic protocol.
●● Packet contents.
For example, a sophisticated, application-aware firewall inspects the contents of network traffic and filters
out harmful traffic, such as attempts to cause a denial-of-service attack or an SQL injection attack; a
simple packet filter that examines only addresses and ports cannot recognize the latter.
Administrators often place firewalls at a network perimeter, between an organization’s screened subnet
and the Internet, and between the screened subnet and the internal network. Today, it also is common for
each host to have its own additional firewall.

Microsoft Defender Firewall


Windows 10 centralizes basic firewall information in Control Panel, in the Network and Sharing Center
and System and Security items. In System and Security, you can configure basic Microsoft Defender
Firewall settings and open Security and Maintenance to view notifications for firewall alerts. In the
Network and Sharing Center, you can configure all types of network connections, such as changing the
network location profile.
Note: Although the feature is now called Microsoft Defender Firewall, you will frequently see it labeled
Windows Defender Firewall in the Windows 10 user interface and in the Group Policy and PowerShell
tooling.

Firewall exceptions
When you add a program to the list of allowed programs, or open a firewall port, you are allowing that
program to send information to or from your computer. Allowing a program to communicate through a
firewall is like making an opening in the firewall. Each time that you create another opening, the comput-
er becomes less secure.
Generally, it is safer to add a program to the list of allowed programs than to open a port for an app. If
you open a port without scoping the port to a specific app, the opening in the firewall stays open until
you close the port, regardless of whether a program is using it. If you add a program to the list of allowed
programs, you are allowing the app itself to create an opening in the firewall, but only when necessary.
The openings are available for communication only when required by an allowed program or computer.

To add, change, or remove allowed programs and ports, you should perform the following steps. Select
Allow an app or feature through Windows Defender Firewall in the left pane of the Windows
Defender Firewall page, and then select Change settings. For example, to view performance counters
from a remote computer, you must enable the Performance Logs and Alerts firewall exception on the
remote computer.
To help decrease security risks when you open communications:
●● Only allow a program or open a port when necessary.
●● Remove programs from the list of allowed programs, or close ports when you do not require them.
●● Never allow a program that you do not recognize to communicate through the firewall.

Multiple active firewall profiles


Windows 10 supports multiple active firewall profiles. Each network connection is assigned the profile
(domain, private, or public) that matches the network it is attached to, so a domain-joined laptop that is
connected to a public hotspot and, over a VPN, to the corporate network at the same time applies the
domain profile to the VPN connection and the public profile to the hotspot. Information technology (IT)
professionals can therefore maintain a single set of rules for remote clients and for those that physically
connect to an organization’s network. To configure the sharing settings (network discovery, and file and
printer sharing) for each network location, select Change advanced sharing settings in the left pane of
the Network and Sharing Center.

Windows Defender Firewall notifications


You also can display firewall notifications in the taskbar by performing the following steps. Select Change
notification settings in the left pane of the Windows Defender Firewall page, and then for each
network location, select or clear the Notify me when Windows Defender Firewall blocks a new app
check box.

Network Location Profiles


The first time that you connect a computer to a network, you must select whether you trust the network,
which sets appropriate firewall and security settings automatically. When you connect to networks in
different locations, you can ensure that your computer is set to an appropriate security level at all times
by choosing a network location.
Windows 10 uses network location awareness to uniquely identify the networks to which a computer is
connected. Network location awareness collects information from each network, including IP address
ranges and the media access control (MAC) addresses of important network components, such as routers
and gateways, to identify a specific network.
There are three types of network location:
●● Domain networks. These typically are workplace networks that attach to a domain. Use this option
for any network that allows communication with a domain controller. Network discovery is on by
default, and you cannot create or join a HomeGroup.
●● Private networks. These are networks at home or work where you know and trust the people and
devices on the network. When you select Home or work (private) networks, this turns on network
discovery. Computers on a home network can belong to a HomeGroup.
●● Guest or public networks. These are networks in public places. This location keeps the computer
from being visible to other computers. When you select the Public place network location,
HomeGroup is not available, and Windows 10 turns off network discovery.
Note: HomeGroup was removed from Windows 10 in version 1803. On current builds the network
location still controls the network discovery and file and printer sharing defaults, but the HomeGroup
references above no longer apply.

You can modify the firewall settings for each type of network location from the main Windows Defender
Firewall page. Select Turn Windows Defender Firewall on or off, select the network location, and then
make your selection. You also can modify the following options:
●● Block all incoming connections, including those in the list of allowed programs.
●● Notify me when Windows Defender Firewall blocks a new program.
The Public networks location blocks certain programs and services from running, which protects a
computer from unauthorized access. If you connect to a Public network, and Windows Defender Firewall
is on, some programs or services might ask you to allow them to communicate through the firewall so
that they can work properly.
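The following PowerShell is an added example, not course material, for the network location and firewall profile behaviour described above: it reports which location Windows assigned to each connection together with the firewall profile that is therefore in effect, forces any private network that is not one of your own to Public, and then enforces the per-location baseline (firewall on everywhere, unsolicited inbound blocked, and "Block all incoming connections" on Public). The 'Contoso*' network-name filter is an assumption; run it elevated.

```powershell
# Added example, not from the course: read which network location Windows picked
# for each adapter, force an untrusted network to Public, and make sure the firewall
# behaves the way each location is supposed to. Run elevated.

function Get-NetworkLocationReport {
    foreach ($c in Get-NetConnectionProfile) {
        # NetworkCategory is Public, Private or DomainAuthenticated; firewall profiles
        # are named Public, Private and Domain.
        $profileName = if ($c.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' } else { "$($c.NetworkCategory)" }
        $fw = Get-NetFirewallProfile -Profile $profileName
        [pscustomobject]@{
            Interface       = $c.InterfaceAlias
            Network         = $c.Name
            Location        = $c.NetworkCategory
            FirewallEnabled = $fw.Enabled
            InboundDefault  = $fw.DefaultInboundAction
            OutboundDefault = $fw.DefaultOutboundAction
            NotifyOnListen  = $fw.NotifyOnListen
        }
    }
}

Get-NetworkLocationReport | Format-Table -AutoSize

# A network you do not recognise should never stay Private. Flip it to Public; the
# Public firewall profile (and network discovery off) then applies immediately.
# Only Public and Private can be set this way; Domain is decided by domain-controller reachability.
function Set-UnknownNetworksPublic {
    Get-NetConnectionProfile |
        Where-Object { $_.NetworkCategory -eq 'Private' -and $_.Name -notlike 'Contoso*' } |   # assumption: your own network names
        ForEach-Object {
            Write-Warning "Setting '$($_.Name)' on $($_.InterfaceAlias) to Public"
            Set-NetConnectionProfile -InterfaceIndex $_.InterfaceIndex -NetworkCategory Public
        }
}
Set-UnknownNetworksPublic

# Baseline per profile: firewall on, unsolicited inbound blocked, prompt when an app
# starts listening. On Public additionally ignore every inbound allow rule, which is
# what the "Block all incoming connections" check box does.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True
Set-NetFirewallProfile -Profile Public -AllowInboundRules False

Get-NetworkLocationReport | Format-Table -AutoSize
```

Running the report twice, before and after, shows the point of the lesson: nothing about the adapter changed, but the firewall rules in force did, because the location chooses the profile.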

Windows Defender Firewall with Advanced Security


Although you still can perform typical end-user configuration through Windows Defender Firewall in
Control Panel, you can perform advanced configuration in the Windows Defender Firewall with Advanced
Security snap-in. You can access this snap-in through Control Panel from the Windows Defender Firewall
page by selecting Advanced settings in the left pane. The snap-in provides an interface for configuring
Windows Defender Firewall locally, on remote computers, and by using Group Policy.

Windows Defender Firewall with Advanced Security is an example of a network-aware app. You can create
a profile for each network location type, and each profile can contain different firewall policies. For
example, you can allow incoming traffic for a specific desktop management tool when a computer is on a
domain network, but block traffic when the computer connects to public or private networks.
Network awareness enables you to provide flexibility on an internal network without sacrificing security
when users travel. A public network profile must have stricter firewall policies to protect against
unauthorized access. A private network profile might have less restrictive firewall policies to allow file and
print sharing or peer-to-peer discovery.

Windows Defender Firewall with Advanced Security properties


You can configure basic firewall properties for the domain, private, and public network profiles by using
the Windows Defender Firewall with Advanced Security Properties dialog box. A firewall profile is a
way of grouping settings, including firewall rules and connection security rules. Use the IPsec Settings
tab on the same dialog box to configure the default values for IPsec configuration options.
Note: To access the global profile settings in Windows Defender Firewall with Advanced Security
Properties, perform one of the following procedures:
●● In the navigation pane, right-click Windows Defender Firewall with Advanced Security, and then select
Properties.
●● In the navigation pane, select Windows Defender Firewall with Advanced Security, and then in the
Overview section, select Windows Defender Firewall Properties.
●● In the navigation pane, select Windows Defender Firewall with Advanced Security, and then in the
Actions pane, select Properties.
The options that you can configure for each of the three network profiles are:
●● Firewall state. Turn on or off for each profile.
●● Inbound connections. Configure to block connections that do not match any active firewall rules,
block all connections regardless of inbound rule specifications, or allow inbound connections that do
not match an active firewall rule.
●● Outbound connections. Configure to allow connections that do not match any active firewall rules, or
block outbound connections that do not match an active firewall rule.
●● Settings. Configure display notifications, unicast responses, local firewall rules, and local connection
security rules.
●● Logging. Configure the following logging options:
●● Name. Use a different name for each network profile’s log file.
●● Size limit (KB). The default size is 4,096. Adjust this if necessary when troubleshooting.
●● No logging occurs until you set one or both of the following two options to Yes:
●● Log dropped packets
●● Log successful connections

Windows Defender Firewall with Advanced Security rules


Rules are a collection of criteria that define what traffic you will allow, block, or secure with a firewall. You
can configure the following types of rules:
●● Inbound
●● Outbound
●● Connection security rules
306  Module 9 Configuring Threat Protection  

Inbound rules
Inbound rules explicitly allow or block traffic that matches the rule’s criteria. For example, you can
configure a rule to allow traffic for Remote Desktop from the local network segment through the firewall,
but block traffic if the source is a different network segment.
When you first install the Windows operating system, Windows Defender Firewall blocks all unsolicited
inbound traffic. To allow a certain type of unsolicited inbound traffic, you must create an inbound rule
that describes that traffic. For example, if you want to run a Web server, you must create a rule that allows
unsolicited inbound network traffic on TCP port 80. You can configure the default action that Windows
Defender Firewall with Advanced Security takes, which is whether to allow or block connections when an
inbound rule does not apply.

Outbound rules
Windows Defender Firewall allows all outbound traffic unless a rule blocks it. Outbound rules explicitly
allow or deny traffic originating from a computer that matches a rule’s criteria. For example, you can
configure a rule to explicitly block outbound traffic to a computer by IP address through the firewall, but
allow the same traffic for other computers.

Inbound and outbound rule types


There are four different types of inbound and outbound rules:
●● Program rules. These control connections for a program. Use this type of firewall rule to allow a
connection based on the program that is trying to connect. These rules are useful when you are not
sure of the port or other required settings, because you only specify the path to the program’s
executable (.exe) file.
●● Port rules. These control connections for a TCP or UDP port. Use this type of firewall rule to allow a
connection based on the TCP or UDP port number over which the computer is trying to connect. You
specify the protocol and the individual or multiple local ports to which the rule applies.
●● Predefined rules. These control connections for a Windows-based experience. Use this type of firewall
rule to allow a connection by selecting one of the programs or experiences from the list.
Network-aware programs that you install typically add their own entries to this list, so that you can enable
and disable them as a group.
●● Custom rules. Configure these as necessary. Use this type of firewall rule to allow a connection based
on criteria that other types of firewall rules do not cover.
Consider the scenario in which you want to create and manage tasks on a remote computer by using the
Task Scheduler user interface. Before connecting to the remote computer, you must enable the Remote
Scheduled Tasks Management firewall exception on the remote computer. You can do this by using the
predefined rule type on an inbound rule.
Alternatively, you might want to block all web traffic on the default TCP Web server port 80. In this
scenario, you create an outbound port rule that blocks the specified port. The next topic discusses
well-known ports, such as port 80.

Connection security rules


Firewall rules and connection security rules are complementary, and both contribute to a
defense-in-depth strategy to protect a computer. Connection security rules secure traffic as it crosses a network by
using IPsec. Use connection security rules to require authentication or encryption of connections between
two computers. Connection security rules specify how and when authentication occurs, but they do not
allow connections. To allow a connection, create an inbound or outbound rule. After a connection security
rule is in place, you can specify that inbound and outbound rules apply only to specific users or
computers.
You can create the following connection security rule types:
●● Isolation rules. These isolate computers by restricting connections based on authentication criteria,
such as domain membership or health status. Isolation rules allow you to implement a server or
domain isolation strategy.
●● Authentication exemption rules. These designate connections that do not require authentication. You
can designate computers by specific IP address, an IP address range, a subnet, or a predefined group,
such as a gateway. You typically use this type of rule to grant access to infrastructure computers, such
as Active Directory domain controllers, certification authorities (CAs), or Dynamic Host Configuration
Protocol (DHCP) servers.
●● Server-to-server rules. These protect connections between specific computers. When you create this
type of rule, you must specify the network endpoints between which you want to protect
communications. You then designate requirements and the type of authentication that you want to use, such as
the Kerberos version 5 protocol. A scenario in which you might use this rule is if you want to
authenticate traffic between a database server and a business-layer computer.
●● Tunnel rules. These secure communications that travel between two computers by using tunnel mode
in IPsec instead of transport mode. Tunnel mode embeds the entire network packet into one that you
route between two defined endpoints. For each endpoint, specify a single computer that receives and
consumes the sent network traffic, or specify a gateway computer that connects to a private network
onto which the received traffic is routed after extracting it from the tunnel.
●● Custom rules. Configure these as necessary. Custom rules authenticate connections between two
endpoints when you cannot set up authentication rules by using the other rule types.

Monitoring
Windows Defender Firewall uses the monitoring interface to display information about current firewall
rules, connection security rules, and security associations (SAs). The Monitoring page displays which
profiles are active (domain, private, or public), and the settings for the active profiles. Windows
Defender Firewall with Advanced Security events are also available in Event Viewer. For example, the
ConnectionSecurity operational event log is a resource that you can use to view IPsec-related events. The
operational log is always on, and it contains events for connection security rules.
Windows PowerShell commands
You can use the following Windows PowerShell cmdlets to manage Windows Defender Firewall rules:
●● Get-NetFirewallRule. Use this cmdlet to display a list of available firewall rules.
●● Copy-NetFirewallRule. Use this cmdlet to copy an existing firewall rule.
●● Enable-NetFirewallRule. Use this cmdlet to enable an existing firewall rule.
●● Disable-NetFirewallRule. Use this cmdlet to disable an existing firewall rule.
●● New-NetFirewallRule. Use this cmdlet to create a new firewall rule.
●● Remove-NetFirewallRule. Use this cmdlet to delete a firewall rule.
●● Rename-NetFirewallRule. Use this cmdlet to rename a firewall rule.
●● Set-NetFirewallRule. Use this cmdlet to configure the properties of an existing firewall rule.
●● Show-NetFirewallRule. Use this cmdlet to view all firewall rules in the policy store.
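As an added example that is not part of the course text, the following Windows PowerShell script applies the profile properties and the rule scenarios from this lesson with the cmdlets listed above: per-profile defaults and logging, a port rule that allows Remote Desktop only from the local subnet, the predefined Remote Scheduled Tasks Management group, a program rule, and an outbound rule that blocks TCP port 80. The rule display names, the program path and the log file locations are assumed values.

```powershell
# Added example (not from the course): apply the profile properties and the rule
# scenarios in this lesson with the NetSecurity cmdlets. Run in an elevated Windows
# PowerShell session. Rule display names and the log file paths are assumed values.
#Requires -RunAsAdministrator

# --- Profile properties: Firewall state, default actions, and Logging ---
# A separate log file per profile, as the lesson recommends. Dropped packets are
# logged on every profile; successful connections only on the Public profile, where
# the extra volume is worth having while troubleshooting.
$logDir = "$env:SystemRoot\System32\LogFiles\Firewall"
$profileLogging = @{
    Domain  = @{ LogAllowed = 'False' }
    Private = @{ LogAllowed = 'False' }
    Public  = @{ LogAllowed = 'True'  }
}
foreach ($name in $profileLogging.Keys) {
    $settings = @{
        Profile               = $name
        Enabled               = 'True'
        DefaultInboundAction  = 'Block'   # unsolicited inbound traffic not matched by a rule is dropped
        DefaultOutboundAction = 'Allow'   # outbound traffic is allowed unless a rule blocks it
        LogFileName           = Join-Path $logDir "$($name.ToLower()).log"
        LogMaxSizeKilobytes   = 16384     # raised from the 4,096 KB default for troubleshooting
        LogBlocked            = 'True'
        LogAllowed            = $profileLogging[$name].LogAllowed
    }
    Set-NetFirewallProfile @settings
}

# --- Port rule (inbound): Remote Desktop only from the local network segment ---
# LocalSubnet is a built-in address keyword; traffic from other segments falls
# back to the profile's default inbound action (Block).
New-NetFirewallRule -DisplayName 'Allow RDP from local subnet (example)' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress LocalSubnet -Action Allow -Profile Domain, Private

# --- Predefined rule (inbound): Remote Scheduled Tasks Management ---
# Predefined rules come in groups; enabling the group turns on every rule in it.
Enable-NetFirewallRule -DisplayGroup 'Remote Scheduled Tasks Management'

# --- Program rule (inbound): allow by executable path instead of port ---
# Useful when the port is unknown; the path below is a placeholder.
New-NetFirewallRule -DisplayName 'Allow inventory agent (example)' `
    -Direction Inbound -Program 'C:\Program Files\Contoso\InventoryAgent.exe' `
    -Action Allow -Profile Domain

# --- Port rule (outbound): block web traffic to TCP port 80 ---
# For outbound traffic the web server's port is the remote port.
New-NetFirewallRule -DisplayName 'Block outbound HTTP (example)' `
    -Direction Outbound -Protocol TCP -RemotePort 80 -Action Block

# --- Verify: summarise the rules this script created, with their filters ---
function Get-ExampleRuleSummary {
    Get-NetFirewallRule -DisplayName '*(example)' | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Direction  = $_.Direction
            Action     = $_.Action
            Enabled    = $_.Enabled
            Profile    = $_.Profile
            Protocol   = $port.Protocol
            LocalPort  = $port.LocalPort
            RemotePort = $port.RemotePort
            Remote     = $addr.RemoteAddress
            Program    = $app.Program
        }
    }
}
Get-ExampleRuleSummary | Format-Table -AutoSize
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogFileName, LogBlocked, LogAllowed
```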

Connection Security Rules


Lesson Introduction
Windows 10 does not authenticate or encrypt connections made from one computer to another, by
default. However, by configuring and using connection security rules, you can verify the identity of each
computer that is communicating. You also can encrypt the connection between those computers, and
then ensure that no tampering has occurred with respect to the transmission between the two
computers.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the purpose and functionality of IPsec.
●● Describe how to configure IPsec.
●● Describe connection security rules.
●● Explain authentication options.
●● Monitor connections.

What is IPsec
You can use IPsec to ensure confidentiality, integrity, and authentication in data transport across channels
that are not secure. Though its original purpose was to secure traffic across public networks, many
organizations have chosen to implement IPsec to address perceived weaknesses in their own private
networks that might be susceptible to exploitation.
If you implement IPsec properly, it provides a private channel for sending and exchanging potentially
sensitive or vulnerable data, whether it is email, FTP traffic, news feeds, partner and supply-chain data,
medical records, or any other type of TCP/IP-based data.
IPsec:
●● Offers mutual authentication both before and during communications.
●● Forces both parties to identify themselves during the communication process.
●● Enables confidentiality through IP traffic encryption and digital-packet authentication.

IPsec modes
IPsec has two modes:
●● Encapsulating security payload (ESP). This mode encrypts data using one of several available
algorithms.
●● Authentication Header (AH). This mode signs traffic, but does not encrypt it.

Providing IP traffic integrity by rejecting modified packets


ESP and AH verify the integrity of all IP traffic. If a packet has been modified, the digital signature will not
match, and IPsec will discard the packet. ESP in the tunnel mode encrypts the source and destination
addresses as part of the payload. In the tunnel mode, ESP adds a new IP header to the packet that
specifies the tunnel endpoints’ source and destination addresses. ESP can make use of Data Encryption
Standard (DES), Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES)
encryption algorithms in Windows Server 2012 R2 and Windows 10. As a best practice, you should avoid using
DES unless clients cannot support the stronger encryption that AES or 3DES offer.

Providing protection from replay attacks


ESP and AH use sequence numbers. As a result, any packets that hackers attempt to capture for later
replay use numbers that are out of sequence. Using sequenced numbers ensures that an attacker cannot
reuse or replay captured data to establish a session or gain information. Using sequenced numbers also
protects against attempts to intercept a message and use it to access resources, possibly months later.

Connection security rules


You can protect a network with two types of isolation:
●● Server isolation. You can isolate a server by configuring specific servers to require an IPsec policy
before accepting authenticated communications from other computers. For example, you might
configure a database server to accept connections only from a web application server.
●● Domain isolation. You can isolate a domain by using Active Directory domain membership to ensure
that computers that are domain members accept only authenticated and secured communications
from other domain-member computers. The isolated network consists only of that domain’s member
computers, and domain isolation uses an IPsec policy to protect traffic between domain members,
including all client and server computers.

What Are Connection Security Rules


A connection security rule forces authentication between two peer computers before they can establish a
connection and transmit secure information. Windows Defender Firewall with Advanced Security uses
IPsec to enforce the following configurable rules:
●● Isolation. An isolation rule isolates computers by restricting connections based on credentials, such as
domain membership or health status. Isolation rules allow you to implement an isolation strategy for
servers or domains.
●● Authentication exemption. You can use an authentication exemption to designate connections that
do not require authentication. You can designate computers by a specific IP address, an IP address
range, a subnet, or a predefined group, such as a gateway.
●● Server to server. A server-to-server rule protects connections between specific computers. This type
of rule usually protects connections between servers. When you create the rule, you specify the
network endpoints between which communications are protected. You then designate requirements
and the authentication that you want to use.
●● Tunnel. A tunnel rule allows you to protect connections between gateway computers, and typically,
you use it when you are connecting across the Internet between two security gateways.
●● Custom. There might be situations in which you cannot configure the authentication rules that you
need by using the rules available in the New Connection Security Rule Wizard. However, you can use a
custom rule to authenticate connections between two endpoints.
You can configure connection security rules by using Group Policy, Windows Firewall with Advanced
Security, or Windows PowerShell.

The relation between firewall rules and connection security rules
Firewall rules allow traffic through a firewall, but do not secure that traffic. To secure traffic with IPsec, you
can create connection security rules. However, when you create a connection security rule, this does not
allow the traffic through the firewall. You must create a firewall rule to do this if the firewall’s default
behavior does not allow traffic. Connection security rules do not apply to programs and services. They
apply only between the computers that are the two endpoints.

Authentication Options
When you use the New Connection Security Rule Wizard to create a new rule, you can use the
Requirements page to specify how you want authentication to apply to inbound and outbound connections. If
you request authentication, this enables communications when authentication fails. If you require
authentication, this causes the connection to drop if authentication fails.

The Request authentication for inbound and outbound connections option


Use the Request authentication for inbound and outbound connections option to specify that all
inbound and outbound traffic must authenticate, but that the connection is allowable if authentication
fails. However, if authentication succeeds, traffic is protected. You typically use this option in low-security
environments or in an environment where computers must be able to connect, but they cannot perform
the types of authentication that are available with Windows Defender Firewall with Advanced Security.
The Require authentication for inbound connections and Request authentication for outbound connections option
Use the Require authentication for inbound connections and request authentication for outbound
connections option if you want to ensure that all inbound traffic is authenticated or blocked. This allows
you to allow outbound traffic for which authentication fails. If authentication succeeds for outbound
traffic, the firewall authenticates that traffic. You typically use this option in most IT environments in which
the computers that need to connect can perform the authentication types that are available with
Windows Defender Firewall with Advanced Security.

The Require authentication for inbound and outbound connections option


Use the Require authentication for inbound and outbound connections option if you want to require
that all inbound and outbound traffic either is authenticated or else blocked. You typically use this option
in higher-security IT environments where you must protect and control traffic flow, and in which the
computers that must be able to connect can perform the authentication types that are available with
Windows Defender Firewall with Advanced Security.
The New Connection Security Rule Wizard has a page on which you can configure the authentication
method and the authentication credentials that you want clients to use. If the rule exists already, you can
use the Authentication tab in the Properties dialog box of the rule that you wish to edit.

Default
Select the Default option to use the authentication method that you configured on the IPsec Settings tab
of the Windows Defender Firewall with Advanced Security Properties dialog box.

Computer and user (Kerberos V5)


The Computer and user (Kerberos V5) method uses both computer and user authentication, which means
that you can request or require both the user and the computer to authenticate before communications
continue. You can use the Kerberos V5 authentication protocol only if both computers are domain
members.

Computer (Kerberos V5)


The Computer (Kerberos V5) method requests or requires the computer to authenticate by using the
Kerberos V5 authentication protocol. You can use the Kerberos V5 authentication protocol only if both
computers are domain members.

User (Kerberos V5)


The User (Kerberos V5) method requests or requires the user to authenticate by using the Kerberos V5
authentication protocol. You can use the Kerberos V5 authentication protocol only if the user is a domain
user.

Computer certificate
The Computer certificate method requests or requires a valid computer certificate to authenticate, and
you must have certificates from a CA trusted by both computers. Use this method if the computers are
not part of the same AD DS domain.

Advanced
You can configure any available method, and you can specify methods for first authentication and second
authentication. First authentication methods include Computer (Kerberos V5), computer certificate, and a
Preshared key (not recommended). Second authentication methods include User (Kerberos V5), User
NTLM (Windows NT Challenge/Response protocol), user certificates, and computer certificates issued by
trusted CAs. Only computers that are running Windows Vista, Windows 7, Windows 8, Windows 10,
Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2
support second authentication methods.
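The server-isolation scenario from this lesson (a database server that accepts SQL connections only from an authenticated web application server), built from connection security rules in Windows PowerShell, as an added example that is not part of the course text. It uses the Advanced authentication option with Computer (Kerberos V5) as first authentication and User (Kerberos V5) as second, the Require inbound/Request outbound requirement, an authentication exemption for domain controllers, and the firewall rule that is still needed to let the traffic through. The IP addresses, display names and the SQL port are assumed values.

```powershell
# Added example (not from the course): the server-isolation scenario in this lesson,
# a database server that accepts SQL connections only from an authenticated web
# application server, built from connection security rules plus a firewall rule.
# Addresses, display names and ports are assumed values; run elevated on the database
# server, and create the mirror-image rule on the web server.
#Requires -RunAsAdministrator

$dbServer          = '10.0.0.20'             # assumed: this computer
$webServer         = '10.0.0.10'             # assumed: the only permitted SQL client
$domainControllers = '10.0.0.5', '10.0.0.6'  # assumed infrastructure computers

# --- Authentication methods (the "Advanced" option) ---
# First authentication: Computer (Kerberos V5), so both computers must be domain members.
New-NetIPsecPhase1AuthSet -Name 'Example-P1-ComputerKerberos' `
    -DisplayName 'Example: Computer (Kerberos V5)' `
    -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos) | Out-Null
# Second authentication: User (Kerberos V5), so the calling user is authenticated as well.
New-NetIPsecPhase2AuthSet -Name 'Example-P2-UserKerberos' `
    -DisplayName 'Example: User (Kerberos V5)' `
    -Proposal (New-NetIPsecAuthProposal -User -Kerberos) | Out-Null

# --- Server-to-server connection security rule ---
# "Require authentication for inbound connections and request authentication for
# outbound connections": inbound SQL traffic is authenticated or dropped; outbound
# traffic is protected when the peer can authenticate and allowed in the clear otherwise.
New-NetIPsecRule -DisplayName 'Example: Require auth for SQL (server isolation)' `
    -LocalAddress $dbServer -RemoteAddress $webServer `
    -Protocol TCP -LocalPort 1433 -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet 'Example-P1-ComputerKerberos' `
    -Phase2AuthSet 'Example-P2-UserKerberos' | Out-Null

# --- Authentication exemption rule ---
# Kerberos cannot succeed until a domain controller is reachable, so traffic to the
# domain controllers is exempt from authentication.
New-NetIPsecRule -DisplayName 'Example: Exempt domain controllers' `
    -RemoteAddress $domainControllers `
    -InboundSecurity None -OutboundSecurity None | Out-Null

# --- Firewall rule: connection security rules do not allow traffic by themselves ---
# A firewall rule still has to open TCP 1433. -Authentication Required additionally
# binds the rule to IPsec, so a peer that does not authenticate is blocked even if
# the profile's default inbound action were Allow.
New-NetFirewallRule -DisplayName 'Example: Allow SQL from authenticated web server' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress $webServer -Authentication Required -Action Allow | Out-Null

# --- Verify the active policy and watch the security associations form ---
function Get-ExampleIPsecState {
    [pscustomobject]@{
        ActiveRules  = (Get-NetIPsecRule -PolicyStore ActiveStore -DisplayName 'Example:*').DisplayName
        MainModeSAs  = Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint,
                           FirstAuthenticationMethod, SecondAuthenticationMethod
        QuickModeSAs = Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint
    }
}
Show-NetIPsecRule -PolicyStore ActiveStore   # the command this lesson shows for the active store
Get-ExampleIPsecState | Format-List
```

Main Mode and Quick Mode SAs only appear after the web server has actually opened a connection to TCP 1433, so run the verification after generating some traffic.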

Monitoring Connections
Windows Defender Firewall with Advanced Security is a stateful, host-based firewall that blocks incoming
and outgoing connections based on its configuration. Although you can perform a typical end-user
configuration for Windows Defender Firewall by using the Windows Defender Firewall control panel item,
you can perform advanced configuration in the Microsoft Management Console (MMC) snap-in named
Windows Defender Firewall with Advanced Security.
The inclusion of this snap-in not only provides an interface for configuring Windows Defender Firewall
locally, but also for configuring Windows Defender Firewall on remote computers and by using Group
Policy. You also can use Windows PowerShell to configure Windows Defender Firewall policies
throughout your environment. Windows Defender Firewall functions now integrate with settings for
connection-security protection, which reduces the possibility of conflict between the two protection
mechanisms.

Monitoring options for Windows Defender Firewall with Advanced Security
You can use the Windows Defender Firewall with Advanced Security console to monitor security policies
that you create in the Connection Security Rules node. However, you cannot view the policies that you
create by using the IP Security Policy Management snap-in. These security options are for use with
Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2,
Windows Server 2012, and Windows Server 2012 R2.

Monitoring connection security rules


The Connection Security Rules node lists all of the enabled connection security rules with detailed
information about their settings. Connection security rules define which authentication, key exchange,
data integrity, or encryption you can use to form an SA. The SA defines the security that protects the
communication from the sender to the recipient.

Implementing Connection Security Monitor


You can implement the Connection Security Monitor as an MMC snap-in. It includes enhancements that
you can use to view details about an active connection security policy that the domain applies or that you
apply locally. Additionally, you can view Quick Mode and Main Mode statistics, filters, negotiation
policies, and security associations. You also can use Connection Security Monitor to search for specific
Main Mode or Quick Mode filters. To troubleshoot complex designs for connection-security policies, you
can use Connection Security Monitor to search for all matches for filters of a specific traffic type.

Changing default settings


You can change the Connection Security Monitor default settings, such as automatic refresh and DNS
name resolution. For example, you can specify the time that elapses between IPsec data refreshes.
Additionally, you can enable DNS name resolution for the IP addresses that you are monitoring. Note
that there are some issues to consider when enabling DNS. For example, it only works in a specific filter
view for Quick Mode and in SAs view for Quick Mode and Main Mode monitoring. There also is the
possibility that you can affect a server’s performance if several items in the view require name resolution.
Finally, the DNS record name resolution requires a proper pointer (PTR) resource record in DNS.

Obtaining information about the active policy


You can get basic information about the current IP security policy in the Active Policy node of the IP
Security Monitoring snap-in to the MMC. During troubleshooting, this is useful to identify which policy
IPsec is applying to the server. Details such as the policy location and the time of its last modification
provide key details when you are determining the current in-place policy.
To view the connection security rules in the active policy store, you can use the following Windows
PowerShell command:
Show-NetIPsecRule -PolicyStore ActiveStore

Main Mode SA and Quick Mode SA


The Main Mode SA is the initial SA that Windows 10 establishes between two computers. This negotiates
a set of cryptographic protection suites between both hosts. This initial SA allows Quick Mode key
exchange to occur in a protected environment. The Internet Security Association and Key Management
Protocol (ISAKMP) SA, or Phase 1 SA, is another name for the Main Mode SA. Main Mode establishes the secure
environment in which other keys are exchanged, as IPsec policy requires.
A Quick Mode SA depends on the successful establishment of a Main Mode SA. An IPsec or Phase 2 SA is
another name for a Quick Mode SA. This process establishes keys based on the information that the
policy specifies. Quick Mode SAs establish protected transmission channels for the actual application IP
data that the policy specifies.

Monitoring SAs
The Security Associations folder lists all of the Main Mode and Quick Mode SAs with detailed information
about their settings and endpoints.

Main Mode
Main Mode statistics provide data about the total number of SAs created and invalid packet information.

Quick Mode
Quick Mode provides more-detailed information about connections. If you are having issues with an
IPsec connection, Quick Mode statistics can provide insight into the problem.

Advanced Protection Methods


Lesson Introduction
Part of protecting Windows is to take a defense-in-depth approach. Threats come in many forms and can
target a variety of specific services or applications. Administrators should assume that no single solution
will be able to mitigate all threats and should be familiar with the tools and settings available to help
secure devices.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the features and use of the Security Compliance Toolkit
●● Describe the benefits of drive encryption with Bitlocker
●● Describe the features of AppLocker
●● Describe methods of securing data in the enterprise
●● Describe the benefits and features of Windows Defender Advanced Threat Protection

Security Compliance Toolkit


The Microsoft Security Compliance Toolkit enables enterprise security administrators to effectively
manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare
their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them
in GPO backup file format, and apply them via a domain controller or inject them directly into testbed
hosts to test their effects.

Windows Security Baselines


Every organization faces security threats. However, the types of security threats that are of most concern
to one organization can be completely different from another organization. For example, an e-commerce
company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting
confidential patient information. The one thing that all organizations have in common is a need to keep
their apps and devices secure. These devices must be compliant with the security standards (or security
baselines) defined by the organization.
A security baseline is a group of Microsoft-recommended configuration settings that explains their
security impact. These settings are based on feedback from Microsoft security engineering teams,
product groups, partners, and customers.
You can use security baseline to:
●● Ensure that user and device configuration settings are compliant with the baseline.
●● Set configuration settings. For example, you can use Group Policy, System Center Configuration
Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.

Why are security baselines needed?


Security baselines are an essential benefit to customers because they bring together expert knowledge
from Microsoft, partners, and customers. For example, there are over 3,000 Group Policy settings for
Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings,
only some are security-related. Although Microsoft provides extensive guidance on different security
features, exploring each one can take a long time. You would have to determine the security impact of
each setting on your own. Then, you would still need to determine the appropriate value for each setting.
In modern organizations, the security threat landscape is constantly evolving, and IT pros and
policy-makers must keep up with security threats and make required changes to Windows security settings
to help mitigate these threats. To enable faster deployments and make managing Windows easier,
Microsoft provides customers with security baselines that are available in consumable formats, such as
Group Policy Objects backups.
Note: Security baselines are included in the Security Compliance Toolkit (SCT) which can be accessed
here: https://aka.ms/L0omxs

Overview of BitLocker
BitLocker provides additional protection for a computer’s operating system and any data that is stored on
that operating system or in other volumes. BitLocker helps ensure that data stored on a computer
remains encrypted, even if someone tampers with the computer while the operating system is not
running.
BitLocker provides a closely integrated solution in Windows 10 to help address the threats of data theft
or exposure from lost, stolen, or inappropriately decommissioned computers. Data on these types of
computers can become vulnerable to unauthorized access when a hacker either runs a software attack
tool against it or transfers the computer’s hard disk to a different computer.
BitLocker helps mitigate unauthorized data access by enhancing Windows file and system protections.
BitLocker also helps render data inaccessible when you decommission or recycle BitLocker-protected
computers.
BitLocker performs two functions that provide both offline data protection and system-integrity
verification:
●● It encrypts all data that is stored on the Windows operating system volume (and configured data
volumes). This includes the Windows operating system, hibernation files and paging files, applications,
and data that applications use. BitLocker also provides an umbrella protection for non-Microsoft
applications, which benefits the applications automatically when they are installed on the encrypted
volume.
●● It is configured, by default, to use a Trusted Platform Module (TPM) chip to help ensure the integrity
of early startup components by ensuring that no modifications have been made to the trusted boot
path, such as BIOS, boot sector, and boot manager. Once the TPM has verified that there are no
changes, it releases the decryption key to the Windows OS Loader. If TPM does detect changes, it
locks any BitLocker-protected volumes, so they remain protected even if someone tampers with the
computer when the operating system is not running.
Note: The Windows 10 installation process partitions the computer’s hard disk to enable the use of
BitLocker.

Windows 10 now offers a newer encryption algorithm, XTS-AES, for BitLocker. Organizations
concerned with brute-force attacks of their devices given physical access may want to consider migrating
their BitLocker default encryption to XTS-AES. This option can be configured using Group Policy.
Microsoft recommends that customers enable this level of encryption on newly provisioned devices.

BitLocker and TPMs


BitLocker uses a Trusted Platform Module (TPM) chip to verify the integrity of the startup process by:
●● Providing a method to verify that early boot file integrity has been maintained, and to help ensure
that there has been no adverse modification of those files, such as with boot sector viruses or root
kits.
●● Enhancing protection to mitigate offline software-based attacks. Any alternative software that might
start the system does not have access to the decryption keys for the Windows operating system
volume.
●● Locking the system when it is tampered with. If anyone has tampered with monitored files, the system
does not start. This alerts the user to the tampering because the system fails to start as usual. In the
event that system lockout occurs, BitLocker offers a simple recovery process.
In conjunction with the TPM, BitLocker verifies the integrity of early startup components. This helps
prevent additional offline attacks, such as attempts to insert malicious code into these components. This
functionality is important because the components in the earliest part of the startup process must be
available in an unencrypted format so that the computer can start.
Note: You might need to enable the TPM functionality in your computer’s BIOS.

If an attacker can gain access to the startup process components, they can change the code in these
components and gain access to the computer even though the data on the disk is encrypted. Once the
attacker gains access to confidential information such as BitLocker keys or user passwords, they can
circumvent BitLocker and other Windows security protections.
BitLocker does not require a TPM. However, only a computer with a TPM can provide the additional
security of prestartup system-integrity verification. To determine if a computer has a TPM version 1.2
chip, perform the following steps:
1. Open Control Panel, select System and Security, and then select BitLocker Drive Encryption.
2. In the lower left corner, select TPM Administration. The TPM Management on the Local Computer
console opens. If the computer does not have the TPM 1.2 chip, the “Compatible TPM cannot be
found” message displays.
Note: On computers that do not have TPM 1.2, you can still use BitLocker to encrypt the Windows
operating system volume. However, this implementation does not include a TPM, and requires the user
to insert a USB startup key to start the computer or resume from hibernation. It also does not provide the
prestartup system integrity verification that BitLocker provides when working with a TPM.
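As an added example (not part of the course text), the following PowerShell checks the two things this section asks you to establish: whether the computer has a working TPM, and what BitLocker is actually doing on each volume. It uses the built-in Get-Tpm and Get-BitLockerVolume cmdlets and the Win32_Tpm WMI class, must run in an elevated session, and the warnings it prints (no TPM, non-XTS method, no recovery protector) are this example's own checks rather than anything BitLocker reports itself.

```powershell
# Added example: check TPM presence/readiness and BitLocker status per volume.
# Run from an elevated PowerShell session on Windows 10.

# Get-Tpm (TrustedPlatformModule module) reports presence and readiness.
$tpm = Get-Tpm
# Win32_Tpm exposes the TPM specification version (e.g. "2.0, 0, 1.38" or "1.2, ...").
$tpmWmi = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue

if (-not $tpm.TpmPresent) {
    Write-Warning 'No TPM found. BitLocker can still encrypt the OS volume, but it will need a USB startup key and cannot verify early boot integrity.'
} elseif (-not $tpm.TpmReady) {
    Write-Warning 'TPM present but not ready. Check that it is enabled and activated in the firmware (BIOS/UEFI) setup.'
} else {
    Write-Output ("TPM present and ready. Spec version: {0}" -f $tpmWmi.SpecVersion)
}

# One row per volume: protection state, encryption method, and the key protectors
# in use (e.g. Tpm, TpmPin, RecoveryPassword, ExternalKey).
$volumes = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        Volume           = $_.MountPoint
        Type             = $_.VolumeType
        Protection       = $_.ProtectionStatus
        EncryptionMethod = $_.EncryptionMethod
        KeyProtectors    = ($_.KeyProtector.KeyProtectorType -join ', ')
    }
}
$volumes | Format-Table -AutoSize

# Flag a protected OS volume that is not using the recommended XTS-AES method, and
# one with no recovery password protector (a TPM lockout would then be unrecoverable).
foreach ($v in $volumes) {
    if ($v.Type -eq 'OperatingSystem' -and $v.Protection -eq 'On') {
        if ($v.EncryptionMethod -notmatch '^XtsAes') {
            Write-Warning ("{0} uses {1}; consider moving new deployments to XTS-AES via Group Policy." -f $v.Volume, $v.EncryptionMethod)
        }
        if ($v.KeyProtectors -notmatch 'RecoveryPassword') {
            Write-Warning ("{0} has no recovery password protector." -f $v.Volume)
        }
    }
}
```

Get-Tpm answers the "Compatible TPM cannot be found" question from the console procedure above in one call; the KeyProtectors column is where a TPM-only configuration shows up as just "Tpm", and a USB-startup-key configuration as "ExternalKey".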

Encrypting File System


Encrypting File System (EFS) is another encryption feature in Windows 10. Unlike BitLocker, which
encrypts the entire volume, EFS encrypts individual files based on user accounts.
BitLocker is a newer feature of Windows and generally recommended for encryption as it’s easier to
implement and manage. However, there are some advantages that EFS provides that BitLocker does not.
IT professionals who want to implement EFS should research it thoroughly before using it. You need to
have a comprehensive understanding of EFS to implement a secure and recoverable EFS policy. A lack of
understanding (by either an administrator or an end user) or an improper implementation can expose
your data unnecessarily or leave it in a state from which you cannot recover it. This lesson provides a brief
overview of EFS.

What is EFS?
EFS is a built-in file encryption tool for Windows-based systems. EFS is a component of the NTFS file
system, and it uses advanced, standard cryptographic algorithms to allow transparent file encryption and
decryption. Through the Windows Information Protection functionality of Windows 10, EFS functionality
is also simulated on volumes that use the FAT32 file system. Any individual or app that does not have
access to a certificate store that holds an appropriate cryptographic key cannot read encrypted data. You
can protect encrypted files even from those who gain physical possession of a computer on which files
are stored. Even people who have the authorization to access a computer and its file system cannot view
the encrypted data.
Common Scenarios for EFS


Utilizing EFS does provide advantages for protecting data from unauthorized access.
●● Protecting files on shared computers. EFS allows users of shared computers to secure files so that
other users of those computers cannot access them. While file access can be defined using NTFS
permissions, you can use EFS with file and folder permissions as part of a defense-in-depth strategy.
●● Protecting files from privileged users. EFS allows you to prevent privileged users from accessing
certain files. Many data breaches are caused by attackers getting access to a privileged account and
using that privileged account to override file and folder permissions. While the default Administrator
account is also the data recovery agent for EFS-protected files, this can be changed so that privileged
accounts cannot access these files.
●● Sharing encrypted files with specific users. With BitLocker, files do not remain encrypted if they are
moved or copied to another system that does not also provide encryption. With EFS, users can share
encrypted files with other users on file shares and in web folders. This allows you to grant individual
users permissions to access an encrypted file. After you encrypt a file, you can enable file sharing
through the user interface. You first must encrypt a file and then save it before adding more users. You
can add users from a local computer or from Active Directory Domain Services (AD DS) if the users
have a valid certificate for EFS. EFS certificates can be located in roaming profiles, in the user profiles
on the computer that is storing the file, or in AD DS. Caution users to share files only with trusted
accounts, as any user who is authorized to decrypt a file can authorize other users to access the file;
this ability is not restricted to the file owner. Removing the Write permission from a user or group of
users can prevent this problem, but it also prevents the user or group from modifying the file.
EFS-encrypted files do not remain encrypted when crossing the network, such as when you work with
the files on a shared folder. The file is decrypted, and it then traverses the network in an unencrypted
state. EFS encrypts it locally if you save it to a folder on the local drive that is configured for encryption.
Solutions like WebDAV or IPsec can be used to keep files encrypted while traversing the network.
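As an added example, not part of the course text, the following PowerShell walks through the mechanics the "What is EFS?" section and the file-sharing scenario describe: it encrypts a constructed sample file, confirms the Encrypted attribute, lists the certificates that can decrypt the file (the same list the file-sharing dialog manages), and locates the user's EFS certificate in the personal store. It assumes an NTFS volume and a Windows 10 edition that includes EFS (Pro, Enterprise or Education); cipher.exe and the EFS EKU OID 1.3.6.1.4.1.311.10.3.4 are built in, while the folder, file and content are constructed for the demo.

```powershell
# Added example: encrypt a constructed sample file with EFS, confirm it, list who
# can decrypt it, and find the user's EFS certificate. Assumes an NTFS volume and
# a Windows 10 edition that includes EFS (Pro, Enterprise, Education).
$folder = Join-Path $env:USERPROFILE 'EfsDemo'      # constructed demo path
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$file = Join-Path $folder 'secret.txt'
Set-Content -Path $file -Value 'constructed sample content'

# Mark the folder as encrypted so files saved into it are encrypted automatically
# (the "folder configured for encryption" case above), then encrypt the file itself.
cipher.exe /e "/s:$folder" | Out-Null
[System.IO.File]::Encrypt($file)

# The Encrypted attribute bit confirms EFS protection on the file.
$isEncrypted = [bool]((Get-Item $file).Attributes -band [System.IO.FileAttributes]::Encrypted)
"Encrypted: $isEncrypted ($file)"

# Show the users (by certificate thumbprint) who can decrypt the file, plus any
# recovery agents. Any listed user could authorize another with:
#   cipher.exe /adduser /certhash:<thumbprint> <file>
# which is the same operation the file-sharing dialog performs.
cipher.exe /c $file

# The user's own EFS certificate: the one carrying the Encrypting File System EKU
# (OID 1.3.6.1.4.1.311.10.3.4). Losing this key means losing the data unless a
# recovery agent exists, which is the recoverability risk the lesson warns about.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Select-Object Subject, Thumbprint, NotAfter
```

The cipher.exe /c output is the practical check for the "privileged users" scenario: if a data recovery agent certificate is listed, the holder of that key can decrypt the file regardless of NTFS permissions.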

Comparing BitLocker and EFS


The following comparison summarizes BitLocker and EFS encryption functionality:
●● BitLocker encrypts volumes (the entire operating-system volume, including Windows system files, and
the hibernation file); EFS encrypts files.
●● BitLocker does not require user certificates; EFS requires user certificates.
●● BitLocker does not protect against unauthorized privileged accounts; EFS helps protect against
unauthorized privileged accounts.
●● BitLocker protects the operating system from modification (on devices with a TPM); EFS does not
protect the operating system from modification.
●● BitLocker is easier to implement; EFS is more complex to implement.
Organizations can choose to use EFS or BitLocker separately, or together as part of a defense-in-depth
strategy. Administrators should consider carefully the benefits and risks of implementing EFS. While EFS
can solve certain scenarios, there is also greater potential for loss of data or unauthorized access if it is
not implemented and used correctly.

Using AppLocker to Control Applications


Today’s organizations face a number of challenges in controlling which applications run on client
computers. These challenges include controlling:
●● The Universal Windows and desktop apps that users can access.
●● Which users are allowed to install new applications.
●● Which versions of the applications are allowed to run, and for which users.
Users who run unauthorized software can experience a higher incidence of malware infections and
generate more help-desk calls. However, it can be difficult for you to ensure that the users’ computers
run only approved and licensed software.

AppLocker benefits
You can use AppLocker to specify which software can run on user PCs and devices. AppLocker enables
users to run the applications, installation programs, and scripts that they require to be productive, while
still providing the security and compliance benefits of application standardization.
AppLocker can be useful for organizations that want to:
●● Limit the number and types of applications that can run. This can be done by preventing unlicensed
software or malware from running, and by restricting the ActiveX controls that are installed.
●● Reduce the total cost of ownership by ensuring that workstations are homogeneous across an
enterprise, and that users run only the software and applications that the enterprise approves.
●● Reduce the security risks and possibility of information leaks from running unauthorized software.

AppLocker rules
You can prevent many problems in your work environment by controlling which applications a user can
run. AppLocker enables you to do this by creating rules that specify exactly which applications a user can
run. AppLocker continues to function even when applications are updated.
Because you configure AppLocker with Group Policy, you need to understand Group Policy creation and
deployment. This makes AppLocker ideal for organizations that currently use Group Policy to manage
their Windows 10 computers or have per-user application installations.
To author AppLocker rules, you use a new AppLocker Microsoft Management Console (MMC) snap-in in
the Group Policy Management Editor window. AppLocker provides several rule-specific wizards. You can
use one wizard to create a single rule and another wizard to generate rules automatically, based on your
rule preferences and the folder that you select. The four wizards that AppLocker provides administrators
with to author rules are:
●● Executable Rules Wizard
●● Windows Installer Rules Wizard
●● Script Rules Wizard
●● Packaged App Rules Wizard
At the end of each wizard, you can review the list of analyzed files. You then can modify the list to remove
any file before AppLocker creates rules for the remaining files.
The Event Viewer stores events for AppLocker on the local computer. You can review these events if you
want to check whether your AppLocker rules apply as designed. You can use the events in the following
table to troubleshoot AppLocker from the client.

Event ID and event reason:
●● 8000: Indicates that the AppLocker policy did not apply correctly to the computer.
●● 8004: Indicates that an .exe or .dll file did not run.
●● 8007: Indicates that a script or .msi file did not run.
●● 8022: Packaged app is disabled.
●● 8025: Packaged app installation is disabled.
Note: Only the Windows 10 Enterprise and Windows 10 Education editions support AppLocker.
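As an added example (not course material), the following PowerShell turns the event table above into a report you can run on a client: it reads the four AppLocker operational logs, keeps the IDs listed above, and extracts the target user and file path from each event. It also includes the audit-only counterparts (8003, 8006, 8021, 8024), which Windows logs instead of the block events when a rule collection is set to Audit only, so the same report works during a pilot; the log names and the UserData/RuleAndFileData layout are those of the Windows AppLocker event schema, and the function name and seven-day window are this example's own choices.

```powershell
# Added example: summarise recent AppLocker events from the AppLocker operational
# logs. 8000/8004/8007/8022/8025 are the IDs from the table above; the "AUDIT"
# IDs are what Windows logs instead when the collection is in Audit only mode.
$reasons = @{
    8000 = 'Policy did not apply correctly'
    8003 = 'AUDIT: .exe/.dll would have been blocked'
    8004 = '.exe or .dll blocked'
    8006 = 'AUDIT: script/.msi would have been blocked'
    8007 = 'Script or .msi blocked'
    8021 = 'AUDIT: packaged app would have been blocked'
    8022 = 'Packaged app blocked'
    8024 = 'AUDIT: packaged app install would have been blocked'
    8025 = 'Packaged app installation blocked'
}
$logs = @(
    'Microsoft-Windows-AppLocker/EXE and DLL'
    'Microsoft-Windows-AppLocker/MSI and Script'
    'Microsoft-Windows-AppLocker/Packaged app-Execution'
    'Microsoft-Windows-AppLocker/Packaged app-Deployment'
)

function Get-AppLockerReport {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    foreach ($log in $logs) {
        $events = Get-WinEvent -FilterHashtable @{
            LogName = $log; Id = [int[]]$reasons.Keys; StartTime = $Since
        } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # AppLocker file events carry their details in UserData/RuleAndFileData;
            # 8000 (policy failure) has no file data, so those fields stay empty.
            $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Id     = $e.Id
                Reason = $reasons[$e.Id]
                User   = $data.TargetUser
                File   = $data.FilePath
                Log    = $log.Split('/')[1]
            }
        }
    }
}

$report = Get-AppLockerReport
$report | Sort-Object Time -Descending | Format-Table -AutoSize

# Count by reason so the noisiest rule gaps surface first.
$report | Group-Object Reason | Sort-Object Count -Descending | Select-Object Count, Name
```

During an audit-only rollout, a run of 8003/8006 events for one path usually means a missing rule for a legitimate application rather than malware; checking the File column against the approved software list before switching to Enforce rules avoids blocking users on day one.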

Using AppLocker to Control Universal Windows Apps


To enable AppLocker restrictions for the Universal Windows apps, you must configure the appropriate
Group Policy settings by performing the following procedure:
1. Open the Local Group Policy editor (gpedit.msc).
2. Under Local Computer Policy, in the left pane, navigate to Computer Configuration\Windows
Settings\Security Settings\Application Control Policies\AppLocker, and then select Packaged app Rules.
3. Right-click Packaged app Rules, and then select Create New Rule.
4. Use the Create Packaged App Rules Wizard to configure the application restriction policy with the
following settings:
●● Configure the permissions to allow or deny the app.
●● Select an app publisher. You can select an installed app as a reference.
●● Modify the rule by making the rule apply to:
   ●● Only the specific version of the app that you select.
   ●● Any apps from the publisher.
   ●● Any apps from any publisher.
●● Define exceptions.
●● Name the policy.
5. Create the default rule. This default rule has a lower precedence, but it enables all signed packaged
apps to run. To create the default rule, right-click Packaged app Rules, and then select Create Default
Rules.
6. Select the enforcement level. By default, policies are enforced. You can change the policy to audit
policies only. To do this:
●● Right-click the AppLocker node, and then select Properties.
●● In the AppLocker Properties dialog box, select the Configured check box adjacent to Packaged app
rules. In the list, depending on your requirements select either Enforce rules or Audit only, and then
select OK.

Enabling the Application Identity service


Enforcement of AppLocker rules requires that the Application Identity service run on all computers
affected by your AppLocker policy. This service identifies applications, and then processes the AppLocker
policies against the identified applications. You can enable this service by opening Services.msc, and then
selecting the Application Identity service. Configure the service for automatic startup, and then start the
service manually. You also can start the service by configuring the setting through a GPO.
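As an added example (not course material), the following PowerShell performs the packaged-app procedure and the service step above without the GUI: it generates publisher rules for the installed packaged apps, sets the Packaged app rules collection to Audit only, adds a rule equivalent to the wizard's default rule, tests and applies the policy locally, and starts the Application Identity service. It uses the built-in AppLocker cmdlets (Get-AppLockerFileInformation, New-AppLockerPolicy, Test-AppLockerPolicy, Set-AppLockerPolicy) and sc.exe; the output path, rule-name prefix and the hand-written default-rule XML are this example's own.

```powershell
# Added example: build a packaged-app (Appx) AppLocker policy in Audit only mode,
# add the equivalent of the wizard's default rule, test and apply it locally, and
# start the Application Identity service. Run elevated on Windows 10 Enterprise
# or Education. The output path and rule-name prefix are constructed for the demo.
$policyPath = Join-Path $env:TEMP 'AppLocker-Appx-Audit.xml'

# 1. One publisher rule per installed packaged app (any version from that publisher);
#    -Optimize collapses rules that share a publisher.
$xml = [xml](Get-AppxPackage |
    Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix 'Inventory' -Optimize -Xml)

# 2. Set the Appx rule collection to Audit only. This is the same switch as
#    AppLocker Properties -> Packaged app rules -> Configured -> Audit only.
$appx = $xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }
$appx.SetAttribute('EnforcementMode', 'AuditOnly')

# 3. Add the default rule: allow every signed packaged app for Everyone (S-1-1-0).
#    This reproduces what "Create Default Rules" generates for the Appx collection.
$defaultRule = @"
<FilePublisherRule Id="$([guid]::NewGuid())" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions>
    <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
      <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
    </FilePublisherCondition>
  </Conditions>
</FilePublisherRule>
"@
$fragment = $xml.CreateDocumentFragment()
$fragment.InnerXml = $defaultRule
$appx.AppendChild($fragment) | Out-Null
$xml.Save($policyPath)

# 4. Dry run: every installed package should come back as Allowed under this policy.
Get-AppxPackage |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone |
    Group-Object PolicyDecision |
    Select-Object Name, Count

# 5. Apply to the local computer, merging with any existing local rules.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 6. AppLocker does nothing unless the Application Identity service (AppIDSvc) runs.
#    It is a protected service, so use sc.exe to set Automatic start, then start it.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType
```

Step 4 is the cheap insurance the wizard does not give you: if a package shows Denied before the policy is applied, a rule is missing, and in Audit only mode that would show up later as an 8021 event rather than a blocked user.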

Securing Data in the Enterprise


It is important to protect data at rest not only on the servers located on-premises and in the cloud, but
also on the users' devices. You have learned about some of the device management capabilities that
can help to protect data at rest on the users' devices; however, you should also use built-in features in
the client device's platform to enhance this data protection.
Windows 10 includes many security features specifically targeted at large organizations. Among other
features, this version implements new user identity technologies to reduce dependence on user-chosen
passwords, improved credential storage to limit the impact of compromised PCs on other systems, and
improved software allow/block to secure locked-down devices such as point-of-service terminals against
malware. However, organizations must select the Enterprise edition of the OS; deploy prerequisite
hardware, software, and services; and invest time and money to deploy the improved protection
successfully.

Windows Device Health Attestation


Windows Device Health Attestation ensures that the OS has not been tampered with or compromised
and helps verify the overall health of the system. Certain services (like Exchange e-mail, SharePoint, or
AAD membership) take advantage of this service and can disallow access until a Windows 10 Enterprise
edition PC meets certain qualifications.
For example, when a user tries to join a new Windows 10 PC to the AAD, the Microsoft-hosted directory
service, conditional access can verify the integrity of the PC using Windows Device Health Attestation and
then ensure that BitLocker, Secure Boot, or Virtualization-Based Security features like Credential Guard
are enabled. If a user elects to not allow these settings to be configured, access to the requested resource
is denied.
This functionality requires the use of “modern authentication.” Modern authentication is the name
Microsoft uses to describe the AAD Authentication Library (ADAL) for clients and other technologies that
implement authentication using the OAuth 2.0 and OpenID Connect protocols. Microsoft has built these
technologies natively into Windows 10 and Office 2016 and into Microsoft-hosted services such as
Microsoft 365.

Windows Information Protection


Windows Information Protection (WIP), previously Enterprise Data Protection (EDP), is a feature of
Windows 10 Pro and Enterprise. The feature is intended to keep organizational data secure, regardless of the
actions of end users.
When enabled, WIP watches for content that is downloaded from SharePoint, Office 365, and corporate
Web servers and file servers. It offers a range of controls, from blocking the download of content,
warning users, or auditing their access to preventing data from being shared outside the organization.
Content downloaded to the device is automatically protected by WIP, and only approved applications can
access the content. An organization can also elect to securely wipe data from the device using
Configuration Manager, Intune, or third-party mobile device management (MDM).
WIP provides encryption at rest using Microsoft's Encrypting File System (EFS) and also uses the
Microsoft-hosted Azure Rights Management Services functionality, which is included with Microsoft 365,
to protect the data when it leaves the corporate network boundary or when it arrives on non-Windows
platforms, such as iOS and Android.

VPN Profiles
Windows 10 offers finer-grained control of virtual private network (VPN) software on the client through
VPN profiles. Windows 10 offers configuration of Microsoft and select third-party VPN profiles on client
computers using Group Policy, Intune, or third-party MDM. Centrally configuring VPN profiles can help
provide good defaults for network traffic from applications and devices that the organization would like
to protect.
With the November update, VPN profiles can be set to be always on when a user is logged on or
triggered by a specified Windows application. VPN traffic can also be configured for specific applications or
network traffic, or the administrator can specify that a device is locked down, meaning that all network
traffic should occur over a VPN.

Understand Microsoft Defender for Endpoint


Microsoft Defender for Endpoint is a platform designed to help enterprise networks prevent, detect,
investigate, and respond to advanced threats. Unlike the Microsoft Defender or Windows Defender solutions
that are available on each Windows 10 computer and are managed by Group Policy or Intune, Microsoft
Defender for Endpoint is a whole new platform that helps administrators enhance security, as well as
establish centralized security control over both cloud and on-premises resources. Although Microsoft
Defender for Endpoint shares the same name with Microsoft Defender in Windows 10, these are not the
same products.
Administrators can use Microsoft Defender for Endpoint to monitor Microsoft Defender functionalities on
local Windows 10 clients to maintain consistent configuration and an acceptable security level. Microsoft
Defender for Endpoint can also integrate with Office 365 Threat Intelligence, Cloud App Security, Azure
ATP and Intune. It’s also capable of detecting potentially harmful content in Skype for Business
communications.
Microsoft Defender for Endpoint uses the following combination of technologies built into Windows 10
and Microsoft's cloud service:
●● Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral
signals from the operating system and send this sensor data to your private, isolated, cloud
instance of Microsoft Defender for Endpoint.
●● Cloud security analytics: Leveraging big data, machine learning, and unique Microsoft optics across
the Windows ecosystem, enterprise cloud products (such as Microsoft 365), and online assets,
behavioral signals are translated into insights, detections, and recommended responses to advanced
threats.
●● Threat intelligence: Generated by Microsoft hunters and security teams, and augmented by threat
intelligence provided by partners, threat intelligence enables Microsoft Defender for Endpoint to
identify attacker tools, techniques, and procedures, and generate alerts when these are observed in
collected sensor data.
These technologies, combined, provide very efficient proactive monitoring of what happens on your
client machines, servers and network. They perform automated investigations on well-known incidents
and provide some actions even before an administrator is alerted.

Windows Defender Application Control


With thousands of new malicious files created every day, using traditional methods like antivirus
solutions—signature-based detection to fight against malware—provides an inadequate defense against
new attacks.
Normally, when a user runs a process, that process has the same level of access to data that the user has.
As a result, sensitive information could easily be deleted or transmitted out of the organization if a user
knowingly or unknowingly runs malicious software. Application control moves away from the traditional
application trust model where all applications are assumed trustworthy by default to one where
applications must earn trust in order to run.

Windows Defender Device Guard


Device Guard combines the features of Application Control with the ability to leverage the Windows
Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of
malicious or unverified code.

Windows Defender Credential Guard


Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only
privileged system software can access them. Unauthorized access to these secrets can lead to credential
theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents
these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials
stored by applications as domain credentials. Because they are no longer stored in the Local Security
Authority (LSA), credential theft can be blocked even on a compromised system.

Windows Defender Application Guard


Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate untrusted sites. As an
enterprise administrator, you define what is among trusted websites, cloud resources, and internal
networks. Everything not on your list is considered untrusted.
If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft
Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating
system. If the site turns out to be malicious, the host PC is protected.
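As an added example (not course material), the following PowerShell reports whether the protections described in the Device Guard, Credential Guard and Application Guard sections are actually active on a client: the virtualization-based security state and the services it is running (Credential Guard, HVCI) from the Win32_DeviceGuard WMI class, the LsaCfgFlags registry value that configures Credential Guard, and the install state of the Windows-Defender-ApplicationGuard optional feature. The numeric code tables follow the Win32_DeviceGuard class documentation; the function name and the summary object are this example's own. Run it elevated.

```powershell
# Added example: report the virtualization-based security (VBS) state that Device
# Guard and Credential Guard depend on, the Credential Guard registry setting, and
# whether the Application Guard optional feature is installed. Run elevated.
function Get-VbsSecurityStatus {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    # Code tables from the Win32_DeviceGuard class documentation.
    $vbsState   = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
    $services   = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced Code Integrity (HVCI)';
                     3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
    $properties = @{ 1 = 'Base VBS (hypervisor support)'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                     4 = 'Secure memory overwrite'; 5 = 'UEFI code read-only';
                     6 = 'SMM security mitigations 1.0'; 7 = 'Mode-based execution control' }

    # LsaCfgFlags: 1 = Credential Guard on with UEFI lock, 2 = on without lock, 0/absent = off.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue

    # Application Guard ships as an optional Windows feature.
    $wdag = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsStatus                  = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        SecurityServicesConfigured = @($dg.SecurityServicesConfigured | ForEach-Object { $services[[int]$_] })
        SecurityServicesRunning    = @($dg.SecurityServicesRunning    | ForEach-Object { $services[[int]$_] })
        AvailableProperties        = @($dg.AvailableSecurityProperties | ForEach-Object { $properties[[int]$_] })
        CredentialGuardLsaCfgFlags = if ($lsa) { $lsa.LsaCfgFlags } else { 'not set' }
        ApplicationGuardFeature    = if ($wdag) { $wdag.State } else { 'not available on this edition' }
    }
}

$status = Get-VbsSecurityStatus
$status | Format-List

# Credential Guard only isolates LSA secrets when VBS is running and service 1 is
# listed as running; "configured" alone means a reboot or a missing prerequisite.
if ($status.SecurityServicesRunning -notcontains 'Credential Guard') {
    Write-Warning 'Credential Guard is not running: NTLM hashes and Kerberos TGTs are held by the normal LSA process.'
}
```

The gap between SecurityServicesConfigured and SecurityServicesRunning is the usual troubleshooting clue: a Group Policy setting has landed but the hypervisor or Secure Boot prerequisite in AvailableProperties is missing, so the protection is not yet in effect.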

Windows Defender Exploit Guard


Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention
capabilities for Windows 10. It allows administrators to define and manage policies for attack surface
reduction, exploit protection, network protection, and preventing suspicious apps from accessing
commonly targeted folders.
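As an added example (not course material), the following PowerShell reads the current state of each Exploit Guard capability area from the local Defender configuration, so you can verify what a policy actually applied on a client. It uses the built-in Get-MpPreference and Get-ProcessMitigation cmdlets; the mode-name mapping follows the Set-MpPreference documentation (0 = Disabled, 1 = Enabled/Block, 2 = Audit, and 6 = Warn for attack surface reduction rules), and the helper and function names are this example's own.

```powershell
# Added example: report the state of the Exploit Guard capability areas from the
# local Defender configuration. Mode codes follow the Set-MpPreference docs.
function ConvertTo-ModeName([int]$Value) {
    switch ($Value) {
        0 { 'Disabled' }
        1 { 'Enabled (block)' }
        2 { 'Audit' }
        6 { 'Warn' }
        default { "Other ($Value)" }
    }
}

function Get-ExploitGuardStatus {
    $mp = Get-MpPreference
    $pm = Get-ProcessMitigation -System   # system-wide Exploit protection mitigations

    # Attack surface reduction: parallel arrays of rule GUIDs and their actions.
    $asr = for ($i = 0; $i -lt @($mp.AttackSurfaceReductionRules_Ids).Count; $i++) {
        [pscustomobject]@{
            RuleId = $mp.AttackSurfaceReductionRules_Ids[$i]
            Action = ConvertTo-ModeName $mp.AttackSurfaceReductionRules_Actions[$i]
        }
    }

    [pscustomobject]@{
        # Controlled folder access protects commonly targeted folders from untrusted apps.
        ControlledFolderAccess = ConvertTo-ModeName $mp.EnableControlledFolderAccess
        ProtectedFolders       = @($mp.ControlledFolderAccessProtectedFolders)
        AllowedApps            = @($mp.ControlledFolderAccessAllowedApplications)
        NetworkProtection      = ConvertTo-ModeName $mp.EnableNetworkProtection
        AttackSurfaceReduction = @($asr)
        # A few of the system-wide exploit mitigations (ON / OFF / NOTSET).
        DEP                    = $pm.Dep.Enable
        CFG                    = $pm.Cfg.Enable
        SEHOP                  = $pm.Sehop.Enable
        ASLR_BottomUp          = $pm.Aslr.BottomUp
    }
}

$status = Get-ExploitGuardStatus
$status | Format-List

if ($status.ControlledFolderAccess -eq 'Disabled') {
    Write-Warning 'Controlled folder access is off: commonly targeted folders are not protected from untrusted apps.'
}
if ($status.AttackSurfaceReduction.Count -eq 0) {
    Write-Warning 'No attack surface reduction rules are configured.'
}
```

Audit mode values are worth watching for: a rule that a pilot left at Audit reports every would-be block to the event log but stops nothing, so a fleet that "has ASR configured" may still be unprotected until the action is switched to Block.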
Practice Labs and Module Review


Module 9 Practice Labs
Lab 0901: Configuring Microsoft Defender Antivirus and
Windows Security

Summary
In this exercise you will learn how to configure Microsoft Defender Antivirus and Windows Security
settings.

Exercise 1: Detecting threats using Microsoft Defender Antivirus

Scenario
You've been asked to configure and test Microsoft Defender Antivirus on SEA-CL1. You need to configure
protection settings to enable controlled folder access and to exclude E:\Labfiles\Tools from scanning.
You've decided to simulate a virus using a test file, sample.txt, located at C:\Files, to validate successful
threat detection.

Exercise 2: Configuring Windows Security Settings

Scenario
You need to verify that Microsoft Defender SmartScreen has been enabled and is configured on SEA-CL1.
You also need to verify that Exploit Protection settings are On by default.

Lab 0902: Configuring Firewall and Connection Security

Summary
In this exercise you will learn how to create and configure firewall rules to block and allow specific service
connections to a device. In this exercise you will learn how to create and configure connection security
rules to encrypt network traffic between Windows devices.

Exercise 1: Creating and Testing Inbound Firewall Rules

Scenario
Users that work on SEA-CL2 are not allowed to remote desktop into SEA-CL1. You need to verify that
remote desktop currently is allowed and then configure a firewall rule on SEA-CL1 that will block remote
desktop connections. You will leave the Remote desktop service enabled to allow for other device
connections to be configured at a later time.
Exercise 2: Creating and Testing Outbound Firewall Rules

Scenario
SEA-SVR1 also needs to be configured to allow remote desktop connections, however SEA-CL1's firewall
configuration should not allow any user to use a remote desktop connection to SEA-SVR1 from SEA-CL1.
You will configure an outbound firewall rule on SEA-CL1 to prevent remote desktop connections to the
server.

Exercise 3: Creating Connection Security Rules

Scenario
Your manager wants you to ensure that all network traffic between SEA-CL1 and SEA-CL2 is encrypted.
You need to configure a connection security rule with the setting “Require authentication for inbound
connections and request authentication for outbound connections” enabled on both devices.

Lab 0903: Configuring BitLocker

Summary
In this exercise you will learn how to encrypt a local disk drive using BitLocker.

Scenario
You have a Windows 10 computer that has sensitive data stored on the E drive. You decide to configure
and test BitLocker to see how it can be used to protect the data files that are stored on the local drive (E:).

Module Review
Check Your Knowledge
1. A hacker has captured network packets that workstations connected to your network send and
receive. You have concerns that your organization’s sensitive data has been compromised. What is this
kind of network-based security threat known as?
A. Man-in-the-middle attack
B. Port scanning
C. Denial of service attack
D. Eavesdropping
E. None mentioned
2. You have deployed several defense mechanisms to protect users from Phishing attacks. However,
some users are still falling prey to these attacks. Which of the following statements will not help
educate your users about Phishing?
A. Always check a URL before you select on the link.
B. Multiple spelling and grammar mistakes can signal a scam.
C. Look for company contact information and brand accuracy.
D. Phishing scams are exclusively perpetrated in email.
E. All statements are accurate and will help users
3. You are configuring a 64-bit Windows 10 Enterprise computer. Your organization discourages the use
of weak passwords and storing passwords insecurely. Which of the following features can securely
store OS secrets and prevent hackers from accessing them even if the machine is already
compromised?
A. Windows Hello
B. Microsoft Passport
C. Credential Guard
D. Encrypted File System (EFS)
E. None mentioned
4. You are an IT support professional for a power company. Ninety percent of the company's workforce
uses mobile devices. Which of the following Windows 10 data protection features is especially
valuable if one of their devices is stolen?
A. Windows Information Protection
B. Windows Device Health Attestation
C. BitLocker
D. VPN Profiles
E. None mentioned
5. You are configuring a Windows 10 computer's firewall. You need to keep the computer from being
visible to other computers. Which network location profile should you select?
A. Domain networks
B. Guest or public networks
C. Private networks
D. None mentioned
6. You are configuring a Windows 10 computer in your organization. You need to prevent computers
from connecting to this computer if they are not a member of the same domain. You decide to create
a connection security rule. Which of the following will you need to create?
A. Authentication exemption rules
B. Server-to-server rules
C. Isolation rules
D. Custom rules
7. Your organization has identified potential weaknesses in their private networks that might be
susceptible to exploitation. As an IT support professional for your organization, you are tasked to
implement IPsec. Which of the following statements is true when referring to IPsec?
A. Offers self authentication before and during communications.
B. IPsec has two modes: Basic and Advanced
C. The Advanced mode encrypts data using one of several available algorithms.
D. Enables confidentiality through IP traffic encryption and digital-packet authentication.
8. BitLocker has entered a locked state on a user's computer in your domain environment. You need the
recovery password to unlock the encrypted data on the volume. What condition must be met in order
to locate the password? (select four)
A. You must be a domain administrator.
B. Computer must be quarantined from the network.
C. BitLocker must be configured to store recovery information in AD DS.
D. Computer must be joined to the domain.
E. BitLocker must be enabled on the computer that is locked.
F. You must be a BitLocker administrator.
Answers 1) D 2) D 3) C 4) C 5) B 6) C 7) D 8) A,C,D,E
Module 10 Supporting the Windows 10 Environment

Windows Architecture
Lesson Introduction
You can use Windows 10 on a range of devices, including tablets and other touch-enabled computers. To
optimize your users’ experience, you can choose between several editions of Windows 10.
This lesson provides you with information about the operating system’s architecture and supported
devices. It also describes the desktop support environment and troubleshooting terminology.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe Windows 10 devices.
●● Explain the Windows 10 operating system architecture.
●● Describe the desktop support environment.
●● Explain the key stages and terminology of a troubleshooting methodology.

Windows 10 Devices
In present-day enterprise environments, not all users want to work on a single desktop computer that has
a wired connection to the corporate network. Today, many users prefer wireless connectivity and remote
access to their work environments. When you use wireless connectivity, you can work on different devices
and from different locations.
Diagram showing images that represent Windows devices.
The type of device that the user wants to utilize to connect to a corporate network might vary depending
on the user’s requirements. Some users want the portability of a laptop computer, while others want to
use a touch-capable device, such as a tablet. Windows 10 is designed to operate across many device
types, and its use is not restricted to only desktop and laptop computing devices.

Form factors
Windows 10 supports several types of devices, including:
●● Desktop computers. This is the traditional computing platform that offers powerful performance but
limited mobility. To improve user productivity, you can combine desktop computers with touch
screens.
●● Laptop computers. Modern laptop computers can come with a touch screen, which allows users to
perform tasks much more quickly than they would by using a traditional mouse. You can convert
some laptop computers into tablets through screen rotation, although these types of device are not
as portable as standard tablets.
●● Convertible laptops. These devices are tablet computers that come with a docking station that has a
keyboard and additional ports, such as universal serial bus (USB) and video expansion ports. When
you separate a convertible laptop from its docking station, it provides all of the convenience of a
tablet. When on its docking station, this type of device enables users to work in a more traditional
fashion. Some docking stations also have an additional battery.
●● Tablets. Tablets come in a variety of sizes and with different specifications and features:
   ●● 12-inch tablets. These tablets are comparatively large, and you might find them more often on
   convertible laptops with some kind of docking station. The Microsoft Surface Pro 6 is an 11.5-inch
   tablet, and supports the attachment of optional keyboard covers.
   ●● 10-inch tablets. Comparable in size with the Apple iPad, these tablets often are stand-alone
   devices, although they sometimes include a keyboard cover. These types of devices offer the best
   portability.
   ●● 8-inch tablets. This type of device, which is similar to the Apple iPad Mini, provides optimum
   portability. However, it might pose challenges for certain types of use. For example, using an 8-inch
   tablet for a great deal of typing typically is not an easy task, and you can find better devices
   for this purpose.
Note: These are broad device categories, and some devices do not fall into one category only.

Factors that affect device selection


Additional factors that might determine what type of tablet or convertible device a user selects include:
●● Battery life. This is a critical factor for some users. Many devices in the first generation of Windows
tablets used Intel Atom processors, which provided extended battery life. However, while these
devices provide solid performance, the Atom is not suited for heavy processing tasks.
●● Processor performance. Some Windows-equipped tablets use Intel Core i7 processors. These
processors are capable of a much higher workload, but they typically consume more power.
●● Screen size and resolution. Smaller, and therefore more portable, devices have smaller screen sizes.
Users could find it difficult to interpret content that is in high resolution on a small screen, so they
might find these devices difficult to use for work. However, to help mitigate this issue, the screen
resolution might be reduced. For example, typical screen resolution for 10-inch Intel Atom-based
tablets is 1366x768.
●● External expansion options. The device that your user selects might need to support an optical drive
or multiple monitor connections, or provide for several USB expansion ports to support the
peripherals they intend to use.
●● Memory. Many tablets with Atom processors have 2 gigabytes (GB) of available memory. This is
sufficient for relatively light workloads, but might not be adequate for heavy workloads. Core i7
devices can have as much as 8 GB of memory installed, thereby providing support for much heavier
workloads.
●● Storage. Unlike desktop computers, and even some laptops, tablets come with a fixed storage
capacity. Smaller devices come with less storage, and 32 GB of storage capacity is typical for small
tablets. Some vendors provide the option to customize the storage when the user purchases their
device. Before making a decision on the amount of storage they require, users must think about how
they are going to use a device. Almost every Windows tablet provides some means to expand the
available storage when they use secure digital (SD) or Micro SD cards, and in some cases, support for
USB storage devices.
Note: Although many tablet device vendors offer cloud-based storage, remember that when a user is
offline, the device's usable capacity is only its local storage.

Support Considerations
The type of support issues that you encounter could vary based on the type of device that the user is
using. Storage issues are more prevalent with tablet computers, since they have less storage space than a
laptop or desktop computer. Additionally, users might choose to use cloud-based storage with their
tablets. Using cloud-based storage introduces complexities, such as file synchronization and user authen-
tication to the storage platform. Desktop computer users are less likely to need to use cloud-based
storage as these devices tend to have larger internal drives and generally are always connected to
corporate networks.
Another consideration is that increasingly, users want to connect their own devices to corporate net-
works. This practice increases an organization’s support concerns by introducing security issues and
device management issues. In addition, as devices become more mobile, the ability for IT departments to
manage those devices becomes a challenge.

Windows 10 Architecture
It is important to understand the differences between software applications, operating system services,
and hardware devices and their associated device drivers in the operating system kernel. The Windows 10
operating system architecture comprises the operating system kernel, system services, and applications.

Operating system kernel


At the lowest level of the operating system, the core of the operating system consists of the Windows
kernel itself and low-level device drivers. The kernel is responsible for taking operating system requests
from system services. The kernel then translates those requests into instructions for the computer
hardware, including the central processing unit (CPU), memory, and hardware devices.
When the operating system starts up, the kernel and its related low-level device drivers initialize first,
followed by the operating system services.

System services
Operating system services are part of the operating system rather than components that you install after
the operating system deploys. Additionally, operating system services function with no user action. In
fact, they start before a user signs in to the computer.
Both operating system services and device drivers are software. However, the difference between them is
that device drivers interact directly with hardware devices or components. Generally, a system service
interacts with other software components in the operating system.
Note: From a management perspective, the difference between device drivers and services is more
obvious. You can use the Device Manager tool to manage device drivers, and you use the services
Microsoft Management Console (MMC) snap-in tool to manage system services.
System services include various executive services that provide distinct functions within the operating
system, including:
●● The I/O Manager manages I/O.
●● The virtual memory manager controls virtualization of memory within the operating system.
●● Other components within the executive control other aspects of the operating system.
●● The application programming interface (API) sets enable Windows 10 to support different types of
apps. The Windows Runtime (WinRT) APIs enable the operating system to run Windows Store apps,
whereas Win32 and related API sets enable the operating system to run traditional desktop apps.

Understanding apps
At the upper level of the operating system, apps operate by interacting with the computer user, and at a
lower level by integrating with the operating system services. You install apps after you install the operat-
ing system, and you must start apps manually to use them.
Microsoft engineered Windows 8 to support two different styles of apps. This involved modifying the
architecture of the Windows operating system to provide dual stacks of APIs as follows:
●● Traditional desktop apps, such as Office apps, use the Win32 APIs and Microsoft .NET Framework.
●● Windows Store apps use the Windows Runtime (WinRT) APIs.
The benefit of this dual stack approach is that the same operating system can support these two different
application platforms.
Windows 10 introduces the Universal Windows Platform (UWP), an evolution of the Windows Runtime
model that provides a common app platform across every device that is capable of running Windows 10.
UWP apps call the Windows Runtime APIs, together with the subset of Win32 and .NET APIs that
Microsoft makes available to the platform, and they run inside an app container that limits their access
to the file system, devices, and other apps. This means developers can create a single app package that
runs across all Windows 10 device families.

Examining the Desktop Support Environment


In a corporate support environment, you will encounter three types of networks: workgroups, domains,
and cloud-based infrastructure. In all of these environments, end users can share common resources,
such as files, folders, and printers. These three environments also provide security measures to secure and
protect end users’ personal data, in addition to your organization’s network resources and data, from
outside forces. Despite their similarities, there are important differences between workgroups, domains,
and cloud-based infrastructure, which this section details.

Workgroups
Workgroups, or peer-to-peer networks, are logical groupings of networked computers that share
resources. Workgroups are the easiest networks to set up and maintain, but they also are the least secure.
Each computer maintains its own local security database, which contains the valid user accounts for
signing in to that computer. The user accounts secure the data on each computer, and protect the
computer from unwanted access. However, the network is decentralized: no single computer provides
centralized security of user accounts for all of the network's computers, so a user who needs several
computers must have an account, with a matching password, maintained on each of them. There is no
central place to enforce a password policy, disable an account, or review audit logs.
Note: You typically would configure workgroups for home networks, small home offices, and small
businesses in which the computers are in close proximity to one another and often are connected by
using a hub, switch, or router. Larger corporations typically do not use workgroups, because they are not
as secure as other network options.

Domains
Domains are logical groupings of networked computers that share a common user database. In addition,
they manage security centrally on a single server, known as a domain controller, or on a group of servers
(domain controllers). A single domain must have one or more domain controllers. These computers
provide Active Directory Domain Services (AD DS), helping to secure access to resources, and providing a
single point of administration.
Domains are logical groupings, which you configure independent of the network’s actual physical
structure. Domains can span a building, city, state, country/region, or even the globe. You also can
configure them for a small office. You can connect a domain’s computers by DirectAccess, virtual private
network (VPN), Ethernet, broadband, satellite, or wireless connections.
Note: Larger companies and corporations typically configure domains because they provide centralized
authentication, policy enforcement through Group Policy, and auditing, which makes them the most
secure network option. They also are extensible and offer centralized management. Smaller companies
generally do not use domains because they are more expensive, and require more attention than
workgroups.

Cloud-based infrastructure and services


Many organizations choose to implement part or all of their network infrastructure, apps, and services in
the cloud. When providing support to your users, you might begin to encounter cloud-based infrastruc-
ture and services, if you have not already.
Note: Some organizations extend to the cloud by using a hybrid model, which means that they shift
some elements of their apps and infrastructure to the cloud.
Microsoft provides a number of cloud-based apps and services, including:
●● Microsoft 365. Microsoft 365 delivers online versions of the Office applications and online business
collaboration tools. Creating and managing Microsoft 365 accounts and apps is a common task for
tier 1 help-desk staff and tier 2 enterprise desktop support technicians (EDSTs).
●● Microsoft Azure. This is a public cloud environment, and it provides a collection of Microsoft cloud
services that you can use to build and operate cloud-based apps and information technology (IT)
infrastructure.
Note: A global network of data centers host Azure services. Microsoft technicians manage these data
centers 24 hours a day, seven days a week. Azure offers a 99.95 percent availability SLA for computing
services.
Azure services allow you to:
●● Create and operate cloud-based apps when you use a wide range of commonly used tools and
frameworks.
●● Host workloads in the cloud infrastructure that comprise virtual machines and virtual networks.
●● Integrate cloud services with on-premises infrastructure.

Key Stages and Terminology of a Troubleshooting Methodology
The details and terminology of various troubleshooting methodologies can vary, and there are no precise
processes for troubleshooting computer-related problems. However, most methodologies share some
common processes, procedures, and terminology, which this topic identifies.

Classification
When an end user first discovers and reports a computer problem, a series of classification processes
begins. During these processes, you gather information from the end user in an attempt to establish the
problem’s nature and scope. The initial discussion might reveal information that results in an immediate
resolution to the problem, but with more complex or serious problems, you must continue to trouble-
shoot the issue to resolve it.
Problems that affect many end users are more serious in terms of their impact on organizational produc-
tivity, and you must resolve them more quickly. Classification allows you time to determine the scope and
impact of problems so that you can prioritize them.
Even if you are immediately able to resolve a problem, you must log the problem by using your organiza-
tion’s methodology. Appropriate logging procedures ensure that you do not lose any incident reports.
Access to detailed incident reports allows organizations to monitor their IT systems more effectively and
make informed decisions about those systems.

Testing
When you have prioritized and logged a reported incident, the testing phase starts. During the testing
phase, you use a number of processes to determine the probable cause of a reported problem. You might
start by listing the possible causes. Typically, you might try to divide and isolate these possible causes.
In computer systems, dividing and isolating possible causes might mean making a distinction between:
●● Server and workstation-related issues
●● Hardware and software
●● Operating systems and applications
You can eliminate possible causes with this process, which in turn allows you to determine probable
causes.
When you reduce the list of possible causes to a manageable number, you can start a testing process.
The testing process helps you determine the probable cause of the problem as you work through your
list of potential causes.
One way to troubleshoot an issue is to reproduce the problem in a test environment. If you can repro-
duce a problem easily, you likely can determine the probable cause. If a problem is more difficult to
reproduce, you must study your results, and perhaps modify your initial thoughts about the problem’s
probable cause.

Escalation
If you cannot determine a resolution during the initial testing phase, you must either consult additional
documentation or escalate the problem. If you suspect that the issue stems from a component, you can
escalate the problem to the component’s manufacturer. For other issues, you can escalate the issue
within your organization, if you have the requisite internal resources. Your organization should have an
established process for escalating reported incidents to your organization’s second-tier support staff. The
second-tier support staff then asks questions to classify the problem’s scope and assign it a priority level.

Reporting
When you resolve an incident, you must document the resolution. Recording any changes to your IT
system’s configuration is an important step. Problems often reoccur, and when you document them
properly, you can save time resolving subsequent occurrences of the same problem.

Support and Diagnostic Tools


Lesson Introduction
Windows 10 provides several tools that can help you troubleshoot the Windows 10 operating system.
This lesson introduces the most important tools and provides guidance on how to use them.

Lesson Objectives
After completing this lesson, you will be able to:
●● Explain how to use the Task Manager tool.
●● Use Event Viewer to identify problems.
●● Explain how to use the Reliability Monitor.
●● Use the Diagnostics and Recovery Toolset.
●● Use the Steps Recorder to record details of a problem.
●● Use the Microsoft Management Console
●● Understand the Windows Registry

Task Manager
The Task Manager tool is one of the tools that end users and administrators use most for viewing system
performance and resource utilization on a device. Task Manager primarily is a performance-monitoring
tool, and not a reliability-monitoring tool.
You can run Task Manager in several ways, including by:


●● Right-clicking the taskbar, and then selecting Task Manager.
●● Pressing Ctrl+Alt+Del, and then selecting Task Manager.
●● Pressing the Ctrl+Shift+Esc key combination.
●● Running taskmgr.exe at a command prompt.
●● Selecting Start, typing taskmgr, and then pressing Enter.
When you run Task Manager for the first time, it shows only apps and processes that are running. If you
press the More details button, Task Manager expands and shows detailed information about the system’s
activity. Task Manager includes the following tabs:
●● Processes. The Processes tab displays a list of running programs, subdivided into apps and internal
Windows processes. For each running process, this tab displays a summary of processor and memory
usage.
●● Performance. The Performance tab displays a summary of CPU, memory, disk, network, and GPU
usage, with a live graph for each.
●● App history. The App history tab displays statistics and resource consumption by apps. This is useful
for identifying a specific app that is consuming excessive resources.
●● Startup. The Startup tab displays items that run at startup. You can choose to disable any listed
programs.
●● Users. The Users tab displays resource consumption on a per-user basis. You also can expand the user
view to see more detailed information about the specific processes that a user is running.
●● Details. The Details tab lists all the running processes on the computer, providing statistics about CPU,
memory, and other resource consumption. You can use this tab to manage running processes. For
example, you can end a process, end a process together with the processes it started (End process
tree), or change the priority of a process. The priority determines how the scheduler shares CPU time
when processes compete for it; raising a process's priority lets it take CPU time ahead of
lower-priority processes.
●● Services. The Services tab provides a list of running Windows services with related information,
including whether a service is running and the process identifier (PID) value of a running service. You
can start and stop services by using the list on the Services tab.
When a reliability problem first becomes apparent, you should use Task Manager to see if you can
troubleshoot the issue. For example, you might examine the startup items to determine whether a
particular program is causing problems after it starts and scan the processes for unresponsive apps.
Note: Task Manager shows the current resource utilization on the local computer. You cannot use the
Task Manager to monitor activity on a remote computer or to store activity and resource utilization to a
log file.
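The startup and process checks described above can be scripted, so that the result can be saved with the incident record and compared with a later snapshot. The following is an added example and is not part of the course. It assumes an elevated Windows 10 PowerShell session (the executable path of another user's process is not readable otherwise); the list of user-writable folders is an assumption to tune for your environment.

```powershell
# Added example, not from the course: Task Manager's Startup tab and a scan of
# running processes done from PowerShell. Assumes an elevated Windows 10 session.

function Get-StartupItems {
    # The same items the Startup tab lists: Run/RunOnce keys and Startup folders.
    Get-CimInstance -ClassName Win32_StartupCommand |
        Select-Object Name, Command, Location, User
}

function Get-ProcessTriage {
    param(
        # Folders a standard user can write to. Assumed for the example; Teams,
        # OneDrive and browsers legitimately run from AppData, so the signature
        # column, not the path alone, decides what deserves a closer look.
        [string[]]$UserWritable = @("$env:SystemDrive\Users\", "$env:windir\Temp\")
    )

    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        if (-not $p.ExecutablePath) { continue }   # System, Registry, protected processes

        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
        $sig   = Get-AuthenticodeSignature -FilePath $p.ExecutablePath -ErrorAction SilentlyContinue

        $fromUserPath = $false
        foreach ($prefix in $UserWritable) {
            if ($p.ExecutablePath.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $fromUserPath = $true
            }
        }

        [pscustomobject]@{
            PID          = $p.ProcessId
            ParentPID    = $p.ParentProcessId
            Name         = $p.Name
            User         = if ($owner -and $owner.User) { '{0}\{1}' -f $owner.Domain, $owner.User } else { 'n/a' }
            Signature    = if ($sig) { $sig.Status } else { 'Unknown' }   # Valid, NotSigned, HashMismatch ...
            Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            FromUserPath = $fromUserPath
            Path         = $p.ExecutablePath
            CommandLine  = $p.CommandLine
        }
    }
}

function Get-TopCpuProcesses {
    param([int]$Top = 5)
    # Get-Process CPU is cumulative processor seconds since the process started,
    # not the live percentage Task Manager samples; run this twice a minute
    # apart and compare the two lists to see what is busy right now.
    Get-Process | Sort-Object CPU -Descending |
        Select-Object -First $Top Id, ProcessName, CPU,
            @{n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB) }}, Path
}

Get-StartupItems | Format-Table -AutoSize

# Unsigned processes, or processes started from user-writable folders, first.
Get-ProcessTriage | Where-Object { $_.Signature -ne 'Valid' -or $_.FromUserPath } |
    Format-Table PID, ParentPID, Name, User, Signature, Path -AutoSize

Get-TopCpuProcesses | Format-Table -AutoSize
```

The ParentPID and CommandLine columns are what Task Manager does not show by default and are usually the first thing an investigator asks for: a signed binary is not suspicious on its own, but a signed script host started by an Office process, or a binary running from a Temp folder, is.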

Resource Monitor
You can access Resource Monitor from Task Manager or by running the perfmon /res command at a
command prompt. Similar to Task Manager, the primary goal of Resource Monitor is to monitor system
performance and utilization of CPU, disk, network, and memory resources. However, you also can use it
to help you to identify reliability problems, such as excessive use of system resources or unresponsive
apps.
Resource Monitor provides a snapshot of system performance, including a summary and tab with
detailed information for the four key system components: processor, memory, disk, and network. If a
Windows 10 computer runs slowly, you can use Resource Monitor to view current activity in each of the
four component areas, and determine which is causing a performance bottleneck. However, Resource
Monitor can show only resource utilization for the local computer, not remote or virtual computers.

Event Viewer
Windows Event Viewer provides access to the Windows 10 event logs. Event logs provide information
regarding system events that occur within the Windows operating system. These events include informa-
tion, warning, and error messages about Windows components and installed applications.
Event Viewer provides categorized lists of essential Windows log events, including application, security,
setup, and system events, in addition to log groupings for individual installed applications and specific
Windows component categories. Individual events provide detailed information regarding the type of
event that occurred, when the event occurred, the source of the event, and technical detailed information
to assist in troubleshooting the event.
Additionally, Event Viewer enables you to consolidate logs from multiple computers onto a centralized
computer when you use subscriptions. Finally, you can attach a scheduled task to a specific event so that
Windows performs an action when that event occurs, such as launching an app or running a script that
notifies you or attempts to resolve the issue. (Task Scheduler still lists the send an e-mail and display a
message actions, but marks them as deprecated in Windows 10, so use a script for notifications.)
Event Viewer in Windows 10 includes the following features:
●● The ability to view multiple logs. You can filter for specific events across multiple logs, making it
quicker to investigate issues and troubleshoot problems that might appear in several logs.
●● Inclusion of customized views. You can use filtering to narrow searches to only those events in which
you are interested, and you then can save these filtered views.
●● The ability to configure tasks scheduled to run in response to events. You can automate responses to
events. To do this, Event Viewer is integrated with Task Scheduler.
●● The ability to create and manage event subscriptions. You can collect events from remote computers,
and then store them locally.
Note: Collector-initiated subscriptions connect to each source computer over Windows Remote
Management (HTTP on TCP port 5985 by default); the winrm quickconfig command creates the matching
Windows Firewall exception on the source. Opening a remote computer's logs directly in Event Viewer,
without forwarding them, uses RPC instead and requires the inbound Remote Event Log Management
firewall rules on that computer.
Event Viewer tracks information from several different logs. These logs provide detailed information that
includes:
●● A description of the event.
●● An event ID number.
●● The component or subsystem that generated the event.
●● Information, Warning, or Error status.
●● The time of the occurrence.
●● The user’s name on whose behalf the event occurred.
●● The computer on which the event occurred.
●● A link to Microsoft TechNet for more information about the event.

Windows logs
Event Viewer has many built-in logs, including those listed in the following table.

Built-in log Description and use


Application This log contains errors, warnings, and informa-
tional events that pertain to the operation of
applications.
Security This log reports the results of auditing, if you
enable it. The log describes audit events as
successful or failed. For instance, the log would
report success or failure regarding whether a user
was able to access a file.
Setup This log contains events related to application
setup.
System Windows components and services log general
events and classify them as error, warning, or
information. Windows predetermines the events
that system components log.
Forwarded events This log stores events collected from remote
computers. To collect events from remote comput-
ers, you must create an event subscription.
By default, Windows log files are 20,480 kilobytes (KB) in size, and Windows overwrites events, as neces-
sary.
Note: The Setup log is 1,028 KB in size.

Application and Services logs


Applications and Services logs store events from a single app or component rather than events that
might have system-wide impact. This category of logs includes a number of subtypes:
●● Hardware Events
●● Internet Explorer
●● Key Management Service
●● Microsoft Office Alerts
●● TuneUp
●● Microsoft Azure
●● Windows PowerShell
The Applications and Services logs also contain the Microsoft node. This node contains the Windows
subnode, which includes several nodes that contain granular log information.

Managing logs
If you want to clear a log manually, you must sign in as a local administrator; clearing the Security log
requires the Manage auditing and security log user right, and Windows records the clearing itself as
Security event 1102 (event 104 in the System log for the other logs), so a cleared log is never silent. If you
want to configure event log settings centrally, you can do so by using Group Policy. To do this, open the
Group Policy Management Console for your selected Group Policy Object (GPO), and then navigate to
Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service.
For each log, you can define:
●● The location of the log file.
●● The maximum size of the log file.
●● Automatic backup options.
●● Permissions on the logs.
●● Behavior that occurs when the log is full.
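The same per-log settings can be inspected and corrected on a single computer with wevtutil, which changes the values that the Event Log Service policy settings write centrally. The block below is an added example, not from the course; the sizes it sets are assumptions for a workstation, and a server or domain controller needs larger logs.

```powershell
# Added example, not from the course: report each Windows log's size and
# retention, then raise the limits with wevtutil. Assumes an elevated session.

function Get-LogSizing {
    param([string[]]$Logs = @('Application', 'Security', 'System'))
    foreach ($log in $Logs) {
        $cfg = Get-WinEvent -ListLog $log
        [pscustomobject]@{
            Log       = $log
            MaxSizeMB = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
            UsedMB    = [math]::Round($cfg.FileSize / 1MB, 1)
            WhenFull  = $cfg.LogMode        # Circular = overwrite, Retain, AutoBackup
            Records   = $cfg.RecordCount
            Path      = $cfg.LogFilePath
        }
    }
}

Get-LogSizing | Format-Table -AutoSize

# The default 20 MB Security log on a busy workstation can wrap in hours, which
# destroys exactly the evidence an investigation needs. Raise it to 200 MB and,
# instead of overwriting, archive a full log to a new file (autobackup needs
# retention enabled). Application and System keep overwriting at 64 MB.
wevtutil set-log Security /ms:209715200 /rt:true /ab:true
wevtutil set-log System /ms:67108864
wevtutil set-log Application /ms:67108864

Get-LogSizing | Format-Table -AutoSize
```

Archived Security logs accumulate in the same folder as the live log, so pair the AutoBackup setting with forwarding or a scheduled copy to a collector; otherwise the disk fills and the archive is only as safe as the computer it sits on.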

Custom views
Event logs contain vast amounts of data, which can make it challenging to narrow your search to only
those events that interest you. To accommodate this, you can customize views in Windows 10 so that you
can query and sort only the events that you want to analyze. You also can save, export, import, and share
these custom views.
Event Viewer allows you to filter for specific events across multiple logs, and display all events that could
relate to an issue that you are investigating. To specify a filter that spans multiple logs, you need to create
a custom view. You create custom views in the Action pane in Event Viewer. You can filter custom views
based on multiple criteria, including:
●● The time that the event was logged.
●● Event level to display, such as errors or warnings.
●● Logs from which to include events.
●● Specific event IDs to include or exclude.
●● User context of the event.
●● Computer on which the event occurred.
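A custom view is stored as an XPath query, and the same query can be run from PowerShell and then reduced to the figure that matters for an investigation. The block below is an added example, not part of the course; it assumes an elevated session (the Security log is not readable otherwise) and a threshold of five failures, which is an assumption to tune.

```powershell
# Added example, not from the course: the custom view "Security log, event
# 4625 (failed sign-in), last 24 hours" as Event Viewer stores it, run with
# Get-WinEvent and summarised per account. Assumes an elevated session.

# Same filter the Custom View dialog builds. timediff is in milliseconds.
$failedLogonsLastDay = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
"@

function Get-FailedLogonSummary {
    param(
        [string]$FilterXml = $failedLogonsLastDay,
        [int]$Threshold = 5        # assumption: report accounts with 5+ failures
    )

    $events = Get-WinEvent -FilterXml $FilterXml -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # The rendered message is locale dependent; the EventData fields are
        # only reliable through the event XML, keyed by each Data element's
        # Name attribute.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            Source    = $d['IpAddress']
            LogonType = $d['LogonType']    # 2 interactive, 3 network, 10 remote desktop
            SubStatus = $d['SubStatus']    # 0xC000006A bad password, 0xC0000064 no such user
        }
    }

    $rows | Group-Object Account | Where-Object Count -ge $Threshold | ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Name
            Failures = $_.Count
            Sources  = ($_.Group.Source | Sort-Object -Unique) -join ','
            First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Failures -Descending
}

Get-FailedLogonSummary | Format-Table -AutoSize
```

Many failures for one account from one source over a short time is a typical lockout or password-guessing pattern; a few failures each across many accounts from the same source (password spraying) is only visible when you group by Source instead, so keep both groupings in the custom views you save.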

Subscriptions
Event Viewer enables you to view events on a single computer. However, troubleshooting an issue might
require you to examine a set of events that are stored in multiple logs on multiple computers. For this
purpose, Event Viewer enables you to collect copies of events from multiple remote computers, and then
store them locally. To specify which events to collect, create an event subscription. After a subscription is
active and events are being collected, you can view and manipulate these forwarded events as you would
any other locally stored events.
To use the event-collecting feature, you must configure the forwarding and the collecting computers. The
event-collecting functionality depends on the Windows Remote Management (WinRM) service and the
Windows Event Collector service (Wecsvc). Both of these services must be running on computers that are
participating in the forwarding and collecting process.

Enabling subscriptions
To enable subscriptions, perform the following steps:
1. On each source computer, to enable Windows Remote Management, type the following command
at an elevated command prompt, and then press Enter:
winrm quickconfig

2. On the collector computer, to enable the Windows Event Collector service, type the following
command at an elevated command prompt, and then press Enter:
wecutil qc

3. Add the computer account of the collector computer to the local Event Log Readers group on each of
the source computers.

Performance Monitor
The Performance Monitor is a Microsoft Management Console (MMC) snap-in that you can use to obtain
system performance information. You can use this tool to analyze the performance effect that applica-
tions and services have on a computer, and you can use it to obtain an overview of system performance
or collect detailed information for troubleshooting. The Performance Monitor includes the following
features:
●● Monitoring Tools. The Monitoring Tools section contains the Performance Monitor, which provides a
visual display of built-in Windows performance counters, either in real time or as historical data. The
Performance Monitor includes the following features:
●● Multiple graph views
●● Custom views that you can export as data collector sets
The Performance Monitor uses performance counters to measure the system's state or activity. The
operating system includes some performance counters and individual applications might include
additional performance counters. The Performance Monitor requests the current value of performance
counters at specified time intervals, by default every second. You can add performance counters to the
Performance Monitor by dragging and dropping the counters, or by creating a custom data collector
set. The Performance Monitor features multiple graph views that enable you to have a visual review of
performance log data. You can create custom views in the Performance Monitor that you then can
export as data collector sets for use with performance and logging features.
●● Data collector sets. The data collector set is a custom set of performance counters, event traces, and
system configuration data. After you create a combination of data collectors that describe useful
system information, you then can save them as a data collector set, and then run and view the results.
A data collector set organizes multiple data collection points into a single, portable component. You
can use a data collector set on its own, group it with other data collector sets and incorporate it into
logs, or view it in the Performance Monitor. You can configure a data collector set to generate alerts
when it reaches thresholds. You also can configure a data collector set to run at a scheduled time, for
a specific length of time, or until it reaches a predefined size. For example, you can run the data
collector set for 10 minutes every hour during working hours to create a performance baseline. You
also can set the data collector to restart when the collection reaches a set limit, so the Performance
Monitor creates a separate file for each interval. Scheduled data collector sets collect data regardless
of whether the Performance Monitor is started.
●● Reports. Use the Reports feature to view and generate reports from a set of counters that you create
by using data collector sets. The Performance Monitor creates a new report automatically every time a
data collector set runs.
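The baseline data collector set described above can be created with logman, the command-line face of Performance Monitor, and a quick counter sample answers the "which of the four areas is the bottleneck" question without opening a console. The block below is an added example, not from the course; the counters, interval, and output path are assumptions.

```powershell
# Added example, not from the course: a counter snapshot for the four
# Resource Monitor areas, and a scheduled baseline data collector set built
# with logman. Path and thresholds are assumptions.

# One counter per subsystem that usually shows the bottleneck.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Bytes Total/sec'
)

function Get-BottleneckSnapshot {
    param([int]$Seconds = 10)
    # Average $Seconds one-second samples so a single spike does not mislead.
    $samples = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples $Seconds
    $samples.CounterSamples | Group-Object Path | ForEach-Object {
        $avg = ($_.Group.CookedValue | Measure-Object -Average).Average
        [pscustomobject]@{ Counter = $_.Name; Average = [math]::Round($avg, 1) }
    }
}

Get-BottleneckSnapshot | Format-Table -AutoSize

# Baseline DCS: 15-second samples, a new binary log file every hour or at
# 50 MB, under C:\PerfLogs\Baseline. Once started it collects whether or not
# Performance Monitor is open, and shows up under Data Collector Sets there.
$logDir = 'C:\PerfLogs\Baseline'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
logman create counter PerfBaseline -c $counters -si 00:00:15 -f bin -max 50 -cnf 01:00:00 -o "$logDir\baseline"
logman start PerfBaseline
logman query PerfBaseline     # status, sample interval, output file
```

Compare a later snapshot with the baseline files (open them in Performance Monitor's log view) rather than against absolute numbers; a sustained disk queue length above the number of spindles, or Available MBytes near zero, means something only relative to what the same computer did before the complaint.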

Reliability Monitor
The Reliability Monitor reviews a computer's reliability and problem history. You can use the Reliability
Monitor to produce several kinds of reports and charts that can help you identify the source of reliability
issues. You can open Reliability Monitor from Control Panel, under Security and Maintenance, by expanding
the Maintenance section and selecting View reliability history, or by running perfmon /rel at a command
prompt.
The following section explains the main features of the Reliability Monitor in more detail.
Note: To access Reliability Monitor, in the Search box, type Reliability, and then select View reliability
history.

System stability chart


In Reliability Monitor, a system stability chart summarizes annual system stability in daily increments. This
chart indicates any information, error, or warning messages. In addition, it simplifies the task of identify-
ing issues and the date on which they occurred.

Installation and failure reports


The System Stability Report provides information about each event in the chart, including:
●● Software Installs
●● Software Uninstalls
●● Application Failures
●● Hardware Failures
●● Windows Failures
●● Miscellaneous Failures

Records key events in a timeline


Reliability Monitor tracks key events about the system configuration, such as the installation of new apps,
operating system patches, and drivers. It also helps you identify the causes of reliability issues by tracking
the following events:
●● Memory problems
●● Hard-disk problems
●● Driver problems
●● Application failures
●● Operating system failures
Reliability Monitor provides a timeline of system changes, and then reports on a system’s reliability. You
can use this timeline to determine whether a particular system change correlates with the start of system
instability. Reliability Monitor stores the history of these events for up to one year.
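The timeline that Reliability Monitor draws comes from WMI classes that you can query directly, which makes the "did this install precede these failures" check repeatable. The block below is an added example, not from the course; the SourceName values it matches are the common ones on Windows 10, and the 48-hour window is an assumption to adjust.

```powershell
# Added example, not from the course: read the Reliability Monitor timeline
# through the WMI classes behind it and correlate installs with failures.

function Get-ReliabilityTimeline {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    Get-CimInstance -ClassName Win32_ReliabilityRecords |
        Where-Object { $_.TimeGenerated -ge $since } |
        Select-Object TimeGenerated, SourceName, EventIdentifier, ProductName,
            @{n = 'Summary'; e = { ($_.Message -split "`n")[0] }} |
        Sort-Object TimeGenerated
}

function Find-FailuresAfterChange {
    param([int]$Days = 30, [int]$WindowHours = 48)
    $records = Get-ReliabilityTimeline -Days $Days

    # Source names as they appear on Windows 10 (assumption: verify with
    # Get-ReliabilityTimeline | Group-Object SourceName on your own system).
    $changeSources  = 'MsiInstaller', 'Microsoft-Windows-WindowsUpdateClient', 'Microsoft-Windows-UserPnp'
    $failureSources = 'Application Error', 'Application Hang',
                      'Microsoft-Windows-WER-SystemErrorReporting', 'Microsoft-Windows-Kernel-Power'

    $changes  = $records | Where-Object SourceName -in $changeSources
    $failures = $records | Where-Object SourceName -in $failureSources

    foreach ($c in $changes) {
        $after = @($failures | Where-Object {
            $_.TimeGenerated -gt $c.TimeGenerated -and
            $_.TimeGenerated -le $c.TimeGenerated.AddHours($WindowHours)
        })
        if ($after.Count -gt 0) {
            [pscustomobject]@{
                Changed        = $c.TimeGenerated
                Change         = $c.Summary
                FailuresWithin = $after.Count
                FirstFailure   = $after[0].TimeGenerated
                FirstSummary   = $after[0].Summary
            }
        }
    }
}

# The daily value behind the chart: 10 means no failures that day.
Get-CimInstance -ClassName Win32_ReliabilityStabilityMetrics |
    Select-Object -First 7 TimeGenerated, SystemStabilityIndex |
    Format-Table -AutoSize

Find-FailuresAfterChange | Format-Table -AutoSize
```

A correlation in this output is a lead, not a cause: an update followed by application hangs might also coincide with a driver change listed under Microsoft-Windows-UserPnp on the same day, which is why the full timeline, not only the matches, belongs in the incident record.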

The Problem Reports and Solutions tool


The Problem Reports and Solutions tool in Reliability Monitor helps you track problem reports and any
solution information that other tools have provided. This tool only stores information; Windows
Error Reporting manages all Internet communication related to problem reports and solutions. Problem
Reports and Solutions provides a list of the attempts made to diagnose a computer's problems.
If an error occurs while an app is running, Windows Error Reporting prompts the user to choose whether
they want to send error information to Microsoft over the Internet. If information is available that can
help a user resolve a problem, Windows displays a message to the user with a link to information about
how to resolve the issue.
You can use Problem Reports and Solutions to track resolution information and to recheck and find new
solutions. You start Problem Reports and Solutions from Reliability Monitor. The following options are
available in the tool:
●● Save reliability history
●● View all problem reports
●● Check for solutions to all problems
●● Clear the solution and problem history

Process Explorer and Process Monitor


The Process Explorer and Process Monitor tools are part of the Windows Sysinternals tool suite:
●● Process Explorer. Enables you to determine the currently active processes on a Windows 10 computer,
and depending upon mode:
●● Enables you to see the handles that the selected process has opened.
●● Enables you to see the dynamic-link libraries (DLLs) and memory-mapped files that the process
has loaded.
●● Process Monitor. This is an advanced tool for monitoring Windows 10 that shows real-time file
system, registry, and process/thread activity. Process Monitor includes monitoring and filtering
capabilities.
Note: You can download the Sysinternals suite from the TechNet website at: http://aka.ms/pe6664.
 Support and Diagnostic Tools  349

Diagnostics and Recovery Toolset


The Microsoft Diagnostics and Recovery Toolset (DaRT) 10 enables you to troubleshoot, diagnose, and
repair a Windows 10 computer that will not start, or that generates errors when starting. DaRT 10 is an
important part of the Microsoft Desktop Optimization Pack (MDOP), and you can use it to:
●● Recover Windows 10 computers that are unusable or will not startup properly.
●● Diagnose the probable causes of problems.
●● Quickly repair nonstarting or locked-out computers.
●● Restore lost files, and detect and remove malware, quickly.
●● Create a DaRT recovery image (ISO or WIM) and save the image to CD, DVD, or USB device.
●● Deploy the recovery image files locally, to a remote location, or to a recovery partition.
DaRT 10 consists of the following tools:
●● Computer management. Use the Computer Management tools to view system information and event
logs, to manage disks, and to manage services and drivers.
●● Crash analyzer. Use this tool to determine the cause of a computer failure by analyzing the memory
dump file on the computer that you are repairing.
●● Disk commander. Use this tool to repair disk partitions and volumes.
●● Disk wipe. Use this tool to perform low-level disk format by using optional multiple passes.
●● Explorer. Use this tool to browse local and network file resources.
●● File restore. Use this tool to recover accidentally deleted files.
●● File search. Use this tool to locate files when you do not know the path to a file you wish to recover.
350  Module 10 Supporting the Windows 10 Environment  

●● Hotfix uninstall. Use this tool to remove hotfixes or service packs from a computer.
●● Locksmith. Use this tool to set or reset the password for any local account. Note that this works
offline against the local account database, which is why full-disk encryption matters: anyone who can
boot a DaRT image on an unencrypted disk can reset local passwords in the same way.
●● Registry editor. Use this tool to edit the local registry.
●● SFC scan. Use this tool to launch the System File Repair Wizard, which enables you to repair system
files that are preventing the installed operating system from starting.
●● Solution Wizard. Use this tool to present a series of questions, and then based on your answer, the
tool recommends the best tool for the situation.
●● TCP/IP config. Use this tool to configure TCP/IP settings manually for a computer that you are trouble-
shooting.
Note: You can find out more about the Diagnostics and Recovery Toolset 10 and download it from the
TechNet website at: http://aka.ms/lilbki.

Steps Recorder
The Steps Recorder tool can be a useful diagnostic tool for visually recording the steps that lead to a
problem. You can load the Steps Recorder tool from Start in the Windows Accessories folder in All
apps. To record steps, in the Steps Recorder tool, select Start Record. Then, perform the necessary steps
to reproduce a particular problem. When you finish, select Stop Record. You then can save the recording.
Saving the recording creates an MHTML file (stored in a zipped format) that you can later analyze to see
the steps involved in a particular procedure. Aside from troubleshooting, you also can use the recorded
steps to demonstrate particular procedures for your users.

Microsoft Management Console


Microsoft Management Console (MMC) unifies and simplifies day-to-day system management tasks. It
hosts tools and displays them as consoles. These tools, consisting of one or more applications, are built
with modules called snap-ins. The snap-ins also can include additional extension snap-ins. MMC is a core
part of Microsoft's management strategy.

Microsoft Management Console enables system administrators to create special tools to delegate specific
administrative tasks to users or groups. Microsoft provides standard tools with the operating system that
perform everyday administrative tasks that users need to accomplish. These are part of the All Users
profile of the computer and located in the Administrative Tools group on the Start menu. Saved as
MMC console (.msc) files, these custom tools can be sent by e-mail, shared in a network folder, or posted
on the Web. They can also be assigned to users, groups, or computers with system policy settings. A tool
can be scaled up and down, integrated seamlessly into the operating system, repackaged, and
customized.
Using MMC, system administrators can create unique consoles for workers who report to them or for
workgroup managers. They can assign a tool with a system policy, deliver the file by e-mail, or post the
file to a shared location on the network. When a workgroup manager opens the .msc file, access will be
restricted to those tools provided by the system administrator.
Building your own tools with the standard user interface in MMC is a straightforward process. Start with
an existing console and modify or add components to fulfill your needs. Or create an entirely new
console. The following example shows how to create a new console and arrange its administrative
components into separate windows.

Creating Consoles
The most common way for administrators to use MMC is to simply start a predefined console file from
the Start menu. However, to get an idea of the flexibility of MMC, it is useful to create a console file from
scratch.
To open Microsoft Management Console in Windows 10, select Start, and then type “MMC” in the search box.
Select the MMC Run command. Use File, Add/Remove Snap-in to add the snap-ins you need, and then save
the result as an .msc file.

Overview of the Registry


The Windows registry is organized in a hierarchical manner. At the top level, there are five registry hives,
each of which is a discrete collection of related settings that are structured as a series of keys, subkeys, and
values.

Hives
The following describes the top-level hives, or subtrees:
●● HKEY_CLASSES_ROOT. This hive contains file association information and defines which application
opens when a user double-clicks a particular file type on the file system. For example, it defines that
the application for .xlsx files is Microsoft Excel. This hive is populated from the computer-related and
user-related settings that are stored in HKEY_LOCAL_MACHINE\Software\Classes and
HKEY_CURRENT_USER\Software\Classes. You typically will not make edits to this hive.
●● HKEY_CURRENT_USER. This hive contains configuration information for the currently signed-in user.
Items such as the user’s Windows color scheme and font settings are stored in relevant values below
this hive. When referencing this hive while editing the registry, this hive sometimes is referred to as
HKCU. This hive is a shortcut to a key stored in HKEY_USERS.
●● HKEY_LOCAL_MACHINE. This is probably the most important hive and the one to which you likely will
make the most edits. Sometimes abbreviated to HKLM, this hive stores all of the computer-related
configuration settings.
●● HKEY_USERS. This hive contains a collection of all of the configuration information for all users that
have signed in locally to the computer, including the currently signed-in user. In fact, one of the keys
beneath this hive is the key of the currently signed-in user, which is shown as the HKEY_CURRENT_USER
hive. It is important to know that you are likely to make direct edits to the user settings for the
currently signed-in user only.
●● HKEY_CURRENT_CONFIG. This hive contains information about the current hardware profile that the
local computer used during system startup. You typically do not make edits to this hive.
Note: Most likely, you will make direct changes only to the values stored within the hives HKEY_LOCAL_
MACHINE and HKEY_CURRENT_USER.
Note: The registry is a hierarchical database of values structured in hives, keys, and subkeys, but the
actual registry database is stored on the local file system as a set of hive files in the C:\Windows\System32\
Config folder (for example, SYSTEM, SOFTWARE, SAM, and SECURITY), with each user’s hive stored as
NTUSER.DAT in that user’s profile folder. There is no requirement for you to access these files directly.

Keys and subkeys


To maintain structure within the database, similar settings are stored in folders and subfolders known as
keys and subkeys. This makes it easier to reference a particular registry value. You can specify a pathname
by declaring the appropriate hive, key, subkeys, and value, as the following example shows:
●● HKCU\Control Panel\Desktop\Wallpaper is the value (Wallpaper) that stores the name and location of
a user’s desktop wallpaper.
●● HKLM\Software\Microsoft\Windows\CurrentVersion\Run is the key that contains values that relate to
programs that start automatically when the computer starts and a user signs in. Typically, these
programs place an icon in the notification area. Because anything listed here runs automatically, the
Run and RunOnce keys (under both HKLM and HKCU) are a common persistence location for malware
and are worth reviewing when you troubleshoot an unexpected startup program.

Values
Values define the behavior of the operating system, and they are stored in keys and subkeys. There are
many types of values, depending upon the type of data that each stores. For example, you may wish to
store text values, numerical data, variables, and similar data. The following table lists the more common
types of registry values.

●● REG_BINARY (Binary). Raw binary data. These values usually display in hexadecimal format. Hardware
information is often stored in REG_BINARY values.
●● REG_DWORD (DWORD). A 4-byte number (a 32-bit integer). Many device-driver and service-related
values are stored in REG_DWORD values. For example, the Start and Type values for device drivers
always are defined in REG_DWORD values.
●● REG_SZ (String). A text string. The values listed in the HKLM\Software\Microsoft\Windows\
CurrentVersion\Run key are all REG_SZ values. These values store the path and filename of the
appropriate autostart program.
●● REG_EXPAND_SZ (Expandable string). A text string that can contain environment variables, which
Windows expands when it reads the value. For example, the ImagePath value that defines the name of a
service’s executable in the file system is stored in an expandable string: %SystemRoot%\System32\
service.exe.
●● REG_MULTI_SZ (Multiple strings). A list of strings. This value typically is used when multiple values
are stored. For example, the DependOnService value for a service is a REG_MULTI_SZ value, and
contains the one or more services on which this service is dependent.
When you decide to make a direct change to the registry, you must be accurate about the value name, its
type, and its full registry path, including all subkeys, keys, and the appropriate hive. If you do not use this
information accurately, your changes might not have the desired effect and could cause the computer to
fail to work properly or even start up.
Additional Reading: For more information about Windows registry information for advanced users, refer
to: http://aka.ms/Rm62zf

Working with the Registry


Typically, you will not need to edit the registry directly. However, a software problem could arise, and the
software vendor could provide a solution that involves changing the registry. After you determine that
you must make a direct change to the registry, you must choose the most appropriate tool. The number
of computers on which you must make the change will influence your choice. For example, if you must
make the required change on a single computer only, then using the Registry Editor is your best choice.

However, if you must make the change across hundreds of computers, you may decide to use Windows
PowerShell or Group Policy. The following sections describe ways in which you can make registry edits.
Note: As a best practice, back up the registry before making any edits to it. You can export the specific
key that you are editing, or you can use a tool, such as System Restore, to capture a restore point.
Incorrectly editing the registry could severely damage your system.

The Registry Editor tool


The Registry Editor tool is probably the easiest and most direct way to make changes to the registry, and
you can use it to:
●● Search the registry for a given value entry, value name, subkey, or key.
●● Create, delete, and edit keys, subkeys, and values.
●● Import entries into the registry from an external file.
●● Export entries from the registry into an external file.
●● Back up the registry (by exporting the entire registry).
●● Connect to a remote computer and manage its registry.
Note: To manage a remote registry, from the Registry Editor, select File, and then select Connect
Network Registry. In the Select Computer dialog box, type the name of the remote computer, and then
select OK. You must have administrative credentials on the remote computer, the Remote Registry service
must be running on it, and the remote computer’s firewall must be configured to allow remote
management. You can manage only the HKEY_LOCAL_MACHINE and HKEY_USERS hives on the remote
computer.
To access the Registry Editor, open an elevated command prompt, type regedit.exe, and then press Enter.

REG files
You also can use a structured text file with a .reg extension (a registry entries file) to merge values into
the registry. The file will look like the following example:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\atapi]

"Start"=dword:00000001

Note: This particular .reg file edits the Start value stored in the HKEY_LOCAL_MACHINE\SYSTEM\
ControlSet001\services\atapi path, and assigns it the DWORD value of 1. Be aware that
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet is a link to whichever ControlSet00n the computer
booted with, so editing ControlSet001 directly changes only that control set; if you intend to change the
running configuration, use the CurrentControlSet path instead.
After you have created the .reg file, you can import it in one of the following ways:
●● Double-click the file and confirm that you want to continue.
●● Run a simple script that loads the file. The following command imports the settings stored in setting1.
reg without prompting the user to confirm:
regedit /s C:\Registry\setting1.reg

●● Open the Registry Editor, and use the import option to access the appropriate .reg file.

Windows PowerShell
Windows PowerShell includes a registry provider that presents the registry like a file system: the hives
appear as drives (HKLM: and HKCU:), and keys and subkeys appear as folders and subfolders, in the same
way that folders and subfolders of drive C are displayed. For example, to see the contents of the
HKEY_LOCAL_MACHINE hive, open an elevated Windows PowerShell prompt, type the following
command, and press Enter:
Get-ChildItem -Path hklm:\

As cd is an alias for the Set-Location cmdlet, you also can change the current location to the hive, and
then run Get-ChildItem without a path:
cd hklm:

To modify registry values, you must:


1. Use the Set-Location cmdlet to change to the appropriate registry key (or pass the key to the next
cmdlet with the -Path parameter).
2. Use the Set-ItemProperty cmdlet to assign new data to the registry value. (The provider treats a key as
an item and its values as item properties.)
For example:
Set-Location HKCU:\Software\Example

Set-ItemProperty -Path . -Name examplevaluename -Value "assigned value"

In the preceding code sample, assigned value is assigned to a value called examplevaluename in the
registry path HKEY_CURRENT_USER\Software\Example. Set-ItemProperty fails if the key does not already
exist, and it infers the value type from the data you pass (a string becomes REG_SZ, an integer becomes
REG_DWORD). When the type matters, state it explicitly with the -Type parameter of Set-ItemProperty
or the -PropertyType parameter of New-ItemProperty.
Additional Reading: For more information about working with registry keys, refer to: https://docs.
microsoft.com/en-us/windows/win32/sysinfo/registry
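The following is an added example (not part of the course) that puts the preceding sections together as a practitioner would run them from an elevated PowerShell prompt: back up the key before touching it, write a value with an explicit type, verify both the data and the type, and then audit the Run and RunOnce autostart keys that the Keys and subkeys section describes. The key HKCU:\Software\Example and the value name ExampleValue are hypothetical, and the backup folder under %TEMP% is an arbitrary choice.

```powershell
# Added example: safe registry edit plus an autostart audit. Hypothetical key
# and value name; adjust before use on a real system.
$key = 'HKCU:\Software\Example'

# 1. Create the key if it is missing so the export below has something to save.
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# 2. Back up the key as a .reg file that can be merged back with regedit /s.
#    reg.exe wants the hive name without the provider's trailing colon.
$backupDir = Join-Path $env:TEMP 'RegBackup'      # assumption: any writable folder works
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
& reg.exe export 'HKCU\Software\Example' (Join-Path $backupDir "Example-$stamp.reg") /y

# 3. Write a DWORD with an explicit type. Without -PropertyType, a value written
#    as text would become REG_SZ, and software expecting REG_DWORD would ignore it.
New-ItemProperty -Path $key -Name 'ExampleValue' -Value 1 -PropertyType DWord -Force | Out-Null

# 4. Verify data and type, not just data: the course warns that an incorrect type
#    or path means the change has no effect.
$item = Get-Item -Path $key
$kind = $item.GetValueKind('ExampleValue')          # returns a RegistryValueKind
$data = $item.GetValue('ExampleValue')
"ExampleValue = $data ($kind)"                       # expected: ExampleValue = 1 (DWord)

# 5. Audit the autostart keys under both HKLM and HKCU. The raw command line is
#    read without expanding %variables% so the stored text is shown verbatim.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autostarts = foreach ($rk in $runKeys) {
    if (-not (Test-Path -Path $rk)) { continue }
    $k = Get-Item -Path $rk
    foreach ($name in $k.GetValueNames()) {
        [pscustomobject]@{
            Key     = $rk
            Name    = $name
            Type    = $k.GetValueKind($name)
            Command = $k.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        }
    }
}
$autostarts | Format-Table -AutoSize -Wrap
```

When reviewing the audit output, treat commands that point into user-writable locations (%TEMP%, %APPDATA%, Downloads) or that are REG_EXPAND_SZ values referencing unusual variables as worth a closer look; Sysinternals Autoruns covers many more locations, but these four keys are the ones this module names.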
Group Policy Preferences
You can create, update, replace, and delete registry keys and values when you use Group Policy Prefer-
ence in the domain GPO. This approach is very effective if you need to manage registry updates on many
computers in an Active Directory environment.

Additional Tools
Microsoft also provides the following tools for improving performance:

Sysinternals
In addition to the built-in performance monitoring tools in Windows 10, you also can download and use
the Sysinternals suite of tools. Sysinternals offers a number of advanced system utilities. You can use the
following tools, among others, to monitor performance:
●● Contig. This tool enables you to defragment your frequently used files quickly.
●● DiskMon. This tool enables the computer to capture all hard disk activity, and acts like a software disk
activity light in the system tray.
●● PageDefrag. This tool enabled you to defragment your paging files and registry hives. It has been
retired and does not run on current Windows versions; Windows 10 optimizes drives itself on a
schedule.
●● Process Explorer. This tool enables you to determine which files, registry keys, and other objects
processes have open, which DLLs they have loaded, and more. This tool also displays who owns each
process.

●● Process Monitor. This tool enables you to monitor file system, registry, process, thread, and dynam-
ic-link library (DLL) activity in real time.
●● Autoruns. Extensive scan of programs, drivers, scripts, and extensions that are configured to run
during bootup, login or when certain Windows applications launch.
Additional Reading: For more information, refer to: “Sysinternals Suite” at: http://aka.ms/frah6v
Note: Defragment utilities should not be used on solid-state drives (SSD).

Windows Performance Toolkit


Included in the Windows Assessment and Deployment Kit, the Windows Performance Toolkit consists of
performance monitoring tools that produce in-depth performance profiles of Windows operating
systems and applications. It provides deep analysis of how applications and services are consuming
resources.
Additional Reading: For more information on Windows Performance Toolkit, refer to: https://aka.ms/
AA3qiwd

Windows Admin Center


Windows Admin Center is a locally deployed, browser-based management tool set that lets you
manage Windows clients and servers over HTTPS. It is the evolution of what Server Manager and MMC
tools have typically been used for. It can be used to manage Windows Server 2019, Windows Server 2016,
Windows Server 2012 R2, Windows Server 2012, and Windows 10. It can be installed on a Windows 10
client, and has no cloud service dependencies. Alternatively, you can install it on Windows Server 2016 as
a gateway to enable the entire organization to manage devices via Microsoft Edge or Google Chrome. Both
installations are included in a single .msi package.

Windows Admin Center is intended to complement tools like System Center Virtual Machine Manager
(SCVMM), Azure security and management, and RSAT tools. While its primary function is managing
servers, Windows Admin Center provides desktop administrators a subset of the Server Manager
features for managing Windows 10 client PCs. That subset includes:
●● Displaying resources and resource utilization
●● Certificate Management
●● Managing Devices
●● Event Viewer
●● File Explorer
●● Firewall Management
●● Configuring Local Users and Groups

●● Viewing/Ending Processes and Creating Process Dumps

●● Registry Editing
●● Managing Scheduled tasks
●● Managing Windows Services

●● Managing Storage

●● Virtual Machines
●● Virtual Switches
When Windows Admin Center is installed on a server as a gateway, WAC defines two roles for access to
the gateway service: gateway users and gateway administrators. Gateway users can access and use the
service, but only gateway administrators can define who can access the gateway. Note that these
permissions only grant access to the WAC tool itself. The user must have the appropriate permissions
on the target client or server to manage it.
With WAC, a user with full local administrator privileges will have full permissions to manage the target
client. However, WAC supports role-based access control, which allows users only the permissions that
enable them to perform their job, without granting full administrative permissions. This is typically more
useful for servers than clients.
The following list describes the available roles and their intended use:
●● Administrators. Allows users to use most of the features in Windows Admin Center without granting
them access to Remote Desktop or PowerShell. This role is good for "jump server" scenarios where you
want to limit the management entry points on a machine.
●● Readers. Allows users to view information and settings on the server, but not make changes.
●● Hyper-V Administrators. Allows users to make changes to Hyper-V virtual machines and switches, but
limits other features to read-only access.

Monitoring and Troubleshooting Performance


Lesson Introduction
A computer system that performs at a low efficiency level can cause workplace problems such as reduc-
ing user productivity and consequently increasing user frustration. Windows 10 has tools that can help
you to determine the potential causes of poor performance, and afterwards use appropriate tools to help
resolve the performance issues.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe key system components in Windows 10.
●● Describe performance monitoring tools in Windows 10.
●● Explain how to establish a performance baseline.
●● Explain how to optimize disk and memory performance in a Windows 10 computer.

Key Performance Components in Windows 10


Decreased computer system performance is a common source of user complaints. Performance is a
measure of how quickly a computer completes application and system tasks. Performance problems can
occur when available resources are lacking. Computers respond slowly for several reasons, including
disorganized files, unnecessary software that consumes resources, too many startup apps, or perhaps
even malware or a virus. Factors that can influence computer system performance include:
●● Access speed of the physical hard disks.
●● Memory available for all running processes.
●● Speed of the processor.
●● Maximum throughput of the network interfaces.
●● Resources that the individual applications consume.
●● Faulty or poor configuration of components, which leads to the unnecessary consumption of resourc-
es.
●● Out-of-date or inappropriate drivers for system components and peripherals, including the graphics
subsystem.
Windows 10 computers have four main hardware components that you should monitor:
●● Processor
●● Disk
●● Memory
●● Network
Understanding how the operating system utilizes these four key hardware components and how they
interact can help you better optimize computer workstation performance. When monitoring workstation
performance, you should consider:
●● Measuring the performance of key components in your user’s workstation.

●● The workstation role and its workload, to determine which hardware components are likely to restrict
performance.
●● The ability to increase workstation performance by adding power or reducing the number of applica-
tions that the user runs.
Note: Although not considered a core component, the graphics adapter and its driver also can have a
significant impact on the performance of graphics-intensive applications. If your users intend to run
applications that are graphically demanding, ensure that you select a device with a powerful graphics
subsystem, and that you install the latest vendor-specific driver rather than relying on a generic driver.

Processor
One important factor in determining your computer’s overall processor capacity is processor speed.
Processor speed is determined by the number of operations that the processor performs over a specific
time period. Computers with multiple processors or processors with multiple cores generally perform
processor-intensive tasks with greater efficiency, and as a result, are faster than single processor or
single-core processor computers.
Processor architecture is also important. 64-bit processors can access more memory and have a signifi-
cant positive effect on performance. This is true especially when applications that run on users’ worksta-
tions require a large amount of memory.

Disk
Hard disks store programs and data. Consequently, the throughput of a workstation’s disk affects its
speed, especially when the workstation performs disk-intensive tasks. Many hard disks have moving
parts, and it takes time to position the read/write heads over the appropriate disk sector to retrieve the
requested information.
Most Windows-based tablet devices use solid-state drives (SSDs), which have no moving parts. SSDs have
different read and write performance profiles. Determine the workload profile, and then attempt to match
the disk’s performance profile to optimize the device’s performance.
By selecting faster disks, and by using collections of disks to optimize access times (Storage Spaces or
redundant array of independent disks (RAID)), you can alleviate the potential for the disk subsystem to
create a performance bottleneck. Windows 10 moves information on the disk into memory before it uses
it. Therefore, if a surplus of memory exists, the Windows 10 operating system creates a file cache for
items recently written to, or read from, disks. Installing additional memory in a workstation often improves
the disk subsystem performance, because serving a request from the cache is faster than reading the
information from disk.
Finally, consider the type of work for which users will use the device. Different work profiles use disks in
different ways. For example, some applications read from a disk more frequently that they write to the
disk (read-intensive), and therefore good read performance is important; other applications are more
write-intensive.

Memory
Programs and data load from disk into memory before the program manipulates the data. In worksta-
tions that run multiple programs, or where datasets are very large, installing more memory can improve
workstation performance.
Windows 10 uses a memory model that does not reject excessive memory requests. Instead, Windows 10
manages them by using a process known as paging. During paging, Windows 10 moves the data and

programs in memory that processes are not currently using, to the paging file on the hard disk. This frees
up physical memory to satisfy the excessive memory requests. However, because a hard disk is compara-
tively slow, it has a negative effect on workstation performance. By adding more memory, and by using a
64-bit processor architecture that supports larger memory, you can reduce the need for paging.

Network
You can easily underestimate how a network that performs poorly can affect workstation performance,
because it is not as easy to see or to measure as the other workstation components. However, the
network is a critical component for performance monitoring, because so many of the applications and
data that a workstation processes are stored on network servers. In addition, wireless networks share the
available bandwidth among all connected devices.

Understanding bottlenecks
A performance bottleneck occurs when a computer is unable to service the current requests for a specific
resource. The resource might be a key component, such as a disk, memory, processor, or network.
Alternatively, the shortage of a component within an application package also might cause a bottleneck.
By using performance-monitoring tools on a regular basis, and by comparing the results to historical
data, you can identify performance bottlenecks before they affect users. Once you identify a bottleneck,
you must decide how to remove it. Your options for removing a bottleneck include:
●● Running fewer applications.
●● Adding additional resources to the computer.
A computer suffering from a severe resource shortage might stop processing user requests. This situation
requires immediate attention. However, if a computer experiences a bottleneck but still operates within
acceptable limits, you might decide to defer any changes until you have an opportunity to take corrective
action. As you identify and resolve a performance problem that is affecting one system component,
another component might become the bottleneck. Therefore, performance monitoring is an ongoing
process.

Common causes for resource bottlenecks


Resource bottlenecks might occur for several reasons. Some of the most common causes are:
●● Resources are insufficient, and your computer might require additional or upgraded components.
●● A resource is malfunctioning, and you need to replace it.
●● A resource is not configured correctly, and you need to change configuration settings.
●● An application is monopolizing a particular resource, which might require that you do one of the
following:
●● Substitute with another application.
●● Have a developer rewrite the application.
●● Add or upgrade resources.
●● Run the application when demands for resources are low.

Performance tuning and testing


When you experience performance issues, you should make one change at a time, and then monitor your
resources after every change to verify whether the change solved the performance issue. In addition to
monitoring, you can review event logs, because some performance problems generate output that you
can review in Event Viewer. To see whether network components are affecting performance, compare the
performance of programs that run over the network with programs that run locally.

Establishing a Performance Baseline


By calculating performance baselines for your client computer environment, you can interpret real-time
monitoring information more accurately. A baseline for a computer’s performance indicates what your
performance-monitoring statistics look like during normal use. You can establish a baseline by monitor-
ing performance statistics over a specific period. When an issue or symptom occurs in real time, you can
compare your baseline statistics to your real-time statistics, and then identify anomalies.
You can set up a baseline in the Performance Monitor to help you with the following tasks:
●● Evaluate your computer’s workload
●● Monitor system resources
●● Notice changes and trends in resource use
●● Test configuration changes
●● Diagnose problems
By using data collector sets, you can establish a baseline to use as a standard for comparison. You create
a baseline when you first configure the computer, at regular intervals of typical usage, and when you
make any changes to the computer’s hardware or software configuration. If you have appropriate
baselines, you can determine which resources are affecting your computer’s performance.
When you create a performance baseline for a computer, you cannot transfer that baseline to a computer
configured with different hardware or software. Instead, you should create a performance baseline per
client computer configuration.
Note: You might have to recreate the baseline when you upgrade to Windows 10, because once it is
upgraded with new features and security updates, the baseline performance of Windows 10 might
change.
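The following is an added example (not part of the course) of the baseline procedure described above, done with the Get-Counter cmdlet rather than the Performance Monitor GUI. It samples the four key components (processor, disk, memory, network), stores the summary as a baseline file on the first run, and on later runs compares a fresh sample against that baseline and flags anomalies. The baseline path under %ProgramData%, the sample counts, and the "twice the baseline" and "half the available memory" thresholds are arbitrary choices for this example; tune them to the workstation configuration.

```powershell
# Added example: capture a performance baseline and compare later samples to it.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Bytes Total/sec'
)
$baselinePath = Join-Path $env:ProgramData 'PerfBaseline.xml'   # assumption: writable by admins

function Get-CounterSummary {
    param([int]$Samples = 12, [int]$IntervalSeconds = 5)
    # Sample every counter repeatedly, then reduce each counter path to its
    # average and peak over the sampling window.
    $raw = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $raw.CounterSamples |
        Group-Object Path |
        ForEach-Object {
            $m = $_.Group | Measure-Object CookedValue -Average -Maximum
            [pscustomobject]@{
                Path    = $_.Name
                Average = [math]::Round($m.Average, 2)
                Peak    = [math]::Round($m.Maximum, 2)
            }
        }
}

# First run: record the baseline during normal use. Delete the file and run
# again after any hardware, software, or feature update changes the machine.
if (-not (Test-Path -Path $baselinePath)) {
    Get-CounterSummary | Export-Clixml -Path $baselinePath
    "Baseline written to $baselinePath"
    return
}

# Later runs: compare a shorter fresh sample against the stored baseline.
$baseline = Import-Clixml -Path $baselinePath
$current  = Get-CounterSummary -Samples 6

$report = foreach ($c in $current) {
    $b = $baseline | Where-Object Path -eq $c.Path
    if (-not $b) { continue }   # e.g. a network adapter that did not exist at baseline time
    $flag = ''
    if ($c.Path -like '*Available MBytes*') {
        # Available memory falls under pressure; every other counter here rises.
        if ($c.Average -lt ($b.Average * 0.5)) { $flag = 'LOW' }
    }
    elseif ($c.Average -gt [math]::Max($b.Average * 2, $b.Peak)) {
        $flag = 'HIGH'
    }
    [pscustomobject]@{
        Path     = $c.Path
        Baseline = $b.Average
        Current  = $c.Average
        Flag     = $flag
    }
}
$report | Format-Table -AutoSize
```

For a baseline that keeps collecting unattended, the equivalent data collector set can be created from the command line with logman (for example, logman create counter PerfBaseline -c "\Processor(_Total)\% Processor Time" -si 00:00:15 -o C:\PerfLogs\PerfBaseline, followed by logman start PerfBaseline), and the resulting log opened in Performance Monitor. Whichever method you use, keep a separate baseline per hardware and software configuration, as the section above explains, because a baseline from one configuration says nothing about another.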

Performance Monitoring
Task Manager
You can use the Performance tab in Task Manager to help to identify performance problems. The Perfor-
mance tab displays a summary of CPU and memory usage, and network statistics.
Generally, you might consider using Task Manager when a performance-related problem first becomes
apparent. For example, you might examine the running processes to determine if a particular program is
using excessive CPU resources. Remember that Task Manager shows a snapshot of current resource
consumption. You may need to examine historical data to get a better understanding of a computer’s
performance and response under load.

Resource Monitor
When the Resource Monitor first opens, the initial view is of the Overview tab. On the right side are four
graphs: CPU, Disk, Network, and Memory. You can examine these graphs, looking for excessive peaks in
CPU, Disk, Network, or Memory activity. In the main pane, you can examine details about each compo-
nent by expanding each component’s information list. It lists each process that is running on the comput-
er, and includes information about resource consumption for each process. For example, the number of
threads and the percentage of CPU capacity in use displays for each running process.
Having determined that a particular component is causing a bottleneck, you can use the appropriate
component tab to view more information. Remember that a snapshot of current activity, which Resource
Monitor provides, tells only a partial story. For instance, you might see a peak in activity, which is not
representative of average performance.

Performance Monitor
Performance Monitor features multiple graph views that give you a visual review of performance log data.
You can create custom views in Performance Monitor that you can export as data collector sets for use
with performance and logging features.
You can use data collector sets and the Performance Monitor tools to organize multiple data collection
points into a single component that you can use to review or log performance. The Performance Monitor
also includes default data collector set templates to help system administrators begin the process of
collecting performance data.
In the Performance Monitor, under the Data Collector Sets node, you can use the User Defined node to
create your own data collector sets. You can specify which objects and counters you want to include in
the set for monitoring. To help you select appropriate objects and counters, you can use the following
templates provided for monitoring:
●● System Diagnostics. This template selects objects and counters that report the status of hardware
resources, system response time, and processes on the local computer, along with system information
and configuration data. The report provides guidance on ways to optimize the computer’s
responsiveness.
●● System Performance. This template generates reports that detail the status of local hardware
resources, system response times, and processes.
●● WDAC Diagnostics. This template enables you to trace debug information for Windows Data Access
Components.
You also can configure a data collector set to run at a scheduled time, for a specific length of time, or
until it reaches a predefined size. For example, you can run the data collector set for 10 minutes every
hour during working hours to create a performance baseline. You also can set the data collector to restart
when set limits are reached, so that a separate file will be created for each interval.
Note: It is not necessary for Performance Monitor to be running for data to be collected into a data
collector set.
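As an added example (not part of the course text), the following PowerShell creates a user-defined data collector set with logman.exe that samples the counters discussed in this lesson, runs for 10 minutes each time it starts, writes a separate log file per run, and is scheduled to start hourly during working hours; the set name, output folder and the 08:00 to 18:00 window are assumptions.

```powershell
# Added example, not from the course: a user-defined data collector set that
# runs for 10 minutes every hour during working hours to build a baseline.
# The set name, output folder and the 08:00-18:00 window are assumptions.
# Run from an elevated PowerShell prompt.

$dcsName = 'Win10Baseline'          # hypothetical collector set name
$outDir  = 'C:\PerfLogs\Baseline'   # hypothetical output folder
New-Item -Path $outDir -ItemType Directory -Force | Out-Null

# Counters from this lesson's table of commonly used counters.
$counters = @(
    '\LogicalDisk(_Total)\% Free Space'
    '\PhysicalDisk(_Total)\% Idle Time'
    '\PhysicalDisk(_Total)\Avg. Disk sec/Read'
    '\PhysicalDisk(_Total)\Avg. Disk sec/Write'
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    '\Memory\Available MBytes'
    '\Memory\% Committed Bytes In Use'
    '\Memory\Pages/sec'
    '\Processor(_Total)\% Processor Time'
    '\Processor(_Total)\% Interrupt Time'
    '\System\Processor Queue Length'
    '\Network Interface(*)\Bytes Total/sec'
)

# logman create counter: -si sample interval, -rf run for (stop after 10 min),
# -f bin writes a .blg that Performance Monitor opens directly, -v mmddhhmm
# appends a timestamp so every run lands in its own file (the "separate file
# for each interval" behaviour described above).
& logman.exe create counter $dcsName -c $counters -si 00:00:15 -rf 00:10:00 `
    -f bin -v mmddhhmm -o "$outDir\$dcsName"
if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }

# Start the set hourly: a daily 08:00 trigger that repeats every hour for 10 h.
# New-ScheduledTaskTrigger accepts -RepetitionInterval only with -Once, so the
# repetition pattern is built on a -Once trigger and copied to the daily one.
$action = New-ScheduledTaskAction -Execute 'logman.exe' -Argument "start $dcsName"
$daily  = New-ScheduledTaskTrigger -Daily -At '08:00'
$hourly = New-ScheduledTaskTrigger -Once -At '08:00' `
    -RepetitionInterval (New-TimeSpan -Hours 1) -RepetitionDuration (New-TimeSpan -Hours 10)
$daily.Repetition = $hourly.Repetition
Register-ScheduledTask -TaskName "Start $dcsName" -Action $action -Trigger $daily `
    -User 'SYSTEM' -RunLevel Highest | Out-Null

# Check: the set exists and the task is registered; log files appear in $outDir
# as Win10Baseline_<mmddhhmm>.blg, one per 10-minute run.
logman.exe query $dcsName
Get-ScheduledTask -TaskName "Start $dcsName" | Select-Object TaskName, State
```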
You can add many different performance counters to Performance Monitor. Some performance
counters are not often used. The following table shows the commonly used performance counters.

Counter | Usage
LogicalDisk\% Free Space | This counter measures the percentage of free space on the selected logical disk drive. Take note if this falls below 15 percent, because you risk running out of free space for the operating system to store critical files. One solution is to add more disk space.
PhysicalDisk\% Idle Time | This counter measures the percentage of time the disk was idle during the sample interval. If this counter falls below 20 percent, the disk system is saturated. You should consider replacing the current disk system with a faster one.
PhysicalDisk\Avg. Disk Sec/Read | This counter measures the average time, in seconds, to read data from the disk. If the number is larger than 25 milliseconds (ms), that means the disk system is experiencing latency when it is reading from the disk.
PhysicalDisk\Avg. Disk Sec/Write | This counter measures the average time, in seconds, it takes to write data to the disk. If the number is larger than 25 ms, the disk system experiences latency when it is writing to the disk.
PhysicalDisk\Avg. Disk Queue Length | This counter indicates how many I/O operations are waiting for the hard drive to become available. If the value is larger than two times the number of spindles, it means that the disk itself might be the bottleneck. If this counter indicates a possible bottleneck, consider measuring the Avg. Disk Read Queue Length and Avg. Disk Write Queue Length to try to determine if read or write operations are the cause.
Memory\Cache Bytes | This counter indicates the amount of memory that the file-system cache uses. There might be a disk bottleneck if this value is greater than 300 megabytes (MB).
Memory\% Committed Bytes in Use | This counter measures the ratio of Committed Bytes to the Commit Limit, or in other words, the amount of virtual memory in use. If the number is greater than 80 percent, it indicates insufficient memory.
Memory\Available MBytes | This counter measures the amount of physical memory, in megabytes, available to run processes. If this value is less than 5 percent of the total physical random access memory (RAM), that means there is insufficient memory, which can increase paging activity.
Memory\Free System Page Table Entries | This counter indicates the number of page table entries not currently in use by the system. If the number is less than 5,000, there might be a memory leak.
Memory\Pool Non-Paged Bytes | This counter measures the size, in bytes, of the nonpaged pool. This is an area of system memory for objects that cannot be written to a disk, but instead must remain in physical memory for as long as they are allocated. If the value is greater than 175 MB (or 100 MB with a /3 gigabyte (GB) switch), then there is a possible memory leak.
Memory\Pool Paged Bytes | This counter measures the size, in bytes, of the paged pool. This is an area of system memory for objects that can be written to disk when they are not being used. There might be a memory leak if this value is greater than 250 MB (or 170 MB with the /3 GB switch).
Memory\Pages per Second | This counter measures the rate at which pages are read from or written to the disk to resolve hard page faults. If the value is greater than 1,000 as a result of excessive paging, there might be a memory leak.
Processor\% Processor Time | This counter measures the percentage of elapsed time that the processor spends executing a non-idle thread. If the percentage is greater than 85 percent, the processor is overwhelmed, and the server might require a faster processor.
Processor\% User Time | This counter measures the percentage of elapsed time that the processor spends in user mode. If this value is high, the server is busy with the application.
Processor\% Interrupt Time | This counter measures the time that the processor spends receiving and servicing hardware interrupts during specific sample intervals. If the value is greater than 15 percent, this counter indicates a possible hardware issue.
System\Processor Queue Length | This counter indicates the number of threads in the processor queue. The server does not have enough processor power if the value is more than two times the number of CPUs for an extended period of time.
Network Interface\Bytes Total/Sec | This counter measures the rate at which bytes are sent and received over each network adapter, including framing characters. The network is saturated if more than 70 percent of the interface is consumed.
Network Interface\Output Queue Length | This counter measures the length of the output packet queue, in packets. There is network saturation if the value is more than 2.
Process\Handle Count | This counter measures the total number of handles that a process currently has open. This counter indicates a possible handle leak if the number is greater than 10,000.
Process\Thread Count | This counter measures the number of threads currently active in a process. There might be a thread leak if this number is more than 500 between the minimum and maximum number of threads.
Process\Private Bytes | This counter indicates the amount of memory that this process has allocated that it cannot share with other processes. If the value is greater than 250 between the minimum and maximum number of threads, there might be a memory leak.
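As an added example (not from the course), the following PowerShell samples the counters in the table with Get-Counter and flags the ones that cross the table's thresholds; the spindle count, the sample interval and the rule list are assumptions you adjust for the computer being examined.

```powershell
# Added example, not from the course: sample the counters in the table above
# and flag those that cross the stated thresholds. The spindle count and the
# sampling settings are assumptions. A single sample is only a snapshot, as the
# lesson warns, so several samples are averaged before comparing.

$spindles = 1   # assumption: one physical disk; the table's limit is 2 x spindles
$cpuCount = [int]$env:NUMBER_OF_PROCESSORS
$totalMB  = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)

# One rule per counter: path, comparison ('gt' or 'lt'), limit and the table's
# interpretation. Avg. Disk sec/Read and sec/Write are reported in seconds, so
# the 25 ms threshold is written as 0.025. Pool Nonpaged Bytes is the counter's
# actual name for what the table calls Pool Non-Paged Bytes.
$rules = @(
    @{ Path = '\LogicalDisk(*)\% Free Space';                 Op = 'lt'; Limit = 15;            Why = 'risk of running out of free space' }
    @{ Path = '\PhysicalDisk(_Total)\% Idle Time';            Op = 'lt'; Limit = 20;            Why = 'disk system is saturated' }
    @{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Read';     Op = 'gt'; Limit = 0.025;         Why = 'read latency on the disk' }
    @{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Write';    Op = 'gt'; Limit = 0.025;         Why = 'write latency on the disk' }
    @{ Path = '\PhysicalDisk(_Total)\Avg. Disk Queue Length'; Op = 'gt'; Limit = 2 * $spindles; Why = 'disk itself may be the bottleneck' }
    @{ Path = '\Memory\Cache Bytes';                          Op = 'gt'; Limit = 300MB;         Why = 'possible disk bottleneck' }
    @{ Path = '\Memory\% Committed Bytes In Use';             Op = 'gt'; Limit = 80;            Why = 'insufficient memory' }
    @{ Path = '\Memory\Available MBytes';                     Op = 'lt'; Limit = [math]::Round(0.05 * $totalMB); Why = 'insufficient memory, paging will increase' }
    @{ Path = '\Memory\Free System Page Table Entries';       Op = 'lt'; Limit = 5000;          Why = 'possible memory leak' }
    @{ Path = '\Memory\Pool Nonpaged Bytes';                  Op = 'gt'; Limit = 175MB;         Why = 'possible memory leak' }
    @{ Path = '\Memory\Pool Paged Bytes';                     Op = 'gt'; Limit = 250MB;         Why = 'possible memory leak' }
    @{ Path = '\Memory\Pages/sec';                            Op = 'gt'; Limit = 1000;          Why = 'excessive paging, possible memory leak' }
    @{ Path = '\Processor(_Total)\% Processor Time';          Op = 'gt'; Limit = 85;            Why = 'processor is overwhelmed' }
    @{ Path = '\Processor(_Total)\% Interrupt Time';          Op = 'gt'; Limit = 15;            Why = 'possible hardware issue' }
    @{ Path = '\System\Processor Queue Length';               Op = 'gt'; Limit = 2 * $cpuCount; Why = 'not enough processor power' }
    @{ Path = '\Network Interface(*)\Output Queue Length';    Op = 'gt'; Limit = 2;             Why = 'network saturation' }
)

function Test-PerfThreshold {
    param([hashtable[]]$Rules, [int]$SampleInterval = 1, [int]$MaxSamples = 1)

    # Get-Counter returns one sample set per interval; collect the CookedValue of
    # every instance path across all sets so the comparison uses an average.
    $sets = Get-Counter -Counter $Rules.Path -SampleInterval $SampleInterval `
                -MaxSamples $MaxSamples -ErrorAction SilentlyContinue
    $values = @{}
    foreach ($s in $sets.CounterSamples) {
        if (-not $values.ContainsKey($s.Path)) {
            $values[$s.Path] = [System.Collections.Generic.List[double]]::new()
        }
        $values[$s.Path].Add($s.CookedValue)
    }

    foreach ($rule in $Rules) {
        # Sample paths come back as \\COMPUTER\object(instance)\counter in lower
        # case; -like is case-insensitive and lets the (*) instance wildcard match.
        foreach ($path in ($values.Keys | Where-Object { $_ -like "*$($rule.Path)" })) {
            $avg    = ($values[$path] | Measure-Object -Average).Average
            $breach = if ($rule.Op -eq 'gt') { $avg -gt $rule.Limit } else { $avg -lt $rule.Limit }
            [pscustomobject]@{
                Counter = $path
                Average = [math]::Round($avg, 3)
                Limit   = "$($rule.Op) $($rule.Limit)"
                Status  = if ($breach) { "WARN: $($rule.Why)" } else { 'OK' }
            }
        }
    }
}

# Three samples five seconds apart; WARN rows are the counters the table says to act on.
Test-PerfThreshold -Rules $rules -SampleInterval 5 -MaxSamples 3 |
    Sort-Object Status -Descending | Format-Table -AutoSize
```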

Optimizing Disk and Memory Performance


Disk and memory are arguably the resources that can make the most positive impact on improving client
computer performance. Use the following guidelines to help to optimize disk and memory performance
in your Windows 10 computer.
●● Select a 64-bit version of Windows 10. Using a 64-bit version enables your computer to use more
memory than the 4 GB limitation imposed by 32-bit operating systems. If your computer has more
than 4 GB of memory, or if you can add additional memory beyond 4 GB, then select a 64-bit version
of Windows 10.
●● Avoid shared memory video. Some video adapters use shared system memory. This means that the
video adapter uses memory for display purposes that would otherwise be available for servicing
applications. Some computers come equipped with video adapters that use dedicated onboard
memory for display purposes, ensuring that more memory is available for applications.
●● Optimize paging. For most single disk drive computers that run Windows 10, leaving the paging file
settings at the default values is adequate. However, you might gain a small performance benefit by
following these guidelines:
●● Create the paging file on a different physical disk than the operating system disk. Paging is a
disk-intensive task. If you distribute the disk load across all of your computer’s available disks, you
minimize the likelihood of performance bottlenecks affecting the disk subsystem. By optimizing
the disk subsystem, you can make the paging process as efficient as possible. If you have a device
with an SSD as the primary disk and a normal hard disk as the secondary disk, moving the paging
file is not likely to improve performance.
●● Configure a fixed-size paging file. A paging file that can grow on the disk might encompass
fragmented areas of the disk volume. By configuring a fixed-size paging file, you can ensure that
the paging file does not encompass fragmented areas.
●● On non-SSD drives, ensure that the disk volume is not fragmented when you create the paging
file. If you want to create a fixed-size paging file on a computer that already has a paging file,
ensure that you do not create a paging file that encompasses fragmented areas of the disk.
Additionally, before you create a fixed-size paging file, you should configure the computer to use
no paging, and then defragment the volumes.
●● When you configure the paging file, ensure that its size is sufficient. Recommendations specify that
an initial paging file should be equivalent to the amount of installed memory, and a maximum
paging file size that is equal to twice the initial value. Consequently, you should create a fixed-size
paging file that is equal to or twice the size of the physical memory.
●● Add physical memory to a computer that is paging excessively. If you investigate performance on
a computer with a memory bottleneck, you often find that disk performance is low as well. By
adding extra physical memory to the computer you can reduce the load on the disk subsystem
and thereby improve both memory and disk performance.
●● Implement faster disks. Disk speed is measured in revolutions per minute (rpm), and average seek
times are measured in milliseconds. Install disks running 7200 rpm or faster, and select disks with the
lowest seek time. On desktop computers, you also can install a disk controller that supports a faster
bus type. The first Serial ATA (SATA) standard supports transfer rates up to 150 megabytes per second
(MBps) whereas the latest SATA standard supports transfer rates up to almost 2000 MBps. Changing
your disk controller and disks that support the new disk controller could improve the disk subsystem
performance considerably.
●● Consider using SSDs. SSDs use flash memory technology and have no moving parts. They can
operate faster than traditional disks, but they are more expensive. Carefully research the specific
vendor and model of disk. Some disks provide higher write performance, and some provide higher
read performance. In systems that support multiple drives where SSD cost is a concern, consider a
smaller SSD drive to store the OS and a SATA drive for apps and data.
●● Defragment volumes that are used heavily. You can use either the built-in disk Optimize Drives tool
or another company’s tools, some of which support the defragmentation of files such as Hiberfil.sys
and Pagefile.sys. Windows 10 optimizes drives automatically once a week and will run the proper
optimization automatically (defragmenting SATA drives or running TRIM on SSDs).
●● Ensure that you enable write-caching. You can use Device Manager to examine the properties of
any installed disks, and to verify that write-caching is enabled.
●● Distribute the memory load across all available disks. If your computer has multiple physical disks,
consider distributing disk-intensive activities across these disks. For example, you can install the
Windows operating system and applications on one disk, the paging file on another disk, and your
data files on a third disk.
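As an added example (not from the course), this PowerShell applies the paging-file guidelines above: it turns off automatic paging-file management, removes the existing paging file, optimizes the target volume, and creates one fixed-size paging file equal to the installed physical memory on a second physical disk; the drive letter D: is an assumption, and the change takes effect after a restart.

```powershell
# Added example, not from the course: a fixed-size paging file, equal to the
# installed physical memory, on a disk other than the Windows disk.
# D: is an assumption for the second physical disk. Run elevated; the new
# setting is applied at the next restart.

$pageDrive = 'D:'

# Guard rails: the target must exist and must not be the operating system disk.
if ($pageDrive -eq $env:SystemDrive) { throw "Pick a drive other than the system drive $env:SystemDrive" }
if (-not (Test-Path "$pageDrive\")) { throw "Drive $pageDrive is not present" }

$cs    = Get-CimInstance -ClassName Win32_ComputerSystem
$ramMB = [uint32][math]::Round($cs.TotalPhysicalMemory / 1MB)

# 1. Turn off "Automatically manage paging file size for all drives"; while it
#    is on, Windows ignores per-drive paging file settings.
if ($cs.AutomaticManagedPagefile) {
    Set-CimInstance -InputObject $cs -Property @{ AutomaticManagedPagefile = $false }
}

# 2. Drop the existing paging file settings (typically C:\pagefile.sys) so the
#    paging load moves off the operating system disk, as recommended above.
Get-CimInstance -ClassName Win32_PageFileSetting | Remove-CimInstance

# 3. Optimize the target volume first so the new file is not laid out across
#    fragmented areas. Optimize-Volume picks the operation for the media type
#    (defragment for a hard disk, retrim for an SSD).
Optimize-Volume -DriveLetter $pageDrive.TrimEnd(':')

# 4. Create one paging file with initial size = maximum size (fixed size), so
#    it cannot grow into fragmented areas later.
New-CimInstance -ClassName Win32_PageFileSetting -Property @{
    Name        = "$pageDrive\pagefile.sys"
    InitialSize = $ramMB      # MB, equal to installed RAM
    MaximumSize = $ramMB
} | Out-Null

# Verify the setting that will take effect after the restart.
Get-CimInstance -ClassName Win32_PageFileSetting |
    Select-Object Name, InitialSize, MaximumSize
```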

Configure Indexes
Indexing is a technology used by Windows search. As the name implies, it is an index, a local database.
Windows uses this index to keep track of files, folders, file types, data properties, and other details about
files so that you can search by those details to locate data more easily. Generally, when you search for a
file, Windows accesses this index first. It is important to personalize the settings for indexing to meet your
needs. You want to make sure the service is indexing all of the areas of your computer that you use and it
does not index unnecessary areas.

Contents of the Windows Search Index


One index is maintained per computer, so shared data stored on local drives is indexed only once. In
addition, each user’s data is distinguishable by a unique user security identifier (SID), so users have access
only to their own content. System administrators can use Group Policy to prevent specific paths or file
types from being indexed.
Windows Search indexes information as follows:
●● By default, Windows Search indexes each user’s e-mail and Documents and Settings folders (users can
add custom locations like network shares). Indexing of shared folders can be turned off with Group
Policy.
●● Windows Search does not index password-protected Office files.
●● Windows Search indexes e-mail and attachments in a secure environment. Indexing of attachments
can be turned off with Group Policy.
●● The Windows Search index is updated automatically in the background when data is added, deleted,
and modified.
Indexing Encrypted Files
Windows Search 4.0 and higher fully supports indexing encrypted files on local file systems, enabling
users to index and search the properties and contents of encrypted files. Users can manually configure
Windows Search to include encrypted files, or administrators can configure this with Group Policy.
Windows Search ensures that only users with the correct permissions can search the content of encrypted
files by honoring ACLs and by restricting access to users with decryption permissions for the files.
Additionally, Windows Search restricts access to encrypted files to local searches only; Windows Search
does not return encrypted files in search results when the query is initiated remotely.
Note: The indexing of encrypted files should not be enabled unless the search index itself is protected
with full volume encryption. While encrypting the index file with EFS is possible, it is not recommended.
Practice Labs and Module Review


Module 10 Practice Labs
Lab 1001: Monitoring Events

Summary
In this lab, you will learn how to manage Windows 10 event logs and configure Event log subscriptions.

Exercise 1: Manage Windows 10 Event Logs

Scenario
You need to perform maintenance tasks on the Event logs for SEA-CL1. You will first review the event log
entries for the Application, Security, and System logs. You will then configure the Maximum log size for
the Application and System event logs. Finally, you will configure the Security event log to Archive the log
when full and do not overwrite events.
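As an added example (not part of the lab steps), the same Exercise 1 settings applied from the command line with wevtutil.exe, which lets you script the change or verify it on SEA-CL1; the 64 MB maximum size is an assumption.

```powershell
# Added example, not from the lab: the Exercise 1 event log settings applied
# with wevtutil.exe. The 64 MB size is an assumption. Run elevated.

$maxBytes = 64MB     # assumption: maximum size for Application and System (bytes)
foreach ($log in 'Application', 'System') {
    # set-log <log> /ms:<bytes> sets the maximum log size
    wevtutil.exe set-log $log "/ms:$maxBytes"
}

# Security log: "Archive the log when full, do not overwrite events" is the
# combination of retention on (/rt:true, events are never overwritten) and
# auto-backup on (/ab:true, the full log is archived and a new one started).
wevtutil.exe set-log Security /rt:true /ab:true

# Verify: get-log prints maxSize, retention and autoBackup for each log.
foreach ($log in 'Application', 'System', 'Security') {
    "--- $log ---"
    wevtutil.exe get-log $log | Select-String 'maxSize|retention|autoBackup'
}
```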

Exercise 2: Configure and Manage Event Subscriptions

Scenario
SEA-CL2 is a critical workstation that needs to be monitored and maintained on a regular basis. To
efficiently monitor SEA-CL2, you decide to collect its event log entries so that you can review them on
your workstation named SEA-CL1. To perform this task, you need to assign permissions on SEA-CL2. You
will then create a “Collector Initiated” event log subscription on your workstation that connects to
SEA-CL2 and collects the last 30 days of event log entries.

Lab 1002: Monitoring Reliability and Performance

Summary
In this lab, you will learn how to use Task Manager and Reliability Monitor to review Windows 10
reliability and performance. You will also learn how to configure and use Performance Monitor to identify
performance issues for a Windows 10 device.

Exercise 1: Review Windows 10 performance using Task Manager and Reliability Monitor

Scenario
A user reports performance and speed issues with a client workstation named SEA-CL1. Your first step is to
review Task Manager and Reliability Monitor on SEA-CL1 to identify any noticeable or consistent
issues that may be reported on the computer.
Exercise 2: Monitor Windows 10 using Performance Monitor

Scenario
You need to use Performance Monitor to identify performance bottlenecks on the Windows 10 workstation
named SEA-CL1. You have developed a script named MonitorScenario.vbs that will simulate and
provoke the bad performance on SEA-CL1. While the script runs, you plan to monitor the values for
Network Interface Packets per second, PhysicalDisk % Disk Time, PhysicalDisk Avg. Disk Queue Length,
Processor % Processor Time and System Processor Queue Length.

Module Review
Check Your Knowledge
1. An end user reports a problem with an app. You access the Task Manager to gather information to
help you identify and resolve the problems. You determine that you need to disable some programs.
Which feature of Task Manager should you access to disable the programs?
A. Processes
B. Performance
C. Startup
D. Details
E. None mentioned
2. A user reports problems regarding application failures. The user has indicated that this is not the first
time they have experienced issues with this application. Which of the tools provided in Windows 10
can create a problem report that you can use to troubleshoot this?
A. Reliability History
B. Process Explorer
C. Task Manager
D. Event Viewer
E. Message Analyzer
F. None mentioned
3. You are troubleshooting a computer problem. You need access to essential information from
applications, security, setup, and the system. Which of the tools provided in Windows 10 lists and categorizes
this information?
A. Reliability History
B. Task Manager
C. Event Viewer
D. Message Analyzer
E. None mentioned
4. As an IT Support professional for your organization, you need to configure the settings for Windows
Logs. You create a new GPO for all the computers in your domain. Which of the following is
something you can define for each log? (select four)
A. Automatic backup options.
B. Behavior that occurs when the log is full.
C. The location of the log file.
D. The version of the log file.
E. The maximum size of the log file.
F. Which apps should be excluded.
5. A user is complaining of decreased computer system performance. Which are the main hardware
components that you should monitor in a Windows 10–based computer? (select four)
A. Processor
B. Battery
C. Disk
D. Cooling Fan
E. Memory
F. Video
G. Network
H. USB Devices
6. Which Windows 10 performance-monitoring tool provides a snapshot of system performance?
A. Resource Monitor
B. Task Manager
C. Performance Monitor
D. Data collector sets
7. You are an IT Support Professional for a law firm. One of the paralegals is having trouble finding files
on their Windows 10 computer. Which files are not included in the Windows Search Index by default?
(select three)
A. Password-protected Office files
B. Network shares
C. Encrypted files
D. E-mail
E. Documents folder
F. Settings folders
8. When troubleshooting hardware and drivers, which of the following registry hives is the one you will
likely edit the most?
A. HKEY_CURRENT_USER
B. HKEY_LOCAL_MACHINE
C. HKEY_USERS
D. HKEY_CLASSES_ROOT
E. HKEY_CURRENT_CONFIG
Answers: 1) C 2) A 3) C 4) A,B,C,E 5) A,C,E,G 6) A 7) A,B,C 8) B
Module 11 Troubleshooting Files and Apps

File Recovery in Windows 10


Lesson Introduction
Your organization most likely has a file recovery strategy in place to recover user data that is stored on
network file servers or network-accessible storage devices. However, it is important to remember that
users often save their work to their local devices. Therefore, it is important that you provide some method
of local file recovery, so that you can recover these data files if users delete them accidentally or they
become corrupt.
In this lesson, you will learn about the Windows 10 file backup and recovery tools. Previous Windows
versions allowed users to view and recover files that they modified or deleted by mistake, and Windows
10 offers similar tools, including the:
●● Backup and Restore (Windows 7) tool, which provides backup and recovery functionality.
●● File History feature, which protects user data by copying it periodically to a local or network drive.
Users then can recover files, as necessary.
●● Azure Backup tool, which stores Windows 10 data to Microsoft Azure (in the cloud). However, before
you can use this tool, you must create a backup vault in Microsoft Azure, and install Microsoft Azure
Backup agent on Windows 10.

Lesson Objectives
After completing this lesson, you will be able to:
●● Explain the Windows 10 file recovery methods and tools.
●● Use File History to recover files.
●● Describe and use the Previous Versions feature.
●● Describe how to configure and use the Azure Backup tool.
●● Troubleshoot File Recovery Options.
●● Explain how and when to use the Reset this PC tool.
●● Explain how to use provisioning packages.

The Importance of File Recovery


A computer contains different types of data that it stores in different locations. Computer data types
include operating-system configuration files, app and user-related settings, and user data files. The latter
can include documents, images, spreadsheets, and other types of files. Computers are very reliable, and
most operating systems are robust and recoverable, but problems do occur. Sometimes these problems
can result in data loss.
To prevent data loss, we strongly recommend storing user data on file servers or cloud-based solutions,
where it is highly available and backed up centrally. Windows features such as Folder Redirection or
OneDrive provide users with transparent and seamless offline access to robust storage. In common
situations and workloads, recovering from a desktop failure could be as simple as resetting the PC or
provisioning a new PC, with the user able to continue working upon login. Enabling these solutions can
result in tremendous savings of time spent troubleshooting, costs associated with data loss, and resources
needed to support desktop data recovery.
However, storing all data remotely is not always possible. Therefore, you must be able to recover local
data in case of hardware failure or other scenarios, such as:
●● A user accidentally modifies or deletes a file or an entire folder.
●● Malware or a virus infects a computer and modifies or encrypts user files.
●● A user modifies a file several times, but later decides that the changes were unnecessary and wants to
access the original file.
●● A natural disaster occurs, such as a fire, flood, or tornado, and damages the computer.
●● A user’s data does not synchronize with the file server regularly, and then is stolen. The user wants to
access newer versions of data.
A computer stores data files and settings in several locations, and you need to ensure that you protect all
of them. Windows 10 includes several tools that can help you protect data and make backup copies of
local files, including:
●● Folder Redirection and Offline Files tools. In a domain environment, Folder Redirection redirects local
folders from the user profile to the file server. Offline Files makes a local copy of redirected files and
makes them available even when there is no network connectivity to the file server.
●● Work Folders tool. You can use Work Folders regardless of domain membership. Work Folders
synchronize data files between the file server and user devices.
●● File History tool. After you enable File History, it creates a backup of modified user files automatically
on the local drive, removable drive, or network location. File History backs up the folders in user
profiles and libraries, and you can add additional folders. By default, File History copies the modified
files in protected folders every hour, and Windows 10 keeps them indefinitely, as long as there is
enough storage space.
●● Backup and Restore (Windows 7) tool. Although the name of the tool includes Windows 7, it is a part
of Windows 10. It is intended to recover files from a Windows 7 backup in Windows 10.
●● Synchronization of user data with Microsoft OneDrive or OneDrive for Business. If your user account is
connected with a Microsoft account, or your company is using OneDrive for Business, you can
synchronize data files with the cloud and between the devices that you use.
●● Creation of a system image. A system image is not designed as a backup and restore solution, but it
does contain an exact copy of all data that was on a computer when you created it. There is no option
to create a schedule for system image creation. You can copy system images to hard disks, sets of
DVDs, or network locations. A system image contains a virtual hard disk (.vhdx file) for each volume of
the computer for which you create the image. You can mount the virtual disk in File Explorer, and
access and restore each file individually. If you want to restore the entire system image, you can use
the System Image Recovery option from Windows RE.
●● Wbadmin.exe tool. You can use this command line tool to create backups and restore backup content.
●● File Explorer or robocopy.exe features. You can use File Explorer or the robocopy.exe tool to copy files
manually to other media or a network location.
●● Microsoft Azure Backup feature. Windows 10 does not include Azure Backup. However, if you have a
Microsoft Azure subscription, you can create a Backup Vault, download and install the Azure Backup
Agent, and back up Windows 10 to Microsoft Azure.

What Is File History


When you use the File History feature, Windows 10 saves copies of your files automatically to a
removable local drive or to a shared folder on a network. After you enable File History, it saves a copy of your
modified files periodically to a designated location. Windows 10 saves modified files every hour and
keeps file versions indefinitely by default. However, you can configure the interval at which the saves
occur and how long Windows 10 keeps saved files.
Note: The File History storage location that you specify can be on a local drive, a removable drive, or a
network location.
By default, File History saves files from the following folders: Contacts, Desktop, Documents, Downloads,
Favorites, Links, Music, OneDrive, Pictures, Saved Games, Searches, and Videos. Additionally, File History
saves files from the following libraries: Documents, Music, Pictures, and Videos.
You can protect additional folders by using File History in two ways:
●● Using the Backup option in the Update & security section in the Settings app. To access this option, in
the Settings app, select Update & security. Select Backup, and then in the Back up using File
History section, select More options.
Note: You cannot add additional folders to the File History item in Control Panel.
●● Adding folders to the libraries that File History protects. File History also protects folders that you add
to one of the protected libraries. You can do this by configuring File Explorer to show libraries, and
then modifying the library properties to include additional folders. If you create a new library, File
History automatically protects it.
You can modify File History settings by using the File History item in the Control Panel. You also can
modify these settings from the Settings app, by selecting Update & security, selecting Backup, and then
in the Back up using File History section, selecting More options. You can start the backup manually by
using the File History item in Control Panel. Alternatively, you can configure how often to perform
backups and configure how long to keep backups. You also can specify the drive that will keep the File
History backups and exclude folders and libraries from File History.
You can use File Explorer to revert to previous versions of files that File History protects. You can use it to
restore files by right-clicking the file or folder, and then selecting the Previous Versions tab. You also can
navigate to the folder that contains a modified or deleted file, on the Home ribbon, select History to
open File History, and then view the recoverable files. Alternatively, you can use the Restore your files
with File History option directly, allowing you to compare modified files and restore deleted or modified
files.
Note: File History backs up protected folders into a folder hierarchy, and names the top folder after the
user principal name (UPN). It names the first-level subfolder after the computer from which it is backing
up the data, and names the second-level subfolders Configuration and Data. File History backs up the
data into subfolders of the Data folder. For example, the folder hierarchy for a user named Don in the
Adatum.com domain from the LON-CL1 computer will be in the Don@Adatum.com\LON-CL1\Data
folder.
Note: Previous versions of OneDrive files and folders are accessible through the OneDrive online portal.
For organizations with OneDrive for Business and SharePoint, verify versioning settings with the
SharePoint Administrator.

Using Azure Backup


Azure Backup is one of the services that Microsoft Azure offers. It allows you to safely and securely store
file backups in cloud services. Once you back up the files, you can recover them on the same computer
on which you performed the backup or on any other computer with access to Azure Backup. However, to
use Azure Backup you must have a Microsoft Azure subscription and you must install the Microsoft Azure
Backup agent. Windows 10 supports the Azure Backup Agent, but the operating system does not include
it. You must subscribe to it.

Azure Backup does not require additional infrastructure, but computers that you want to back up must
have Internet connectivity, and you must perform the following steps:
1. You first must create a Recovery Services vault in Microsoft Azure. A Recovery Services vault is a
location in which Windows can store backups, and which you create by using the Microsoft Azure
portal. The Recovery Services vault can store the backups of up to 50 computers. It does not have a
limitation on its storage size, but it does have a limitation of up to 366 backups from the same
computer. You can create up to 25 Recovery Services vaults per Microsoft Azure subscription.
2. After you create a Recovery Services vault, you need a way to connect it with a computer that will use
the backup vault for storing backups. You do this by using vault credentials, which is an XML file that
you can download from the Microsoft Azure portal. It is valid for two days after you download it.
Before the two-day expiration, you should download the Microsoft Azure Backup agent, install it, and
register it with the backup vault. Otherwise, you will need to download new vault credentials. Current
vault credentials always are available on the Microsoft Azure portal.
3. You manage Azure Backup by using the Microsoft Azure Backup program, which is a program that
installs during the Microsoft Azure Backup Agent installation. You must install the backup agent on
any computer on which you want to back up or recover data by using Microsoft Azure. You can
download it from the Microsoft Azure portal.
4. Before you can use the Microsoft Azure Backup program, you must register your computer. A wizard
will guide you through the registration process, in which you must provide vault credentials and
encryption settings. Encryption settings include a passphrase, which is a string of 16 to 36 characters
that the Azure Backup Agent generates randomly. You will use a passphrase to encrypt a backup
before you transfer it to Microsoft Azure. Never share a passphrase with anyone, and store it securely.
You cannot recover data from Azure Backup without an encryption passphrase.
5. After you register a computer with a backup vault, you can schedule and perform backups. Azure
Backup can include only files and folders that you store on NTFS volumes. Azure Backup can perform
backups three times per day maximum, and you can configure the retention policy, which specifies
how long Microsoft Azure retains daily, weekly, monthly, and yearly backups. A vault does not have a
storage size limitation, but it can store only 366 backups from the same computer.
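Steps 2 through 5 can also be scripted with the MSOnlineBackup PowerShell module that the Microsoft Azure Backup agent installs. This is an added example, not course material; it assumes the agent is already installed, the vault credentials file was downloaded to C:\Vault (a placeholder path), and the schedule, retention and folder values are sample choices.

```powershell
# Added example (not course material): register a Windows 10 client with a
# Recovery Services vault and create a backup policy with the MSOnlineBackup
# module. Run from an elevated PowerShell prompt.
Import-Module MSOnlineBackup

# Vault credentials: the XML file downloaded from the Azure portal. It is valid
# for two days, so refuse a stale file instead of failing later. Path is a placeholder.
$vaultCreds = Get-ChildItem 'C:\Vault' -Filter '*VaultCredentials*.xml' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $vaultCreds -or $vaultCreds.LastWriteTime -lt (Get-Date).AddDays(-2)) {
    throw 'Vault credentials are missing or older than two days; download a new file from the Azure portal.'
}
Start-OBRegistration -VaultCredentials $vaultCreds.FullName -Confirm:$false

# Encryption passphrase (16 to 36 characters): backups cannot be restored without
# it, so it is entered interactively rather than stored in this script, and must be
# kept in a secure store. Assumption: recent agent versions may also require
# -SecurityPin, generated in the Azure portal.
$passphrase = Read-Host -Prompt 'Backup encryption passphrase (16-36 characters)' -AsSecureString
Set-OBMachineSetting -EncryptionPassphrase $passphrase

# Schedule: three runs per day is the maximum the agent allows (sample times).
$policy   = New-OBPolicy
$schedule = New-OBSchedule -DaysOfWeek Monday, Tuesday, Wednesday, Thursday, Friday `
                           -TimesOfDay 08:00, 13:00, 18:00
Set-OBSchedule -Policy $policy -Schedule $schedule

# Retention: how long daily recovery points are kept (sample value).
$retention = New-OBRetentionPolicy -RetentionDays 30
Set-OBRetentionPolicy -Policy $policy -RetentionPolicy $retention

# Only data on NTFS volumes can be included; exclude a temp folder that would
# waste vault space. Folders are sample values using the course's user Don.
$include = New-OBFileSpec -FileSpec @('C:\Users\Don')
$exclude = New-OBFileSpec -FileSpec @('C:\Users\Don\AppData\Local\Temp') -Exclude
Add-OBFileSpec -Policy $policy -FileSpec $include
Add-OBFileSpec -Policy $policy -FileSpec $exclude

Set-OBPolicy -Policy $policy -Confirm:$false

# Confirm the schedule that was applied, then run the first backup now.
Get-OBPolicy | Get-OBSchedule
Get-OBPolicy | Start-OBBackup
```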
You can recover files and folders from Azure Backup either from the same computer on which it
performed the backup or from a different computer. It is easier to perform a recovery from the same
computer, because you already have the Microsoft Azure Backup program installed and registered with
the backup vault. The recovery from the same computer also can access the same passphrase that you
used for encryption. If you want to recover files from a different computer, you must make sure that it has
the Microsoft Azure Backup program installed. During recovery, you also must provide vault credentials
for the vault in which you are storing the backup. In addition, you must specify which files and folders
you want to recover and the passphrase that you used for encrypting the backup on the computer on
which Azure created the backup.

Backup and Restore Windows 7


Windows 10 includes the Backup and Restore (Windows 7) tool. As the name suggests, this tool was first
available in Windows 7 and is also available in Windows 10. Its primary purpose is to enable Windows 10
users to restore data from previous Windows 7 backups. While it still can be used to back up Windows 10
clients, one should review alternative methods of protecting files on end user devices. When considering
the newer methods Windows 10 offers for protecting data in the event of a device failure or migration to
a new device, it’s not a recommended solution unless modern methods simply cannot support the
scenario.
You can use the Backup and Restore (Windows 7) tool to create backups of folders, users’ libraries, and
volumes, and also to create a system image and restore backups. You can create backups on a local disk,
as long as it is different from the disk on which Windows 10 is installed. You can also create backups on
an external disk or on a network location. You can determine which data to include in the backup, and
specify if the system image should be part of the backup. You can also let Windows choose what to back
up. You can specify how often and when to perform backups. By default, backups occur every Sunday at
19:00.
Note: If you let Windows choose the data to back up, it will include only user libraries and the system
image in the backups, and will exclude volumes.
Note: You can manage the Backup and Restore (Windows 7) tool by using Control Panel, but it gives you
limited options to configure your backup schedule. If you want more granularity, or if you want to create
backups automatically multiple times per day, you should edit triggers for the AutomaticBackup job in
Task Scheduler.
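The trigger change described in the note can be made from PowerShell as well. This is an added example, not course material; it assumes the Backup and Restore (Windows 7) schedule has already been configured once (which is what creates the task), and the three run times are sample values.

```powershell
# Added example (not course material): replace the single weekly trigger of the
# Backup and Restore (Windows 7) task with three daily run times.
# Run from an elevated PowerShell prompt.
$taskPath = '\Microsoft\Windows\WindowsBackup\'
$taskName = 'AutomaticBackup'

$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction Stop

# Record the current triggers first (default: weekly, Sunday at 19:00), so the
# change can be reverted if needed.
$task.Triggers | Select-Object StartBoundary, DaysOfWeek, Enabled

# Three daily triggers; the times are sample values for this example.
$triggers = @(
    New-ScheduledTaskTrigger -Daily -At 08:00
    New-ScheduledTaskTrigger -Daily -At 13:00
    New-ScheduledTaskTrigger -Daily -At 18:00
)
Set-ScheduledTask -TaskPath $taskPath -TaskName $taskName -Trigger $triggers | Out-Null

# Verify: NextRunTime should now be within the next day, and LastTaskResult of the
# previous run is 0 when that backup completed successfully.
Get-ScheduledTaskInfo -TaskPath $taskPath -TaskName $taskName |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```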
The Backup and Restore (Windows 7) tool uses the Volume Shadow Copy Service when creating a
backup. It can store multiple versions of the backup on the same location. The first backup contains a
backup of all the selected data (full backup). When the tool performs the next backup, it backs up and
stores only the data that has changed since the previous backup. If only a small amount of data has
changed, then the next backup (incremental backup) will be smaller, and the tool will create it faster than
the first time. You can also use the Backup and Restore (Windows 7) tool to create a system image and
system repair disk. You can include a system image in the backup, but you can only create a system repair
disk manually.
After a backup, you can restore files or folders to their original locations or to different locations. If you
performed backups multiple times, you can select from which backup to restore data. You can also
manage the space that the backup is using. The Backup and Restore (Windows 7) tool creates a restore
point each time you run a backup. The Previous Versions tab in File Explorer lists those restore points
for the data that you included in the backup.
Note: The Backup and Restore (Windows 7) tool uses virtual hard disk (.vhdx) files to store backup data.
You can view the backup data by mounting the .vhdx file in File Explorer.
Note: You can only use the Backup and Restore (Windows 7) tool to back up data that is stored on NTFS
volumes.

The Previous Versions Tab


Similar to the Backup and Restore (Windows 7) tool, the Previous Versions tab in File Explorer is a feature
that Windows 10 includes. This feature enables users to view, restore, or revert previous versions of files,
folders, or volumes. Data from File History or restore points populates the Previous Versions tab.
Therefore, you must configure either File History or restore points to be able to use the Previous Versions
feature.

Note: The Previous Versions tab displays the following text: “Previous versions come from File History or
from restore points.” However, this message does not refer to restore points that System Restore creates.
The message refers to the restore points that the Backup and Restore (Windows 7) tool creates.
The Previous Versions tab for all files is empty until either you run File History for the first time, or you
create the initial backup when you use the Backup and Restore (Windows 7) tool. Data from File History
populates the Previous Versions tab only for the files that File History protects. For example, you can
modify File1.txt in the Folder1 folder, but if File History does not protect Folder1, then the Previous
Versions tab remains empty. The Backup and Restore (Windows 7) tool works in a similar manner. It
enables you to use previous versions for any file that is on an NTFS volume and that the backup includes.
For example, if you use the Backup and Restore (Windows 7) tool to back up Folder1, only the data from
restore points for Folder1 and all of its contents will populate the Previous Versions tab.
If you configure File History and use the Backup and Restore (Windows 7) tool, data from both sources
will populate the Previous Versions tab. Thereafter, each time that File History runs, an additional file
version becomes available for any file that File History protects. When the Backup and Restore (Windows
7) tool creates a backup, it also adds an additional file version automatically. If File History or Backup and
Restore (Windows 7) created the backup, you can revert files and folders only to the versions that the
backup includes.
Note: The Previous Versions feature is available in Windows 10, regardless of the file system that you are
using. However, the Backup and Restore (Windows 7) tool can back up data only from NTFS volumes.
Therefore, if you want to use the Previous Versions feature for files on the FAT file system, File History
must protect those files.

Comparing File Recovery Options


Each Windows 10 file recovery option has specific requirements and benefits, and all options provide
protection for and recovery of files and folders on NTFS volumes. However, there are important
differences in their functionality. For example, when you are considering which file recovery option to use, ask
yourself:
●● How often does an option create backups of the protected content?
●● What kind of content and file systems does an option protect?
●● Can an option protect and recover a computer’s system state?
●● Can I use a different computer to recover content than that on which I created it?
Windows 10 provides two file recovery options: File History, and the Backup and Restore (Windows 7)
tool. You do not need to install any features to use these options, but first you must configure them. If
you need to recover files that you protect with either of these options, you can use the Previous Versions
feature. Windows 10 does not include Azure Backup. Therefore, before you can use Azure Backup to
recover files, you must:
1. Purchase a Microsoft Azure subscription.
2. Create a backup vault.
3. Install the Microsoft Azure Backup agent.
4. Register the computer with the backup vault.
Note: Azure Backup does not integrate with the Windows 10 Previous Versions feature. You use the
Microsoft Azure Backup program to manage Azure Backup.
All three options—File History, Backup and Restore (Windows 7), and Azure Backup—can protect and
recover files and folders that are stored on an NTFS volume, the most common file system in Windows
10. If files are stored on other file systems, such as FAT, FAT32, exFAT or ReFS, you only can use File
History to protect and recover them; the Windows Backup and Restore (Windows 7) tool and Azure
Backup do not support those file systems. If you need the ability to recover an entire Windows 10
computer, and not just files and folders, you must use the Windows Backup and Restore (Windows 7)
tool. Only this tool can create a system state image, which bare-metal recovery uses.
When you configure File History, it creates a backup of the protected content each hour by default. You
can configure File History to create backups more often, with 10 minutes being the shortest length of
time and 24 hours the longest length of time that you can configure. The Windows Backup and Restore
(Windows 7) tool backs up content weekly, every Sunday at 7:00 P.M. by default. You can change the
backup frequency to daily when you use the Backup and Restore (Windows 7) tool, and you can schedule
backups to occur more often when you use Task Scheduler. In contrast, Azure Backup cannot create
backups more often than three times per day.
Both the Backup and Restore (Windows 7) tool and Azure Backup can recover files and folders on the
same computer on which the backup was created, and on different computers. However, File History can
recover files and folders only on the computer on which the backup was created. If you have permissions,
you can access the File History backup folders and restore files manually from any computer, because the
backup that File History performs is file-based.
The following table lists a comparison of the available file recovery options.

Feature                                              File History   Backup and Restore (Windows 7)   Azure Backup
Feature is included in Windows 10                    Yes            Yes                              -
Can protect and restore files and folders            Yes            Yes                              Yes
Can protect and restore data on NTFS volumes         Yes            Yes                              Yes
Can protect and restore data on FAT and ReFS volumes Yes            -                                -
Can create a system state                            -              Yes                              -
Can create more than three backups per day           Yes            Yes                              -
You can recover data on a different computer         -              Yes                              Yes
than that on which it was backed up

Troubleshooting File Recovery Options


Backup copies of files and folders that you want to recover must exist if you want to use file recovery. The
copies must be accessible, and you must have the appropriate tool to recover files and folders. File
History, the Backup and Restore (Windows 7) tool, and Azure Backup do not create backup copies until
you configure them. For example, on the Previous Versions tab in the File Properties dialog box, a
previous version of the file will not be available until File History or the Windows Backup and Restore
(Windows 7) tool creates a backup copy of that file.
If you use Azure Backup, you can store backup copies of files and folders located locally, in a shared
folder, or in Microsoft Azure. Backup copies must be available if you want to perform file recovery. For
example, if you create backup copies on a removable disk, that disk must be attached to your Windows
10 computer if you want to perform file recovery. If backup copies are stored in a shared folder, you must
have network connectivity to the file server, and have permissions to access the shared folder to be able
to recover files. If your backup is stored in Microsoft Azure, you must have the following: Internet
connectivity, the Microsoft Azure Backup program, vault credentials, and a passphrase to be able to perform file
recovery. You always can download current vault credentials from the Microsoft Azure portal.
A passphrase is generated on the computer on which you create a backup, and you use it to encrypt your
backup. You should store your passphrase securely, as you will not be able to recover data without a valid
passphrase. If you want to recover files on a computer other than the one on which you created the
backup, you need to provide vault credentials and a passphrase. You cannot access backup content if you
misplace or lose the passphrase that you used for encrypting backup.
Note: If you cannot access a file backup that is stored remotely, you should use standard network
troubleshooting. You should perform local storage troubleshooting if a file backup is stored locally and
the backup location is not accessible. For example, if the local disk is connected and it displays in Device
Manager and Disk Management, you should look for any disk-related entries in Event Viewer.
File History stores backups in a folder hierarchy. You can restore the backup by using Previous Versions
or File History only on the computer on which the backup was created. If you want to restore files and
folders from a backup on a different computer than that on which you created it, you need to copy and
rename the files and folders manually.

Application Troubleshooting
Lesson Introduction
Most large organizations automate application installations from a central location. However, desktop
support personnel are involved in application deployment during the initial development, and during
troubleshooting of failed installations. Therefore, you must know how to identify why a desktop app
installation fails, and how to resolve any issues that might prevent installation.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe desktop app deployment methods.
●● Discuss desktop app deployment issues.
●● Describe Microsoft 365.
●● Describe the difference between Microsoft 365 apps and desktop apps.
●● Resolve desktop app deployment issues.
●● Troubleshoot Windows Installer issues.
●● Describe how to use AppLocker to control apps.
●● Control desktop app installation with AppLocker policies.

Troubleshooting Windows Installer Issues


Windows 10 uses Windows Installer to perform application installations. Windows 7 and newer Windows
operating system versions all include Windows Installer version 5.0.
If the application you want to install is packaged as an .msi file and is accessible from the target
computer, to install a desktop app you can either double-click the .msi file or run msiexec.exe from an elevated
command prompt. For example, to install an application from a shared folder, run the following
command from an elevated command prompt:
Msiexec.exe /i \\lon-dc1\apps\app1.msi

During application installation, you might receive one of the following error messages:
●● “The Windows Installer Service could not be accessed.”
●● “Windows Installer Service could not be started.”
●● “Could not start the Windows Installer service on the Local Computer.”
One source of Windows Installer issues is applications that do not complete installing or uninstalling. In
some cases, restarting the computer might force the operation to proceed. However, you might need to
reinstall or repair the application before you can remove it. In a worst-case scenario, you might need to
remove an application manually, including its registry entries. To troubleshoot Windows Installer issues,
you can use any one of the following methods:
●● Verify that Windows Installer is functioning by running msiexec at a command prompt.
●● Verify that the Windows Installer service is configured to start manually, and that it starts without
errors.
●● Verify that Windows Installer has the latest updates. This currently is not relevant, as no newer version
exists.
●● Reregister Windows Installer by using the following commands:
- Msiexec /unregister
- Msiexec /register
●● Restart the computer to reset any ongoing installation.
●● Remove any software that might conflict with the software that you are trying to install.
Additional Reading: For more information, refer to: “Released Versions of Windows Installer” at:
http://aka.ms/bp60pk
In rare cases, another application that runs might be preventing the software’s installation or removal.
You can disable services and applications that start automatically, to attempt to identify a problem
application.
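The checks above, followed by an installation that writes a verbose log, can be run together from PowerShell. This is an added example, not course material; it uses the course's sample share \\lon-dc1\apps\app1.msi and a log file under %TEMP%, and the return codes it interprets are the standard Windows Installer ones.

```powershell
# Added example (not course material): verify the Windows Installer service,
# review recent installer events, then install with a verbose log so that a
# failure leaves evidence to read. Run from an elevated PowerShell prompt.

# 1. The Windows Installer service (msiserver) should be Manual start type and
#    must start without errors.
if ((Get-Service -Name msiserver).StartType -ne 'Manual') {
    Set-Service -Name msiserver -StartupType Manual
}
Start-Service -Name msiserver -ErrorAction Stop
Get-Service -Name msiserver | Select-Object Name, Status, StartType

# 2. Installer version: Windows 7 and later ship version 5.0.
(Get-Item "$env:SystemRoot\System32\msi.dll").VersionInfo.ProductVersion

# 3. Recent MsiInstaller events in the Application log usually name the package
#    and the action that failed, including half-finished installs or removals.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller' } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message

# 4. Install silently (/qn) with a full verbose log (/l*v).
$log  = Join-Path $env:TEMP 'app1-install.log'
$proc = Start-Process -FilePath msiexec.exe `
    -ArgumentList "/i `"\\lon-dc1\apps\app1.msi`" /qn /l*v `"$log`"" `
    -Wait -PassThru

# 5. Interpret the exit code (standard Windows Installer return codes).
$meaning = switch ($proc.ExitCode) {
    0       { 'Success' }
    1603    { 'Fatal error during installation; find the failing action in the log' }
    1618    { 'Another installation is in progress; wait for it or restart the computer' }
    1619    { 'Package could not be opened; check the share path and permissions' }
    1620    { 'Package is invalid; the .msi is corrupt or not a Windows Installer package' }
    1641    { 'Success, and the installer has initiated a restart' }
    3010    { 'Success, but a restart is required' }
    default { "See $log" }
}
"msiexec exit code $($proc.ExitCode): $meaning"

# In a 1603 case, the log line 'Return value 3' marks the action that failed;
# the lines before it show what that action was doing.
if ($proc.ExitCode -eq 1603) {
    Select-String -Path $log -Pattern 'Return value 3' -Context 5, 0
}
```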

Resolving Desktop App Deployment Issues


Being able to resolve desktop app deployment issues depends on your understanding of why the
deployment failed. Once you understand why a desktop app is not deploying properly, you then can
determine the correct methods to resolve the issue. The following is a list of methods used for resolving
desktop app deployment issues:
●● Run as administrator. For desktop app installations that do not properly elevate permissions to
perform installation, you can manually elevate permissions by right-clicking the installation file, and
then selecting Run as Administrator.
●● Install the necessary dependencies. If you cannot install a desktop app because of missing
dependencies, then you must install the necessary dependencies. If the missing dependency affects multiple
computers, you need to determine the best way to deploy the missing dependency to all computers.
You might need to update the base image, which you then can deploy with the dependency.
●● Application Compatibility Toolkit (ACT). ACT is a suite of tools that you use to simplify the
installation and execution of earlier applications on newer versions of Windows operating systems. One of
the tools in ACT is Application Compatibility Manager. You use this tool to generate an inventory of
installed applications, and then evaluate whether those applications experience issues when running
on Windows 10. You typically would use ACT during migration to a new operating system. You install
ACT as a part of the Windows Assessment and Deployment Kit.
●● Correct AppLocker configuration. If AppLocker blocks legitimate desktop apps from installing, then
you must adjust the configuration of AppLocker rules.
In the case of automated deployment, the application may install and perform correctly when manually
installed but fail when using an automated deployment method. While the application itself should not
be ruled out, when a manual installation succeeds and the automated installation does not, it is often a
lack of permissions that is preventing the installation. Verify that whatever deployment tool you are using
has the correct permissions required to install the application.
Issues Related to Desktop App Operations


A desktop app operation issue is any situation in which a desktop app does not perform properly from
the user’s perspective. Some of the issues that you or your users might encounter include:
●● Missing application features. In many applications, you can select which features to install. An
application’s default installation options might not include all of the features that a user requires.
●● Missing Windows operating system features. Some applications require Windows operating system
features to function correctly. This includes different versions of Microsoft .NET Framework.
●● Incorrect configuration. An application’s post-installation default settings might not be appropriate.
To fit your needs, you can customize the application’s settings, such as the default locations for saving
files and folders. Some desktop apps also might need open ports in the firewall. Users might not have
access to start all applications, or some file permissions might be insufficient for users to run the
application.
●● Poor performance. Applications might run slower than users expect. This can happen when users
perform a specific task, when devices do not meet the minimum hardware requirements, or during
regular application use.
●● Application errors. Any error that the application displays on the screen is a desktop app operation
issue.
●● Incorrect database connection settings. Some desktop apps use a server database as a data store. If
you do not configure the connection to the database correctly, the application cannot function
correctly.
●● Application blocking by AppLocker. You can configure AppLocker to allow or block applications on
Windows 10 devices. If AppLocker is blocking an approved desktop app, then you must try to resolve
the issue.
Issues with desktop app operations can influence a user’s job performance. Therefore, you must identify
and troubleshoot these issues as quickly and as accurately as possible.
Before you deploy a desktop app, you should put it through a thorough testing process that includes
common user activities. Desktop support staff often perform this testing, but you might want to include
users in this testing process as well. During testing, the desktop app might not function as you expect,
which results in the need for further troubleshooting.
After you deploy a desktop app, users are the most common source for information about issues with
application operations. When you investigate issues with desktop app operations, you can use on-screen
error messages and event logs. In some cases, these messages and logs provide enough information to
resolve the issue. In other cases, you might need to perform more research. Additional research might
include:
●● Searching the vendor’s website.
●● Searching the Internet.
●● Contacting vendor support.
Resolving Issues Related to Desktop App Operations


Your success in resolving an issue with a desktop app operation depends on your accuracy in defining the
issue. Some ways to resolve issues with desktop app operations include the following methods:
●● Install a requested feature. If an application feature that a user requires is missing, then you can
install it. Ultimately, you must determine if other users require that feature as well, and if so,
determine the best way to accommodate them. You might need to update the application’s installation
process or update an operating system image that contains the application.
●● Reconfigure the application. If you configure a desktop app incorrectly, you can reconfigure it so
that it meets the defined specifications. If multiple users require the reconfiguration, you need to
determine the best way to update multiple computers. You might decide to update Group Policy,
update the application deployment process, or update an operating system image that contains the
application.
●● Repair or reinstall the application. If a desktop app is experiencing errors or is unable to start,
repairing the application might resolve the issue. Repairing an application updates the application
files to the correct version, and rewrites the required computer-specific registry entries. It does not
affect user-specific registry entries. If an application repair does not resolve the problem, try
reinstalling the application.
●● Apply application updates. Application updates resolve desktop app operation issues that the
application’s vendor identifies. Installing application updates in a timely manner might prevent some
issues with desktop app operations from occurring in your environment, and might resolve any
performance issues.
●● Upgrade the application to a newer version. Some issues with application operations require you to
upgrade to a newer version of the application. For example, to increase performance and access more
memory, you might need to upgrade an app to a 64-bit version. New features might also be available
in newer versions.
●● Identify performance issues and bottlenecks. Performance issues that users report typically are
vague. You need to define the source of the issue by using tools such as Performance Monitor or
Resource Monitor. Improving performance might be dependent on hardware upgrades, or users
might need to run fewer applications simultaneously on the computer. You also might need to adjust
users’ performance expectations.
●● Reconfigure AppLocker rules. If AppLocker rules are preventing a legitimate desktop app from
running, you must reconfigure those rules to enable the desktop app to run, by using the application
path, the publisher, or the hash value.
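Both the "Correct AppLocker configuration" item in the deployment list and the "Reconfigure AppLocker rules" item above come down to the same questions: is AppLocker the component blocking the app, and which of path, publisher or hash should the corrective rule use. This added example (not course material) answers them from PowerShell; the executable path and the user ADATUM\Don are sample values.

```powershell
# Added example (not course material): determine whether the effective AppLocker
# policy blocks a desktop app for a given user, show the block events, and draft
# an allow rule for review. Run from an elevated PowerShell prompt.
$exe  = 'C:\Program Files\Contoso\App1\App1.exe'   # sample path, constructed
$user = 'ADATUM\Don'                                # sample user from the course domain

# 1. Evaluate the effective policy (local policy merged with Group Policy) for this
#    file and user. PolicyDecision is Allowed, Denied or DeniedByDefault; MatchingRule
#    names the rule that produced the decision, if any.
$policy = Get-AppLockerPolicy -Effective
Test-AppLockerPolicy -PolicyObject $policy -Path $exe -User $user |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 2. Recent AppLocker events. 8004 = EXE/DLL blocked, 8007 = MSI or script blocked;
#    8003 and 8006 are the audit-only equivalents ("would have been blocked").
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script'
foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003, 8004, 8006, 8007 } `
        -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# 3. The three attributes a rule can key on. A publisher rule survives application
#    updates; a hash rule must be replaced with every new build; a path rule is only
#    as trustworthy as the permissions on that path.
Get-AppLockerFileInformation -Path $exe |
    Select-Object Path, Publisher, Hash

# 4. Draft an allow rule as XML: publisher-based when the file is signed, falling
#    back to a hash rule when it is not. Review the XML, then merge it into the
#    policy with: Set-AppLockerPolicy -XmlPolicy <file> -Merge
Get-AppLockerFileInformation -Path $exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User $user -RuleNamePrefix 'App1' -Xml
```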

Resolving Issues Related to Universal Windows Apps


The Windows Store will notify you if there are issues with an application, and in most cases will try to
solve the problem automatically. However, you might experience situations where an application will not
start and the Windows Store cannot solve the problem. This topic will cover some of the most common
issues that you might encounter running Universal Windows apps.
Apps troubleshooter
If you have problems with an application, or if the Windows Store app does not open, you can run the
Apps troubleshooter. This tool can identify and fix problems with Universal Windows apps and the
Windows Store app. It is only available in English, but you can use the tool on PCs that run any language.
Additional Reading: For more information, refer to: “Apps Troubleshooter Download” at:
http://aka.ms/w0hpmh

Additional solutions to the App troubleshooter


If the troubleshooter cannot resolve the issue, we recommend that you try any of the following listed
suggestions:
●● The built-in Administrator cannot run Universal Windows apps. Because of the default configuration,
you cannot run Universal Windows apps when signed in as the built-in Administrator. You must
enable User Account Control: Admin Approval Mode for the Built-in Administrator account for the
built-in administrator to run Universal Windows apps.
●● Enable UAC to run Universal Windows apps. Universal Windows apps can start only if UAC is enabled.
If you have disabled UAC, you need to re-enable it to run Universal Windows apps.
●● The app might be blocked by Windows Firewall. To secure your computer, Windows Firewall blocks
some Universal Windows apps. We recommend configuring Windows Firewall rules for an application
to function properly.
●● The application might be blocked by Group Policy. AppLocker might block the installation and
execution of certain Universal Windows apps. We recommend reconfiguring the AppLocker rules to
allow an application to install and/or execute.
●● Make sure your applications are up to date. If you run into issues with starting Universal Windows
apps, you should first check whether there are any updates to the applications in the Windows Store.
To avoid this issue, you can ensure that application updates are installed automatically.
●● Clear Windows Store cache. If the Windows Store app will not start or the Windows Store app cannot
connect to the store, clearing the Windows Store cache might resolve this issue. You can reset the
Windows Store cache by typing the following command in a command prompt, and then pressing
Enter:
WSReset.exe
●● Synchronize application licenses. If the license for the application you want to start is not
synchronized with the device on which you want to start the application, synchronizing the licenses might
resolve the issue.
Note: Synchronizing application licenses is possible in the Windows 8 and Windows 8.1 version of the
Windows Store app. However, currently (at the time of this writing), this feature is not available in the
Windows Store app in Windows 10.

Reinstall the application


If the above steps have not resolved your issue with starting your Universal Windows app, we
recommend reinstalling the application. To reinstall the application, you must first uninstall it and then open the
Windows Store app to install the application again.
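The two UAC-related causes from the list above can be checked before reinstalling, and the package can be re-registered in place as an intermediate step. This is an added example, not course material; the package name is a placeholder, and the registry values it reads are the ones behind the UAC policy settings named in the text.

```powershell
# Added example (not course material): check the UAC settings that prevent
# Universal Windows apps from starting, then repair a package's registration.
# Run from an elevated PowerShell prompt.
$appName = 'Microsoft.WindowsCalculator'   # placeholder package name to check

# EnableLUA = 0 means UAC is disabled, so no Universal Windows app will start.
# FilterAdministratorToken = 1 is "Admin Approval Mode for the Built-in
# Administrator account"; it matters only when the built-in Administrator signs in.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $policyKey
$uacOn         = ($p.EnableLUA -eq 1)
$adminApproval = ($p.FilterAdministratorToken -eq 1)

# The built-in Administrator account is the one whose SID ends in -500.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$isBuiltInAdmin = ($sid -like 'S-1-5-21-*-500')

if (-not $uacOn) {
    Write-Warning 'UAC is disabled; set EnableLUA to 1 and restart before testing the app again.'
}
if ($isBuiltInAdmin -and -not $adminApproval) {
    Write-Warning 'Signed in as the built-in Administrator without Admin Approval Mode; enable FilterAdministratorToken.'
}

# Package state for the current user. A Status other than Ok (for example
# NeedsRemediation) points at a damaged installation rather than a policy problem.
$pkg = Get-AppxPackage -Name $appName
if (-not $pkg) {
    Write-Warning "$appName is not installed for this user; install it from the Windows Store."
    return
}
$pkg | Select-Object Name, Version, Status

# Re-register the package from its existing install location. This repairs the
# registration without downloading anything; if the app still fails to start,
# uninstall it and reinstall from the Windows Store as the text describes.
$manifest = Join-Path $pkg.InstallLocation 'AppxManifest.xml'
Add-AppxPackage -DisableDevelopmentMode -Register $manifest
```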
Troubleshoot Common Office 365 Issues


Microsoft 365 is easier to install and use. However, you and your users might still run into issues. You
might experience some of the following issues with Office 365:
●● Installation. Verify that the installed Office product is in fact Office 365 as opposed to a
non-subscription version of Office. To do this, open one of the Office applications, select File, and then select
Account. Under Product Information, you should see the text Subscription Product. If the text is
something else, such as Microsoft Office Professional 2013, then you should uninstall the current
version of Office and install Microsoft 365 using the Microsoft 365 installation procedure.
●● Licensing. If a user receives an activation or subscription error in Microsoft 365, you must verify that
the user has an active user account and license for Microsoft 365. In Microsoft 365, you assign
software licenses to user accounts so they can install the product on several devices. Check if the user
has both an active Microsoft Azure Active Directory (Azure AD) user account and a Microsoft 365
license.
●● Activation. Activation of Microsoft 365 usually occurs during installation. To remain activated,
Microsoft 365 connects to the Internet at least once every 30 days. Office goes into reduced functionality
mode when there is an activation issue. In this mode, most commands are unavailable and users see
“product deactivated” messages when they try to use Microsoft 365 applications. The user should try
to reactivate Microsoft 365 from one of the Office applications or access the Microsoft 365 portal to
manage Microsoft 365 installations. Microsoft 365 also contains a script named ospp.vbs that can
display license information.
●● Connectivity. Microsoft 365 connects to the Internet at least once every 30 days to verify the license
status. A successful connection to the website at: http://aka.ms/Mdfgn8 means that you have a
connection to Microsoft 365. If a webpage does not display, check for configurations that might be
preventing the computer from connecting to the Internet, including firewall or proxy server settings.
In addition, you should verify that no firewalls are blocking ports 80 and 443. If you use a proxy server
to obtain Internet access, you can use the bitsadmin tool to verify connectivity.
●● Updates. Microsoft 365 usually downloads and installs updates automatically. You should verify that
Microsoft 365 is set to receive the updates automatically. You can open an Microsoft 365 application,
such as Word, select File, and then select Account. Under Office Updates, you should see the text
Updates are automatically downloaded and installed.
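The connectivity and licensing checks from the list above, collected into one script so they can be run on a problem computer in a single step. This is an added example written for this section, not code from the course or from Microsoft: it uses Test-NetConnection and Invoke-WebRequest in place of the bitsadmin check the text mentions, and the Office16 path to ospp.vbs is an assumption that matches a default Microsoft 365 Apps installation (adjust it if Office is installed elsewhere). The function names are this example's own.

```powershell
# Added example (not from the MD-100 course): quick connectivity and licence
# triage for Microsoft 365 Apps, following the checks in the list above.
# Run from an elevated PowerShell session.

function Test-M365Connectivity {
    param(
        # Host to probe on the ports Microsoft 365 activation needs. The course
        # points at http://aka.ms/Mdfgn8, so its host is used for the TCP checks.
        [string]$TestHost = 'aka.ms'
    )
    $result = [ordered]@{}

    # Activation and licence verification need outbound TCP 80 and 443.
    foreach ($port in 80, 443) {
        $tcp = Test-NetConnection -ComputerName $TestHost -Port $port -WarningAction SilentlyContinue
        $result["TcpPort$port"] = $tcp.TcpTestSucceeded
    }

    # A proxy that the system-wide WinHTTP stack does not know about is a common
    # reason activation fails even though the browser works; show that setting.
    $result['WinHttpProxy'] = ((netsh winhttp show proxy) | Where-Object { $_ -match '\S' }) -join ' '

    # Make the same web request the course names as proof of connectivity.
    try {
        $response = Invoke-WebRequest -Uri 'http://aka.ms/Mdfgn8' -UseBasicParsing -TimeoutSec 15
        $result['HttpStatus'] = $response.StatusCode
    } catch {
        $result['HttpStatus'] = "failed: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

function Get-M365LicenseStatus {
    # ospp.vbs ships with Office. The Office16 folder is an assumption that matches
    # Microsoft 365 Apps; both the 64-bit and 32-bit Program Files locations are tried.
    $candidates = @(
        "$env:ProgramFiles\Microsoft Office\Office16\ospp.vbs",
        "${env:ProgramFiles(x86)}\Microsoft Office\Office16\ospp.vbs"
    )
    $ospp = $candidates | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
    if (-not $ospp) { throw 'ospp.vbs not found; verify that Microsoft 365 Apps is installed.' }

    # /dstatus prints one block per licence. Keep the lines that identify the
    # product and say whether it is LICENSED, in GRACE, or in NOTIFICATIONS mode.
    cscript.exe //nologo $ospp /dstatus |
        Where-Object { $_ -match '^(LICENSE NAME|LICENSE STATUS|REMAINING GRACE)' }
}

Test-M365Connectivity | Format-List
Get-M365LicenseStatus
```

A failed TCP test on 443 with a working browser usually means the browser is using a proxy that WinHTTP is not; in that case the WinHttpProxy line is the first thing to compare against the browser's proxy settings.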

The Application Compatibility Toolkit


Application Compatibility Toolkit (ACT) is a set of tools that you can use to perform an inventory of
applications, analyze compatibility of applications, and mitigate any compatibility issues. Organizations
typically use ACT when planning a new operating system deployment to ensure that all applications
function properly.
ACT includes the following features:
●● The ACT database. This tool contains known application compatibility issues and resolutions.
●● The Compatibility Administrator Tool. This tool provides compatibility fixes (previously known as
shims) that enable earlier application versions to run on newer Windows operating systems.
●● The Setup Analysis Tool (SAT). This tool monitors an application’s installation process and identifies
issues that relate to installation.
●● The Internet Explorer Compatibility Test Tool. This tool monitors web-based applications, and
identifies issues that newer Internet Explorer versions might experience.
390  Module 11 Troubleshooting Files and Apps  

●● The Standard User Analyzer. This tool identifies any issues that relate to running an application as a
standard user.
●● The Update Compatibility Evaluator (UCE). This tool identifies any issues that relate to implementing
new Windows operating system updates.
The majority of functionality that ACT provides is currently available in the Upgrade Analytics solution,
which is part of Microsoft Operations Management Suite (OMS). After you deploy the OMS agent to the
computers on which you want to analyze the applications and enable Windows telemetry, Upgrade
Analytics collects data that is necessary to detect any potential compatibility issues and provides
recommendations regarding their resolution. It also guides you through the process of applying recommended
fixes, provides a searchable inventory of computers and applications, and displays application usage data.
Additional Reading: For details regarding the deployment of the OMS agent, refer to: http://aka.ms/Cjchkp

Troubleshooting Common Internet Explorer Issues


Most issues related to Internet Explorer have a simple resolution. A key part of the resolution process is
identifying the following:
●● Which computers are affected—one computer or all computers?
●● Which users are affected—one user or all users?
●● Where are affected users located—internally, externally, or both?
●● Which versions of Internet Explorer are experiencing the problem?
These questions help you isolate whether a firewall, server configuration, or Internet Explorer
configuration is causing the problem. The following table lists some common ways that you can resolve
problems related to accessing websites and web-based applications.

Issue: Users are unable to access a website.
Resolution: Verify that there is proper network connectivity, and that a firewall or proxy is not blocking
the website.

Issue: Users are prompted for credentials when accessing an internal website that is configured to use
Windows authentication.
Resolution: Verify that users are accessing the website by using a single label name without a domain
name. Also, verify that users are accessing the website from an internal, domain-joined computer.

Issue: Users are unable to use a web-based application because Internet Explorer security or Protected
Mode is blocking required functionality.
Resolution: If the web-based application is from a trusted source, then add the website to Trusted sites.
This disables Protected Mode, and allows many web-based applications to function properly.

Issue: A web-based application is not retaining settings properly between screens or between sessions.
Resolution: Ensure that privacy settings allow the web-based application to set cookies.

Issue: A web-based application is not opening new windows that are required for proper operation.
Resolution: Ensure that Pop-Up Blocker allows the necessary windows to open by adding the website to
the list of allowed sites.

Issue: Internet Explorer runs slower than usual, and might be displaying unusual information on
webpages.
Resolution: Disable any unauthorized add-ons that might be malware.

Issue: Users are unable to view embedded content in a website, such as audio or video.
Resolution: Install the necessary add-on that Internet Explorer requires to display the content.

Issue: Internet Explorer is experiencing unusual problems authenticating to a website or accessing
website content.
Resolution: Clear the Internet Explorer browsing history, including temporary Internet files, cookies, and
passwords.

Issue: Internet Explorer is not displaying updated website content that you know has been updated.
Resolution: Clear the temporary Internet files, and then press the F5 key to refresh the page, or press
Ctrl+F5 to force a refresh of a single website in the cache.

Issue: An older website is not displaying properly in Internet Explorer 11.
Resolution: Enable Compatibility View for the website. This might also be required for some web-based
applications.

Issue: When accessing a secure website with HTTPS, users receive the error “There is a problem with the
website’s security certificate.”
Resolution: If the website is trusted, users can select Continue to this website (not recommended). This
error occurs because the certificate that is installed on the server is not trusted. This might be as a result
of expired certificates, users accessing websites by using the wrong Domain Name System (DNS) name,
or by using self-signed certificates. You can import a self-signed certificate on the client computer to
remove this error.

Issue: Malware is installed as an add-on and you cannot remove it.
Resolution: Reset Internet Explorer settings. This can resolve unexplained problems with Internet
Explorer. However, this also causes the loss of all customizations (such as Favorites), and changes to
other configuration settings. If malware continues to remain on the computer, Internet Explorer might be
infected again.
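Because adding a site to Trusted sites turns off Protected Mode for that site, an administrator will want to know exactly which sites have been placed there, whether by a user or through Group Policy. The following PowerShell audit is an added example, not code from the course: it reads the Internet Explorer zone map from its registry locations (user-added entries under HKCU, Group Policy site-to-zone assignments under the Policies branches) and lists every site assigned to a chosen zone. The function name Get-IEZoneAssignments is this example's own.

```powershell
# Added example (not from the MD-100 course): list the sites assigned to an
# Internet Explorer security zone. The default, zone 2 (Trusted sites), is the
# zone in which Protected Mode is disabled.

function Get-IEZoneAssignments {
    param(
        # Zone id to report: 1 = Local intranet, 2 = Trusted sites,
        # 3 = Internet, 4 = Restricted sites.
        [ValidateSet(1, 2, 3, 4)]
        [int]$Zone = 2
    )
    $zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

    # Sites the user added live under HKCU; sites pushed through the Group Policy
    # "Site to Zone Assignment List" setting live under the Policies branches.
    $roots = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }

        # Layout is Domains\example.com[\host]; each key holds one DWORD per
        # scheme ('http', 'https' or '*') whose data is the zone id.
        Get-ChildItem -Path $root -Recurse | ForEach-Object {
            $key   = $_
            $rel   = ($key.Name -split '\\Domains\\', 2)[1]
            $parts = $rel -split '\\'
            [array]::Reverse($parts)          # domain\host order back to host.domain
            $site  = $parts -join '.'

            foreach ($scheme in $key.GetValueNames()) {
                if ($key.GetValue($scheme) -eq $Zone) {
                    [pscustomobject]@{
                        Site   = $site
                        Scheme = $scheme
                        Zone   = $zoneNames[$Zone]
                        Source = $root
                    }
                }
            }
        }
    }
}

# Every site currently in Trusted sites, where Protected Mode is off.
Get-IEZoneAssignments -Zone 2 | Format-Table -AutoSize
```

Run the same function with -Zone 4 to confirm that sites you intended to restrict are actually in the Restricted sites zone; an entry whose Source is the HKCU Microsoft branch rather than a Policies branch was added by the user, not by policy.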

Troubleshooting Common Microsoft Edge Issues


Microsoft Edge is a new browser introduced in Windows 10. Due to the browser’s newness, you might
see issues where webpages display incorrectly. If the website incorporates technology that Microsoft
Edge does not support, try to open the same page in Internet Explorer. The following table lists some
common ways that you can resolve problems users might have related to the new Microsoft Edge
browser.

Issue: Microsoft Edge loads pages slowly.
Resolution: Try to delete cached files and enable InPrivate Browsing to disable any trackers.

Issue: Some webpages display a “needs Internet Explorer” message.
Resolution: Webpages that use ActiveX, Silverlight, Java, and other similar technologies will more often
show this message. You will need to open the webpage in Internet Explorer to display that webpage.

Issue: Users cannot find favorites or downloads.
Resolution: Internet Explorer favorites are not imported automatically to Microsoft Edge. When you open
Favorites in Microsoft Edge, you can choose to import favorites from Internet Explorer.

Issue: Text in the reading pane is too small.
Resolution: In Settings in Microsoft Edge, you can configure the font and size that you want to use for
the reading pane.

Issue: Ads are not blocked in Microsoft Edge.
Resolution: Install the AdBlock or Adblock Plus extension from Windows Store.

Issue: Webpages cannot be saved with Microsoft Edge.
Resolution: Microsoft Edge does not have the same Save as feature as Internet Explorer 11. You can use
the Web Note annotation tool to save the page to OneNote, or share the page in an email. Windows 10
also includes the Microsoft Print to PDF printer that you can use to save the webpage as a PDF file. In the
reading view, you have the option of saving webpages and PDF files to your reading list.

Issue: Adobe Flash Player is not working.
Resolution: Microsoft Edge comes with Adobe Flash Player preinstalled. By default, Microsoft Edge
prevents Adobe Flash content from loading automatically, requiring action from the user, for example,
selecting the Select-to-Run button.

Practice Labs and Module Review


Module 11 Practice Labs
Lab 1101: Using File History to Recover Files

Summary
In this exercise you will learn how to configure File History and use it to restore previous versions of a
file or folder.

Exercise 1: Configure File History

Scenario
You need to ensure that users can recover deleted files stored in the Documents library on their local
workstations. You decide to validate the File History feature using SEA-CL2. You will create a shared folder
on SEA-SVR1 named FileHistory that will be used as a central location to store file history data.

Exercise 2: Protect Additional Data

Scenario
An additional request has been made to protect specific files being added to SEA-CL2. A script named
CopyUserData.bat has been provided to create the intended folders and copy the required data. The
Data folder needs to be added to the Documents library, and both the Data and Reports folders must be
protected by File History.

Module Review
Check Your Knowledge
1. You are responsible for ensuring that desktop apps are deployed to the Windows 10 computers in
your organization. You need to automate desktop app installation using Windows Installer packages.
You do not need detailed reporting. Which method would be best?
A. Group Policy
B. Microsoft System Center 2012 R2 Configuration Manager (Configuration Manager)
C. Microsoft Intune
D. Remote applications
E. Inclusion in a Windows operating system image
2. You want to identify any potential desktop app deployment issues. You need to inventory installed
applications and then evaluate whether those applications experience issues when running on
Windows 10. What should you do?
A. Configure each application to Run as administrator
B. Run CompatCheck.exe
C. Install the necessary dependencies for all apps
D. Adjust the AppLocker rules
E. Run Application Compatibility Toolkit
3. Users are reporting desktop app operation issues. You create a log and categorize the issues. You
confirm that some users do not have access to a newly deployed application. You suspect file
permissions might be insufficient. What is the most likely cause of this issue?
A. Missing application features
B. Incorrect configuration
C. Poor performance
D. Incorrect database connection settings
E. None mentioned
4. Your organization deployed a new sales desktop app a month ago. A few users are experiencing
issues starting this app. What method should you try first to resolve the issue for these users?
A. Reinstall the application
B. Reconfigure the application
C. Repair the application
D. Upgrade the application to a newer version
5. You are troubleshooting a Windows 10 computer in which the Windows Store app cannot connect to
the store. You ran the Apps troubleshooter but still experience the issue. What should you try next?
A. Clear Windows Store cache.
B. Make sure your applications are up to date.
C. Synchronize application licenses.
D. Configure Windows Firewall rules for an application to function properly.
6. Your organization has a stringent system security policy. AppLocker is used in the organization to
control which users can run certain desktop apps. Which one of the following is not something you
can control with AppLocker?
A. executables
B. scripts
C. Windows Installer files
D. dynamic link-libraries
E. Universal Windows Apps
F. All mentioned can be controlled with AppLocker
7. Your organization uses file servers in order to prevent data loss. You want to synchronize data files
between the file server and user devices even if they are not joined to the domain. Which Windows 10
tool can help you accomplish this?
A. Work Folders tool
B. Folder Redirection
C. Synchronization with OneDrive
D. File History tool
E. Creation of a system image
8. You support a number of Windows 10 computers. You need to configure a recovery option that will
allow you to recover data on a different computer than it was backed up from. Which recovery option
should you choose?
A. Backup and Restore
B. File History
C. Azure Backup
D. Azure Backup and/or Backup and Restore
E. Any Mentioned
Answers: 1) A 2) D 3) B 4) C 5) A 6) F 7) A 8) D
Module 12 Troubleshooting the OS

Troubleshooting Windows Startup


Lesson Introduction
To recover Windows 10 computers that do not start, or to recover those that are starting with errors, you
must recognize what the operating system looks like when it is starting properly. Additionally, a good
working knowledge of the recovery tools that Windows 10 provides should enable you to identify and
resolve problems that relate to startup issues.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the Windows 10 startup architecture.
●● Explain the repair and recovery options available in Windows 10.
●● Describe the available advanced startup recovery tools.
●● Explore the advanced startup environment.
●● Describe the System Restore process in Windows 10.
●● Access the Windows 10 System Restore tool to fix the startup environment.
●● Describe volume activation considerations.
●● Describe the role of the BCD store.
●● Describe BCD configuration settings.

Windows 10 Startup Architecture


The Windows 10 boot loader architecture provides a quick and secure mechanism for starting the
Windows operating system. The boot loader architecture has three main components:
●● The Windows Boot Manager (BOOTMGR). This file resides in the root directory of the volume marked
as active in Disk Management. This drive has no drive letter.
●● The Windows OS Loader (Winload.exe). This file resides in the Windows\System32 folder on the
volume where Windows is installed.
●● The Windows Resume Loader (Winresume.exe). This file is also in the Windows\System32 folder.

Windows Boot Manager


As the computer starts, BOOTMGR loads first, and then reads the Boot Configuration Data (BCD). BCD is a
database of startup configuration information that the hard disk stores in a format similar to the registry.
Note: BCD provides a firmware-independent mechanism for manipulating the boot environment data for
any type of Windows operating system. Windows Vista and later Windows versions use the BCD to load
the operating system or to run boot applications, such as memory diagnostics. Its structure is very similar
to a registry key, although you should not manage it with the Registry Editor (regedit.exe).
BOOTMGR replaces much of the functionality of the NT Loader (NTLDR) bootstrap loader that the
Microsoft Windows XP and earlier versions of the Windows operating system use. BOOTMGR is a separate
entity, and it is unaware of other startup operations in the Windows operating system. BOOTMGR
switches the processor into 32-bit or 64-bit protected mode, prompts the user for which operating
system to load (if multiple operating systems are installed), and starts NTLDR if you have Windows XP or
an earlier version of the Windows operating system installed.

Windows OS Loader
Winload.exe is the operating system boot loader that Windows Boot Manager invokes. Winload.exe loads
the operating system kernel (ntoskrnl.exe) and (BOOT_START) device drivers, which, combined with
BOOTMGR, makes it functionally equivalent to NTLDR. Winload.exe initializes memory, loads drivers that
should start, and then transfers control to the kernel.

Windows Resume Loader


If the BCD contains information about a current hibernation image, BOOTMGR passes that information to
Winresume.exe. BOOTMGR exits and Winresume.exe then starts. Winresume.exe reads the hibernation
image file, and uses it to return the operating system to its pre-hibernation running state.
Note: By default, Windows 10 enables fast startup. When you shut down your Windows 10 device,
Windows stores part of the operating system state into the hiberfil.sys file. When you next start your
Windows 10 device, this state is reloaded during startup. This process is sometimes referred to as Hybrid
Startup. You can configure this behavior through Control Panel. In Power Options, select Change what
the power buttons do, and then select the Turn on fast startup option.

Windows 10 startup process


When you turn on a computer, the startup process loads the BIOS, or on more modern computers, the
Unified Extensible Firmware Interface (UEFI). When it loads the UEFI or the BIOS, the system accesses the
master boot record (MBR) of the boot disk, followed by the boot sector of the drive startup.
The Windows 10 cold startup process has seven steps:
1. The UEFI or BIOS performs a power-on self-test (POST). From a startup perspective, the BIOS enables
the computer to access peripherals such as hard disks, keyboards, and the computer display, prior to
loading the operating system.
2. The computer uses information in the UEFI or BIOS to locate an installed hard disk, which should
contain an MBR. The computer calls and loads BOOTMGR, which then locates an active drive partition
on sector 0 of the discovered hard disk.
3. BOOTMGR reads the BCD file from the active partition, gathers information about the machine’s
installed operating systems, and then displays a boot menu, if necessary.
4. BOOTMGR either transfers control to winload.exe or calls winresume.exe for a resume operation. If
winload.exe selects an earlier operating system, such as Windows XP Professional, then BOOTMGR
transfers control to NTLDR.
5. Otherwise, winload.exe initializes memory and loads drivers that are set to begin at startup. These
drivers (that have a start value of 0 configured in the registry, and are called BOOT_START drivers), are
for fundamental hardware components such as disk controllers and peripheral bus drivers. Winload.exe
then transfers control to the operating system kernel, ntoskrnl.exe.
6. The kernel initializes, and then higher-level drivers load (except BOOT_START and services). During this
phase, you will see the screen switch to graphical mode as the session manager (Smss.exe) initializes
the Windows subsystem.
7. The Windows operating system loads the Winlogon service, which displays the sign-in screen. Once
the user signs in to the computer, Windows Explorer loads.

Windows Secure Boot


Secure Boot is a Windows 10 feature on UEFI-based devices that can help to increase the security of
your device by helping to prevent unauthorized software from running on your device during the startup
process. Secure Boot verifies that each piece of software has a valid digital signature. This verification
applies to the operating system itself.
With Secure Boot on a device, the device checks each piece of software against databases of known good
signatures maintained in the firmware. The firmware will only run software that it deems to be safe by
using this process.
The Windows 10 Secure Boot process requires firmware based on UEFI. The Secure Boot process utilizes
UEFI to prevent unknown or potentially unwanted operating-system boot loaders (such as firmware
rootkits) from launching between the system’s firmware start and the Windows 10 operating system start.
Secure Boot is mandatory for Windows 10, and it greatly increases the integrity of the startup process.
Note: Some desktop computer manufacturers might enable you to disable Windows 10 Secure Boot
through the UEFI. However, this might not be possible on UEFI-based tablet devices that run Windows
10.

Overview of Device Recovery Procedures


In the past, it was a common practice to create backups of all the data on a device, including the
operating system files, apps, and user data. This was because, in the event of a system failure, you would
need all this data to recover the device. However, today things are different:
●● Devices are connected.
●● Apps, if installed locally, are available at all times from the company store or Windows store.
●● User data is no longer only stored locally. Local storage provides faster access and the ability to use
the data in the absence of network connectivity. When connectivity is restored, the local copy of the
data is synchronized and stored on company file servers or in the cloud.
Today, you can recover, reinstall, or upgrade the operating system without affecting apps or user data.
Some situations might require complete replacement of local storage; for example, if the local solid-state
drive (SSD) disk is broken. In such cases, you only have to recover the operating system. You can reinstall
your apps from the stores. You can access your user data at any time from your other devices, and
synchronize it back on the device you recover.
Windows 10 is a device-oriented operating system that includes several features that you can use for
device recovery:
●● Driver Roll Back. A nonintrusive feature that only reverts a device driver to the previous version that
the same device used. This feature is only useful in situations where driver updates cause problems,
but it is very effective.
●● System Protection and System Restore. When turned on, System Protection automatically creates
snapshots, called restore points, before important changes to your device happen. Such changes
could include installation of an app or application of updates. You can also create restore points
manually. Restore points enable you to revert the operating system on your device to a previous
restore point, while leaving user data intact. You can use System Restore from a functioning Windows
10 device, but you can also run System Restore from the recovery environment, as long as the device
storage is accessible.
●● Startup Recovery. This feature detects and automatically corrects Windows 10 startup issues. It is
invoked automatically if the system fails to start up normally three times in a row. You can also invoke
it manually from the recovery environment. This feature is nonintrusive and leaves all device data
intact, but it can repair startup problems only.
●● Reset this PC. This feature enables you to either keep your files and reinstall the operating system, or
remove everything from the device and then reinstall the operating system. Windows 10 provides
considerable improvements to Reset this PC, which combines the functionality of the Refresh your PC
and Reset your PC features that were available in Windows 8 and Windows 8.1. You can run the Reset
this PC feature from the recovery environment.
●● System Image Recovery. This feature completely replaces any data on the device, including the
operating system, settings, and user data, with the information in a system image. To be able to use
this feature, you must create the system image in advance. Unlike the Reset this PC feature, System
Image Recovery does not differentiate between operating system and user data.
●● Command prompt. This is a powerful but nonautomated option. You can start the command prompt
from the recovery environment and then run other built-in commands or third party tools.
After you recover your operating system, you can restore access to your data by doing one of the
following:
●● Signing in to the recovered device, if you use Folder Redirection, Offline Files, or OneDrive for
Business.
●● Restoring the user data by using Azure Backup or the Backup and Restore (Windows 7) tool.

Windows RE
If your Windows computer fails to start correctly, you can use a number of tools to help resolve the
problem. The following topic discusses these tools.
Windows RE is a recovery platform based on the Windows Preinstallation Environment (Windows PE).
Windows RE provides two main functions:
●● Diagnose and repair startup problems automatically.
●● Provide a centralized platform for additional advanced recovery tools.

To access Windows RE


If Windows starts normally, you can access Windows RE by:
●● Selecting Start, Power, then holding SHIFT while selecting Restart.
●● In the Settings App under Update & Security, select Recovery and select Restart now under
Advanced Startup.
●● From a command prompt, run shutdown /r /o
If you cannot successfully boot Windows, you can access Windows RE by:
●● Insert the Windows 10 media, and then start the computer. When prompted, run the Windows 10
media Setup program. After you configure language and keyboard settings, select the Repair your
computer option, which scans the computer for Windows installations and then presents you with a
Choose an option menu. Select Troubleshoot.
●● Some systems will support pressing a function key during boot (such as F11). The previous method of
using F8/SHIFT-F8 is no longer reliable.

Automatic failover
Windows 10 provides an on-disk version of Windows RE. A computer that runs Windows 10 can fail over
automatically to the on-disk Windows RE if it detects a startup failure.
During startup, Windows OS Loader sets a status flag that indicates when the startup process begins.
Winload.exe clears this flag before it displays the Windows sign in screen. If startup fails, the loader does
not clear the flag. Consequently, the next time the computer starts, Windows OS Loader detects the flag,
assumes that a startup failure has occurred, and then launches Windows RE instead of Windows 10.
The advantage of automatic failover to Windows RE Startup Repair is that you might not need to check
the problematic computer when a startup problem occurs.
Note: The computer must start successfully for Windows OS Loader to remove the status flag. If there is
an interruption to the computer’s power during the startup sequence, Windows OS Loader does not
remove the flag, and on the next start it initiates Startup Repair automatically.
Remember that this automatic failover requires the presence of both Windows Boot Manager and
Windows OS Loader. If either of these elements is missing or corrupt, automatic failover cannot function,
and you must initiate a manual diagnosis and repair of the computer’s startup environment.
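A script that reports the startup-environment facts covered in this lesson: the Secure Boot state described under Windows Secure Boot, the fast startup setting noted under Windows Resume Loader, and whether the on-disk Windows RE that automatic failover relies on is registered. This is an added example, not code from the course. It uses the Confirm-SecureBootUEFI cmdlet, the HiberbootEnabled registry value and the reagentc /info command, all of which exist in Windows 10; it must run from an elevated session, and the function name is this example's own.

```powershell
# Added example (not from the MD-100 course): report the state of the startup
# environment described in this lesson. Run from an elevated PowerShell session.

function Get-StartupEnvironmentStatus {
    $status = [ordered]@{}

    # Confirm-SecureBootUEFI (SecureBoot module) returns $true or $false on UEFI
    # firmware. On legacy BIOS machines, or without elevation, it throws instead.
    try {
        $status['SecureBoot'] = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        $status['SecureBoot'] = "Not available: $($_.Exception.Message)"
    }

    # Fast startup (hybrid boot through hiberfil.sys) is controlled by the
    # HiberbootEnabled value under the Session Manager\Power key.
    $powerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
    $hiberboot = (Get-ItemProperty -Path $powerKey -Name HiberbootEnabled -ErrorAction SilentlyContinue).HiberbootEnabled
    $status['FastStartup'] = if ($hiberboot -eq 1) { 'Enabled' } elseif ($hiberboot -eq 0) { 'Disabled' } else { 'Unknown' }

    # reagentc /info reports whether the on-disk Windows RE is registered and where
    # its image lives; automatic failover to Startup Repair depends on this.
    $reInfo = reagentc.exe /info 2>&1 | ForEach-Object { "$_" }
    foreach ($label in 'Windows RE status', 'Windows RE location') {
        $match = $reInfo | Select-String -Pattern $label -SimpleMatch | Select-Object -First 1
        $status[$label] = if ($match) { ($match.Line -split ':', 2)[1].Trim() } else { 'not reported (run elevated)' }
    }

    [pscustomobject]$status
}

Get-StartupEnvironmentStatus | Format-List
```

A device that reports SecureBoot Disabled on UEFI firmware, or a Windows RE status of Disabled, is one on which the protections this lesson describes are not in effect, so those two values are worth checking before troubleshooting a startup failure.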

Advanced Startup Options


Windows 10 provides advanced startup options that you can use to start the operating system in an
advanced troubleshooting mode. In Windows RE, you need to select Troubleshooting, select Advanced
options, and then select Startup Settings.

Boot menu options


The following options are available from the boot menu:
●● Enable debugging. This option starts the Windows operating system in an advanced troubleshooting
mode. Debugging enables you to examine the behavior of the Windows operating system’s device
drivers. This is especially useful if the operating system stops unexpectedly, as it might provide
additional information for driver developers.
●● Enable boot logging. Use this option to create the Ntbtlog.txt file, which can be useful for advanced
troubleshooting. This file lists all drivers that the Windows operating system installs during startup.
●● Enable low-resolution video. This option starts the Windows operating system using your current
video driver, with low resolution and refresh rate settings. Use this mode to reset your display settings.
●● Enable Safe Mode. Use this option to start the Windows operating system with a minimal set of
drivers and services. This is one of the most useful startup options, because it provides access to the
operating system when a high-level service or application prevents a normal startup. This enables you
to perform diagnostics and fix the problem.
●● Enable Safe Mode with Networking. This option starts the Windows operating system in safe mode,
and includes the network drivers and services that you need to access the Internet or other network
computers.
●● Enable Safe Mode with Command Prompt. You use this option to start the Windows operating
system in safe mode with a Command Prompt window, rather than the Windows GUI. You typically
use this when other startup options do not work.
●● Disable driver signature enforcement. This option allows you to install drivers that contain improper
signatures.
●● Disable early launch anti-malware protection. This option prevents low-level anti-malware
protection from running. Early launch anti-malware protection loads an anti-malware driver before all
non-Microsoft boot drivers and applications, to test them and prevent unapproved drivers from
loading.
●● Disable automatic restart after failure. This option prevents the Windows operating system from
restarting automatically if an error causes the operating system to fail. Choose this option only if the
computer loops through the startup process repeatedly by failing to start correctly, and then
attempting another restart.
●● Launch recovery environment. Use this option to start Windows RE. You can use the recovery
environment to trigger the Reset this PC function.
Note: In older versions of Windows, you could use the Last Known Good Configuration startup option to
revert registry settings to the most recent version that worked correctly. The Last Known Good
Configuration startup option is not available in Windows 10.
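The Enable boot logging option above writes Ntbtlog.txt, and reading that file by hand is tedious because Windows appends a new session to it on every logged boot. The following PowerShell is an added example, not code from the course: Enable-BootLogging turns logging on persistently with bcdedit (the equivalent of choosing the menu option at every start), and Get-BootLogSummary parses the file, keeps only the most recent boot session, and separates the drivers Windows loaded from those it reported as not loaded. The sample log at the end is constructed for the example; the line formats it uses are the ones Windows writes. Both function names are this example's own.

```powershell
# Added example (not from the MD-100 course): enable boot logging for the next
# start and summarise an Ntbtlog.txt. Run from an elevated PowerShell session.

function Enable-BootLogging {
    # Same effect as "Enable boot logging" in Startup Settings, but it persists
    # until you run the same command with "no". Applies to the current OS entry.
    bcdedit.exe /set '{current}' bootlog yes
}

function Get-BootLogSummary {
    param([string]$Path = "$env:SystemRoot\ntbtlog.txt")
    $lines = @(Get-Content -Path $Path -ErrorAction Stop)

    # Each logged boot starts with a version banner; keep only the lines after
    # the last banner so the summary describes the most recent start.
    $banner = $lines | Select-String -Pattern '^Microsoft \(R\) Windows \(R\)' | Select-Object -Last 1
    if ($banner -and $banner.LineNumber -lt $lines.Count) {
        $lines = $lines[$banner.LineNumber..($lines.Count - 1)]
    }

    $loaded    = New-Object System.Collections.Generic.List[string]
    $notLoaded = New-Object System.Collections.Generic.List[string]
    foreach ($line in $lines) {
        if ($line -match '^Loaded driver (.+)$') {
            $loaded.Add($Matches[1].Trim())
        } elseif ($line -match '^Did not load driver (.+)$') {
            $notLoaded.Add($Matches[1].Trim())
        }
    }

    # "Did not load" is not always an error: some drivers are demand-started.
    # Compare the list against a known-good log from the same Windows build.
    [pscustomobject]@{
        LoadedCount = $loaded.Count
        NotLoaded   = $notLoaded.ToArray()
    }
}

# Constructed sample log with two boot sessions, so the parser can be tried
# without a real Ntbtlog.txt. Only the second session should be summarised.
$sample = @'
Microsoft (R) Windows (R) Version 10.0 (Build 19041)
 1  1 2021 09:00:00.000
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Did not load driver \SystemRoot\System32\drivers\olddriver.sys
Microsoft (R) Windows (R) Version 10.0 (Build 19041)
 1  2 2021 09:00:00.000
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\hal.dll
Did not load driver \SystemRoot\System32\drivers\example.sys
'@
$samplePath = Join-Path -Path $env:TEMP -ChildPath 'ntbtlog-sample.txt'
Set-Content -Path $samplePath -Value $sample
Get-BootLogSummary -Path $samplePath
```

On a real computer, call Get-BootLogSummary with no arguments after the logged restart; the NotLoaded list is the place to look for the driver that a failed or slow start is waiting on.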

Using the Reset This PC Feature


There are several reasons why a user might want to reset their computer. For example, a user might
choose to reset their Windows 10 computer if it has significant configuration problems or errors, or does
not run correctly. The user might plan to repurpose the computer and give it to a family member. You can
use the Reset this PC feature to reset the computer. The Reset this PC tool reinstalls Windows 10, but
based on your selections, it can preserve computer settings and files. Optionally, the Reset this PC tool
can remove almost everything and leave the computer only with the default Windows 10 installation.

Note: You do not need Windows 10 media to use the Reset this PC feature.
You can access the Reset this PC tool from the Settings app or from Windows RE. In either case, you can
select the option in the Reset this PC tool to preserve your files or to remove everything from the
computer. If you decide to remove everything, you can specify to remove only your files or to clean the
drive fully. When you clean your drive fully, it takes considerably longer. However, it is more secure, since
you cannot recover the deleted files easily. Regardless of your selection, the Reset this PC tool always
preserves the size and names of disk partitions, and it always removes apps and drivers that are not part
of the initial Windows 10 installation.
You can run the Reset this PC tool from the Settings app only as a local user. You do not need to provide
credentials if you run it from the Settings app and you select to preserve your files. The Reset this PC tool
will notify you about the apps that it will remove and that you will need to reinstall manually. If you run
Reset this PC from the Windows RE that is available on a local drive, you will need to select the local user
and provide the user’s credentials. However, you will not be notified about the apps that it will remove. In
either case, the Reset this PC tool will add a list of the removed apps to the local user’s desktop after it
completes the operation.
Although the Reset this PC operation reinstalls Windows 10, with the Keep my files option it preserves
computer settings such as computer name, domain membership, and local users, together with all user
settings and files. In every case it removes device drivers and apps that were not part of the default
Windows 10 installation.

If you run the Reset this PC tool and select to remove everything, and if your computer has more than
one drive, you will be prompted to specify if you want to remove all files from all drives or remove all files
only from the drive where Windows 10 is installed. You also will have to specify whether the Reset this PC
operation should remove your files only, or clean the drive fully. If you select to clean your drive fully, the
Reset this PC operation will overwrite all of the disk space several times before installing Windows 10. You
should select this option if you do not want to recover your files, such as before you sell your Windows
10 computer or give it to a family member for personal use. If you select to remove everything, the Reset
this PC operation removes all apps, configuration, and data that the default Windows 10 installation does
not include.
The following table shows which configuration and settings are preserved when you select different Reset
this PC options.

                                  Keep my files   Just remove my files   Fully clean the drive
  Disk partitions                 Yes             Yes                    Yes
  User settings and files         Yes             -                      -
  Computer settings (such as
    name and domain membership)   Yes             -                      -
  Apps, drivers and printers      -               -                      -
  Rewrite all disk space
    multiple times                -               -                      Yes
Considerations for using the Reset this PC tool with the Keep my files option
Consider the following when you are deciding whether to use the Reset this PC tool with the Keep my
files option:
●● The Keep my files option is not as destructive as the Just remove my files and Fully clean the drive
options. However, although the Reset this PC tool retains your files and settings, it removes all apps
that the default Windows 10 installation did not include.
●● You need a local user with administrative permissions if you start the Reset this PC tool with the Keep
my files option from the Windows RE that is available from the local drive. If you start the Reset the
PC tool with the Keep my files option from Windows 10 media, anyone with physical access to the
computer can utilize the Reset this PC tool’s functionality.
●● You must reinstall any apps and reapply any updates that were made since the computer was first
installed with Windows 10.
●● You do not need a backup or Windows 10 media to perform the Reset this PC function with the Keep
my files option, which is different from the System Image Recovery option.
Using the Reset this PC tool with the Just remove my files or Fully clean the drive options
You should consider the following when deciding whether to use the Reset this PC tool with the Just
remove my files or Fully clean the drive options:
●● The Reset this PC tool removes all of your Windows Store apps and desktop apps. Only the apps that
the default Windows 10 installation includes will be available on the computer.
●● You do not need any special permissions to use Reset this PC with the Just remove my files or Fully
clean the drive options.
●● Your files, settings, and computer configuration settings are set to their initial, post-installation state.
For example, the computer will have a generated name of the form DESKTOP- followed by a random string,
and it will be in a workgroup.

●● You must reinstall any apps and reapply any updates that were made since the computer was first
installed with Windows 10.
●● You do not need a backup or Windows 10 media to perform Reset this PC with the Just remove my
files or Fully clean the drive options, which is different from the System Image Recovery option.

Overview of System Restore


Windows 10 enables System Restore features automatically. System Restore takes snapshots of your com-
puter system, and then saves them as restore points. These restore points represent a point in time for
the computer’s configuration when it was running successfully. Using System Restore does not affect user
data.
After you enable System Restore points, Windows 10 creates them automatically when the following
actions occur:
●● You install a new application or driver.
●● You uninstall certain programs.
●● You install updates.
Windows 10 also creates System Restore points:
●● Manually, whenever you choose to create them.
●● Automatically, once daily.
●● Automatically, if you choose to use System Restore to restore to a previous point in time.
In this last instance, System Restore creates a new restore point before it restores the system to a previ-
ous state. This provides you with a recovery option should the restore operation fail or result in issues.
However, no restore point for the current state is created when you run System Restore from safe mode
or from Windows RE.
Perform driver rollbacks
You might use System Restore when you install a device driver that results in a computer that is unstable,
or that fails to operate entirely. Earlier Windows operating systems had a mechanism for driver rollback,
but it required the computer to start successfully from safe mode. With Windows 10 computers, you can
use System Restore to roll back drivers by accessing the System Restore points, even when the computer
does not start successfully.
Protect against accidental deletion of programs
System Restore also provides protection against accidental deletion of programs. When you add or
remove programs, System Restore creates restore points, and keeps copies of application programs (file
names with an .exe or .dll extension). If you accidentally delete an executable (.exe) file, you can use
System Restore to recover the file by selecting a recent restore point prior to when you deleted the
program.
Note: If you use System Restore to restore your computer to a previous point in time, be aware that it
might affect connectivity to the computer’s domain. Specifically, if the computer account’s password has
changed since the restore point was created, the restored computer holds the old password and will be
unable to establish a secure channel with the domain. In this instance, you must reset the computer’s
secure channel with the domain. You can do this by using the Windows PowerShell
Test-ComputerSecureChannel -Repair or Reset-ComputerMachinePassword cmdlets.
You also can use the Netdom command-line tool (netdom resetpwd), or reset the computer account in
Active Directory Users and Computers and then rejoin the computer to the domain.
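The secure-channel repair described in the note above, as an added PowerShell example that is not part of the course text. It assumes an elevated Windows PowerShell session on the restored, domain-joined client; the domain name contoso.com, the domain controller dc01 and the account CONTOSO\Administrator are placeholders.

```powershell
# Added example (not part of the course text): check and repair the domain
# secure channel after a System Restore rolled back the machine-account password.
# Assumes an elevated Windows PowerShell session on the restored, domain-joined
# Windows 10 client. contoso.com, dc01 and CONTOSO\Administrator are placeholders.

$domain = 'contoso.com'                            # placeholder domain name
$cred   = Get-Credential 'CONTOSO\Administrator'   # account allowed to reset the computer object

# 1. Diagnose: does the secure channel to a domain controller still work?
#    A mismatched machine-account password shows up here as $false.
$healthy = Test-ComputerSecureChannel -Verbose
if ($healthy) {
    Write-Host 'Secure channel is healthy; nothing to repair.'
    return
}

# 2. Repair in place. This re-establishes the secure channel without leaving
#    the domain, so the computer keeps its SID, group memberships and GPO links.
#    -Repair needs a domain account that can reset the computer's password.
$repaired = Test-ComputerSecureChannel -Repair -Credential $cred -Verbose
if (-not $repaired) {
    # 3. Fallback: force a new machine-account password and push it to a DC.
    Reset-ComputerMachinePassword -Server "dc01.$domain" -Credential $cred
}

# 4. Re-check. Secure-channel trouble is also visible in the System log
#    (source NETLOGON, event ID 5719 when no DC can be contacted).
Test-ComputerSecureChannel

# Equivalent with the netdom command-line tool, from an elevated prompt:
#   netdom resetpwd /server:dc01.contoso.com /userd:CONTOSO\Administrator /passwordd:*
```

Prefer the in-place repair over leaving and rejoining the domain: rejoining creates a new computer object only if the old one is deleted, and either way it loses the client's group memberships and any certificates or BitLocker recovery information tied to the object.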

Additional Recovery Tools in WindowsRE


In addition to the Reset this PC and System Restore options, Windows RE provides additional recovery
tools that you can use to help recover your computer’s startup environment. When you launch Windows
RE, select Troubleshoot, and then select Advanced options, you can access the following tools:
●● System Restore
●● System Image Recovery
●● Startup Repair
●● Command Prompt
●● Go back to the previous build

System Restore
As covered in the previous topic, System Restore is also available in the Advanced Options menu.

System Image Recovery


The System Image Recovery tool replaces your computer’s current operating system with a complete
computer backup that you created previously, and which you stored as a system image (for example, by
using Backup and Restore (Windows 7) in Control Panel). You can use this tool only if you created such a
system image beforehand. You should use this tool only if other methods of recovery are unsuccessful,
because this recovery method is intrusive and overwrites everything on the restored volumes.

Startup Repair
The Startup Repair tool in Windows RE provides a simple and effective way for you to resolve most
common startup problems. The following sections describe the Startup Repair tool functions:
●● Replace or Repair Disk Metadata. Disk metadata consists of several components, including the boot
sector and the MBR. If these files are missing or corrupt, the startup process fails. If you suspect that
an issue has damaged or deleted these files, use Startup Repair to check for problems with the disk
metadata. Automatic Repair then checks, and if necessary, repairs the disk metadata automatically.
Damage to the disk metadata often occurs because of unsuccessful attempts to install multiple
operating systems on a single computer. Another possible cause of metadata corruption is a virus.
●● Repair Boot Configuration Settings. Windows XP and earlier Windows operating system versions
stored the boot configuration information in Boot.ini, a simple text file. However, Windows 10 uses a
BCD store that is in the \Boot folder of the active (system) partition on BIOS-based computers, or on
the EFI system partition on UEFI-based computers.
●● If the boot configuration data is damaged or deleted, the operating system fails to start. The Startup
Repair tool then checks, and if necessary, rebuilds the BCD by scanning for Windows installations on
the local hard disks, and then storing the necessary BCD.
●● Resolve Incompatible Driver Issues. Installing a new hardware device and its associated device driver
often causes Windows operating systems to start incorrectly.
The Automatic Repair tool performs device driver checks as part of its analysis of your computer. If
Automatic Repair detects a driver problem, it uses System Restore points to attempt a resolution by
rolling back the configuration to a known working state.

Note: Even if you do not create restore points manually in Windows 10, installing a new device driver
automatically causes Windows 10 to create a restore point prior to the installation.
The Startup Repair tool should be your primary startup recovery mechanism. It is the least invasive and
requires the least manual configuration following recovery.

Command Prompt
Windows 10 uses the Command Prompt window from the Windows RE tool set as its command-line
interface. The Command Prompt tool is more powerful than the Recovery Console command-line
interface from earlier Windows operating system versions. The Windows RE Command Prompt features
are similar to the Command Prompt window that is available when Windows 10 runs normally and
enables you to:
●● Resolve problems with a service or device driver. If a computer runs Windows 10 and experiences
problems with a device driver or a Windows service, use the Windows RE Command Prompt window
to attempt a resolution. For example, if a device driver fails to start, use a command prompt to install
a replacement driver or disable the existing driver from the registry. If the Netlogon service fails to
start, at the command prompt, type Net Start Netlogon. You also can use the SC tool (SC.exe)
command-line tool or the Windows PowerShell start-service and stop-service cmdlets to start and
stop services.
●● Recover missing files. The Windows RE Command Prompt tool enables you to copy missing files to
your computer’s hard disk from original source media, such as the Windows 10 product DVD or USB
flash drive.
●● Access and configure the BCD. Windows 10 uses a BCD store to retain information about the operat-
ing systems that you install on the local computer. You can access this information by using the
command-line tool BCDEdit.exe at the command prompt. You also can reconfigure the store, if
necessary. For example, you can reconfigure the default operating system on a dual-boot computer
with the bcdedit /default {id} command, where {id} is the identifier that bcdedit /enum shows for
the entry.
●● Repair the boot sector and MBR. If the boot sector or MBR on the local hard disk is damaged or
missing, a computer that runs Windows 10 will fail to start successfully. You can launch the
Bootrec.exe program at the command prompt to resolve problems with the disk metadata.
●● Run diagnostic and troubleshooting tools. The Command Prompt tool provides access to many
programs that you can access from Windows 10 during normal operations. These programs include
several troubleshooting and diagnostics tools, such as the registry editor (Regedit.exe), a disk and
partition management tool (Diskpart.exe), and several networking configuration tools (Net.exe,
Ipconfig.exe, and Netcfg.exe). Another option is to load Task Manager (Taskmgr.exe), which you can
use to determine which programs and services are running currently.
Note: Windows PE is not a complete operating system. Therefore, when you use the Command Prompt
tool in Windows RE, remember that not all programs that work in a Windows operating system will work
at the command prompt. Additionally, because there are no sign-in requirements for Windows PE and
Windows RE, Windows restricts the use of some programs for security reasons, including many that
administrators typically run.

Go back to the previous build


If you have serious issues after a recent update of the Windows 10 build, you can use this option to
return to the previous Windows 10 build. As with other Windows RE tools, you need to provide adminis-
trative credentials if you want to use this option. If you revert to the previous Windows 10 build, it will not
affect your personal files, but it will not preserve any changes that you made to applications and settings
since the most recent update.

Windows 10 BCD Store


The Windows 10 BCD store is an extensible database of objects and elements that can include informa-
tion about a current hibernation image, and special configuration options for starting Windows 10 or an
alternate operating system. The BCD store provides an improved mechanism for describing boot configu-
ration data for new firmware models.
During startup, the boot sector loads BOOTMGR, which in turn accesses the BCD store, and then uses
that information to display a startup menu to the user (if multiple boot options exist), and to load the
operating system. These parameters were previously in the Boot.ini file (in BIOS–based operating sys-
tems) or in the nonvolatile random access memory (NVRAM) entries in operating systems based on an
Extensible Firmware Interface (EFI).
However, Windows 10 replaces the boot.ini file and NVRAM entries with the BCD store. The store is more
versatile than boot.ini, and it can apply to computer platforms that do not use BIOS to start the comput-
er. You also can apply the BCD store to firmware models, such as computers that are based on EFI.
Windows 10 stores the BCD as a registry hive. For BIOS–based systems, the BCD registry file is in the
active partition \Boot directory. For EFI–based systems, the BCD registry file is on the EFI system partition.

Configuring the BCD Configuration Settings


Depending on what you want to change, you can use the following tools to modify the BCD store:
●● Startup and Recovery. The Startup and Recovery dialog box enables you to select the default operat-
ing system, if you have multiple operating systems installed on your computer. You also can change
the time-out value. You can find these settings on the Advanced tab in the System Properties dialog
box.
●● The System Configuration tool (MSConfig.exe). MSConfig.exe is an advanced tool that enables you to
select the following startup options:
●● Safe boot. Enables you to select:
●● Safe boot: Minimal. On startup, Windows Explorer opens in safe mode, which means it runs
only critical system services. Networking is disabled.
●● Safe boot: Alternate shell. On startup, this option opens a Command Prompt window in safe
mode, and runs only critical system services. Networking and Windows Explorer are disabled.
●● Safe boot: Active Directory repair. On startup, this option opens Windows Explorer in safe
mode, and runs only critical system services and Active Directory Domain Services (AD DS). It is
intended for domain controllers and performs no additional function on a client operating system.
●● Safe boot: Network. On startup, this option opens Windows Explorer in safe mode, and runs
only critical system services. Networking is enabled.
●● No GUI boot. Does not display the Windows startup animation when starting.
●● Boot log. Records startup information into a log file.
●● Base video. Uses a generic video display adapter driver.
●● Advanced options:
●● Debug. Enables kernel-mode debugging for device driver development.

●● Number of processors. Limits the number of processors used on a multiprocessor system.


●● Maximum memory. Artificially limits the available random access memory (RAM).
●● BCDEdit.exe. You can use BCDEdit.exe to change the BCD. This advanced tool is beyond the scope of
this course and included only for reference. Typical reasons to manipulate the BCD with BCDEdit
include:
●● Adding a new hard disk to your Windows 10 computer and changing the logical drive numbering.
●● Installing additional operating systems on your Windows 10 computer to create a multiboot
configuration.
●● Deploying Windows 10 to a new computer with a blank hard disk, requiring you to configure the
appropriate boot store.
●● Performing a backup of the BCD.
●● Restoring a corrupted BCD.
Note: BCDEdit.exe replaces Bootcfg.exe in previous Windows operating system versions.
●● BootRec.exe. You use BootRec.exe with the /rebuildbcd option to rebuild the BCD. You must run
Bootrec.exe in Windows RE. If rebuilding the BCD does not resolve the startup issue, you can export
and delete the BCD, and then run this option again. By doing this, you ensure that the BCD rebuilds
completely.
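The BCDEdit and Bootrec operations listed above, as an added example that is not part of the course text. The first part runs in an elevated PowerShell session on a working Windows 10 computer (in PowerShell, {current} must be quoted so that the braces reach bcdedit intact); the commented second part is typed into the Windows RE Command Prompt. The backup path and the drive letters are placeholders.

```powershell
# Added example (not part of the course text): common BCD operations with
# BCDEdit, and the Windows RE rebuild sequence with Bootrec. Part 1 runs in an
# elevated PowerShell session on a working system; part 2 (comments) is typed
# into the Windows RE Command Prompt. D:\Backup and the drive letters are placeholders.

# --- Part 1: inspect and back up the store before touching it ---------------
bcdedit /enum all                                     # every object and element in the store
bcdedit /export "D:\Backup\BCD-$(Get-Date -Format yyyyMMdd).bak"   # restore later with bcdedit /import

# Changes normally made through Startup and Recovery or MSConfig.
# '{current}' is quoted: unquoted braces are a script block to PowerShell.
bcdedit /timeout 10                                   # seconds the boot menu is displayed
bcdedit /default '{current}'                          # or the {identifier} shown by /enum
bcdedit /set '{current}' bootlog Yes                  # MSConfig "Boot log": writes %SystemRoot%\Ntbtlog.txt
bcdedit /set '{current}' safeboot network             # next start = Safe Mode with Networking

# After troubleshooting, clear the flags or the computer keeps starting in safe mode:
bcdedit /deletevalue '{current}' safeboot
bcdedit /deletevalue '{current}' bootlog

# --- Part 2: Windows RE, rebuild a damaged store (BIOS/MBR layout) -----------
# 1. Non-destructive repairs first:
#      bootrec /fixmbr
#      bootrec /fixboot
#      bootrec /scanos
#      bootrec /rebuildbcd
# 2. If /rebuildbcd reports "Total identified Windows installations: 0" or the
#    store is corrupt, move the old store aside and rebuild it completely.
#    In Windows RE the system partition is not always C:; confirm the letter
#    with diskpart (list vol) first.
#      bcdedit /export C:\BCD_Backup
#      attrib C:\boot\bcd -h -r -s
#      ren C:\boot\bcd bcd.old
#      bootrec /rebuildbcd
# 3. On a UEFI system the store is on the EFI system partition. Assign it a
#    letter in diskpart (select the FAT32 system volume, then: assign letter=S)
#    and regenerate the boot files and store from the installed Windows:
#      bcdboot C:\Windows /s S: /f UEFI
```

Always take the export before any /set or /deletevalue; a typo in an element name does not fail loudly, and /import of the backup is the fastest way back to a bootable configuration.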

Troubleshooting Windows Updates


On occasion, an update can introduce reliability or performance problems after you install it on a com-
puter. In these situations, you must remove the update that has caused the problem.

Test updates
To avoid issues with feature upgrades and servicing updates, you should perform extensive testing before
installing the updates on your Windows 10 devices. If you configure the majority of your devices for
Semi-Annual Channel, you have a period to test upgrades on computers configured for Semi-Annual
Channel (Targeted). The fastest way to test new upgrades is to sign up as a Windows Insider. As a Win-
dows Insider, you have access to new upgrades before devices configured for Semi-Annual Channel get
the upgrades. If you are using a management system such as WSUS to approve upgrades, you can defer
upgrades for an additional time to test the upgrades.

Uninstall updates
The simplest way to remove a problematic update is to uninstall it. To remove an update:
1. Open the Settings app, select Update & security, select Windows Update, select Update history,
and then select Uninstall updates.
2. Right-click the suspect update, and then select Uninstall.

Uninstall drivers
If you suspect a driver to be problematic, you can uninstall the driver. To uninstall an unwanted driver:
1. Open Device Manager.
2. Locate the device that has the problem driver installed, right-click it, and then select Uninstall
device.
3. In the Uninstall Device dialog box, select the Delete the driver software for this device check box, if
available, and then select Uninstall.

Use System Restore


If you are unsure which update has caused a problem, you can use System Restore to restore the com-
puter’s configuration to an earlier point in time. However, this can potentially remove many updates.
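The update and driver removal steps above, as an added PowerShell example that is not part of the course text. It creates a restore point first (Checkpoint-Computer is subject to the same one-per-24-hours throttle as automatic restore points), lists the most recent updates and third-party driver packages, and removes one of each. It assumes an elevated Windows PowerShell 5.1 session; the KB number 5000001 and the driver package name oem12.inf are placeholders to be replaced with values from the listings.

```powershell
# Added example (not part of the course text): create a restore point, then
# remove a suspect update or driver from the command line instead of through
# Settings or Device Manager. Assumes an elevated Windows PowerShell 5.1 session.
# KB5000001 and oem12.inf are placeholders; take the real values from the listings.

# 0. Make sure there is something to go back to before changing anything.
#    Windows throttles restore-point creation to one per 24 hours by default.
Enable-ComputerRestore -Drive 'C:\'
Checkpoint-Computer -Description 'Before removing update' -RestorePointType MODIFY_SETTINGS
Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description

# 1. Which updates arrived most recently? Start suspecting the newest ones.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn

# 2. Uninstall a quality update by KB number. /quiet suppresses the prompt and
#    /norestart lets you finish other work before the required restart.
$kb = '5000001'   # placeholder KB number
Start-Process -FilePath wusa.exe -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait

#    Some cumulative updates are not removable with wusa; find the package
#    name with DISM and remove it instead:
#      dism /online /get-packages /format:table
#      dism /online /remove-package /packagename:<name from the list>

# 3. Third-party drivers: list the packages in the driver store, newest first.
Get-WindowsDriver -Online | Sort-Object Date -Descending |
    Select-Object -First 10 Driver, ProviderName, ClassName, Date, Version

#    Delete the suspect package. /uninstall also removes it from devices that
#    currently use it, the command-line equivalent of "Delete the driver
#    software for this device" in Device Manager; Windows then falls back to
#    the next best driver in the store or the in-box driver.
$oem = 'oem12.inf'   # placeholder: the "Published Name" (Driver column) from the listing
pnputil /delete-driver $oem /uninstall /force
```

Check the restore-point list again after the change: if the driver package came with its own installer, that installation also created a restore point, which is the cleanest point to return to if the removal makes things worse.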

Troubleshooting Operating System Service Issues
Lesson Introduction
Failures of an operating system service often result in problems that are not severe enough to prevent
the computer from starting, but are enough to restrict functionality. Therefore, it is important that you
understand how to identify and resolve service-related startup problems.
BitLocker helps protect lost or stolen computers from data theft or exposure and offers more secure data
deletion when computers are decommissioned. Data on a lost or stolen computer is vulnerable to
unauthorized access, either by running a software attack tool against it, or by transferring the computer's
hard disk to a different computer. BitLocker helps mitigate unauthorized data access on lost or stolen
computers by combining two major data-protection procedures: encrypting the entire Windows operat-
ing system volume on the hard disk, and verifying the integrity of early boot components and boot
configuration data. Fixed and removable data volumes can be encrypted as well.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe operating system services.
●● Identify failed services by using Windows 10 tools.
●● Explain how to use tools and utilities to disable services.
●● Describe BitLocker.
●● Explain how BitLocker works with Trusted Platform Modules (TPMs).
●● Explain how to recover a BitLocker-encrypted drive.

Operating System Services


To troubleshoot system service issues, you must understand the differences between the three groups
of components that can be involved: software applications, operating system services, and hardware
devices with their associated device drivers.
Applications operate at a high level through personalization by the user, and at a lower level by integrat-
ing with the operating system. You install applications after you install the operating system, and you
must start applications manually to use them.
Operating system services are part of the operating system rather than something that you install after
the operating system deploys. Additionally, operating system services function with no user action. In
fact, they start before a user signs in to the computer.
The difference between operating system services and device drivers is that device drivers interact
directly with hardware devices or components, while generally an operating system service interacts with
other software components in the operating system. From a management perspective, the difference
between device drivers and operating system services is more obvious. You use Device Manager to
manage device drivers, and you use the services Microsoft Management Console (MMC) snap-in to
manage system services.

Identifying Failed Services


When troubleshooting a computer that has problems with its operating system services, the operating
system might return an error after you sign in to the computer. This error message might indicate that a
service failed to start.
Windows 10 provides several tools that can help you determine which operating system service failed to
start correctly. Because some services are dependent on other services or drivers to start successfully, you
should consider that the failure of one service might cause the failure of another service.

Event Viewer
Event Viewer provides access to the Windows logs, and to applications and services logs.
The Windows logs files provide the following information:
●● Application log. The application log contains events that applications generate. For example, a
database program records a file error in the application log, and the program developer decides
which events to record.
●● Security log. The security log records security events, such as valid and invalid sign-in attempts, and
events related to resource use such as creating, opening, or deleting files. An administrator specifies
which events Windows 10 records in the security log by creating a domain-wide audit policy.
●● System log. The system log contains events that the system components in Windows 10 generate.
For example, if a driver or other system component fails to load during startup, Windows 10 records
this failure in the system log. Windows 10 predetermines the event types that the system components
log.
When you troubleshoot startup problems with services, pay special attention to error events that the
system log records. All users can access the application and system logs, but only members of the local
Administrators group can use the security log. If you encounter problems with service startup, examine
the system and application logs for related events.
Windows 10 logs the following three events:
●● Information events
●● Warning events
●● Error events

Log files
In addition to the logs accessible from Event Viewer, Windows 10 records other events in other log files.
For example, you can use MSConfig.exe to configure Windows 10 to record a boot log file when it starts.
The boot log file, Ntbtlog.txt, is stored in the Windows folder. It contains a list of all drivers and some
services that start during the boot process. If a problem occurs with a service, activate boot logging, and
then examine the log.

Stop codes
If the Windows 10 operating system experiences a system failure, it might display a stop code on a blue
screen. The stop code might contain the name of the device driver or service that is causing the system
failure and might contain information to help you diagnose the reason for the failure. Windows 10 also
records information about the failure in a memory dump file: a complete or kernel memory dump is
written to %SystemRoot%\MEMORY.DMP, and small memory dumps are written to
%SystemRoot%\Minidump. The dump type and location are configured in the Startup and Recovery
dialog box. Examine the contents of the memory dump file with a debugger such as WinDbg to help
determine the reason for the system failure.

Action Center
Action Center is a consolidated tool that enables you to track and repair reported problems. You also can
configure Action Center to determine how your computer reports problems. Additionally, you can use
Action Center to examine problems that Windows reports.

Disabling Services
After you determine which service is causing the startup problem, you can disable it. Depending on the
circumstances, you can disable a service in one of several ways:

Safe mode
If the Windows 10 computer does not start normally, try to start the computer in safe mode. You can
access safe mode from the Startup Settings menu in Windows RE (Troubleshoot, Advanced options,
Startup Settings), and you also can activate safe mode for the next restart from MSConfig.exe. In safe
mode, a minimal set of services load during the startup process.
However, these services are sufficient to load the operating system. You then can troubleshoot the service
startup problem using standard Windows operating system tools such as Control Panel, Computer
Management, Registry Editor, the services MMC snap-in, and Event Viewer.

Command Prompt recovery tool


If you can start the operating system either normally or in safe mode, you can access the Command
Prompt. If you cannot start the operating system, you can access the Command Prompt from Windows
RE. In Windows RE, from the Command Prompt, use either the net command or SC.exe to start, stop,
activate, and disable services manually.

System Configuration tool


Use the System Configuration tool (MSConfig.exe) to specify which services you want to run on startup.
MSConfig.exe displays a list of services that start automatically, and you can selectively disable services.
You also can use this tool to start the computer in safe mode, and to configure additional startup charac-
teristics while you troubleshoot the computer. To run the System Configuration tool, you must sign in
with administrative rights.
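An added PowerShell example (not from the course) that combines the Identifying Failed Services and Disabling Services topics above: it pulls Service Control Manager errors from the System log, shows the dependency chain of each failed service, and disables the culprit. It assumes an elevated Windows PowerShell 5.1 session; the service name BadSvc is a placeholder.

```powershell
# Added example (not part of the course text): find services that failed during
# startup from the System log, walk their dependencies, and disable the culprit.
# Assumes an elevated Windows PowerShell 5.1 session. 'BadSvc' is a placeholder.

# 1. The Service Control Manager logs startup failures to the System log:
#    7000 = service failed to start, 7001 = a service it depends on failed,
#    7023 = service terminated with an error, 7034 = service crashed unexpectedly.
$scmEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7001, 7023, 7034
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$scmEvents |
    Select-Object TimeCreated, Id,
        @{ n = 'Service'; e = { $_.Properties[0].Value } },   # first insertion string = service display name
        Message |
    Format-Table -AutoSize -Wrap

# 2. A 7001 usually means the dependency is the real problem. Show the chain
#    for every service named in the events so the root cause stands out.
$names = $scmEvents | ForEach-Object { $_.Properties[0].Value } | Sort-Object -Unique
foreach ($name in $names) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) { $svc = Get-Service -Name $name -ErrorAction SilentlyContinue }
    if (-not $svc) { continue }
    '{0} [{1}] start type {2}, status {3}' -f $svc.DisplayName, $svc.Name, $svc.StartType, $svc.Status
    $svc.RequiredServices | ForEach-Object {
        '    requires {0} [{1}] -> {2}' -f $_.DisplayName, $_.Name, $_.Status
    }
}

# 3. Stop the offending service and keep it from starting at the next boot.
#    Record the previous start type so the change can be reverted later.
$culprit = 'BadSvc'   # placeholder: the service name, not the display name
$before  = (Get-Service -Name $culprit).StartType
Stop-Service -Name $culprit -Force -ErrorAction SilentlyContinue
Set-Service  -Name $culprit -StartupType Disabled
"$culprit was $before, now $((Get-Service -Name $culprit).StartType)"

# Same change from a command prompt. On the running system sc.exe is enough
# (the space after 'start=' is required). From the Windows RE Command Prompt,
# sc.exe would configure the RE image, so edit the offline SYSTEM hive instead
# (check HKLM\Offline\Select\Current to pick the right ControlSet; 4 = Disabled):
#   sc config BadSvc start= disabled
#   reg load HKLM\Offline C:\Windows\System32\config\SYSTEM
#   reg add HKLM\Offline\ControlSet001\Services\BadSvc /v Start /t REG_DWORD /d 4 /f
#   reg unload HKLM\Offline
```

Disabling a service that other services require will move the failure rather than remove it; the dependency listing in step 2 is the check to make before step 3.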

Recovering a BitLocker-Encrypted Drive


When a BitLocker-enabled computer starts, BitLocker checks the boot environment for conditions that
might indicate a security risk, such as changes to the early boot components that the TPM measures. If
BitLocker detects such a condition, it does not unlock the system drive and instead enters recovery
mode. When a computer enters recovery mode, the user must enter the correct recovery password to
continue. The recovery password is linked to a particular encrypted volume and not to an individual user,
and it typically does not change.
You should save the recovery information either on a USB flash drive or in AD DS, using one of these
formats:
●● A 48-digit number divided into eight groups. During recovery, type this password at the BitLocker
recovery screen (on older firmware that does not accept the number keys, use the function keys F1 to
F10 for the digits 1 to 9 and 0).
●● A recovery key in a file format that the BitLocker recovery screen can read directly from a USB flash
drive.

Scenarios where recovery is likely


There are a number of situations where BitLocker recovery might become necessary, including:
●● Switching the computer's encrypted hard drive to another computer.
●● Making the BitLocker-encrypted drive subordinate to another computer to recover its data.
●● Turning the computer off during the encryption process.
●● Updating the computer’s firmware.
●● Changing the device boot order in the computer’s firmware (BIOS or UEFI) settings.

Locating a BitLocker recovery password


The BitLocker recovery password is a 48-digit password that unlocks a system in recovery mode. The
recovery password is unique to a particular BitLocker encryption, and you can store it in AD DS. The
recovery password will be required if you move the encrypted drive to another computer, or if changes
are made to the system startup information.
Note: This password is very important. We recommend that you make additional copies of the password,
and then store them in safe places to ensure access to your data. Microsoft does not have any access or
work-around for a lost key.
If BitLocker enters a locked state, you will need the recovery password to unlock the encrypted data on
the volume. A recovery password is unique to a particular BitLocker encryption, and you cannot use it to
recover encrypted data from any other BitLocker encryption session.
The recovery password ID is a 32-character identifier (displayed as a GUID on the recovery screen) that
identifies one specific recovery password. You can see it on the recovery screen and in the BitLocker
Recovery tab of the computer object's properties, and you can use it to locate the password stored in AD
DS. To locate a password, the following conditions must be met:
●● You must be a domain administrator or have delegate permissions.
●● The client's BitLocker recovery information is configured for storage in AD DS.
●● The client’s computer has been joined to a domain.
●● BitLocker must be enabled on the client's computer.
Prior to searching for and providing a BitLocker recovery password to a user, confirm that the person is
the account owner and is authorized to access data on the computer in question.
You search for the password in Active Directory Users and Computers by using one of the following:
●● Drive label
●● Password ID
When you search by drive label, after locating the computer, right-click the drive label, select Properties,
and then select the BitLocker Recovery tab to view associated passwords.
To search by password ID, right-click the domain container, and then select Find BitLocker Recovery
Password. In the Find BitLocker Recovery Password dialog box, enter the first eight characters of the
password ID in the Password ID field, and then select Search.
Examine the returned recovery password to ensure that it matches the password ID that the user pro-
vides. Performing this step helps to verify that you have obtained the correct unique recovery password.
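An added PowerShell example (not from the course) covering both sides of the procedure above: escrowing a volume's recovery password in AD DS from the client, and locating a password in AD DS from a help-desk workstation by the password ID the user reads out. It assumes an elevated session with the BitLocker module on the client and the ActiveDirectory module (RSAT) on the workstation, and that Group Policy permits AD DS backup of recovery information; the computer name WS-1234, the password ID prefix A1B2C3D4 and the function Find-BitLockerRecoveryPassword are placeholders introduced here.

```powershell
# Added example (not part of the course text): list a volume's recovery password
# protectors, back them up to AD DS, and later locate a recovery password in
# AD DS by the password ID shown on the recovery screen. Assumes an elevated
# session with the BitLocker module (client) and the ActiveDirectory module
# (help-desk workstation). WS-1234 and A1B2C3D4 are placeholders.

# --- On the client: which protectors does the operating system volume have? --
$vol = Get-BitLockerVolume -MountPoint 'C:'
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
$recovery | Select-Object KeyProtectorId, RecoveryPassword   # the password ID and the 48-digit password

# Without a recovery password protector, a TPM validation failure leaves the
# volume unrecoverable, so add one before anything else.
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Escrow each recovery password in AD DS. This creates msFVE-RecoveryInformation
# objects under the computer account, which is what the "Find BitLocker
# Recovery Password" search in Active Directory Users and Computers reads.
foreach ($p in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $p.KeyProtectorId
}
# Equivalent: manage-bde -protectors -adbackup C: -id "{<KeyProtectorId>}"

# --- On the help-desk workstation: find the password by its ID ---------------
# The KeyProtectorId is the "Password ID" the recovery screen displays; the
# user reads out its first eight characters.
function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$ComputerName,      # placeholder, e.g. 'WS-1234'
        [Parameter(Mandatory)][string]$PasswordIdPrefix   # first 8 characters, e.g. 'A1B2C3D4'
    )
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', whenCreated |
    ForEach-Object {
        # msFVE-RecoveryGuid is stored as an octet string; it is the password ID.
        $id = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
        [pscustomobject]@{
            PasswordId       = $id.ToString().ToUpper()
            Created          = $_.whenCreated
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
    } |
    Where-Object { $_.PasswordId.StartsWith($PasswordIdPrefix.ToUpper()) }
}

# Compare the full PasswordId with what the user reads before handing over the
# password; an eight-character prefix can match more than one object.
Find-BitLockerRecoveryPassword -ComputerName 'WS-1234' -PasswordIdPrefix 'A1B2C3D4'

# On the locked client, or on a machine the disk has been attached to:
#   Unlock-BitLocker -MountPoint 'C:' -RecoveryPassword '123456-123456-...'   # 48 digits in 8 groups
```

Reading msFVE-RecoveryInformation objects requires delegated rights on the computer object; by default only Domain Admins can read the msFVE-RecoveryPassword attribute, which is why the conditions listed above include delegated permissions.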

Data recovery agent support


BitLocker for Windows 10 provides data recovery agent support for all protected volumes. This provides
users with the ability to recover data from any BitLocker and BitLocker To Go device when data is inacces-
sible. This technology assists in the recovery of corporate data on a portable drive using the key created
by the enterprise.
Data recovery agent support allows you to dictate that all BitLocker-protected volumes (such as operat-
ing system, fixed, and new portable volumes), are encrypted with an appropriate data recovery agent. The
data recovery agent is a new key protector that is written to each data volume so that authorized IT
administrators will always have access to BitLocker-protected volumes.

Troubleshooting Locked Accounts


When users attempt to sign in and enter their passwords incorrectly, depending on the account lockout
threshold that you configure, Windows could lock their accounts. When a user contacts the help desk
with a sign-in issue, as a best practice, you should verify whether the account is locked because of repeated
incorrect passwords. Occasionally, account lockouts can occur for other, less obvious reasons than
repeated, failed interactive sign-in attempts, including that:
●● Applications use cached user credentials. Some applications store user names and passwords for
subsequent reuse. If a user changes their password, Windows could lock the account because the
cache is outdated.
●● Users sign in to multiple computers. If a user signs in to multiple computers to access resources, and
then changes their password at one of the computers, the password update does not propagate to
the other computers to which the user signs in. On those other computers, Windows uses the cached
password, which results in an account lockout.
●● Passwords for service accounts have changed. A service account is a user account that is related to a
service. The service control manager on computers that are domain members caches that service’s
account details. If you change the service account’s password without also resetting the service
control manager, account lockouts can occur. This can lead to service failures, which is a far more
serious issue than a standard user lockout.
●● Persistent drive mappings are used. When a user maps a network drive, they can specify that they
want to connect to the server folder by using alternative credentials, that is, a user account and
password other than the one with which they signed in. If the password is reset for the account
that the drive mapping uses, this can result in an account lockout.
Note: It is important not to set the account lockout threshold too low, as this can create excessive
administrative burden, as the help-desk staff will be conducting many account resets. Remember that
many users will forget that they changed their password recently, and might require a few attempts to
sign in before they remember.

Identifying Sign-In Errors


You can resolve most errors that pertain to sign-in issues quickly once you identify the issue. You can use
the following methods and tools to help troubleshoot sign-in issues:
●● On-screen errors. Most user sign-in errors provide an accurate description on the screen. However,
many users might not interpret these messages correctly. Often, viewing the error yourself is more
accurate than relying on a user’s description of it.
●● Active Directory Users and Computers. You can use this tool to verify the user’s sign-in name and
whether the account is disabled. You also can use this tool to unlock the account and reset the
password, if necessary.
Note: You also can use Windows PowerShell to query a user’s account status and reset a user’s account
properties. For example, use the Get-ADUser cmdlet to retrieve user account properties; the Unlock-ADAccount
cmdlet to unlock a user account; and Set-ADUser -Enabled $true to enable a user account. If you wish to
use these cmdlets on a Windows 10 client computer, install Remote Server Administration Tools (RSAT) on
that computer to install the necessary Windows PowerShell cmdlets.
●● Event logs. You can use Event Viewer to view event logs that might give some indication of why a
sign-in error occurs. The Security logs on a computer or domain controller indicate if authentication
errors occur. The computer’s System log indicates if the computer account is not authenticating
correctly.
If a user is able to sign in, but cannot access network resources, the sign-in process might be using the
user’s cached credentials. If this happens, you should verify that the computer has network connectivity
and that the computer account is authenticating properly.
If your organization does not restrict user sign in to specific computers, the user can attempt to sign in to
a second computer, which identifies whether the authentication issue pertains to a specific computer. You
can use the results of this test to limit your troubleshooting scope. For example, if the issue is not
computer-specific, then it is not a local computer-configuration issue.
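The triage described in this lesson (account status from Active Directory, plus the Security log to find where the bad passwords came from), as an added example that is not part of the course material. It assumes the RSAT ActiveDirectory module, a session with rights to read user objects and the PDC emulator's Security log, and a placeholder user name.

```powershell
# Added example (not course code): triage one user's reported sign-in problem.
# Assumes RSAT ActiveDirectory, read access to the PDC emulator's Security log
# (Remote Event Log Management firewall rule), and a placeholder user name 'jdoe'.
Import-Module ActiveDirectory

function Get-SignInTriage {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $LookbackHours = 24,
        [switch] $Unlock        # use only after the caller's identity has been verified
    )

    # Every lockout is replicated to the PDC emulator, so query it rather than any DC.
    $pdc = (Get-ADDomain).PDCEmulator

    $user = Get-ADUser -Identity $SamAccountName -Server $pdc -Properties `
        Enabled, LockedOut, BadLogonCount, LastBadPasswordAttempt,
        PasswordLastSet, PasswordExpired, AccountExpirationDate

    # Event ID 4740 (user account locked out) records the computer that sent the bad
    # passwords. A source other than the user's own PC, shortly after a password change,
    # is the cached-credential / service-account / mapped-drive pattern from the lesson.
    $since = (Get-Date).AddHours(-$LookbackHours)
    $lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since
    } | Where-Object { $_.Properties[0].Value -eq $SamAccountName } | ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            CallerComputer = $_.Properties[1].Value   # second data field of 4740 = caller computer
        }
    }

    $report = [pscustomobject]@{
        User                   = $user.SamAccountName
        Enabled                = $user.Enabled
        LockedOut              = $user.LockedOut
        PasswordExpired        = $user.PasswordExpired
        PasswordLastSet        = $user.PasswordLastSet
        BadLogonCount          = $user.BadLogonCount
        LastBadPasswordAttempt = $user.LastBadPasswordAttempt
        AccountExpires         = $user.AccountExpirationDate
        LockoutSources         = ($lockouts.CallerComputer | Sort-Object -Unique) -join ', '
    }

    if ($user.LockedOut -and $user.PasswordLastSet -gt $since) {
        Write-Warning "Password changed at $($user.PasswordLastSet); check the listed source computers for stale credentials, or the lockout will recur after an unlock."
    }

    if ($Unlock -and $user.LockedOut) {
        Unlock-ADAccount -Identity $user -Server $pdc
        $report.LockedOut = (Get-ADUser -Identity $user -Server $pdc -Properties LockedOut).LockedOut
    }
    return $report
}

# Usage (placeholder account name):
# Get-SignInTriage -SamAccountName 'jdoe' | Format-List
```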
Practice Labs and Module Review


Module 12 Practice Labs
Lab 1201: Using Advanced Startup and Windows RE to recover from Boot Failures

Summary
During this lab you will learn how to work with the Windows RE, manipulate the BCD from the Command
Prompt tool, and use Startup Settings to access advanced startup options.

Scenario
You need to test and validate the features available for when you need to recover from boot failures on a
Windows 10 device. You will access Windows RE to identify the recovery options that are available. You
will also use command-line tools to manipulate the BCD and use Startup Settings to access the advanced
startup options.

Lab 1202: Recovering Windows using Reset This PC

Summary
During this lab you will learn how to recover a Windows 10 device using Reset This PC.

Scenario
You discover that SEA-CL2 is having intermittent issues. Repeated attempts have been made to correct
the issues, but have been unsuccessful. You've decided to try resetting the PC. You would like to still
retain the user files on the PC.

Module Review
Check Your Knowledge
1. A user reports a system failure with a computer. You need to return the computer to an earlier state
without re-installing the operating system or causing data loss. Which of the Windows RE recovery
tools can you use to achieve this?
A. Reset this PC
B. Advanced options
C. System Restore
D. System Image Recovery
E. Startup Repair
F. Command Prompt
G. None mentioned
2. You are configuring a dual-boot machine. You need to specify the default operating system. You also
need to change the amount of time a user has to select an operating system during startup. Which
tool can accomplish this with the least amount of administrative effort?
A. Startup and Recovery
B. System Configuration tool
C. BCDEdit.exe
D. BootRec.exe
E. None mentioned
3. In an effort to protect your organization's data, you enabled System Restore points on users' Windows
10 computers. System Restore points will be created automatically when which of the following
actions occur? (select three)
A. You install a new application or driver.
B. You change your password.
C. You install updates.
D. You remove programs.
E. You perform a backup.
4. You are about to run the Reset this PC tool on a Windows 10 computer. You want to keep the current
disk partitions. Which setting should you select?
A. Keep my files
B. Just remove my files
C. Fully clean the drive
D. Keep my files or Just remove my files
E. Any mentioned
5. You are troubleshooting a Windows 10 computer. You decide to use the Reset this PC tool. When
you select the option “Just remove my files or Fully clean the drive”, which of the following statements
is true?
A. This option removes all of your Windows Store apps, desktop apps, and the apps that the default
Windows 10 installation includes.
B. This options requires special permissions to use.
C. Any apps installed and updates that were made since the computer was first installed with Win-
dows 10 will still be available.
D. You do not need a backup or Windows 10 media with this option.
E. All statements are false.
6. In an effort to protect your organization's data, you enabled System Restore points on users' Windows
10 computers. System Restore points will be created automatically when which of the following
actions occur? (select three)
A. You install a new application or driver.
B. You change your password.
C. You install updates.
D. You perform a backup.
E. You remove programs.
7. You need to launch the Windows Recovery Environment. Which of the following methods could you
use? (select 3)
A. From the login screen, select Shutdown, then hold down the Shift key while selecting Restart.
B. In the Windows 10 Settings App under Update & Security, select Recovery and select Restart now
under Advanced Startup.
C. Boot using recovery media.
D. Reboot and press the F8 key before Windows starts to load.
Answers: 1) C 2) A 3) A,C,D 4) E 5) D 6) A,C,E 7) A,B,C
Module 13 Troubleshooting Hardware and Drivers

Troubleshooting Device Driver Failures


Lesson Introduction
Before you troubleshoot the failure of a device driver, you need to understand the role of device drivers
in Windows 10. A device driver is a small software program that allows a computer to communicate with
its hardware or devices. A hardware device works only if its device driver is installed correctly and functions
properly. Device drivers are specific to operating systems, and they run with system-wide privileges.
The failure of a device driver can render even the most sophisticated and expensive device useless.
Malfunctioning device drivers can affect computer reliability and could stop the computer from operating
properly. You should be able to use Windows 10 tools to manage, diagnose, and troubleshoot device
drivers.
This lesson focuses on troubleshooting problems that pertain to device drivers, including:
●● Disabling and removing device drivers.
●● Verifying driver signatures.
●● Installing or reinstalling drivers manually.
●● Viewing device details.
●● Restricting installation of specific devices.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the role and importance of device drivers.
●● Manage and troubleshoot device drivers.
●● Explain the difference between the staging and installation of device drivers.
●● Restrict installation of device drivers by using Group Policy.
Tools for Managing and Troubleshooting Device Drivers


In most cases, Windows 10 automatically detects a connected device and installs its device driver.
Windows 10 has several tools that you can use if you need to list installed devices, change
device settings, or troubleshoot devices that do not work correctly.
Device Manager is the most widely used tool for this purpose. It provides a list of all detected devices and
the resources that they use. If you need to modify the most basic device settings, you can use the Devices
section in the Settings app. You also can use the Devices and Printers item in Control Panel, in which you
can view and manage devices that are connected to your computer. To perform basic device management,
you can use the Windows PowerShell cmdlets.
To view advanced device information, you also can use the DevCon.exe tool, which you can download
from the Microsoft site.

The Device Manager tool


You can use Device Manager to install and update device drivers; disable or enable devices; use the Driver
Roll Back feature; change resources that devices use, such as interrupt requests (IRQs); and troubleshoot
device problems. You also can use Device Manager to view devices that are connected currently to your
network, and the resources that they are using. You can sort these items by device type or connection.
The Device Manager view updates dynamically when the status of a connected device changes, or you
can update it manually, by selecting the option to scan for hardware changes.
You can open Device Manager in one of three ways:
●● Right-clicking the Start icon, and then selecting Device Manager.
●● Selecting Start, typing Device Manager or devmgmt.msc, and then pressing Enter.
●● Selecting the Device Manager node in Computer Management.


You also can perform many tasks in Device Manager, including:
●● Viewing a list of connected devices. You can view all currently installed devices by type, by connection
to the computer, or by the resources that they consume. Device Manager recreates a device list after
every system restart or dynamic change.
●● Viewing detailed properties for the connected devices. This is the data that the system obtains from
the connected device, such as device Hardware IDs, Model, and Friendly name.
●● Uninstalling a device. You can uninstall a device driver and remove the driver software from the
computer.
●● Enabling or disabling devices. If you want a device to remain attached to a computer without enabling
it, you can disable the device instead of uninstalling it. Disabling a device is different from uninstalling
it, because you disable only the drivers, and the hardware configuration remains unchanged. You can
recognize disabled devices by the downward-pointing arrow next to the device icon in Device Manager.
●● Troubleshooting devices. Determine whether the hardware on a computer is working properly. If a
device is not operating correctly, or if a device’s driver is unavailable, the device icon has an exclamation
mark (!) in a yellow triangle next to it.
●● Updating device drivers. If you have an updated driver for a device, you can use Device Manager to
update it in the driver store.
●● Rolling back drivers. If you experience system problems after updating a driver, you can roll it back to
a previous driver. When you use this feature, you can reinstall the last device driver that functioned
before the installation of the current device driver.
Device Manager shows each connected device by using a related icon. The status of a device shows
whether a device has drivers installed and whether the Windows operating system can communicate with
the device. For example, if a device is missing the device driver, the device icon appears below the Other
devices node, and has an exclamation mark (!) in a yellow triangle next to it. The device icon also will have
an exclamation mark in a yellow triangle next to it, if it has any issue, such as the device driver not
starting. If you disable the device, its icon displays a downward-pointing arrow next to it. You also can
view a device’s status by right-clicking it, and then selecting Properties.
By default, Device Manager does not show hidden devices. The most common types of hidden devices
are devices that do not support Plug and Play (PnP), storage volumes, and internal network adapters. To
view hidden devices in Device Manager, select View, and then select Show hidden devices.
Note: You can only use Device Manager to manage devices on a local computer.
Windows 10 does not include remote access to the PnP remote procedure call (RPC) interface that
Windows 8 included. Therefore, you cannot use Device Manager to connect to a remote Windows 10–
based computer. If you try to use Device Manager to connect to a remote computer, you will receive an
error message that indicates that your access is denied.

The Devices and Printers tool


After you connect an external device, it appears in the Devices and Printers tool in the Control Panel. You
can use this tool to add a printer manually, if Windows does not detect it automatically. This can occur if
you are sharing the printer over a network. Additionally, the Devices and Printers tool displays multifunction
devices, and lets you manage them as one device, as opposed to managing an individual printer,
scanner, or a fax device. For example, when you connect a web camera to your computer, the Devices
and Printers tool displays it as a single device. However, Device Manager shows the same device as an
audio input and output device, an imaging device, and a sound, video, and game-controller device.

The Devices section in the Settings app


You can perform very basic device management by using the Devices section in the Settings app in
Windows 10. The interface is optimized for touch, and includes links to Device Manager and to Devices
and Printers. You can add printers, faxes, and other devices, and specify whether you want to allow users
to download drivers over metered connections, and be able to configure spelling, AutoPlay, mouse, and
touchpad settings.

Windows PowerShell
Windows 10 includes several Windows PowerShell cmdlets for managing devices.

Cmdlet Description
Enable-PnpDevice Enables a PnP device.
Disable-PnpDevice Disables a PnP device.
Get-PnpDevice Displays information about PnP devices.
Get-PnpDeviceProperty Displays detailed properties for a PnP device.

Driver Roll Back


Driver Roll Back is a system-recovery feature that is available on the device property page in Device
Manager. Driver Roll Back reinstalls the last device driver that was functioning and overwrites the current
device driver. This reinstallation enables users to recover from system problems due to the installation or
update of a particular driver. Driver Roll Back is nondestructive and replaces only the device driver, while
leaving system settings and user data intact. It supports only a single level of rollback, and after the
rollback operation, the previous device driver is no longer available.
Note: The Roll Back Driver button is available only if the driver has been updated from a previous version.
If the current driver for the device is the only one ever installed on the computer, the Roll Back Driver
button is grayed out and unavailable.
Windows 10 will only back up drivers that are active and functional. It will not back up inactive or malfunctioning
drivers. Driver Roll Back is available for any device except printers (Print queues). Printers
cannot use Driver Roll Back, because you cannot manage printers through Device Manager. You have to
use Devices and Printers to configure printers.
Note: If a malfunctioning driver is preventing Windows 10 from starting normally, you can start the
computer in safe mode and then use the Roll Back Driver option.
To roll back a driver, use the following procedure:
1. Open Device Manager.
2. Right-click the device to roll back, and then select Properties.
3. In the Properties dialog box, select the Driver tab, and then select Roll Back Driver.
4. In the Driver Package rollback dialog box, select Yes.
Note: Rolling back a driver can cause the loss of new functionality, and can reintroduce problems that the
newer version addressed.
Driver Roll Back only replaces the current device driver with the previous device driver. Therefore, it is a
nondestructive operation. Sometimes, when you install a device driver, the installation program also
modifies some other system settings. In such cases, Driver Roll Back might not resolve all the issues, and
you might have to consider System Restore, which reverts system settings, but preserves user data. As a
last resort, you can use the Reset PC option, System image recovery, or Backup and Restore (Windows 7).

System Restore
In rare cases, after you install a device or update a device driver, a computer might not start. This problem
might occur because:
●● The new device or driver causes conflicts with other drivers on the computer.
●● A hardware-specific issue occurs.
●● The installed driver is damaged.
Sometimes, performing a driver rollback is not sufficient to recover from a computer problem. If you are
unable to recover a computer by performing a driver rollback, consider using System Restore. You can
use System Restore when you want to retain all new data and changes to existing files, but still want to
perform a restoration of the system from when it was running well. Windows 10 lets you return a computer
to the way it was at a previous point without deleting any personal files. System Restore is reversible,
because it creates an undo restore point before the restore operation starts.

Managing Signed Drivers


Device drivers run with system-level privileges and can access files or information on a computer. Therefore,
it is critical to trust installed device drivers. Trust, in this context, includes two main principles:
●● Authenticity. This is a guarantee that the package came from its claimed source.
●● Integrity. This is an assurance that the package is intact, and there have been no modifications since
its release.
A digital signature uses a digital certificate to encrypt specific details about the device driver package.
The encrypted information in a digital signature includes a thumbprint for each file that the package
includes. A special cryptographic algorithm, or hashing algorithm, generates the thumbprint. The algorithm
generates a code that only the file’s contents can create, and a change to a single bit in the file
causes the thumbprint to change. After the thumbprints are generated, the publisher combines them
into a catalog, and encrypts them. A digital signature does not modify the device driver. It only assures
that the device driver was not modified after it was signed.
Microsoft digitally signs all device drivers that Windows 10 includes. Windows 10
checks for a driver’s digital signature during installation, and prompts the user if a device driver is not
signed. Although you can install device drivers that are not signed on 32-bit editions of Windows 10, we
recommend that you use only signed drivers. You can use Group Policy to block the installation of device
drivers that are not signed by a trusted organization. 64-bit editions of Windows 10 require that all
drivers are signed digitally, and by default, you cannot use device drivers with 64-bit editions of Windows
10 if they are unsigned.
Note: You can configure 64-bit editions of Windows 10 to use unsigned device drivers, such as if you
want to test the driver before signing it, but we do not recommend this. To disable the enforcement of
driver signatures, you should restart the computer, and then select Disable driver signature enforcement
on the Startup Settings menu.
You can use Device Manager to verify if a device driver is signed digitally, but you need to do it for each
device driver separately. In Device Manager, you right-click a device, select Properties, and then on the
Driver tab, select the Driver Details button. You can verify if a device driver was signed and by whom in
the Driver File Details dialog box.

The Signature Verification tool


You can use the Signature Verification tool (Sigverif.exe) to scan and determine if the 32-bit edition of
Windows 10 is using unsigned drivers. Sigverif.exe writes the scan’s results to a log file that includes the
system file, the signature file, and the signature file’s publisher. The log file shows any unsigned device
drivers, and you then can replace the unsigned drivers with signed drivers.
To remove an unsigned device driver, follow these steps:
1. Run Sigverif.exe to scan for unsigned drivers.
2. Review the resulting log file.


3. Create a temporary folder for the unsigned driver storage.
4. Manually move any unsigned drivers from C:\Windows\System32\Drivers into the temporary folder.
5. Disable or uninstall the associated hardware devices.
6. Restart the computer.
You should try to obtain a signed device driver from the hardware vendor, or replace the device with a
device that uses a digitally signed device driver.
At a command prompt, you can run the driverquery command with the /si switch to obtain a basic list
of signed and unsigned device drivers.
Note: Some hardware vendors use their own digital signatures so that drivers can have a valid digital
signature, even if Microsoft has not tested them. The Sigverif report lists the vendors for each signed
driver. This can help you identify problem drivers by vendor.
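The same audit that Sigverif.exe and driverquery /si give you, scripted so it can be run across a fleet, as an added example that is not part of the course material. It assumes an elevated session, the Win32_PnPSignedDriver CIM class, and a placeholder list of signer names that your organisation has reviewed.

```powershell
# Added example (not course code): report driver packages that are unsigned or signed by
# someone other than the reviewed signers, and driver binaries whose Authenticode signature
# does not verify. Run elevated. The signer names are placeholders for your own reviewed list.
function Get-DriverSignatureAudit {
    param(
        [string[]] $TrustedSigners = @('Microsoft Windows',
                                       'Microsoft Windows Hardware Compatibility Publisher'),
        [string]   $DriverFolder   = "$env:SystemRoot\System32\drivers"
    )

    # 1. Driver packages as Plug and Play sees them. Signer shows who signed the package,
    #    which is how a vendor-signed (not Microsoft-tested) driver is told apart.
    $packages = Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.InfName } |      # skip pseudo-devices that have no driver package
        Select-Object DeviceName, InfName, DriverProviderName, DriverVersion, IsSigned, Signer

    $unsignedPackages = $packages | Where-Object { -not $_.IsSigned }
    $vendorSigned     = $packages | Where-Object { $_.IsSigned -and $_.Signer -notin $TrustedSigners }

    # 2. Driver binaries on disk. Authenticode status catches a file whose bytes no longer
    #    match its signature (HashMismatch) as well as one that was never signed (NotSigned).
    #    Inbox drivers are catalog-signed; Get-AuthenticodeSignature checks the catalog too.
    $binaries = Get-ChildItem -Path $DriverFolder -Filter *.sys -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File    = $_.Name
            Status  = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
            Subject = $sig.SignerCertificate.Subject
        }
    }
    $failingBinaries = $binaries | Where-Object { $_.Status -ne 'Valid' }

    # Anything in the first and third lists is a candidate for the removal steps above;
    # the second list is where a vendor's own certificate was used and should be reviewed.
    [pscustomobject]@{
        UnsignedPackages             = $unsignedPackages
        VendorSignedPackages         = $vendorSigned
        BinariesFailingAuthenticode  = $failingBinaries
    }
}

# Usage:
# $audit = Get-DriverSignatureAudit
# $audit.UnsignedPackages | Format-Table DeviceName, InfName, DriverProviderName
```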
Configuring the Certificate Store to support an unknown certification authority
On each computer, Windows 10 maintains a store for trusted certification authorities. If an unknown
certification authority has signed a driver package, 32-bit editions of Windows 10 require confirmation
that the publisher is trusted. However, Windows 10 64-bit editions do not install device drivers signed by
an untrusted certification authority. When you place a certification authority certificate in the certificate
store, you inform Windows 10 that the driver packages signed by the certification authority are trusted.
Group Policy is the most common way to deploy certificates to client computers.
Note: It is unusual to install a certificate into the Trusted Root Certification Authority store simply to
support driver signing.

Staging Device Drivers


Installing a device driver in Windows 10 is a two-step process. During staging, you add the driver package
into the driver store. You can do this regardless of whether the device is attached to the computer.
You must use administrator credentials to add the device driver package into the driver store. The second
step is the driver’s installation from the driver store. The driver is installed when Windows 10 detects an
attached device that would need the driver for the first time. A standard user can perform the second
step, because it does not require administrative permissions.
Depending on the packaging of the device driver, you can install it in different ways. If the device driver
has its own installation program (for example, setup.exe), you run the installation program, which performs
the staging when you add the driver package to the driver store. If you attach a device to a Windows
10 computer, and its device driver is not in the driver store, Windows 10 searches for a matching driver
package in several locations. You can customize these locations, and you can include folders specified by
the DevicePath registry entry and the Windows Update site. If Windows 10 finds the driver package, it
adds the driver package into the driver store, and then installs it from the driver store to the system. You
also can stage the driver package manually, when you use the pnputil.exe command.
During device driver staging, Windows 10 verifies the driver files, copies them to the driver store, and
then indexes them for quick retrieval. However, it does not install them. During the staging process,
Windows 10 verifies that the driver packages contain all required files, that they do not display any user
prompts, and that they do not require LocalSystem security context during installation. This allows a user,
who does not have administrator privileges on a computer, to install them.
Note: If there are multiple driver packages available for the same device, Windows 10 ranks the driver
packages by evaluating criteria such as:
●● Is the driver signed?
●● Is the driver specific to the attached device or for a compatible set of devices?
●● What is the driver version?
Benefits of staging driver packages
Device drivers run as part of the operating system, so it is critical that you allow only known and authorized
device drivers to run. Staging device-driver packages on Windows 10 provides several benefits,
including:
●● Improved security. You can allow standard users to install approved device drivers without compromising
computer security or requiring help-desk assistance.
●● Reduced support costs. Users can install only devices that your organization has tested and is prepared
to support. Therefore, you can maintain computer security while you reduce help-desk demands.
●● Better user experience. A staged driver package, in the driver store, works automatically when the user
plugs in the device. Alternatively, Windows 10 will discover driver packages that you place on a shared
network folder whenever the operating system detects a new hardware device. In both cases, the user
receives no prompts prior to installation.
Staging device drivers manually
You can use the following steps to use the Pnputil.exe command-line tool to add a device driver to the
Windows 10 driver store manually:
1. Obtain a digitally signed driver package.
2. Sign in as Administrator, and then open a command prompt.
3. At the command prompt, type pnputil.exe /add-driver package_name, and then press Enter.
4. The command runs, and Windows 10 verifies the driver’s integrity and digital signature, and then
copies the driver into the driver store.
Note: The Pnputil.exe tool only runs at a command prompt with elevated user rights. The tool cannot
invoke the User Account Control dialog box.
Managing the driver store
You also can use the Pnputil.exe command-line tool to manage the driver store, including adding and
removing driver packages from the driver store, and listing non-Microsoft driver packages that already
are in the store.
You can use the Pnputil.exe command-line tool to perform the following tasks:
●● Add a driver package to the driver store.
●● Add a driver package to the driver store, and then install it in the same operation.
●● Delete a driver package from the driver store.
●● List all driver packages in the driver store.
The following table lists the Pnputil.exe command-line syntax.

Command line                                             Details
pnputil.exe /add-driver d:\usbcam\USBCAM.inf             Adds a package that USBCAM.inf specifies.
pnputil.exe /add-driver c:\drivers\*.inf                 Adds all packages in C:\drivers.
pnputil.exe /add-driver a:\usbcam\USBCAM.inf /install    Adds and installs a driver package.
pnputil.exe /enum-drivers                                Lists all non-Microsoft packages.
pnputil.exe /delete-driver oem0.inf                      Deletes package oem0.inf.
pnputil.exe /delete-driver oem0.inf /force               Forces deletion of package oem0.inf.
Note: You also can distribute drivers by adding them to the operating system images that your organization
uses. To do this, use the DISM.exe tool to mount the image, inject the driver package, and effect the
changes.

Restricting Device Installation


When a driver package is in the driver store, any user can connect a device, and the driver installation will
begin. This is very user friendly since the user can start using devices without assistance. However, it also
makes it challenging for IT departments, who might not be able to support a broad range of devices. In
the past, some companies prevented users from connecting USB devices by physically preventing the use
of USB ports, but this solution is not very flexible.

Windows 10 includes several Group Policy settings that control installation of devices and device drivers.
This enables you to restrict installation of specific devices, but allows installation of all other devices. For
example, you can use these Group Policy settings to restrict certain types of USB devices and installation
of all devices that are not allowed explicitly, such as USB keys that are not company-approved. To access
the Group Policy settings for controlling driver installation, in Group Policy, select Computer Configuration,
select Policies, select Administrative Templates, select System, and then select Driver Installation. The
following table details the Group Policy settings that you can configure.
Group Policy setting    Description

Allow nonadministrators to install drivers for these device setup classes
  Allows users to install specified device drivers. You can determine the appropriate driver setup class by examining the .inf file that accompanies a device driver.
Turn off the Windows Update device driver search prompt
  Determines whether the administrator receives a prompt to search Windows Update for drivers during device installation.
To access the Group Policy settings for controlling device installation restrictions, in Group Policy, under
Computer Configuration, select Policies, select Administrative Templates, select System, select
Device Installation\Device Installation Restrictions. The following table details the Group Policy
settings that you can configure.

Group Policy setting    Description

Allow administrators to override Device Installation Restrictions policies
  Allows members of the Administrators group to install or update drivers for devices, regardless of policy settings.
Allow installation of devices using drivers that match these device setup classes
  Allows the installation of devices that match the specified setup class globally unique identifiers (GUIDs).
Prevent installation of devices using drivers that match these device setup classes
  Prevents the installation of devices that match the specified setup class GUIDs.
Display a custom message when a policy setting prevents installation
  Allows the administrator to define a customized message that displays when a policy setting prevents device installation.
Display a custom message title when a policy setting prevents device installation
  Allows the administrator to define a customized message title that displays when a policy setting prevents device installation.
Allow installation of devices that match any of these device identifiers
  Allows the installation of devices that match the device identifiers that you specify.
Prevent installation of devices that match any of these device identifiers
  Prevents the installation of devices that match the device identifiers that you specify.
Time (in seconds) to force reboot when required for policy changes to take effect
  Allows you to define the time that the computer waits to restart after a device installation.
Prevent installation of removable devices
  Allows you to prevent users from installing removable devices.
Prevent installation of devices not described by other policy settings
  Allows you to ensure that users cannot install any drivers, even if there are no policies restricting installation.

Overview of Hardware Troubleshooting


Lesson Introduction
If a Windows 10 computer or mobile device does not function properly, you can expect many different types of issues, which can vary from simply being annoying to users to being detrimental to your environment. For example, when a computer’s cooling fan produces a strange noise, a user’s productivity typically declines, and the hardware can overheat and fail. All data that the user did not save before the hardware failure will be lost.
This lesson provides an overview of troubleshooting hardware-related problems and discusses specific
considerations for using USB and wireless devices on computers that are running Windows 10. It is
important that you understand common hardware-related problems so that you can support your users.

Lesson Objectives
After completing this lesson, you will be able to:
●● Describe hardware-related problems.
●● Describe the considerations for using USB devices.
●● Describe considerations for using wireless devices.
●● Explain how you can use built-in diagnostic tools to gather hardware information.
●● Determine how to best approach hardware problems.
●● Apply the guidelines for troubleshooting hardware-related problems.

Hardware-Related Problems
Hardware problems occur when a failure occurs in a hardware device or the device driver that the
hardware device uses. When you troubleshoot hardware-related problems, you first must determine the
underlying cause of the hardware failure.

Failure of physical hardware


A computer contains several hardware components, such as hard disk drives, a power supply, a motherboard, a video controller, and externally connected devices, such as removable disks or a webcam. Manufacturers could combine these devices into a single physical component, such as a video controller that is integrated on the motherboard. If a single component or a combination of components fails, this can prevent the computer from functioning correctly. Each hardware component has a set lifetime, and eventually, these components will fail. However, you can take preventive measures to extend the lifetime of your components and minimize the possibility of failure. These preventive measures include ensuring that you operate hardware components in the environmental conditions that the component’s vendor recommends. For example, you should avoid using hardware components in areas with high volumes of dust or high temperatures, unless the hardware is designed specifically for such environments.
Some components are more prone to failure than others, and often the components with moving parts,
such as hard disk drives, cooling fans, power supplies, and optical drives, are the most susceptible to
failure.

Note: Many tablet devices are equipped with solid-state drives (SSDs), which have no moving parts and
are less susceptible to physical failure. However, be aware that SSDs might become less reliable after a
significant number of write operations.

Failure of device drivers


A device driver can fail for three primary reasons:
●● Version incompatibility with the operating system. Drivers developed for previous Windows operating
system versions might not be compatible with Windows 10. To avoid incompatibility issues, always
check for a Windows 10 version of drivers, and use them if available.
●● Driver bugs. Although hardware vendors use every precaution to ensure that device drivers are free from error, problems can occur. Ensure that you obtain the latest driver version from the manufacturer, particularly if the new version fixes previous driver issues. Verify that the device driver has a digital signature from a trusted certificate-signing authority.
●● 32-bit and 64-bit issues. Windows 10 is available in both 32-bit and 64-bit editions. Drivers that manufacturers develop for the 32-bit edition do not work with the 64-bit editions, and vice versa. Make sure that you obtain the appropriate device driver from the hardware vendor.
You can detect some issues with device drivers, such as version incompatibility with an operating system,
when you try to install a device driver. Some other issues, such as driver bugs or lack of support for
advanced device functionality, might take longer to detect.

Understanding USB Devices


These days, you can attach most hardware devices to computers by using USB, which is convenient and requires no special skills or tools. You simply install new USB hardware by plugging the device into a free USB port on your computer, and the device driver installs automatically, if available. However, this convenience could pose risks to your network’s security.
USB devices represent a potential security risk to your network because a malicious user could copy sensitive or confidential network data onto a mobile device, such as an external hard disk, and then remove it from the workplace. USB device installation is simple, and users are installing an increasing number of USB devices more frequently. As the number and variety of these devices increases, so do the associated support and maintenance costs for the issues that they introduce. Therefore, controlling use of these devices has become an important consideration for administrators.
Many organizations restrict employee use of USB devices for security and management reasons. However, implementing restrictions on USB devices can affect user productivity. It also can have a significant impact on hardware troubleshooting if the person who is performing troubleshooting incorrectly diagnoses these restrictions as hardware faults. Windows 10 uses two methods to control USB device installation: device identification strings and device setup classes.

Device identification strings


Hardware manufacturers assign one or more device identification strings to each device. These identification strings are in the setup information (.inf) file in the driver package. During device initialization, Windows 10 retrieves these device identification strings, and matches them to corresponding identification strings in the .inf file. Identification strings are either general or specific. If specific, they identify the device’s exact make and model. Device identification strings are one of two types:
●● Hardware identifiers. Hardware identifiers provide an exact match between a device and a device driver package. The first string in the device identifier list is the individual device’s specific identifier. Additional strings in the list identify the device more generally. This allows Windows 10 to install a different device revision driver if the correct one is not available.
●● Compatible identifiers. Windows 10 uses compatible identifiers to select a device driver only if the
driver store has no available drivers for any of the hardware identifiers that Windows 10 retrieves from
the device. These strings are optional, and Windows 10 lists them in decreasing order of suitability if
the hardware manufacturer provides them. Typically, the strings are generic and identify the hardware
device at the component level, such as a Small Computer System Interface (SCSI) hard disk drive. This
enables Windows 10 to select a generic SCSI driver for the disk drive, but may result in limited device
functionality and slower read/write performance.
Multifunction devices are physical devices that include more than one logical device. Manufacturers assign hardware identifiers to each logical device so that each one can manage part of the functionality of the physical device. For example, an all-in-one scanner/printer/fax might have different device identification strings for each function. To control installation of multifunction devices, you must specifically allow or deny all hardware identifiers for each multifunction device. If you do not do this, you could cause unexpected results from some of the logical devices that have drivers installed for the one physical device.
The following sample is the relevant portion of an .inf file for a keyboard device driver:
[MsMfg]
;========= Microsoft USB Internet Keyboard (IntelliType Pro)
%HID\VID_045E&PID_002D&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_002D&MI_00
;========= Microsoft USB Wireless MultiMedia Keyboard (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_005F&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_005F&MI_00
;========= Microsoft USB Wireless MultiMedia Keyboard (106/109) (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_0061&MI_00.DeviceDesc%=MicrosoftKBD_Dev_109,HID\VID_045E&PID_0061&MI_00
;========= Microsoft USB Wireless Natural MultiMedia Keyboard (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_0063&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_0063&MI_00

To interpret the preceding and subsequent configuration files, use the following key:
●● HID = Human Interface Device, such as keyboards and mice.
●● VID = Vendor ID
●● PID = Product ID

Device setup classes


The device setup class groups devices that you install and configure in the same way. For example, all
keyboards belong to the Keyboard device setup class, and they use the same co-installer when installed.
A GUID represents each device setup class. The manufacturer of a device driver package assigns the
device setup class, and then Windows 10 builds a memory-tree structure that contains the GUIDs for all
devices that it detects, including that of any bus that you attach to the device. You can use Group Policy
to specify the device class for which you allow or disallow installation. The following sample is the
relevant portion of an .inf file for a keyboard device driver.
[Version]
CatalogFile.NT=type32.cat ;Digital Signing
Signature="$Windows NT$" ;All Platforms
Class=Keyboard
ClassGUID={4d36e96b-e325-11ce-bfc1-08002be10318}
Provider=Microsoft
LayoutFile=layout.inf
DriverVer=06/29/2010, 8.0.219.0

Controlling USB device access


In Windows 10, you can use Group Policy to control how USB devices access your computer. You can use
Group Policy to:
●● Prevent users from installing any device.
●● Allow users to install only devices on an approved list.
●● Prevent users from installing devices that are on a prohibited list.
●● Deny read or write access to removable devices or removable media.
Note: USB device firmware might include malicious code, which can execute, without user interaction, when a user connects an affected USB device.
Restricting USB device installation can benefit hardware support in several ways, including by ensuring:
●● Simpler data security. When you limit the devices that users can install, you reduce the risk of data theft. For example, allowing users to connect only encrypted USB flash drives provides additional protection for data that users transfer from the company network.
●● Reduced support costs. You can ensure that users only install devices that your help desk has preapproved and tested, which reduces support costs and user confusion.
However, controlling USB device installation could cause issues, including:
●● Misdiagnosed faults. Unless policy restrictions are simple, consistent, and easily understood by IT staff
and users, IT staff might diagnose a restriction as a hardware problem.
●● Policy management. Some manufacturers use a range of identifiers for similar device models. When
you have a batch of such devices, you could have difficulty supporting policy restrictions based on
identifiers. Consequently, the success of these policies could be inconsistent. For example, although a
batch of devices from a single vendor could appear identical, you should check each device identifier
to verify that the entire batch uses the same identifier. If there is a range of identifiers, you will need
to modify your Group Policy settings to include all of these identifiers.
Note: You also must consider the USB version on specific devices. Many computers provide both USB 2
and USB 3 ports for peripheral devices. However, some tablet devices provide only USB 2 ports. If your
peripheral requires a USB 3 connection, you will be unable to use that device with a USB 2 port.
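To make the matching described in this lesson concrete, here is an added example (written for this edit, not course material and not Windows code) that parses the keyboard .inf fragments shown above, splits a hardware identifier into its VID/PID/MI fields, and applies the allow and prevent lists from the Device Installation Restrictions table to single and multifunction devices. The evaluation order in evaluate() and the OTHER_CLASS GUID are assumptions and are labelled as such in the code.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the [Version] and models-section fragments that this
# lesson shows for the Microsoft keyboard driver, reassembled into one file.
SAMPLE_INF = r"""
[Version]
Signature="$Windows NT$" ;All Platforms
Class=Keyboard
ClassGUID={4d36e96b-e325-11ce-bfc1-08002be10318}

[MsMfg]
;========= Microsoft USB Internet Keyboard (IntelliType Pro)
%HID\VID_045E&PID_002D&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_002D&MI_00
;========= Microsoft USB Wireless MultiMedia Keyboard (106/109) (IntelliType Pro)
%HID\VID_045E&PID_0061&MI_00.DeviceDesc%=MicrosoftKBD_Dev_109,HID\VID_045E&PID_0061&MI_00
"""
KEYBOARD_CLASS = "{4d36e96b-e325-11ce-bfc1-08002be10318}"  # ClassGUID from the .inf above
OTHER_CLASS = "{00000000-0000-0000-0000-0000000000aa}"     # constructed placeholder GUID

def parse_inf(text):
    """Return {section: [lines]} for .inf text, with ';' comments removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def setup_class_guid(sections):
    """ClassGUID from [Version], lower-cased so GUID comparisons ignore case."""
    for line in sections.get("Version", []):
        key, _, value = line.partition("=")
        if key.strip().lower() == "classguid":
            return value.strip().lower()
    return None

def device_ids(sections, models_section):
    """Per models line 'desc=install-section,hardware-id[,compatible-id...]':
    return (hardware_id, [compatible_ids])."""
    result = []
    for line in sections.get(models_section, []):
        parts = [p.strip() for p in line.partition("=")[2].split(",")]
        if len(parts) >= 2:
            result.append((parts[1], parts[2:]))
    return result

def split_hardware_id(hw_id):
    """'HID\\VID_045E&PID_002D&MI_00' -> {'enumerator': 'HID', 'VID': '045E', ...}."""
    enumerator, _, rest = hw_id.partition("\\")
    fields = {"enumerator": enumerator}
    for part in rest.split("&"):
        key, _, value = part.partition("_")
        fields[key] = value
    return fields

@dataclass
class RestrictionPolicy:
    """The lists an administrator fills in under Device Installation Restrictions."""
    deny_device_ids: set = field(default_factory=set)
    allow_device_ids: set = field(default_factory=set)
    deny_setup_classes: set = field(default_factory=set)
    allow_setup_classes: set = field(default_factory=set)
    deny_unspecified: bool = False  # "Prevent installation of devices not described by other policy settings"
    admins_override: bool = False   # "Allow administrators to override Device Installation Restrictions"

def evaluate(hw_id, compatible_ids, class_guid, policy, is_admin=False):
    """Allow/deny for ONE logical device. ASSUMED order (not the authoritative
    Windows order): deny beats allow at each level, device IDs before classes."""
    if is_admin and policy.admins_override:
        return "allow: administrator override"
    ids = {i.upper() for i in (hw_id, *compatible_ids)}
    if ids & {i.upper() for i in policy.deny_device_ids}:
        return "deny: device identifier on prevent list"
    if ids & {i.upper() for i in policy.allow_device_ids}:
        return "allow: device identifier on allow list"
    guid = class_guid.lower()
    if guid in {g.lower() for g in policy.deny_setup_classes}:
        return "deny: setup class on prevent list"
    if guid in {g.lower() for g in policy.allow_setup_classes}:
        return "allow: setup class on allow list"
    if policy.deny_unspecified:
        return "deny: not described by any other policy setting"
    return "allow: no restriction applies"

def evaluate_multifunction(logical_devices, policy):
    """Each logical device (MI_00, MI_01, ...) of one physical device is matched
    on its own, so a rule that names only one of them leaves the others to the
    fallback rules. logical_devices: [(hardware_id, class_guid), ...]."""
    return {hw: evaluate(hw, [], cls, policy) for hw, cls in logical_devices}
```

Running evaluate_multifunction with only the MI_00 identifier on the allow list and the "not described" setting turned on shows the second function being blocked, which is the misdiagnosis trap the text warns about.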

Understanding Wireless Devices


Users can connect many peripherals and devices to their computers when they use wireless connections.
Two commonly used wireless technologies are Bluetooth and Wi-Fi.

Troubleshooting wireless devices


When you are troubleshooting wireless devices, it is helpful to remember that the problems a device encounters might be due to wireless connectivity rather than to the device itself. For example, many laptop computers allow users to disable the Wi-Fi and Bluetooth ports, primarily to conserve battery power. However, you must ensure that you enable all ports. Furthermore, for Bluetooth, you should ensure that you configure all ports to be discoverable during the process of pairing the device with the user’s computer.
If you cannot connect a device successfully by using a Wi-Fi or Bluetooth connection, perform the following steps:
1. Enable the Wi-Fi and/or Bluetooth receivers in the computer’s BIOS.
2. Turn on the Wi-Fi and/or Bluetooth receiver by using the computer’s switches or keyboard shortcuts.
Note: On some computers, you cannot independently enable or disable Wi-Fi and Bluetooth.
3. Ensure that Flight mode is turned off, as this disables all radio receivers.
4. Use Device Manager to verify, and if necessary update, the drivers for the computer’s Wi-Fi and/or Bluetooth modules.
5. For Bluetooth devices, use the Bluetooth section in the Settings app to configure:
●● Discovery. Enable discovery to ensure that the computer is visible. Additionally, you might need to enable Discovery (sometimes also known as visibility) on peripheral devices.
●● Connections. Enable the Allow Bluetooth devices to find this PC setting. Optionally, you can select the setting to Alert me when a new Bluetooth device requests to connect.
●● Pairing. Some peripherals also require that you pair them to your computer. This process requires that the computer and the device exchange a passcode or key to establish the partnership. You might need to initiate this process on the computer or on the peripheral.
Note: The device manufacturer often defines a device’s passcode. For example, a Bluetooth headset does not provide you with a mechanism for defining a passcode. However, 0000 or 0001 is often the default passcode. For more information, refer to the vendor documentation.
6. For Wi-Fi devices, follow standard wireless troubleshooting techniques:
●● Ensure that the devices are close enough for the signals to communicate.
●● Configure the devices to use the same wireless protocol and security settings.
●● Investigate possible sources of interference.
Note: Some Bluetooth peripheral devices, such as wireless mouse devices and keyboards, often come with a small Bluetooth module that you insert into a USB port on your computer. This USB Bluetooth module allows you to use cordless devices without needing a built-in Bluetooth module.

Gathering Hardware Information


Windows 10 includes a number of tools that you can use to gather information about the hardware
installed on a computer. When you become familiar with the functionality that these tools offer, you can
identify the most appropriate tool for a particular hardware-monitoring or troubleshooting scenario.

The Event Viewer tool


The Event Viewer tool is the starting point for troubleshooting hardware failures. You should check the
system and application logs for information, warnings, or errors that hardware devices or device drivers
generate. Use the Event Viewer tool to show logs on remote computers and on the local machine.

The Event Viewer tool has many built-in logs, including the Application, Security, Setup, System, and Forwarded Events logs. Event Viewer also includes Applications and Services logs, which store events from a single application or component. This category of logs includes four subtypes:
●● Admin. Admin logs are helpful for IT professionals who use the Event Viewer to troubleshoot problems. These logs provide guidance about how to respond to issues, and primarily target end users, administrators, and support personnel. The events found in admin logs indicate a problem that has a well-defined solution that an administrator can implement.
●● Operational. Events in an operational log also are useful for IT professionals, but they often require more interpretation. You can use operational events for analyzing and diagnosing a problem or occurrence, and trigger tools or tasks based on the problem or occurrence.
●● Analytic and Debug. Analytic and debug logs are not as user-friendly as admin and operational logs. Analytic logs store events that trace an issue, and they often log a high volume of events. Developers use debug logs when debugging applications. Analytic and debug logs are not visible by default. If you want to review them, you first must configure Event Viewer to display them.

The System Information tool


The System Information (msinfo32.exe) tool displays information about a computer, including reports on
installed hardware. You can use the System Information tool to look for hardware-resource conflicts, and
to determine the resources that a hardware device is using, including the IRQ line, memory address
range, and the base input/output (I/O) address range. You can use the System Information tool to show information from the local computer, as well as from remote computers.

The Device Manager tool


As covered earlier, Device Manager displays information about the hardware installed on a computer,
including hardware resource settings, device details, and driver information. You also can use Device
Manager to perform driver rollback, check for hardware changes, enable and disable drivers, and, where
necessary, uninstall drivers. You can use Device Manager to show information only from devices that are connected to the local computer. Device Manager in Windows 10 cannot connect to remote computers.

Windows PowerShell
You can view detailed information about connected devices, as well as enable or disable connected
devices, by using Windows PowerShell. You can view information about all connected devices by running
the Get-PnpDevice cmdlet. You can view detailed information about a specific connected device, such as
a mouse, by typing the following command at a command prompt, and then pressing Enter:
Get-PnpDevice -FriendlyName "HID-compliant mouse" | Format-List

The Reliability and Performance Monitor tools


The Reliability and Performance Monitor console includes two monitoring tools:
●● Reliability Monitor. The Reliability Monitor displays Windows 10 reliability over time and any hardware
failures that have occurred. You can use the Reliability Monitor to identify hardware-failure trends so
that you can be more proactive in your administration. This can help you identify devices that suffer
periodic failures, and replace them before they fail irreversibly.
●● Performance Monitor. The Performance Monitor displays and collects performance information that
pertains to hardware devices that are installed on a local computer and on remote computers. You
can use this information to track performance deterioration that might be a warning sign of potential
malfunctioning or failing hardware. The Performance Monitor also includes the System Diagnostics
Data Collector Set, which collects the status of local hardware resources, configuration data, and info
gathered by the System Information tool.

The Windows Memory Diagnostics tool


The Windows Memory Diagnostics Tool can detect and resolve physical memory problems automatically.
If the Windows Memory Diagnostics Tool detects a faulty memory module or parity error, it displays a
message in the system tray that prompts the user to diagnose and fix the problem. You can use Windows
Memory Diagnostics to check the computer’s memory during the startup process. You can choose to
restart the computer immediately and perform the check, or to schedule the memory check during the
next computer restart. If you select an immediate check, ensure that you save any work in progress, and
close any open windows before restarting the computer.

Centralized inventory
You can use additional products or services, for example System Center 2012 R2 Configuration Manager
Service Pack 1 (SP1) or Microsoft Intune, to gather hardware information from devices in your company.
You can review this information, and then generate reports or perform various actions, as needed, based
on the device hardware.

Best Practices for Troubleshooting Hardware Issues
Outside of component failure, hardware-related problems typically occur when you install a new hardware device or update a device driver. Common signs of a hardware-related problem include spontaneous computer restarts and error messages that display on a blue screen. To troubleshoot hardware issues:
●● Verify that the computer and all connected devices are compatible with Windows 10. If any hardware
device is not compatible with Windows 10, replace it with a compatible device.
●● Review device related events in Event Viewer, and check for device conflicts in Device Manager. Use
these two tools to perform initial troubleshooting.
●● Remove or disable recently installed device drivers. If you have recently installed another company’s
device driver or software package, try removing or disabling the driver to prevent it from loading, and
then restarting the computer. If that does not fix the problem, contact the hardware vendor, and
ensure that you have the latest available driver. If you are using the latest version of the driver, contact
the hardware vendor, and log the issue as a support incident.
●● Use driver rollback to return to a previous driver version. If a failure occurs after installing an updated
device driver, use the driver rollback feature to return to the previous working driver version. To roll
back a device driver:
●● Access driver rollback from within Device Manager.
●● Start the computer in Safe Mode, if necessary, to access driver rollback.
Note: If driver rollback is not possible, consider using System Restore to restore the computer’s configuration to a previous point. Remember that using System Restore most likely will resolve the driver problem, but it also will revert other system settings.
●● Consider upgrading the computer’s BIOS or firmware. This is a relatively straightforward process, and
you typically can do this in a Windows operating system by using a vendor-supplied tool. After
applying a BIOS or firmware update, you also might need to update the system device drivers.
●● Use hardware vendor support. Ensure that you have adequate support agreements and escalation
procedures with the hardware vendor, and then utilize this support if a hardware failure occurs. Many
hardware vendors offer extended support options, and will replace failed hardware components
within a certain period. You should have support options specified in your organization’s service level
agreements (SLAs).
●● Follow the company incident reporting process. Users often find it difficult to determine the exact sequence of events that led to failures. Many IT help desks adopt scripts that facilitate logical interviewing techniques to determine whether users made changes to their computers prior to the failure. Using a consistent procedure for recording incidents also aids with diagnosing problems.

Troubleshooting Physical Failures


Lesson Introduction
Hardware failures can be catastrophic unless you plan for them, as well as for data redundancy and regular backups. You should have procedures in place so that you can troubleshoot failed devices efficiently, particularly for your most vulnerable devices, such as hard disk drives and memory. You should also know the SLA that your company has with respect to device failures, and your organization’s procedure for replacing hardware components. If the failed component stores data, such as a hard disk drive, you might have a special process for discarding these devices to protect the stored data’s confidentiality.

Lesson Objectives
After completing this lesson, you will be able to:
●● Apply device-replacement considerations.
●● Identify the most vulnerable hardware devices.
●● Apply the guidelines for replacing hardware.
●● Diagnose memory problems.
●● Diagnose and troubleshoot disk problems.

Replacing Devices
You should be aware that computers are only tools, which allow users to perform their jobs. If a computer
fails, the user likely will not be able to perform his or her job, and because of that, you should repair the
computer as soon as possible. If you determine that the estimated recovery time is longer than is acceptable, it often is faster and more efficient to replace the computer. Many organizations have SLAs and
warranties with hardware vendors in place. Therefore, before you replace defective hardware, consider
any procedures that your SLAs mandate must occur before you can obtain replacement hardware. You
could fix your hardware problem more quickly, and reduce the impact on your users’ productivity and
your organization’s budget. You also should remember to check for basic issues before attempting to
replace hardware devices.

SLAs
An SLA can specify what to do when hardware fails, and how to log a failure incident with your organization’s service desk. The SLA also can dictate the expected response and replacement time for device
replacement. Procedures also must be in place to ensure that sufficient spare hardware devices are
available. Some companies maintain a hardware list of the available spare devices.
Warranties
Most hardware vendors include a warranty with their products. The warranty generally lasts for an initial
period, such as 12 months, and covers the hardware against failure during that period. A basic warranty
often includes a next-business-day response for device replacement. For a fee, most hardware vendors
offer additional warranty services with shorter response and replacement times. A typical option may
specify a four-hour telephone response time, with an engineer scheduled to visit the site within eight
hours to provide an on-site fix. Ensure that SLAs cover warranty agreements or other contracts with the
manufacturer or hardware vendor.
Escalation procedures
Providing appropriate escalation procedures and resources can be as simple as providing a contact
telephone number for the hardware vendor. However, most procedures also should include providing a
customer account number for the vendor, a specific contact name, and any pertinent contract details.
This makes service-desk employees aware of agreed-upon response times.
Issues with data security
If you need to replace a hard disk due to a hardware problem, you might need to return the broken disk
to the manufacturer. If so, check your organization’s security requirements for removing sensitive or
confidential data from the hard disk before you return it.

Vulnerable Hardware Devices


To pinpoint why a computer is experiencing a problem, you should identify if a hardware component or
device is the source of the problem. Knowing which devices are most susceptible to failure can help
accelerate your diagnosis. Being aware of the conditions under which vulnerable devices are most likely
to fail can help you avoid those conditions, as well. You then can use reliability measures to calculate the
probability of failure.
One such measure is mean time between failures (MTBF), which is the average time interval, usually
expressed in thousands or tens of thousands of hours, before a component fails and requires service.

Hard disk drives


There are five main reasons why hard disk drives fail:
●● Logical failure. Examples of logical failures include invalid entries in a file allocation table (FAT) or
master file table (MFT) on the NTFS file system volume. Logical failures are the least severe type of
failure. However, logical errors can cause corruption and file-system loss on a severely fragmented
drive. In these situations, you may need specialized tools to fix the problem.
●● Mechanical failure. Platters (one or more rotating, magnetically coated disks) store data on a hard
disk. Data is accessed through read/write heads mounted on rotating mechanical arms. One of the
most common mechanical failures occurs when the read/write heads of the hard disk come in contact
(momentarily or continuously), with the hard disk platters. Additionally, physical shock, computer
movement, static electricity, power surges, or mechanical read/write head failure can all cause head
crashes. Hard disk drives also could fail because of motor problems.
●● Electronic failure. An electronic failure is a problem with the hard disk’s controller board. If the
controller fails, the disk could be undetectable by the system BIOS. Additionally, electronic failure can
occur because of electrical surges that damage the controller board or because of defective board
components. However, you often can recover data because the disk platters and other mechanical
components remain undamaged.
●● Firmware failure. Hard disk firmware is code that controls the hardware. Often, it is stored on a flash
memory chip on the hard disk controller board. If the firmware becomes corrupt or unreadable, the
computer could be unable to communicate with the disk.
●● Bad sector. Bad sectors can be logical or physical. A lost cluster is an example of a logical bad sector that you typically can repair with software tools. Shock or vibration often causes physical bad sectors. Most hard disk drives have firmware that marks bad sectors and remaps them to spare sectors. If the damage is minor, no data is lost. You can use drive-monitoring tools to determine when the number of physical bad sectors is high enough that you should replace the drive.
Note: Most disks implement Self-Monitoring, Analysis, and Reporting Technology (SMART). This technology enables the operating system to monitor the hard disk proactively, checking for reliability issues before they result in data loss.

Solid-state drives
Many devices, including tablets and some laptops, have SSDs. This technology differs from traditional
hard drives and offers benefits to users in terms of physical device size, speed, and, to some extent,
 Troubleshooting Physical Failures  439

power consumption. Although there are no moving parts, SSDs can fail, often resulting in data loss. Every time the operating system writes to an SSD, it uses flash memory cells to store the data. These cells wear out after extensive write operations, resulting in errors or even drive failure. Some drives offer error-checking memory cells, which can help to mitigate data errors, and some users report more problems with larger drives. Do not treat SSDs as a fail-safe storage solution.

Power supplies
The power supply converts alternating current (AC) from the mains into the low-voltage direct current (DC) that a device's components can use. A failing power supply can cause erratic behavior, including random restarts, memory errors, or power being supplied to some devices and not others. Symptoms of power supply problems can include:
●● No indicator lights, disk action, or screen display.
●● On/Off indicator lights are visible, but there is no disk action or screen display.
●● The system produces a continuous beep.

Optical drives
Optical drives such as CD and DVD drives tend to have shorter lifetimes than other hardware devices, and their mean time between failures (MTBF) is lower than that of a hard disk drive. Most hardware manufacturers provide a one-year guarantee on optical drives and a three-year guarantee on hard drives.
The media quality in optical drives is a significant factor in the length of the optical drive’s life:
●● Higher-quality media can increase a device’s life.
●● Unclean media could reduce the device’s life.
Software settings also can affect optical drives. Using a high maximum write speed can result in a greater number of irreparable and subsequently unusable discs, compared to using slower write speeds. Optical drives can fail due to vibration because they require precise optical alignment to work properly. You can cause vibration by moving the computer while it is in use, or by operating the computer in a location that is not stable. Excessive dust, an environmental factor, also can damage optical drives.

Cooling fans
The most common cause of cooling fan failure is dust building up inside the computer and around the fan. This accumulation can lead to failures in the fan bearings, motor, or power supply. Cooling fan failure can cause the system to fail because of overheating.

CPUs and GPUs


Central processing units (CPUs) and graphics processing units (GPUs) are the devices least likely to fail.
However, you can overheat and damage the CPU if you attempt to overclock the CPU. Overheating also
can occur because of a failure with the cooling fan. Additionally, power spikes and static electricity
discharge can cause CPU failures.

System memory
Memory problems can occur because of heat, power surges, or static electricity. You can use the Windows
Memory Diagnostics Tool to help identify and resolve memory issues.
440  Module 13 Troubleshooting Hardware and Drivers  

Additional components at risk


Additionally, other components can fail. These include:
●● Batteries. Laptop computers and tablets have batteries. Although battery technology has improved
dramatically over the past several years, they still have a limited life. When your device battery begins
to degrade, consider replacing it. Common signs of impending battery failure include:
●● Inability to maintain a charge for extended periods.
●● Inability to supply a charge to a device for extended periods.
●● Excessive time required to charge a battery.
Note: Although almost all laptops have batteries that users can replace, this is not the case with all
tablets. Some tablets require the manufacturer or service agent to replace the battery.
●● Docking stations. Many users rely on docking stations to use their Windows 10 devices. This is
especially true for smaller devices such as tablets, as users connect their tablets to docking stations to
utilize peripherals such as keyboards and monitors. Failure of these intermediate devices can result in
productivity loss for the user.
●● Displays. A failed display typically requires manufacturer replacement. Before acting on a possible display failure, eliminate all other causes, including device drivers and the graphics card or system board.
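The first sign of battery failure listed above (the battery no longer holds a charge for long) can be measured rather than guessed at. The following PowerShell script is an added example, not part of the MD-100 course text: it compares the battery's design capacity with the capacity it actually reaches when the charger reports it full, using the root\wmi battery classes. It assumes those classes are populated (true for ACPI batteries on most laptops and tablets), that capacities are reported in mWh, and that 20 % wear is a sensible point to consider replacement; none of those figures come from the course.

```powershell
# Added example (not course code). Estimates battery wear from design vs. full-charge capacity.
# Assumptions: root\wmi battery classes present, capacities in mWh, 20 % wear threshold.
function Get-BatteryWear {
    param([double]$ReplaceAtWearPercent = 20)

    # DesignedCapacity: what the pack could hold when new.
    # FullChargedCapacity: what it holds now when the charger reports "full".
    $design = Get-CimInstance -Namespace root\wmi -ClassName BatteryStaticData -ErrorAction SilentlyContinue
    $full   = Get-CimInstance -Namespace root\wmi -ClassName BatteryFullChargedCapacity -ErrorAction SilentlyContinue

    if (-not $design -or -not $full) {
        Write-Warning 'No battery data in root\wmi (desktop, or a device without ACPI battery reporting).'
        return
    }

    foreach ($d in $design) {
        # Both classes key on the same InstanceName, one per battery pack
        $f = $full | Where-Object { $_.InstanceName -eq $d.InstanceName }
        if (-not $f -or $d.DesignedCapacity -eq 0) { continue }

        $wear = [math]::Round(100 - (100.0 * $f.FullChargedCapacity / $d.DesignedCapacity), 1)

        [PSCustomObject]@{
            Battery                 = $d.InstanceName
            DesignedCapacity_mWh    = $d.DesignedCapacity
            FullChargedCapacity_mWh = $f.FullChargedCapacity
            WearPercent             = $wear
            ConsiderReplacing       = ($wear -ge $ReplaceAtWearPercent)
        }
    }
}

Get-BatteryWear | Format-Table -AutoSize

# For the trend over time (capacity history, charge cycles), generate the built-in
# report and open the HTML file in a browser:
powercfg /batteryreport /output "$env:TEMP\battery-report.html"
```

A single reading tells you how much capacity is gone; the powercfg report shows how quickly it is going, which is what decides whether to order a replacement now or at the next refresh.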

Guidelines for Replacing Hardware


When a hardware device fails, you usually have to replace it. To minimize the risk of a replacement device
failing, adhere to the following guidelines:
●● When you install a device, take care to minimize the risk of damage during the installation process.
●● Eliminate support issues by choosing replacement devices that are compatible with Windows 10.
●● Follow your organization’s process for replacing hardware devices, including how to discard storage
devices.
●● Update the incident report after you replace the device and resolve the issue.

Root-cause analysis
Before you replace failed hardware devices, try to determine the root cause of the failure so that the same issue does not damage the replacement device. The root cause could be environmental, such as heat- or moisture-related failures. For example, devices placed in direct sunlight, with poor ventilation, or in a damp location where there might be condensation, could fail after a short time. Alternatively, the root cause could be behavioral, such as users knocking or kicking the computer.

Verify if you can replace individual components


Check for warranties for failed hardware. Computer warranties often prohibit you from replacing hard-
ware components. Some devices, especially tablets, do not support user replacement of failed parts.
Typically, you will need to return the device to the manufacturer or their service agent to have parts
replaced.

Static-electricity issues
Because of the risks that static electricity poses to devices, such as degradation of system memory, it is
important that you observe static-electricity guidelines, and that you train your IT staff accordingly.
Initiate compulsory maintenance procedures, and ensure that you use antistatic kits, which are inexpensive and available from numerous hardware manufacturers. Hardware vendors operate professional hardware-qualification programs that include detailed information about antistatic maintenance precautions. Additionally, ensure that IT staff wear grounding straps when working with sensitive components.

Windows 10 compatibility
When you purchase a new computer, verify that it is Windows 10 compatible. All hardware components in a Windows 10 compatible computer have been tested and verified to run the Windows 10 operating system.
Note: To determine which devices are compatible with Windows 10, refer to the Windows Compatibility
Center at: http://aka.ms/m5karm

Minimize interruption to users


Try to be as effective as possible when replacing hardware components. Replacing one component should not cause problems with other components. If you need to replace a failed hard disk drive, and the old drive contained user data, restore the data from the last backup of that computer.

Diagnosing Memory Problems


Each device that runs Windows 10 has memory, in which Windows 10 stores parts of the operating system, apps, and data. If part of the memory fails, you can expect various issues that seem random and that can be challenging to diagnose. For example, memory problems can prevent Windows from starting, cause unpredictable Stop errors that appear on blue screens, and cause apps to close randomly. These issues are not necessarily easy to reproduce, because the operating system and apps are not loaded into the same area of memory on each startup. Therefore, memory problems can be very difficult to identify.
The Windows Memory Diagnostics tool works with Microsoft Online Crash Analysis to monitor computers
for defective memory, and it also determines whether defective physical memory is causing program
crashes.
If the Windows Memory Diagnostics tool identifies a memory problem, Windows 10 avoids using the
affected part of the physical memory, so that the operating system can start successfully and avoid app
failures. In most cases, Windows 10 automatically detects possible problems with a computer’s memory
and displays a notification that asks whether to run the Windows Memory Diagnostics tool. You also can
start the Windows Memory Diagnostics tool from Windows 10, from the Windows Recovery Environment,
or from Windows 10 installation media. Windows 10 prevents direct access to computer memory, so the
Windows Memory Diagnostics tool can test the memory only if Windows 10 is not running. If you start
the tool from Windows, you can restart the computer and check for memory problems immediately, or
you can schedule the tool to run when the computer next restarts.

How does the Windows Memory Diagnostics tool run?


When the computer restarts, the Windows Memory Diagnostics tool tests the computer's memory by writing patterns of values to memory, reading them back, and comparing each value read with the value originally written; any mismatch identifies a failing location. To identify the widest range of memory failures, the tool offers three test mixes: Basic, Standard, and Extended. Press F1 while a test is running to access the Windows Memory Diagnostics tool options, which include:
●● Test mix. Select which type of test to run.
●● Cache. Select the cache setting for each test.
●● Pass count. Set the number of times that the test mix will repeat the tests.
You can press the Tab key to move between the Windows Memory Diagnostics options. When you finish
selecting your options, press F10 to apply the selection and return to the test.
When the Windows Memory Diagnostics tool runs, it shows a progress bar that indicates the status of the
test. Based on the amount of memory, it can take considerable time for the tool to finish checking a
computer's memory. When the test finishes, the Windows operating system restarts automatically, and
the tool provides a report that details any issues that it encounters. It also adds information to the System
log in Event Viewer, so you can analyze it later.
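Both the report written to the System log and the memory that Windows sets aside after a failed test (described in the two sections above) can be inspected from PowerShell. The following script is an added example, not part of the course text. It assumes the results event is ID 1201 from the MemoryDiagnostics-Results source as shown in Event Viewer, that excluded pages are recorded in the BCD object named {badmemory} (which bcdedit can enumerate), and that the short list of Stop codes it flags as "memory-suggestive" is a troubleshooting heuristic rather than a course figure. Run it in an elevated PowerShell session, because bcdedit requires administrator rights.

```powershell
# Added example (not course code). Reads the last Windows Memory Diagnostics result,
# the pages the boot loader excludes, and recent Stop errors that often point at RAM.
# Assumptions: results event ID 1201 / source MemoryDiagnostics-Results; {badmemory} BCD
# object; the Stop-code list is a heuristic. Run elevated.

function Get-MemoryDiagnosticsResult {
    # The tool writes its outcome to the System log after the post-test reboot
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1201 } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*MemoryDiagnostics*' } |
        Select-Object TimeCreated, ProviderName, Message
}

function Get-ExcludedMemoryPages {
    # Pages found defective are listed in badmemorylist; the loader keeps them out of use
    # unless badmemoryaccess is set to yes. Braces are quoted so PowerShell passes them through.
    $out = bcdedit /enum '{badmemory}' 2>&1
    [PSCustomObject]@{
        BadMemoryList   = (($out | Where-Object { $_ -match 'badmemorylist' }) -join ' ')
        BadMemoryAccess = (($out | Where-Object { $_ -match 'badmemoryaccess' }) -join ' ')
        Raw             = ($out -join "`n")
    }
}

function Get-MemorySuggestiveStopErrors {
    param([int]$Days = 30)
    # Stop codes whose usual causes include faulty RAM (assumption: a heuristic, not a rule)
    $suspect = @{
        '0x0000001a' = 'MEMORY_MANAGEMENT'
        '0x00000050' = 'PAGE_FAULT_IN_NONPAGED_AREA'
        '0x0000007e' = 'SYSTEM_THREAD_EXCEPTION_NOT_HANDLED'
        '0x0000003b' = 'SYSTEM_SERVICE_EXCEPTION'
        '0x00000124' = 'WHEA_UNCORRECTABLE_ERROR'
    }
    # After each crash the BugCheck source logs event 1001 with "The bugcheck was: 0x..."
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'bugcheck was:\s*(0x[0-9A-Fa-f]+)') {
                $code = $Matches[1].ToLower()
                [PSCustomObject]@{
                    Time           = $_.TimeCreated
                    StopCode       = $code
                    Name           = $suspect[$code]
                    SuggestsMemory = $suspect.ContainsKey($code)
                }
            }
        }
}

'--- Last Windows Memory Diagnostics results ---'
Get-MemoryDiagnosticsResult | Format-List
'--- Pages excluded by the boot loader ({badmemory}) ---'
(Get-ExcludedMemoryPages).Raw
"--- Stop errors in the last 30 days ---"
Get-MemorySuggestiveStopErrors | Format-Table -AutoSize
```

To schedule a fresh test from an existing Windows session, run mdsched.exe and choose to restart now or at the next restart; the 1201 event appears once Windows has restarted after the test. A non-empty badmemorylist on a machine that has not been retested recently is a reason to replace the module rather than to keep relying on the exclusion.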

Diagnosing and Troubleshooting Disk Problems


Most user data is stored on organizational file servers or in the cloud. If a disk fails, user data typically is
preserved, although you still have to replace the disk, and reinstall the operating system and apps.
However, if a user stores data locally, reliability of the local disks, and regular backups, become more
important. Nothing can replace regular backups, but you can increase the reliability of local storage by
implementing redundant storage, which requires multiple disks.
You can create several types of redundant storage in Windows 10: you can use the Disk Management tool to create mirrored volumes and parity volumes, or the Storage Spaces app to create two-way or three-way mirrors. Mirrored volumes and two-way mirrors require two disks, parity requires at least three disks, and three-way mirrors require at least five disks. Three-way mirrors protect data from two simultaneous disk failures, while the other redundant storage types protect data from a single disk failure.

Replacing failed disks in redundant storage


If a disk drive in redundant storage fails, you still can access the storage, and read or write the data. You
can view information about the failed disk in the Event Viewer tool and reestablish the redundancy by
replacing the failed disk. If a disk in a mirrored volume fails, you should perform the following steps:
1. Connect a new disk to the Windows 10 computer.
2. Remove the failed disk from the mirror by using the Disk Management tool.
3. Add a mirror that includes an operational disk from the previous mirror, and then add a new disk by
using the Disk Management tool.
If a disk fails that is part of a parity, two-way mirror, or three-way mirror storage space, you should perform the following steps:
1. Connect the new disk to the Windows 10 computer.
2. Add a new disk to the storage pool in the Storage Spaces app.
3. Remove the failed disk from the storage pool in the Storage Spaces app.
Note: When a disk failure occurs, you should add a new disk and reestablish redundancy as soon as
possible to avoid any data loss.
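The Storage Spaces steps above can be scripted, which matters when the same replacement has to be done on several machines or documented for an incident report. The following PowerShell script is an added example, not part of the course text. It follows the order the text gives (add the new disk first, then remove the failed one) and inserts the retire-and-repair step between them so that redundancy is rebuilt before the old disk leaves the pool. It assumes the pool is named "Pool1" and that the replacement is the only disk currently reported as poolable; both are placeholders to adjust. Run it in an elevated PowerShell session.

```powershell
# Added example (not course code). Replaces a failed disk in a Storage Spaces pool.
# Assumptions: pool named "Pool1"; the replacement is the only poolable disk. Run elevated.

$PoolName = 'Pool1'   # assumption: check the real name with Get-StoragePool

$pool = Get-StoragePool -FriendlyName $PoolName -ErrorAction Stop

# Which physical disk is the pool complaining about?
$failed = $pool | Get-PhysicalDisk |
    Where-Object { $_.HealthStatus -ne 'Healthy' -or $_.OperationalStatus -ne 'OK' }
if (-not $failed) { Write-Host "No unhealthy disk in $PoolName."; return }
$failed | Format-Table FriendlyName, SerialNumber, HealthStatus, OperationalStatus -AutoSize

# Steps 1 and 2: the new disk must already be connected; add it to the pool
$replacement = Get-PhysicalDisk -CanPool $true | Select-Object -First 1
if (-not $replacement) { throw 'No poolable disk found; connect the replacement disk first.' }
Add-PhysicalDisk -StoragePoolFriendlyName $PoolName -PhysicalDisks $replacement

# Before step 3: retire the failed disk so nothing new is placed on it, then rebuild
# every virtual disk in the pool onto the remaining disks and the new one
$failed | Set-PhysicalDisk -Usage Retired
$pool | Get-VirtualDisk | Repair-VirtualDisk
while (Get-StorageJob | Where-Object { $_.JobState -eq 'Running' }) {
    Write-Host 'Rebuilding redundancy...'
    Start-Sleep -Seconds 30
}

# Step 3: only now remove the failed disk from the pool
Remove-PhysicalDisk -StoragePoolFriendlyName $PoolName -PhysicalDisks $failed -Confirm:$false

# Verify: every virtual disk should report Healthy / OK again
$pool | Get-VirtualDisk |
    Format-Table FriendlyName, ResiliencySettingName, HealthStatus, OperationalStatus -AutoSize
```

If the pool has no spare capacity for the rebuild, Repair-VirtualDisk leaves the virtual disk degraded; in that case the replacement disk must be added before the repair is attempted, which is why the script never removes anything until the storage jobs have finished.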

Moving dynamic disks between computers


All volume types except simple volumes require dynamic disks. (Microsoft now documents dynamic disks as deprecated and recommends Storage Spaces for new redundant storage, but existing dynamic disks still have to be managed and, occasionally, moved.) All dynamic disks in a Windows 10 computer are members of a disk group, and each disk within a group stores a replica of the same dynamic disk database. Each disk group has a unique name, which is stored in the registry. If a single disk in a disk group fails, the data on that disk is no longer available, but its failure does not affect access to
the data on other disks in the group. If a computer fails and you need to move a dynamic disk to a different Windows 10 computer, the target computer considers the moved dynamic disk to be foreign, because it knows nothing about the moved disk's database. When Disk Management displays the status of a moved disk as Foreign, right-click the disk, and then select Import Foreign Disk. This option renames and updates the database on the moved disk, and then adds the information about the disk group to the registry. When you move multi-disk volumes, such as spanned, striped, or mirrored volumes, you must move all disks that are part of those volumes at the same time. If you move only some of the disks, the volume is inaccessible until you move the remaining disks in that volume.
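The Import Foreign Disk action can also be driven from the command line, which is useful when a replacement workstation is being rebuilt over a remote session. The following PowerShell script is an added example, not part of the course text: it uses diskpart, whose import command is the equivalent of Disk Management's Import Foreign Disk. It assumes that the Status column of diskpart's "list disk" output reads "Foreign" for foreign dynamic disks, and that every disk of any spanned, striped, or mirrored volume has already been attached to the target computer. Run it in an elevated PowerShell session.

```powershell
# Added example (not course code). Finds disks diskpart reports as Foreign and imports them.
# Assumptions: "list disk" status column reads "Foreign"; all members of each multi-disk
# volume are attached. Run elevated.

function Get-ForeignDiskNumber {
    # Feed "list disk" to diskpart over stdin and pick out the rows flagged Foreign
    $rows = 'list disk' | diskpart
    foreach ($row in $rows) {
        if ($row -match '^\s*Disk\s+(\d+)\s+Foreign\b') { [int]$Matches[1] }
    }
}

function Import-ForeignDisk {
    param([int[]]$DiskNumber)
    if (-not $DiskNumber) { Write-Host 'No foreign disks present.'; return }

    # Build a diskpart script. Importing any one member brings in its whole disk group,
    # so "noerr" keeps the run going when a later disk of the same group is already imported.
    $lines = foreach ($n in $DiskNumber) { "select disk $n"; 'import noerr' }
    $lines += 'list volume'
    $scriptPath = Join-Path $env:TEMP 'import-foreign-disks.txt'
    Set-Content -Path $scriptPath -Value $lines -Encoding ASCII
    diskpart /s $scriptPath
    Remove-Item $scriptPath
}

Import-ForeignDisk -DiskNumber (Get-ForeignDiskNumber)
```

The final "list volume" is the check: a spanned, striped, or mirrored volume that still shows as failed after the import is missing one of its disks, and the fix is to attach the missing disk and import again, not to delete the volume.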
Note: If you repair a disk that was part of a storage space and then move it to different computer, Disk
Management will classify it as Foreign.
Note: Windows 10 includes support for SMART. If you use disk drives that support SMART, Windows 10 can monitor them proactively and warn you to perform a backup before an expected disk failure. You can run the WMIC (Windows Management Instrumentation Command-line) command wmic diskdrive get status at a command prompt to view the status that a disk reports to the operating system. Be aware that WMIC is deprecated in current Windows 10 builds, and that a status of OK from this command means only that the disk driver has not raised a fault; it does not mean the drive's SMART attributes are clean.
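Because the status that wmic reports is so coarse, a practitioner normally reads the SMART data behind it. The following PowerShell script is an added example, not part of the course text. It reports, per physical disk, the same Win32_DiskDrive status that wmic prints, the SMART failure-prediction flag that Windows warns on, the Storage module's reliability counters, and the raw SMART attributes that track bad sectors (5 Reallocated Sectors, 197 Current Pending, 198 Offline Uncorrectable). It assumes that the root\wmi SMART classes are populated for the drive (this is driver-dependent; many NVMe and RAID drivers do not expose them), that their InstanceName is the drive's PNPDeviceID followed by a "_0" suffix, that PhysicalDisk.DeviceId matches Win32_DiskDrive.Index, and the standard 12-byte ATA attribute layout. Run it in an elevated PowerShell session.

```powershell
# Added example (not course code). Fuller disk-health check than "wmic diskdrive get status".
# Assumptions: root\wmi SMART classes populated; InstanceName = PNPDeviceID + "_0";
# PhysicalDisk.DeviceId = Win32_DiskDrive.Index; 12-byte ATA attribute layout. Run elevated.

function ConvertFrom-SmartAttributeBlock {
    # VendorSpecific is a 512-byte block: attributes start at offset 2, 12 bytes each:
    # id(1) flags(2) current(1) worst(1) raw(6, little-endian) reserved(1)
    param([byte[]]$Block)
    $attrs = @{}
    for ($i = 0; $i -lt 30; $i++) {
        $o  = 2 + ($i * 12)
        $id = $Block[$o]
        if ($id -eq 0) { continue }
        $raw = [int64]0
        for ($k = 5; $k -ge 0; $k--) { $raw = ($raw -shl 8) -bor $Block[$o + 5 + $k] }
        $attrs[[int]$id] = [PSCustomObject]@{ Id = $id; Current = $Block[$o + 3]; Worst = $Block[$o + 4]; Raw = $raw }
    }
    $attrs
}

function Get-DiskHealthReport {
    $predict  = Get-CimInstance -Namespace root\wmi -ClassName MSStorageDriver_FailurePredictStatus -ErrorAction SilentlyContinue
    $smart    = Get-CimInstance -Namespace root\wmi -ClassName MSStorageDriver_ATAPISmartData -ErrorAction SilentlyContinue
    $physical = Get-PhysicalDisk

    foreach ($drive in Get-CimInstance -ClassName Win32_DiskDrive) {
        $pnp = $drive.PNPDeviceID
        $p = $predict | Where-Object { $_.InstanceName -like "$pnp*" }
        $s = $smart   | Where-Object { $_.InstanceName -like "$pnp*" }
        $attrs = if ($s) { ConvertFrom-SmartAttributeBlock -Block $s.VendorSpecific } else { @{} }

        # Storage module view of the same disk, and its reliability counters
        $phys = $physical | Where-Object { $_.DeviceId -eq "$($drive.Index)" }
        $rel  = if ($phys) { $phys | Get-StorageReliabilityCounter -ErrorAction SilentlyContinue } else { $null }

        $realloc = if ($attrs[5])   { $attrs[5].Raw }   else { $null }
        $pending = if ($attrs[197]) { $attrs[197].Raw } else { $null }
        $uncorr  = if ($attrs[198]) { $attrs[198].Raw } else { $null }

        $predictFailure = if ($p)    { [bool]$p.PredictFailure } else { 'n/a' }
        $health         = if ($phys) { $phys.HealthStatus }      else { 'n/a' }
        $wear           = if ($rel)  { $rel.Wear }               else { 'n/a' }
        $readErrors     = if ($rel)  { $rel.ReadErrorsTotal }    else { 'n/a' }

        # Any of these is a "back up now and plan the replacement" signal
        $replace = ($predictFailure -eq $true) -or
                   ($phys -and $phys.HealthStatus -ne 'Healthy') -or
                   ($realloc -gt 0) -or ($pending -gt 0) -or ($uncorr -gt 0)

        [PSCustomObject]@{
            Model              = $drive.Model
            Status             = $drive.Status      # the value "wmic diskdrive get status" prints
            PredictFailure     = $predictFailure
            HealthStatus       = $health
            Wear               = $wear
            ReadErrorsTotal    = $readErrors
            ReallocatedSectors = $realloc
            PendingSectors     = $pending
            Uncorrectable      = $uncorr
            BackUpAndReplace   = [bool]$replace
        }
    }
}

Get-DiskHealthReport | Format-Table -AutoSize
```

A rising reallocated-sector count with a Status of OK is the common case the wmic command misses: the drive is still remapping successfully, so the driver reports no fault, but the remaining spare sectors are finite. Pending sectors are worse news, because they are sectors the drive could not read and has not yet been able to remap, which is exactly the data you want backed up before the drive is replaced.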

Practice Labs and Module Review


Module 13 Practice Labs
Lab 1301: Recovering Windows by using a Restore Point

Summary
During this lab, you will learn how to recover a Windows 10 device by using a Restore Point.

Scenario
One of your colleagues reports that after installing a hardware driver, his device is no longer responsive. You've decided to see if you can reproduce the same circumstances on SEA-CL1, but need to ensure that you can return to a previous working state.

Lab 1302: Troubleshooting Hardware by Using Windows Memory Diagnostics

Summary
In this lab, you will learn how to use the Windows Memory Diagnostics Tool to check for memory prob-
lems on a Windows 10 device.

Scenario
SEA-CL1 is still having issues with blue screen and performance symptoms. You decide to check for
memory problems using the Windows Memory Diagnostics Tool.

Module Review
Check Your Knowledge
1. You are an IT Support professional for an architectural firm. You are connecting an optical device for a
CAD application to a Windows 10 workstation. Which of the following is not a way to obtain a valid
driver for a device?
A. Media that came with the device
B. Manufacturer's website
C. Windows 10
D. Windows Update
E. All mentioned are valid
2. While troubleshooting a Windows 10 computer, you start in Safe Mode. Which of the following
devices will be accessible? (select four)
A. Mouse
B. Floppy disk
C. Network Adapter
D. Hard disk
E. CD or DVD drive
F. Printer
3. You work in a highly secured environment. As an IT Support professional, you have been asked to configure a Group Policy setting that will prevent anyone from using any external storage device on your Windows 10 computers. Which Group Policy setting will accomplish this without restricting allowed devices?
A. Prevent installation of removable devices
B. Prevent installation of devices using drivers that match these device setup classes
C. Allow administrators to override Device Installation Restrictions policies
D. Prevent installation of devices not described by other policy settings
4. New company policy restricts USB device installation. Restricting USB device installation can benefit
hardware support but it can also cause issues. Which of the following is not an issue created by
restricting USB device installation?
A. More complicated levels of data security
B. Misdiagnosed faults
C. Policy management
D. USB 2 and USB 3 support
E. None mentioned
5. A user installed a new hardware device and now is reporting problems. Based on best practices, which
of the following tools are used to perform initial hardware-related troubleshooting? (select two)
A. The System Information tool
B. The Reliability and Performance Monitor tools
C. The Event Viewer tool
D. The Windows Memory Diagnostics tool
E. The Device Manager tool
6. A user reports problems with a computer. After starting the troubleshooting process, you determine
that the estimated recovery time will be longer than is acceptable. Other than recovery time, which of
the following should be taken into account before replacing a computer or device?
A. SLAs
B. Warranties
C. Escalation procedures
D. Issues with data security
E. All mentioned
7. A user reports that something on their computer is preventing Windows from starting. On further
investigation you determine that apps are closing randomly and Stop errors are appearing on blue
screens. Which Windows 10 tool can you use to gather information and resolve these issues?
A. The Event Viewer tool
B. Windows PowerShell
C. The Device Manager tool
D. The System Information tool
E. The Reliability and Performance Monitor tools
F. The Windows Memory Diagnostics tool
8. A Windows 10 computer in the Human Resources department stores important data. You need to
create redundant storage for this data. The computer has two available disks. Which two types of
redundant storage can you create? (select two)
A. Mirrored volumes
B. Parity
C. Three-way mirrors
D. Two-way mirror
E. Disk Striping
Answers: 1) E 2) A, B, D, E 3) D 4) A 5) C, E 6) E 7) F 8) A, D
